From: Nicolas Blais
Date: Tue, 31 Oct 2006 23:25:59 -0500
To: freebsd-current@freebsd.org
Cc: Mike Tancsa
Subject: Re: Hifn 7955/7956 crypto accelerator questions

On Tuesday 31 October 2006 23:00, Mike Tancsa wrote:
> At 04:29 PM 10/31/2006, Nicolas Blais wrote:
> >Hi,
> >
> >I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461
> > (hifn 7956) to do some performance tests in a military environment with
> > FreeBSD systems. Since this is a big project and I don't want to jump in
> > something destined to fail, I'll ask your expertise.
>
> Yes, regardless of what you read, you would want to test it
> first. So for sure I would recommend you order a couple of Soekris
> boxes and test! test! test! :)

Well they are cheap, I think I'll try it even if I do not get the expected
result.

>
> >1. After searching the mailing lists for reports of performance with
> > openssl and crypto accelerators, I did not find anything that showed an
> > increase in performance with the cards (though some posts date back to
> > FBSD4.8). Does openssl today make correct use of the crypto hardware?
>
> OpenSSL and FAST_IPSEC will make use of it for sure. However, there
> is a fair bit of overhead to offload the calculations from
> userland. Generally, you won't see much of an improvement (if any) on
> a modern fast CPU with a single stream. The place I find where a
> crypto card really helps with ssh is where you have multiple streams
> coming in at the same time. For us, it's a big help for our backup
> server to keep the cpu load down to a reasonable level when we have a
> dozen or so dumps and tars coming in over ssh all at once. Even with
> just 3 or 4, it makes a difference for cpu utilization and overall
> throughput.

We are usually just using 1 stream per transfer session per host, but the
server could be getting multiple streams. Perhaps it could help the server.

>
> >2. From what I understand, ssh is supposed to increase in performance with
> >those cards. Assuming two FreeBSD computers with crypto accelerators are
> >transferring big files (say sftp) in a cipher that the card and driver
> >supports, would the transfer rate be at or near clear-text speed (in a
> >100mbps link)?
>
> On a soekris? 100Mb, I doubt it. Not sure what speeds you would
> get, but you should try it and see if it would meet your needs

They do claim 500mbps throughput for the vpn1461 and 250mbps for the vpn1401.
Then again, this remains to be proven :).

Currently, on a 100mbps link, an scp transfer between two computers uses
~4mbps. Transferring huge files (>GB) takes a very long time and even if I
could only double the rate to ~8mbps, the time saved would still be worth it
(say 15min instead of 30min for a ~1GB). The goal would be to use the maximum
bandwidth available.

>
> >3. How does GEOM_ELI use crypto hardware to accelerate working with
> >encrypted
> >partitions? Again, with big file systems, would a gain in performance be
> >noticeable?
>
> Through the crypto(4) framework. Something like a VIA C3 or C7 might
> give you better results here. I think pjd@freebsd.org (the author of
> geli) posted some numbers a while back when he created the padlock
> driver for the crypto framework. Although I really like the Soekris
> products, (they are rock solid reliable) if you really need more
> crypto performance, take a look at something based on the via C3 or
> C7 chips. You can get some very fast AES encryption and there is
> very good FreeBSD support both through the padlock crypto driver as
> well as through openssl
>
> e.g.
> openssl speed -evp aes-256-ecb
>
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
> aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k
>
>
> The "slow" numbers are from an Intel Core DUO, 6400 @ 2.13GHz. The
> fast #s are from a C3 embedded board we use by Commell.
> CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)
>

Wow that is surprisingly fast! I just tried a test myself:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      43367.29k    45096.90k    45855.74k    46049.83k    46084.44k

CPU: AMD Athlon(tm) 64 Processor 3000+ (2493.04-MHz 686-class CPU)

These systems (and numbers!) look nice, unfortunately I have to stay out of
the embedded :(

Nicolas.

-- 
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
    nicblais@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc
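
Added example (not part of the original message or of any poster's code): a small Python parser for the `openssl speed -evp aes-256-ecb` rows quoted in the thread, computing the per-block-size ratio between the Core Duo row and the VIA C3 row. The function names and the sample constant are assumptions made for illustration; the figures are copied from the message.

```python
# Added example: parse `openssl speed` result rows and compare two machines.
# SAMPLE holds the two rows quoted in the thread (first: Intel Core Duo,
# second: VIA C3 with padlock). Function names are chosen for this example.

SAMPLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k
"""


def parse_speed(text):
    """Return (block_sizes, rows); each row is a list of bytes per second."""
    sizes, rows = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "type":
            # Header looks like: type 16 bytes 64 bytes ...
            sizes = [int(f) for f in fields[1:] if f.isdigit()]
        elif fields[-1].endswith("k"):
            # openssl reports thousands of bytes per second with a 'k' suffix
            rows.append([float(f[:-1]) * 1000 for f in fields[1:]])
    return sizes, rows


def speedup(baseline, candidate):
    """Ratio candidate/baseline for each block size."""
    return [c / b for b, c in zip(baseline, candidate)]


def mbit_per_s(bytes_per_s):
    """Convert bytes/second to megabits/second, the unit used for link speeds."""
    return bytes_per_s * 8 / 1e6


if __name__ == "__main__":
    sizes, (core_duo, via_c3) = parse_speed(SAMPLE)
    for size, ratio, rate in zip(sizes, speedup(core_duo, via_c3), via_c3):
        print(f"{size:>5} bytes: C3/CoreDuo = {ratio:5.2f}x, "
              f"C3 = {mbit_per_s(rate):8.1f} Mbit/s")
```

On these figures the C3 row is slower than the Core Duo row at 16-byte blocks and about 19 times faster at 8192-byte blocks.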