Date:      Tue, 31 Oct 2006 15:52:07 -0600
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        Nicolas Blais <nb_root@videotron.ca>
Cc:        freebsd-current@freebsd.org
Subject:   Re: Hifn 7955/7956 crypto accelerator questions
Message-ID:  <20061031215207.GA38358@lor.one-eyed-alien.net>
In-Reply-To: <200610311629.06271.nb_root@videotron.ca>
References:  <200610311629.06271.nb_root@videotron.ca>

On Tue, Oct 31, 2006 at 04:29:01PM -0500, Nicolas Blais wrote:
> Hi,
> 
> I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
> 7956) to do some performance tests in a military environment with FreeBSD
> systems. Since this is a big project and I don't want to jump into something
> destined to fail, I'll ask your expertise.
> 
> 1. After searching the mailing lists for reports of performance with openssl
> and crypto accelerators, I did not find anything that showed an increase in
> performance with the cards (though some posts date back to FBSD4.8). Does
> openssl today make correct use of the crypto hardware?

I believe it can in modern versions.

> 2. From what I understand, ssh is supposed to increase in performance with
> those cards. Assuming two FreeBSD computers with crypto accelerators are
> transferring big files (say sftp) in a cipher that the card and driver
> support, would the transfer rate be at or near clear-text speed (on a
> 100 Mbps link)?

It all depends on your CPU and your algorithm.  For example, looking at
the data from the HPN-SSH project, you'll see they are getting >100Mbps
throughput with SCP encrypted with AES.  That meets your requirements
below, but that's with a fairly fast CPU.  If you need to use a slow CPU
an accelerator may help.

http://www.psc.edu/networking/projects/hpn-ssh/

> 3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
> partitions? Again, with big file systems, would a gain in performance be
> noticeable?

Yes and maybe.  Again, it depends.  With a modern CPU the older hifn
cards probably won't show much benefit.

> 4. Also, it seems that asymmetric crypto support is not yet implemented in the
> hifn driver (according to the man page). Is it safe to assume that pgp will
> not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
> question...)

PGP mostly uses an asymmetric cipher encrypted using RSA or DSA because
they are too slow to encrypt even a small file otherwise.  If PGP used
OpenSSL for that part and the OpenSSL supported acceleration, and PGP was
configured to use an accelerated symmetric cipher then you would see
some speedup.  You'd still have the cost of generating the random
symmetric key and encrypting it, but for large files the cost would be
reduced.

> The whole idea is to reduce conversion and transfer time with highly
> sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use
> commercial software compatible with PGP, but there are security and
> logistical issues with it (the commercial software, not PGP). Encrypting a
> 2 GB file with PGP, even on a modern machine, takes a long time. I've done
> tests with geli and am so far satisfied with it, but it is storage
> encryption and doesn't allow us to safely transfer data unless we physically
> transfer the disk or use ssh. With geli, you also have to make sure that the
> created partition is only readable/writable by the user you want access
> allowed to, which reduces the total security of the information due to human
> negligence.

Assuming non-trivial bandwidth-delay products, you'll definitely want to
look at HPN-SSH and understand what it does even if you don't end up
using it.

-- Brooks
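The split Brooks describes for PGP-style file encryption, a per-file session key that is protected with the recipient's public key while the file itself goes through a bulk cipher, as an added example in Go (not code from this thread, from FreeBSD or from any PGP implementation): the RSA-OAEP key wrap is one fixed-cost operation however large the file is, and the AES-256-GCM bulk step is the part whose cost grows with the 2 GB files and that a hardware accelerator could offload. It uses only Go's standard library on the CPU; no hifn card or cryptodev engine is involved. The 2048-bit key, the choice of GCM, the payload sizes and the `HybridMessage` layout are my choices for illustration, and the payloads are constructed in the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
	"time"
)
// HybridMessage is the on-the-wire shape: one RSA-wrapped session key plus the bulk ciphertext.
type HybridMessage struct {
	WrappedKey []byte // RSA-OAEP(sessionKey): one RSA block, regardless of payload size
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output with the 16-byte authentication tag appended
}

// newGCM builds the AES-256-GCM AEAD for a 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey is the asymmetric step: a single RSA-OAEP operation whose cost does not depend on the file.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// SealBulk is the symmetric step: cost grows with len(plain), so this is what an accelerator could offload.
func SealBulk(key, plain []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plain, nil), nil
}

// Encrypt draws a fresh 256-bit session key, wraps it for pub and seals plain under it.
func Encrypt(pub *rsa.PublicKey, plain []byte) (*HybridMessage, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := WrapKey(pub, key)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := SealBulk(key, plain)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the session key with priv and opens the bulk ciphertext; any bit flip fails the tag check.
func Decrypt(priv *rsa.PrivateKey, msg *HybridMessage) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	key := make([]byte, 32)
	if _, kerr := io.ReadFull(rand.Reader, key); err != nil || kerr != nil {
		panic("key generation failed")
	}
	// Constructed zero-filled payloads of 1 MiB and 16 MiB; a real tool would stream the file.
	for _, mib := range []int{1, 16} {
		plain := make([]byte, mib<<20)
		t0 := time.Now()
		if _, err := WrapKey(&priv.PublicKey, key); err != nil {
			panic(err)
		}
		t1 := time.Now()
		if _, _, err := SealBulk(key, plain); err != nil {
			panic(err)
		}
		fmt.Printf("%2d MiB: RSA-OAEP wrap %v, AES-256-GCM bulk %v\n", mib, t1.Sub(t0), time.Since(t1))
	}
}
```

Running it prints the wrap time beside the bulk time for 1 MiB and 16 MiB: the wrap time stays flat while the bulk time grows with the payload, which is the "cost reduced for large files" effect. Whether a hifn card beats the host CPU on that bulk part is exactly the measurement the original poster is proposing; the asymmetric step is the one the hifn driver, per the man page cited above, does not accelerate.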
