Date: Tue, 31 Oct 2006 23:25:59 -0500
From: Nicolas Blais <nb_root@videotron.ca>
To: freebsd-current@freebsd.org
Cc: Mike Tancsa <mike@sentex.net>
Subject: Re: Hifn 7955/7956 crypto accelerator questions
Message-ID: <200610312326.05311.nb_root@videotron.ca>
In-Reply-To: <200611010358.kA13wprx067313@lava.sentex.ca>
References: <200610311629.06271.nb_root@videotron.ca> <200611010358.kA13wprx067313@lava.sentex.ca>

On Tuesday 31 October 2006 23:00, Mike Tancsa wrote:
> At 04:29 PM 10/31/2006, Nicolas Blais wrote:
> >Hi,
> >
> >I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461
> > (hifn 7956) to do some performance tests in a military environment with
> > FreeBSD systems. Since this is a big project and I don't want to jump in
> > something destined to fail, I'll ask your expertise.
>
> Yes, regardless of what you read, you would want to test it
> first. So for sure I would recommend you order a couple of Soekris
> boxes and test! test! test! :)

Well they are cheap, I think I'll try it even if I do not get the expected
result.

>
> >1. After searching the mailing lists for reports of performance with
> > openssl and crypto accelerators, I did not find anything that showed an
> > increase in performance with the cards (though some posts date back to
> > FBSD4.8). Does openssl today make correct use of the crypto hardware?
>
> OpenSSL and FAST_IPSEC will make use of it for sure. However, there
> is a fair bit of overhead to offload the calculations from
> userland. Generally, you won't see much of an improvement (if any) on
> a modern fast CPU with a single stream. The place I find where a
> crypto card really helps with ssh is where you have multiple streams
> coming in at the same time. For us, it's a big help for our backup
> server to keep the cpu load down to a reasonable level when we have a
> dozen or so dumps and tars coming in over ssh all at once. Even with
> just 3 or 4, it makes a difference for cpu utilization and overall
> throughput.

We are usually just using 1 stream per transfer session per host, but the
server could be getting multiple streams. Perhaps it could help the server.

>
> >2. From what I understand, ssh is supposed to increase in performance with
> >those cards. Assuming two FreeBSD computers with crypto accelerators are
> >transferring big files (say sftp) in a cipher that the card and driver
> >supports, would the transfer rate be at or near clear-text speed (in a
> >100mbps link)?
>
> On a soekris ? 100Mb, I doubt it. Not sure what speeds you would
> get, but you should try it and see if it would meet your needs

They do claim 500mbps throughput for the vpn1461 and 250mbps for the vpn1401.
Then again, this remains to be proven :).

Currently, on a 100mbps link, an scp transfer between two computers uses
~4mbps. Transferring huge files (>GB) takes a very long time and even if I
could only double the rate to ~8mbps, the time saved would still be worth it
(say 15min instead of 30min for a ~1GB). The goal would be to use the maximum
bandwidth available.

>
> >3. How does GEOM_ELI use crypto hardware to accelerate working with
> >encrypted
> >partitions? Again, with big file systems, would a gain in performance be
> >noticeable?
>
> Through the crypto(4) framework. Something like a VIA C3 or C7 might
> give you better results here. I think pjd@freebsd.org (the author of
> geli) posted some numbers a while back when he created the padlock
> driver for the crypto framework. Although I really like the Soekris
> products, (they are rock solid reliable) if you really need more
> crypto performance, take a look at something based on the via C3 or
> C7 chips. You can get some very fast AES encryption and there is
> very good FreeBSD support both through the padlock crypto driver as
> well as through openssl
>
> e.g.
> openssl speed -evp aes-256-ecb
>
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
> aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k
>
>
> The "slow" numbers are from an Intel Core DUO, 6400 @ 2.13GHz. The
> fast #s are from an C3 embedded board we use by Commell.
> CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)
>

Wow that is surprisingly fast! I just tried a test myself:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      43367.29k    45096.90k    45855.74k    46049.83k    46084.44k

CPU: AMD Athlon(tm) 64 Processor 3000+ (2493.04-MHz 686-class CPU)

These systems (and numbers!) look nice, unfortunately I have to stay out of
the embedded :(

Nicolas.

-- 
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
nicblais@clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc
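
Added example, not part of the message above: a small Python parser for the `openssl speed` result rows quoted in this thread, which computes the per-block-size throughput ratio between two machines and the smallest block size at which the VIA C3 row overtakes the Core Duo row. The function names and row labels are chosen here for illustration; the figures are the ones quoted in the message.

```python
import re

# Block sizes in the column order of the `openssl speed` table quoted above.
BLOCK_SIZES = (16, 64, 256, 1024, 8192)

# Result rows exactly as quoted in the thread ("k" = 1000s of bytes per second).
ROWS = {
    "core_duo": "aes-256-ecb 42023.12k 44053.24k 44642.50k 44622.43k 44814.01k",
    "via_c3":   "aes-256-ecb 37529.17k 142774.72k 390269.36k 678968.25k 870247.80k",
    "athlon64": "aes-256-ecb 43367.29k 45096.90k 45855.74k 46049.83k 46084.44k",
}

def parse_speed_row(line):
    """Return (cipher, {block_size: bytes_per_second}) for one result row."""
    fields = line.split()
    cipher, values = fields[0], fields[1:]
    if len(values) != len(BLOCK_SIZES):
        raise ValueError(f"expected {len(BLOCK_SIZES)} columns, got {len(values)}")
    rates = {}
    for size, value in zip(BLOCK_SIZES, values):
        match = re.fullmatch(r"(\d+(?:\.\d+)?)k", value)
        if match is None:
            raise ValueError(f"unrecognised throughput field: {value!r}")
        rates[size] = float(match.group(1)) * 1000.0
    return cipher, rates

def speedup(baseline, candidate):
    """Ratio candidate/baseline per block size; below 1.0 means slower."""
    return {size: candidate[size] / baseline[size] for size in BLOCK_SIZES}

def crossover_block_size(baseline, candidate):
    """Smallest block size at which candidate beats baseline, else None."""
    for size in BLOCK_SIZES:
        if candidate[size] > baseline[size]:
            return size
    return None

def compare(baseline_key, candidate_key):
    """Parse two quoted rows and return (ratios, crossover block size)."""
    _, base = parse_speed_row(ROWS[baseline_key])
    _, cand = parse_speed_row(ROWS[candidate_key])
    return speedup(base, cand), crossover_block_size(base, cand)

if __name__ == "__main__":
    ratios, crossover = compare("core_duo", "via_c3")
    for size in BLOCK_SIZES:
        print(f"{size:>5} bytes: VIA C3 / Core Duo = {ratios[size]:.2f}x")
    print("C3 row is faster from block size:", crossover)
```

On the quoted figures the C3 row is slower at 16-byte blocks and ahead at every larger block size, so the per-call cost matters most for workloads that encrypt in small chunks.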
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200610312326.05311.nb_root>