From: Kostik Belousov
Date: Sat, 4 Sep 2010 00:43:22 +0300
To: Ricky Charlet
Cc: freebsd-net@freebsd.org, Ivan Voras, freebsd-security@freebsd.org
Subject: Re: seeking current supported crypto co-processors

On Fri, Sep 03, 2010 at 02:26:37PM -0700, Ricky Charlet wrote:
> Thanks Ivan,
>
> You have some valid points about performance. I was hoping not to get distracted from the main thrust of my question by performance considerations though.
>
> Are there PCIe attachable crypto co-processors with current vendor support for FreeBSD8.x? If anyone else reading this thread wants to chime in with info about current supported crypto co-processors that plug in via PCIe, please drop a note.
>
>
> However, I think you do deserve a reply on the performance topic...
>
> I am close enough to agreeing with you to not argue much about whether modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am currently married to (a touch old but not that bad), seems to be able to throw around 200Mb of IP-ESP data around. However, in spite of these observations, I would prefer if my system could handle that throughput load and yet have CPU power left over for other tasks.
>
> I'm very attracted to Andre's mention of "newer x86/amd64
> CPU's see: http://en.wikipedia.org/wiki/AES_instruction_set". Does
> anyone know if FreeBSD supports or will support this through either
> /dev/crypto or through openssl (or any other mechanism I guess)?

I believe recent OpenSSL 1.x supports AESNI in usermode. For the AES acceleration in the kernel and /dev/crypto support see the aesni driver in the recent HEAD, working both on i386 and amd64 architectures. I had a plan to merge the driver into RELENG_8, but it is stalled due to some issues (not related to the driver quality).