From: "Peter Cornelius"
To: Chuck Swiger
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Date: Fri, 28 May 2010 10:06:31 +0200
Subject: Re: 'Serious' crypto? (was: FreeBSD router - large scale)
Message-ID: <20100528080631.143490@gmx.net>
In-Reply-To: <24902239-9767-444C-9C50-F51ACEEAEB97@mac.com>
References: <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <24902239-9767-444C-9C50-F51ACEEAEB97@mac.com>
List-Id: User questions

Hi Chuck,

Thanks for the response.

> > Or is it still worthwhile to consider hardware accelerators such as the
> > ones guys like soekris [1] and others offer? Does anyone have an idea "how
> > much" such an accelerator may help on older vs. on newer hardware?
>
> Something like a 1GHz P3 or equivalent can generally do the symmetric
> crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus
> limitations made faster CPUs better, although a newer PCIe crypto device
> ought to be more competitive.
>
> What matters more for some common use cases is that crypto H/W tends to do
> asymmetric crypto like RSA/DSA signing to negotiate a shared session key--
> aka SSL session creation for SSL websites, secure email, SSH keys, etc
> much faster than normal CPUs could.

I guess I'll try first without and see where I hit the ceiling. Then go to plan B. I was more thinking of many IPsec connections, but then there's also only so many slots and so many NICs in them. I'll try without and monitor that for a while and then see what happens.

> > Would multiple engines work (and help) at all? From crypto(4), I would
> > not guess so. One consequence would be that there may be certain limitations
> > in using a separate accelerator once the platform comes with its own
> > accelerator device?
>
> Sure, you can set up multiple engines, although this does better if you
> have separate services using each, since you do want to use an SSL session
> cache, but you don't want to pollute one for HTTPS with sessions from IMAPS
> and vice versa. Also, the config interface for Apache/IIS/whatever, or
> Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine.
>
> On the other hand, it's not very much coding to adjust things to use
> multiple engines even within Apache or whatever-- I can recall some custom
> webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use
> multiple CryptoSwift boxes via ethernet network or local PCI slots, for
> example.

Hmm... I was thinking more like round-robin the devices, but I probably know too little about 'serious' crypto to see the side-effects. Anyway, I think the question is a bit academic at this time since I'll probably divide the servers anyway.
Thanks again,

All the best regards,

Peter.