Date: Wed, 3 May 2006 23:56:43 -0700 From: Michael DeMan <michael@staff.openaccess.org> To: Sam Leffler <sam@errno.com> Cc: freebsd-net@freebsd.org, Mike Tancsa <mike@sentex.net> Subject: Re: crypto accelerators Message-ID: <424A33C3-3E6F-437D-AF42-C508FCCFEDF7@staff.openaccess.org> In-Reply-To: <44457DB4.4030601@errno.com> References: <200604180244.k3I2icZj076600@white.dogwood.com> <bjua42ds5esbkeek8v8a9qelhtbebteqm4@4ax.com> <44457DB4.4030601@errno.com>
next in thread | previous in thread | raw e-mail | index | archive | help
hi, Just jumping in here. The Soekris 1401 offers only limited performance enhancements. If you read the specs, it is only useful (and used?) for certain encryption algorithms. Its also deprecated and would imagine that Soren regrets even releasing it in the first place. None the less, we have seen significant enhancements using that chip on 4.9+ BSD releases on older platforms. I don't have our thruput metrics in front of me right now, but I seem to recall they could take IPSec on a Soekris 4501 from about 2Mbit to about 6, with kernel polling enabled. I presume that kernel polling on the network side could adversely affect performance on the VPN board as well. It depends what you want in many ways. The only time I've seen IPSec or SSH traffic limited on a BSD box is from sheer CPU cycles, and a lot of that has to do with bandwidth over the PCI bus (or busses). I would expect a good crypto accelerator on a PCI bus separated from the network bus to perform much better? Michael F. DeMan Director of Technology OpenAccess Network Services Bellingham, WA 98225 michael@staff.openaccess.org 360-647-0785 On Apr 18, 2006, at 5:00 PM, Sam Leffler wrote: > Mike Tancsa wrote: >> On Mon, 17 Apr 2006 16:44:38 -1000 (HST), in sentex.lists.freebsd.net >> you wrote: >>> I've read here before (or maybe some other freebsd list) that cards >>> like the Soekris 1401 don't gain as much as you'd expect due to >>> moving >>> packets to/from the card over the PCI bus. But the context is >>> usually >>> one of trying to encrypt packets to increase throughput. >>> >>> So the question is whether these cards, regardless of their >>> affect on >>> throughput, increase usable CPU cycles? I have several Soekris 1401 >>> cards and am wondering if there would be any point to putting them >>> into some machines that provide logins over ssh. These machines are >>> generally pretty good spec, 2.4GHz+, 1GB RAM, Intel MBs, mostly >>> on-board peripherals. >> The only place I found it really helpful for ssh connections was on >> our backup server where we had multiple inbound ssh connections (e.g. >> 10+ at once sending dump piped through ssh) it kept the CPU >> utilization down. If you have just one or two, it doesnt really >> matter > > Unless you're doing lots of scp's it's unlikely ssh traffic is > going to generate large packets so offloading the crypto won't be > worthwhile (cost to setup the h/w op probably is higher than doing > the op in s/w). This has been discussed previously; see for > example my BSDCan 2003 paper. > > Sam > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?424A33C3-3E6F-437D-AF42-C508FCCFEDF7>