From: Chuck Swiger
Date: Thu, 27 May 2010 14:07:53 -0700
To: Peter Cornelius
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto? (was: FreeBSD router - large scale)
Message-id: <24902239-9767-444C-9C50-F51ACEEAEB97@mac.com>
In-reply-to: <20100527204912.143520@gmx.net>
References: <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net>

On May 27, 2010, at 1:49 PM, Peter Cornelius wrote:
> Hi,
>
>> NAT. Doing serious crypto slows things up somewhat.
>
> I've been pondering this for a while but thought that crypto engines on modern hardware would make 'extra' hardware accelerators obsolete?

It depends upon usage.

> Or is it still worthwhile to consider hardware accelerators such as the ones guys like soekris [1] and others offer? Does anyone have an idea "how much" such an accelerator may help on older vs. on newer hardware?

Something like a 1GHz P3 or equivalent can generally do the symmetric crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus limitations made faster CPUs better, although a newer PCIe crypto device ought to be more competitive.

What matters more for some common use cases is that crypto H/W tends to do asymmetric crypto like RSA/DSA signing to negotiate a shared session key-- aka SSL session creation for SSL websites, secure email, SSH keys, etc-- much faster than normal CPUs could.

> Would multiple engines work (and help) at all? From crypto(4), I would not guess so. One consequence would be that there may be certain limitations in using a separate accelerator once the platform comes with its own accelerator device?

Sure, you can set up multiple engines, although this does better if you have separate services using each, since you do want to use an SSL session cache, but you don't want to pollute one for HTTPS with sessions from IMAPS and vice versa. Also, the config interface for Apache/IIS/whatever, or Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine.

On the other hand, it's not very much coding to adjust things to use multiple engines even within Apache or whatever-- I can recall some custom webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use multiple CryptoSwift boxes via ethernet network or local PCI slots, for example.

Regards,
--
-Chuck
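As an added illustration of the two points Chuck makes above (that one asymmetric operation per SSL session costs far more CPU than the symmetric work on each record, and that a session cache lets resumed connections skip that expensive step), here is a stdlib-only microbenchmark. It is example code written for this page, not from the thread, the FreeBSD project or any of the products named. It assumes two stand-ins: a 2048-bit modular exponentiation with a random odd modulus in place of a real RSA private-key operation (only the cost of pow() matters, so no key is generated), and HMAC-SHA256 over a 16 KiB record in place of AES, which the standard library lacks. The traffic figures (200 new sessions/s, 50 MB/s, 90% cache hit rate) are constructed; real numbers for a given CPU or accelerator come from `openssl speed rsa2048` and `openssl speed -evp aes-128-cbc`.

```python
"""Microbenchmark: asymmetric handshake cost vs. symmetric per-record cost,
and the CPU share saved by an SSL session cache. Added example, not from the
mailing-list thread; see the lead-in for the assumptions it makes."""
import hashlib
import hmac
import secrets
import time

RECORD_BYTES = 16 * 1024  # largest TLS record plaintext


def bench(fn, iters):
    """Return mean wall-clock seconds per call of fn() over iters calls."""
    t0 = time.perf_counter()
    for _ in range(iters):
        fn()
    return (time.perf_counter() - t0) / iters


def asym_cost_s(bits=2048, iters=20):
    """Seconds for one full-size modular exponentiation (assumption: stand-in
    for an RSA private-key signing/decrypt op). The modulus is a constructed
    random odd number, not a key; only the arithmetic cost is measured."""
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
    d = secrets.randbits(bits) | (1 << (bits - 1))      # full-length exponent
    m = secrets.randbelow(n)
    return bench(lambda: pow(m, d, n), iters)


def sym_cost_s(iters=200):
    """Seconds to authenticate one 16 KiB record with HMAC-SHA256 (assumption:
    stand-in for the per-record symmetric work a cipher would do)."""
    key = secrets.token_bytes(32)
    record = secrets.token_bytes(RECORD_BYTES)  # constructed sample record
    return bench(lambda: hmac.new(key, record, hashlib.sha256).digest(), iters)


def cpu_share(asym_s, sym_s, new_sessions_per_s, mbytes_per_s, cache_hit_rate=0.0):
    """Fraction of one CPU-second consumed each second by handshakes and by
    bulk record work. Sessions resumed from the session cache skip the
    asymmetric step, so only (1 - cache_hit_rate) of them pay asym_s."""
    records_per_s = mbytes_per_s * 1024 * 1024 / RECORD_BYTES
    handshake = new_sessions_per_s * (1.0 - cache_hit_rate) * asym_s
    bulk = records_per_s * sym_s
    return {"handshake": handshake, "bulk": bulk, "total": handshake + bulk}


def summarize(asym_s=None, sym_s=None):
    """Measure both costs (unless supplied) and compare a server with and
    without a session cache at the constructed traffic level."""
    asym_s = asym_cost_s() if asym_s is None else asym_s
    sym_s = sym_cost_s() if sym_s is None else sym_s
    return {
        "asym_s": asym_s,
        "sym_s": sym_s,
        "ratio": asym_s / sym_s,  # how many records equal one handshake
        "no_cache": cpu_share(asym_s, sym_s, 200, 50, 0.0),
        "cached": cpu_share(asym_s, sym_s, 200, 50, 0.9),
    }


if __name__ == "__main__":
    r = summarize()
    print(f"asymmetric op : {r['asym_s'] * 1e3:8.3f} ms")
    print(f"16 KiB record : {r['sym_s'] * 1e6:8.1f} us")
    print(f"one handshake costs as much as {r['ratio']:.0f} records")
    for label in ("no_cache", "cached"):
        s = r[label]
        print(f"{label:9s}: handshake {s['handshake']:.2f} CPU, "
              f"bulk {s['bulk']:.2f} CPU, total {s['total']:.2f} CPU")
```

Run it on the box in question: the first two lines show the per-operation gap, and the last two show why Chuck separates the decision to offload asymmetric work from the decision to offload bulk symmetric work. The handshake share is the part a PCI/PCIe accelerator or a higher cache hit rate removes; the bulk share scales only with throughput and is what a fast CPU already handles well.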