From: Sam Leffler <sam@errno.com>
Organization: Errno Consulting
To: sekchye goh
Cc: freebsd-security@freebsd.org
Date: Thu, 17 Feb 2005 21:21:36 -0800
Subject: Re: multiple crypto accelerator cards in one FreeBSD box
Message-ID: <42157B60.8000404@errno.com>
In-Reply-To: <21f8a77b0502172000693da743@mail.gmail.com>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)

sekchye goh wrote:
> Hi there!
> We are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
> version VPN1401 cards in a FreeBSD box using hifn support.
> From the technical specs on the Soekris website
> http://www.soekris.com/vpn1401.htm, each card can support 24 to 70
> connections.
> The question is, if we put 3 VPN1401 cards in a single box, does this mean
> the FreeBSD box can support 3 x (24 to 70) IPSEC connections?

Not sure where the 24-70 connection numbers come from. If it's based on
allocating session state in on-chip SDRAM then that was removed a while ago
by moving the session state allocation to host memory. If the numbers are
representative of peak performance then I'd be curious where they came from.

Understand that you're likely to be bus-limited for performance and adding
additional cards isn't going to help unless cards are on separate PCI buses.
Beware however that the current crypto code does not manage multiple cards
well. If you decide to go with multiple cards you'll want to do some load
balancing.

	Sam
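Sam's point that extra cards only add capacity when they sit on separate PCI buses is something you can check before buying a third card. The script below is an added example written for this page, not code from the mail, from Soekris or from the hifn(4) driver. It assumes the `pciconf -l` line layout (`name@pci<bus>:<slot>:<func>:` on FreeBSD 5.x/6.x, `name@pci<domain>:<bus>:<slot>:<func>:` on later releases) and works on a constructed sample rather than output captured from a real box; the chip IDs in the sample are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original mail: count hifn(4) cards per PCI bus
# from `pciconf -l` output. Cards that share a bus also share its bandwidth, so a
# second card on the same bus is unlikely to raise aggregate IPsec throughput.
#
# Assumptions (not from the mail): pciconf -l prints one device per line as
#   name@pci<bus>:<slot>:<func>:           (FreeBSD 5.x/6.x)  or
#   name@pci<domain>:<bus>:<slot>:<func>:  (later releases)
# followed by class/card/chip fields. The sample below is constructed, not
# captured from a real box; pciconf separates the selector from the fields with
# a tab, but a space parses the same way.

SAMPLE_PCICONF='hostb0@pci0:0:0: class=0x060000 card=0x00000000 chip=0x25788086 rev=0x02 hdr=0x00
hifn0@pci1:8:0: class=0x100000 card=0x00000000 chip=0x002013a3 rev=0x00 hdr=0x00
hifn1@pci1:9:0: class=0x100000 card=0x00000000 chip=0x002013a3 rev=0x00 hdr=0x00
hifn2@pci2:4:0: class=0x100000 card=0x00000000 chip=0x002013a3 rev=0x00 hdr=0x00
em0@pci2:5:0: class=0x020000 card=0x10018086 chip=0x10768086 rev=0x05 hdr=0x00'

# Read pciconf -l lines on stdin; print "<bus> <count> <card names>" for every
# bus that holds at least one hifn device, sorted by bus number.
hifn_cards_per_bus() {
    awk '/^hifn[0-9]+@pci/ {
        split($1, parts, "@")                    # parts[1]="hifn0", parts[2]="pci1:8:0:"
        n = split(substr(parts[2], 4), f, ":")   # drop "pci", split the selector
        if (f[n] == "") n--                      # trailing ":" yields an empty last field
        bus = f[n - 2]                           # bus sits two fields before the function
        count[bus]++
        names[bus] = names[bus] " " parts[1]
    }
    END { for (b in count) printf "%s %d%s\n", b, count[b], names[b] }' | sort -n
}

# Number of buses carrying more than one hifn card, i.e. cards that will
# contend for the same bus rather than add capacity.
hifn_shared_buses() {
    hifn_cards_per_bus | awk '$2 > 1 { n++ } END { print n + 0 }'
}

# On a live box:  pciconf -l | hifn_cards_per_bus
printf '%s\n' "$SAMPLE_PCICONF" | hifn_cards_per_bus
echo "buses with more than one hifn card: $(printf '%s\n' "$SAMPLE_PCICONF" | hifn_shared_buses)"
```

In the constructed sample hifn0 and hifn1 share bus 1, so the report flags one contended bus; only hifn2 on bus 2 would be expected to add throughput. This tells you about bus placement only; whether the kernel's crypto code spreads sessions across the cards is a separate question, as Sam notes.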