From owner-freebsd-questions@FreeBSD.ORG Fri May 28 07:40:42 2010
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Fri, 28 May 2010 08:40:36 +0100
Message-ID: <4BFF7374.8090608@infracaninophile.co.uk>
In-Reply-To: <20100527204912.143520@gmx.net>
References: <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net>
To: Peter Cornelius
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 27/05/2010 21:49:12, Peter Cornelius wrote:
>> NAT. Doing serious crypto slows things up somewhat.
>
> I've been pondering this for a while but thought that crypto
> engines on modern hardware would make 'extra' hardware accelerators
> obsolete?

Yes -- in many use cases this is true. Modern processors are fast
enough that they don't need an external accelerator to perform. It
doesn't mean that running crypto imposes *no* extra cost on a server.
For instance, a web server running HTTP will (roughly speaking) be able
to support an order of magnitude more simultaneous sessions than the
same site served over HTTPS.

> Or is it still worthwhile to consider hardware accelerators such as
> the ones guys like soekris [1] and others offer? Does anyone have an
> idea "how much" such an accelerator may help on older vs. on newer
> hardware?

Those soekris boards are designed to work in low power (both in wattage
and in compute capability) appliances. That is a perfectly viable
alternative design for a crypto-gateway router / packet filter intended
for traffic levels within the specification they claim.

Hmmm... 250Mb/s IPSec throughput is (I think -- not having tried this,
I cannot be certain) easily accessible through a fairly run of the mill
server such as the HP Proliant DL120 G6. Of course, the HP box costs
about 4--5 times as much as the Soekris. It will have a great deal more
spare RAM, disk, compute capacity etc. No idea about on-going support
costs, but I don't think you could get support cover with a 4 hour
on-site response from Soekris...

> Would multiple engines work (and help) at all? From crypto(4), I
> would not guess so. One consequence would be that there may be
> certain limitations in using a separate accelerator once the platform
> comes with its own accelerator device?

One feature that hardware accelerator boards provide which is hard to
get otherwise is plenty of random numbers on tap. Generating
cryptographically strong randomness in volume is pretty hard
computationally, and a hardware solution really helps things like IPSec
throughput.

Also, if you need really high volume crypto traffic throughput
(multiple Gb/s levels), then yes, you will need specialised hardware.
However, in this case, you're likely to be using pretty fancy routers
(Cisco, Juniper, etc.) and those all have options for hardware
acceleration built into interface cards.

Cheers,

Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv/c3QACgkQ8Mjk52CukIxJIwCbBTN1wcUcOodn6s7Sxa8yv4lE
d+sAmwTZLxLo7KyMIdEKJJOLfa8OfVmI
=KzX7
-----END PGP SIGNATURE-----
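The question of whether a modern CPU's own crypto engine makes an add-on accelerator redundant can be answered on the box in front of you rather than guessed at. The script below is an added example, not part of the original thread or of any FreeBSD or Soekris code: it runs `openssl speed` for a symmetric cipher twice, once normally and once with the CPU's AES-NI and PCLMULQDQ instructions masked off via the `OPENSSL_ia32cap` environment variable, and reports the ratio. It assumes an x86 host with OpenSSL 1.1 or later (for the `-seconds` flag); the mask value `~0x200000200000000` and the constructed sample output used to exercise the parser are assumptions documented in the comments.

```shell
#!/bin/sh
# Added example (not from the original post): measure how much the CPU's
# built-in AES-NI instructions buy you compared with a pure-software AES,
# using `openssl speed`. Assumes an x86 host and OpenSSL >= 1.1.
#
# OPENSSL_ia32cap lets you mask CPUID feature bits that OpenSSL sees.
# "~0x200000200000000" clears bit 57 (AES-NI) and bit 33 (PCLMULQDQ),
# forcing OpenSSL onto its software AES/GHASH code paths.
NO_AESNI_MASK='~0x200000200000000'

# speed_kbps CIPHER
#   Reads `openssl speed -evp CIPHER` output on stdin and prints the
#   throughput (in kB/s, the "k" suffix stripped) for the largest block
#   size, i.e. the last numeric column of the cipher's summary line.
#   Matching is case-insensitive because OpenSSL 3 prints "AES-128-CBC".
speed_kbps() {
    awk -v c="$1" '
        tolower($1) == tolower(c) { v = $NF; sub(/k$/, "", v); print v }
    '
}

# speedup HW_KBPS SW_KBPS
#   Prints HW/SW to one decimal place, e.g. "5.0".
speedup() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", a / b }'
}

# run_compare [CIPHER]
#   Benchmarks CIPHER with and without AES-NI and prints both rates and
#   the ratio. Returns 1 if openssl is not installed.
run_compare() {
    cipher="${1:-aes-128-cbc}"
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found in PATH" >&2
        return 1
    }
    hw=$(openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null \
         | speed_kbps "$cipher")
    sw=$(OPENSSL_ia32cap="$NO_AESNI_MASK" \
         openssl speed -elapsed -seconds 1 -evp "$cipher" 2>/dev/null \
         | speed_kbps "$cipher")
    printf '%s with AES-NI   : %s kB/s\n' "$cipher" "$hw"
    printf '%s software only : %s kB/s\n' "$cipher" "$sw"
    printf 'speed-up             : %sx\n' "$(speedup "$hw" "$sw")"
}

# Constructed sample of an `openssl speed -evp aes-128-cbc` summary block,
# used to exercise the parser offline (numbers are made up).
SAMPLE_SPEED_OUTPUT='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc     812345.67k  1234567.89k  1345678.90k  1400000.00k  1420000.00k  1425000.00k'

# Parse the constructed sample; the real benchmark only runs when asked
# for explicitly, since it takes several seconds and needs openssl.
printf '%s\n' "$SAMPLE_SPEED_OUTPUT" | speed_kbps aes-128-cbc
if [ "${RUN_SPEED:-0}" = 1 ]; then
    run_compare "${1:-aes-128-cbc}"
fi
```

Run it as `RUN_SPEED=1 sh aesni-compare.sh aes-128-gcm` to benchmark a real cipher; without `RUN_SPEED=1` it only parses the embedded sample. A large ratio on a current x86 server backs up the point that the CPU already carries a crypto engine for bulk symmetric work; what it does not measure is the per-connection asymmetric cost of a TLS handshake, which is where the HTTP-versus-HTTPS session gap the reply mentions mostly comes from.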