From: Brooks Davis
To: Nicolas Blais
Cc: freebsd-current@freebsd.org
Date: Tue, 31 Oct 2006 15:52:07 -0600
Subject: Re: Hifn 7955/7956 crypto accelerator questions
Message-ID: <20061031215207.GA38358@lor.one-eyed-alien.net>
In-Reply-To: <200610311629.06271.nb_root@videotron.ca>

On Tue, Oct 31, 2006 at 04:29:01PM -0500, Nicolas Blais wrote:
> Hi,
>
> I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
> 7956) to do some performance tests in a military environment with FreeBSD
> systems. Since this is a big project and I don't want to jump in something
> destined to fail, I'll ask your expertise.
>
> 1. After searching the mailing lists for reports of performance with openssl
> and crypto accelerators, I did not find anything that showed an increase in
> performance with the cards (though some posts date back to FBSD4.8). Does
> openssl today make correct use of the crypto hardware?

I believe it can in modern versions.

> 2. From what I understand, ssh is supposed to increase in performance with
> those cards. Assuming two FreeBSD computers with crypto accelerators are
> transferring big files (say sftp) in a cipher that the card and driver
> supports, would the transfer rate be at or near clear-text speed (in a
> 100mbps link)?

It all depends on your CPU and your algorithm. For example, looking at the
data from the HPN-SSH project, you'll see they are getting >100Mbps
throughput with SCP encrypted with AES. That meets your requirements below,
but that's with a fairly fast CPU. If you need to use a slow CPU an
accelerator may help.

http://www.psc.edu/networking/projects/hpn-ssh/

> 3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
> partitions? Again, with big file systems, would a gain in performance be
> noticeable?

Yes and maybe. Again, it depends. With a modern CPU the older hifn cards
probably won't show much benefit.

> 4. Also, it seems that asymmetric crypto support is not yet implemented in the
> hifn driver (according to the man page). Is it safe to assume that pgp will
> not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
> question...)

PGP mostly uses an asymmetric cypher encrypted using RSA or DSA because they
are too slow to encrypt even a small file otherwise. If PGP used OpenSSL for
that part and OpenSSL supported acceleration, and PGP was configured to use
an accelerated symmetric cipher, then you would see some speedup. You'd
still have the cost of generating the random symmetric key and encrypting
it, but for large files the cost would be reduced.

> The whole idea is to reduce conversion and transfer time with highly
> sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use a
> commercial software compatible with PGP, but there are security and
> logistical issues with it (the commercial software, not PGP). Encrypting a
> 2GB file with PGP, even on a modern machine, takes a long time. I've done
> tests with geli and am so far satisfied with it, but it is a storage
> encryption and doesn't allow us to safely transfer data unless we physically
> transfer the disk or use ssh. With geli, you also have to make sure that the
> created partition is only readable/writeable by the user you want access
> allowed to which reduces the total security of the information due to human
> negligence.

Assuming non-trivial bandwidth-delay products, you'll definitely want to
look at HPN-SSH and understand what it does even if you don't end up using
it.

-- Brooks
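The split Brooks describes for point 4, a random symmetric session key doing the bulk work with the public-key operation applied only to that key, as an added example that is not part of the thread or of PGP's own code. It uses Go's standard library with AES-256-GCM for the bulk data and RSA-OAEP for the key wrap (a stand-in for PGP's packet format, not a reimplementation of it); the function names and the 32+12 byte buffer layout are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewRecipientKey generates the recipient's RSA key pair (the "PGP key" in the reply).
func NewRecipientKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// HybridEncrypt: a fresh random AES-256 session key encrypts the bulk data and only that
// 32-byte key goes through RSA-OAEP, so wrappedKey stays fixed-size while body
// (nonce || ciphertext || tag) is the only part that grows with the file.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, body []byte, err error) {
	buf := make([]byte, 32+12) // session key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// HybridDecrypt unwraps the session key with the private key, then opens the body;
// a tampered body, truncated body or wrong key all fail here rather than yielding data.
func HybridDecrypt(priv *rsa.PrivateKey, wrappedKey, body []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // rejects a session key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	ns := gcm.NonceSize()
	if len(body) < ns {
		return nil, errors.New("body shorter than the GCM nonce")
	}
	return gcm.Open(nil, body[:ns], body[ns:], nil)
}
```

Encrypting a 1 MiB and a 20-byte input with the same public key yields a wrapped key of identical size for both, which is the fixed asymmetric cost the reply refers to; only the body scales with the file.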