From: Mike Tancsa
To: Nicolas Blais, freebsd-current@freebsd.org
Date: Tue, 31 Oct 2006 23:00:54 -0500
Subject: Re: Hifn 7955/7956 crypto accelerator questions
Message-Id: <200611010358.kA13wprx067313@lava.sentex.ca>
In-Reply-To: <200610311629.06271.nb_root@videotron.ca>

At 04:29 PM 10/31/2006, Nicolas Blais wrote:
>Hi,
>
>I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
>7956) to do some performance tests in a military environment with FreeBSD
>systems. Since this is a big project and I don't want to jump in something
>destined to fail, I'll ask your expertise.

Yes, regardless of what you read, you would want to test it first. So for sure I would recommend you order a couple of Soekris boxes and test! test! test! :)

>1. After searching the mailing lists for reports of performance with openssl
>and crypto accelerators, I did not find anything that showed an increase in
>performance with the cards (though some posts date back to FBSD4.8). Does
>openssl today make correct use of the crypto hardware?

OpenSSL and FAST_IPSEC will make use of it for sure. However, there is a fair bit of overhead to offload the calculations from userland. Generally, you won't see much of an improvement (if any) on a modern fast CPU with a single stream. The place I find where a crypto card really helps with ssh is where you have multiple streams coming in at the same time. For us, it's a big help for our backup server to keep the CPU load down to a reasonable level when we have a dozen or so dumps and tars coming in over ssh all at once. Even with just 3 or 4, it makes a difference for CPU utilization and overall throughput.

>2. From what I understand, ssh is supposed to increase in performance with
>those cards. Assuming two FreeBSD computers with crypto accelerators are
>transferring big files (say sftp) in a cipher that the card and driver
>supports, would the transfer rate be at or near clear-text speed (in a
>100mbps link)?

On a Soekris? 100Mb, I doubt it. Not sure what speeds you would get, but you should try it and see if it would meet your needs.

>3. How does GEOM_ELI use crypto hardware to accelerate working with
>encrypted
>partitions? Again, with big file systems, would a gain in performance be
>noticeable?

Through the crypto(4) framework. Something like a VIA C3 or C7 might give you better results here.
I think pjd@freebsd.org (the author of geli) posted some numbers a while back when he created the padlock driver for the crypto framework.

Although I really like the Soekris products (they are rock solid reliable), if you really need more crypto performance, take a look at something based on the VIA C3 or C7 chips. You can get some very fast AES encryption and there is very good FreeBSD support both through the padlock crypto driver as well as through openssl, e.g.

    openssl speed -evp aes-256-ecb

    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
    aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k

The "slow" numbers are from an Intel Core DUO, 6400 @ 2.13GHz. The fast #s are from a C3 embedded board we use by Commell.

    CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)

---Mike
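
The following is an added example, not part of the original message: a small parser for `openssl speed` result rows that computes, per block size, how the second row compares with the first and where the second starts to win. The sample input is constructed from the two rows quoted in the message; treating row 1 as the Core Duo and row 2 as the VIA C3 is an assumption based on the "slow"/"fast" remark, and the function names are hypothetical.

```python
import re

# Constructed sample: the `openssl speed -evp aes-256-ecb` rows quoted in the
# message, in the order they appear there (row 1 assumed to be the Core Duo,
# row 2 the VIA C3 with padlock).
SAMPLE = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k
"""


def parse_speed(text):
    """Return (block_sizes, rows); each row is (cipher, [kB/s per block size])."""
    sizes, rows = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "type":
            # Header row lists the block sizes the benchmark used.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
        elif (sizes and len(fields) == len(sizes) + 1
              and all(f.endswith("k") for f in fields[1:])):
            rows.append((fields[0], [float(f[:-1]) for f in fields[1:]]))
    return sizes, rows


def compare(text):
    """Map block size -> throughput of row 2 divided by throughput of row 1."""
    sizes, rows = parse_speed(text)
    if len(rows) != 2:
        raise ValueError("expected exactly two result rows to compare")
    (_, base), (_, accel) = rows
    return {s: a / b for s, b, a in zip(sizes, base, accel)}


def break_even(ratios):
    """Smallest block size at which row 2 is faster than row 1, or None."""
    winners = [s for s in sorted(ratios) if ratios[s] > 1.0]
    return winners[0] if winners else None


if __name__ == "__main__":
    ratios = compare(SAMPLE)
    for size in sorted(ratios):
        print(f"{size:>5} bytes: {ratios[size]:6.2f}x")
    print("row 2 wins from block size:", break_even(ratios))
```

On these numbers the second row is slower at 16-byte blocks and pulls ahead from 64 bytes upward, which is why the block size of the real workload matters when reading such benchmarks.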