Date:      Wed, 11 Nov 2015 15:38:13 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        John-Mark Gurney <jmg@funkthat.com>
Cc:        Ben Woods <woodsb02@gmail.com>, "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>, Dag-Erling Smørgrav <des@des.no>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org>
Subject:   Re: OpenSSH HPN
Message-ID:  <20151111123813.GD48728@zxy.spb.ru>
In-Reply-To: <20151111075930.GR65715@funkthat.com>
References:  <86io5a9ome.fsf@desk.des.no> <20151110175216.GN65715@funkthat.com> <56428C84.8050600@FreeBSD.org> <CAOc73CAHQ0FRPES7GrM6ckkWfgZCS3Se7GFUrDO4pR_EMVSvZQ@mail.gmail.com> <20151111075930.GR65715@funkthat.com>

On Tue, Nov 10, 2015 at 11:59:30PM -0800, John-Mark Gurney wrote:

> Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:
> > On Wednesday, 11 November 2015, Bryan Drewery <bdrewery@freebsd.org> wrote:
> > 
> > > On 11/10/15 9:52 AM, John-Mark Gurney wrote:
> > > > My vote is to remove the HPN patches.  First, the NONE cipher made more
> > > > sense back when we didn't have AES-NI widely available, and you were
> > > > seriously limited by its performance.  Now we have both aes-gcm and
> > > > chacha-poly, whose performance should be more than acceptable for
> > > > today's uses (i.e. cipher performance is 2GB/sec+).
> > >
> > > AES-NI doesn't help the absurdity of double-encrypting when using scp or
> > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use
> > > for me.
> > 
> > I have to agree that there are cases when the NONE cipher makes sense, and
> > it is up to the end user to make sure they know what they are doing.
> > 
> > Personally I have used it at home to backup my old FreeBSD server (which
> > does not have AESNI) over a dedicated network connection to a backup server
> > using rsync/ssh. Since it was not possible for anyone else to be on that
> > local network, and the server was so old it didn't have AESNI and would
> > soon be retired, using the NONE cipher sped up the transfer significantly.
> 
> If you have a trusted network, why not just use nc?

I think you're kidding:

- scp needs only one command on the initiator side and
  no additional setup on the target. Simple, well known.
- nc needs additional work on the target, needs synchronization of file
  names with the target, also needs ssh to the target to start, etc... Too
  complex.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151111123813.GD48728>