From owner-freebsd-current@freebsd.org Tue Nov 10 17:52:21 2015 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F3042A2CC33; Tue, 10 Nov 2015 17:52:21 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (gate2.funkthat.com [208.87.223.18]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "gold.funkthat.com", Issuer "gold.funkthat.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BAD2E17B6; Tue, 10 Nov 2015 17:52:21 +0000 (UTC) (envelope-from jmg@gold.funkthat.com) Received: from gold.funkthat.com (localhost [127.0.0.1]) by gold.funkthat.com (8.14.5/8.14.5) with ESMTP id tAAHqGEL089233 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 10 Nov 2015 09:52:16 -0800 (PST) (envelope-from jmg@gold.funkthat.com) Received: (from jmg@localhost) by gold.funkthat.com (8.14.5/8.14.5/Submit) id tAAHqG31089232; Tue, 10 Nov 2015 09:52:16 -0800 (PST) (envelope-from jmg) Date: Tue, 10 Nov 2015 09:52:16 -0800 From: John-Mark Gurney To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org Subject: Re: OpenSSH HPN Message-ID: <20151110175216.GN65715@funkthat.com> References: <86io5a9ome.fsf@desk.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <86io5a9ome.fsf@desk.des.no> X-Operating-System: FreeBSD 9.1-PRERELEASE amd64 X-PGP-Fingerprint: 54BA 873B 6515 3F10 9E88 9322 9CB1 8F74 6D3F A396 X-Files: The truth is out there X-URL: http://resnet.uoregon.edu/~gurney_j/ X-Resume: http://resnet.uoregon.edu/~gurney_j/resume.html X-TipJar: bitcoin:13Qmb6AeTgQecazTWph4XasEsP7nGRbAPE X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN? can i haz chizburger? User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.7 (gold.funkthat.com [127.0.0.1]); Tue, 10 Nov 2015 09:52:16 -0800 (PST) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Nov 2015 17:52:22 -0000 Dag-Erling Smrgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100: > Therefore, I would like to remove the HPN patches from base and refer > anyone who really needs them to the openssh-portable port, which has > them as a default option. I would also like to remove the NONE cipher > patch, which is also available in the port (off by default, just like in > base). My vote is to remove the HPN patches. First, the NONE cipher made more sense back when we didn't have AES-NI widely available, and you were seriously limited by it's performance. Now we have both aes-gcm and chacha-poly which it's performance should be more than acceptable for today's uses (i.e. cipher performance is 2GB/sec+). Second, I did some testing recently due to a thread on -net, and I found no significant (not run statistically though) difference in performance between in HEAD ssh and OpenSSH 7.1p1. I started a wiki page to talk about this: https://wiki.freebsd.org/SSHPerf Feel free to add to the page any more info. There are other apparent issues w/ ssh that keeps it's performance low on high latency links, but I haven't spend the time to figure out what they are, but in my testing HPN did not increase performance to make use of the fat but high latency link. So, if it's not increasing performance and making us fall behind, why bother with the trouble of keeping the patch? If someone is willing to spend the time doing benchmarks, and prove that the HPN patches do make a difference, I'm willing to work with them to figure out why my tests didn't work and change my vote. I also believe that the defaults should be enough, if you have to tune or enable features, then you can install from ports or compile yourself. -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."