From: "Peter Cornelius"
To: Matthew Seaman
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto?
Date: Fri, 28 May 2010 10:20:11 +0200
Message-ID: <20100528082011.143490@gmx.net>
In-Reply-To: <4BFF7374.8090608@infracaninophile.co.uk>
References: <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk>
List-Id: freebsd-questions (User questions)

Hi Matthew,

Thanks for the response.

> >> NAT. Doing serious crypto slows things up somewhat.
> >
> > I've been pondering this for a while but thought that crypto
> > engines on modern hardware would make 'extra' hardware accelerators
> > obsolete?
>
> Yes -- in many use cases this is true. Modern processors are fast
> enough that they don't need an external accelerator to perform. It
> doesn't mean that running crypto imposes *no* extra cost on a server.
> For instance, a web server running HTTP will (roughly speaking) be able
> to support an order of magnitude more simultaneous sessions than the
> same site served over HTTPS.

And a hardware crypto device will level HTTPS to the HTTP volume without it?

> > Or is it still worthwhile to consider hardware accelerators such as
> > the ones guys like soekris [1] and others offer? Does anyone have an
> > idea "how much" such an accelerator may help on older vs. on newer
> > hardware?
>
> Those soekris boards are designed to work in low power (both in wattage
> and in compute capability) appliances. That is a perfectly viable
> alternative design for a crypto-gateway router / packet filter intended
> for traffic levels within the specification they claim.

That is what I currently consider. The low power is a good thing. I just
wonder whether it is worthwhile to hunt for "newer" hardware (= more
expensive, both in wattage and procurement) or stick to a known platform
and just add a new component.

> Hmmm... 250Mb/s IPSec throughput is (I think -- not having tried this, I
> cannot be certain) easily accessible through a fairly run of the mill
> server such as the HP Proliant DL120 G6. Of course, the HP box costs
> about 4--5 times as much as the Soekris. It will have a great deal more
> spare RAM, disk, compute capacity etc. No idea about on-going support
> costs, but I don't think you could get support cover with a 4 hour
> on-site response from Soekris...

I know the DL series, though I have used the DL360 G4-G6 ones more. I
like something with low noise and power intake, hopefully achieving
passive cooling.

> > Would multiple engines work (and help) at all? From crypto(4), I
> > would not guess so. One consequence would be that there may be
> > certain limitations in using a separate accelerator once the platform
> > comes with its own accelerator device?
>
> One feature that hardware accelerator boards provide which is hard to
> get otherwise is plenty of random numbers on tap. Generating
> cryptographically strong randomness in volume is pretty hard
> computationally, and a hardware solution really helps things like IPSec
> throughput.

I think I do understand that (I hope :))

> Also, if you need really high volume crypto traffic throughput (multiple
> Gb/s levels), then yes, you will need specialised hardware. However, in
> this case, you're likely to be using pretty fancy routers (Cisco,
> Juniper, etc.) and those all have options for hardware acceleration
> built into interface cards.

Yes, I know the Ciscos very well, but currently the Junipers look more
appropriate to me for one application we have. The Junipers probably go
outside, the ASAs inside. My reason for the post was more another
'quiet' and 'low-power' project I have, so that's probably a completely
different pair of shoes. I'll try without first and then see what comes
out of it.

Thanks again, and all the best,

Peter.
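The open question in this exchange, how much a crypto(4) accelerator actually buys on a given box, is one you can measure rather than guess. The script below is an added example, not code from this thread or from the FreeBSD or OpenSSL projects. It runs `openssl speed` once through OpenSSL's built-in software ciphers and once through the cryptodev engine, which hands bulk-cipher work to /dev/crypto (on FreeBSD the cryptodev kernel module must be loaded for that device to exist). It assumes an OpenSSL build that still ships the cryptodev engine, as the 1.0.x builds of that era did; OpenSSL 3 deprecates engines, so on a modern build the engine run will simply produce no figure and the script says so. The sample `openssl speed` output embedded in it is constructed for illustration, not measured.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/OpenSSL: compare
# OpenSSL bulk-cipher throughput via software and via the cryptodev engine
# (assumed present in this OpenSSL build; on FreeBSD: kldload cryptodev).

# speed_kbps CIPHER [BLOCKSIZE]: read `openssl speed` output on stdin and
# print the kB/s figure for CIPHER at BLOCKSIZE bytes (default 8192) as an
# integer. The column index is taken from the "type 16 bytes 64 bytes ..."
# header line, so builds that add a 16384-byte column do not shift it.
speed_kbps() {
    awk -v c="$1" -v bs="${2:-8192}" '
        $1 == "type" { for (i = 2; i <= NF; i += 2) if ($i == bs) col = i / 2 + 1 }
        $1 == c && col { v = $col; sub(/k$/, "", v); printf "%d\n", v }'
}

# ratio_pct SW HW: HW throughput as a percentage of SW (100 = no gain).
ratio_pct() {
    echo $(( $2 * 100 / $1 ))
}

# report CIPHER BLOCKSIZE SW_OUTPUT HW_OUTPUT: print one comparison line,
# or return non-zero when either run produced no usable figure.
report() {
    sw_k=$(printf '%s\n' "$3" | speed_kbps "$1" "$2")
    hw_k=$(printf '%s\n' "$4" | speed_kbps "$1" "$2")
    if [ -z "$sw_k" ] || [ -z "$hw_k" ]; then
        echo "$1: no figure at $2 bytes (no openssl, or no cryptodev engine in this build)" >&2
        return 1
    fi
    echo "$1 @ ${2}B: software ${sw_k} kB/s, cryptodev ${hw_k} kB/s ($(ratio_pct "$sw_k" "$hw_k")%)"
}

# compare_engine [CIPHER]: the live measurement. -elapsed uses wall-clock
# time, which matters here because the engine path waits on the device
# rather than burning CPU, so user-time figures would flatter it.
compare_engine() {
    cipher=${1:-aes-128-cbc}
    sw_out=$(openssl speed -elapsed -evp "$cipher" 2>/dev/null)
    hw_out=$(openssl speed -elapsed -engine cryptodev -evp "$cipher" 2>/dev/null)
    for bs in 64 1024 8192; do
        report "$cipher" "$bs" "$sw_out" "$hw_out"
    done
}

# Constructed sample output (illustrative numbers, not measurements) in the
# layout openssl prints. It shows the shape to expect: the engine loses on
# small blocks because each call is an ioctl round trip to /dev/crypto and
# only pulls ahead once that overhead is amortised over a large buffer.
SAMPLE_SW='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc      61000.00k   120000.00k   145000.00k   152000.00k   153000.00k'
SAMPLE_HW='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc       9000.00k    35000.00k   130000.00k   320000.00k   459000.00k'

case "${1:-}" in
    --run) compare_engine "${2:-aes-128-cbc}" ;;
    *) for bs in 64 1024 8192; do report aes-128-cbc "$bs" "$SAMPLE_SW" "$SAMPLE_HW"; done ;;
esac
```

Run it as `sh crypto-bench.sh --run aes-128-cbc` on the candidate box; without `--run` it only walks the constructed sample. Read the 1024-byte column rather than the 8192-byte one when the workload is IPsec: packet payloads are around 1500 bytes, so per-packet offload sits much closer to that column, and a small-block loss is the usual reason an accelerator disappoints on a VPN gateway. This measures bulk ciphers only; the HTTPS-versus-HTTP session count raised above is dominated by the RSA handshake, which is a separate `openssl speed rsa` figure and a separate offload question.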