From owner-freebsd-net@FreeBSD.ORG Thu May 4 06:56:46 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 545C416A404 for ; Thu, 4 May 2006 06:56:46 +0000 (UTC) (envelope-from michael@staff.openaccess.org) Received: from smtp.openaccess.org (smtp.openaccess.org [66.165.52.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C51343D46 for ; Thu, 4 May 2006 06:56:46 +0000 (GMT) (envelope-from michael@staff.openaccess.org) Received: from [192.168.2.149] (unknown [216.57.214.91]) by smtp.openaccess.org (Postfix) with ESMTP id 64A686D44B9; Wed, 3 May 2006 23:56:45 -0700 (PDT) In-Reply-To: <44457DB4.4030601@errno.com> References: <200604180244.k3I2icZj076600@white.dogwood.com> <44457DB4.4030601@errno.com> Mime-Version: 1.0 (Apple Message framework v749.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <424A33C3-3E6F-437D-AF42-C508FCCFEDF7@staff.openaccess.org> Content-Transfer-Encoding: 7bit From: Michael DeMan Date: Wed, 3 May 2006 23:56:43 -0700 To: Sam Leffler X-Mailer: Apple Mail (2.749.3) Cc: freebsd-net@freebsd.org, Mike Tancsa Subject: Re: crypto accelerators X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2006 06:56:46 -0000 hi, Just jumping in here. The Soekris 1401 offers only limited performance enhancements. If you read the specs, it is only useful (and used?) for certain encryption algorithms. Its also deprecated and would imagine that Soren regrets even releasing it in the first place. None the less, we have seen significant enhancements using that chip on 4.9+ BSD releases on older platforms. I don't have our thruput metrics in front of me right now, but I seem to recall they could take IPSec on a Soekris 4501 from about 2Mbit to about 6, with kernel polling enabled. I presume that kernel polling on the network side could adversely affect performance on the VPN board as well. It depends what you want in many ways. The only time I've seen IPSec or SSH traffic limited on a BSD box is from sheer CPU cycles, and a lot of that has to do with bandwidth over the PCI bus (or busses). I would expect a good crypto accelerator on a PCI bus separated from the network bus to perform much better? Michael F. DeMan Director of Technology OpenAccess Network Services Bellingham, WA 98225 michael@staff.openaccess.org 360-647-0785 On Apr 18, 2006, at 5:00 PM, Sam Leffler wrote: > Mike Tancsa wrote: >> On Mon, 17 Apr 2006 16:44:38 -1000 (HST), in sentex.lists.freebsd.net >> you wrote: >>> I've read here before (or maybe some other freebsd list) that cards >>> like the Soekris 1401 don't gain as much as you'd expect due to >>> moving >>> packets to/from the card over the PCI bus. But the context is >>> usually >>> one of trying to encrypt packets to increase throughput. >>> >>> So the question is whether these cards, regardless of their >>> affect on >>> throughput, increase usable CPU cycles? I have several Soekris 1401 >>> cards and am wondering if there would be any point to putting them >>> into some machines that provide logins over ssh. These machines are >>> generally pretty good spec, 2.4GHz+, 1GB RAM, Intel MBs, mostly >>> on-board peripherals. >> The only place I found it really helpful for ssh connections was on >> our backup server where we had multiple inbound ssh connections (e.g. >> 10+ at once sending dump piped through ssh) it kept the CPU >> utilization down. If you have just one or two, it doesnt really >> matter > > Unless you're doing lots of scp's it's unlikely ssh traffic is > going to generate large packets so offloading the crypto won't be > worthwhile (cost to setup the h/w op probably is higher than doing > the op in s/w). This has been discussed previously; see for > example my BSDCan 2003 paper. > > Sam > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >