Date:      Tue, 31 Oct 2006 16:29:01 -0500
From:      Nicolas Blais <nb_root@videotron.ca>
To:        freebsd-current@freebsd.org
Subject:   Hifn 7955/7956 crypto accelerator questions
Message-ID:  <200610311629.06271.nb_root@videotron.ca>

Hi,

I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
7956) to do some performance tests in a military environment with FreeBSD
systems. Since this is a big project and I don't want to jump in something
destined to fail, I'll ask your expertise.

1. After searching the mailing lists for reports of performance with openssl
and crypto accelerators, I did not find anything that showed an increase in
performance with the cards (though some posts date back to FBSD4.8). Does
openssl today make correct use of the crypto hardware?

2. From what I understand, ssh is supposed to increase in performance with
those cards. Assuming two FreeBSD computers with crypto accelerators are
transferring big files (say sftp) in a cipher that the card and driver
supports, would the transfer rate be at or near clear-text speed (in a
100mbps link)?

3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
partitions? Again, with big file systems, would a gain in performance be
noticeable?

4. Also, it seems that asymmetric crypto support is not yet implemented in the
hifn driver (according to the man page). Is it safe to assume that pgp will
not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
question...)

The whole idea is to reduce conversion and transfer time with highly
sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use a
commercial software compatible with PGP, but there are security and
logistical issues with it (the commercial software, not PGP). Encrypting a
2GB file with PGP, even on a modern machine, takes a long time. I've done
tests with geli and am so far satisfied with it, but it is a storage
encryption and doesn't allow us to safely transfer data unless we physically
transfer the disk or use ssh. With geli, you also have to make sure that the
created partition is only readable/writeable by the user you want access
allowed to, which reduces the total security of the information due to human
negligence.

Nicolas.
--
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
nicblais@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc
