Date: Fri, 28 May 2010 09:47:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Peter Cornelius <pcc@gmx.net>
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto?
Message-ID: <4BFF833E.6060301@infracaninophile.co.uk>
In-Reply-To: <20100528082011.143490@gmx.net>
References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk> <20100528082011.143490@gmx.net>
On 28/05/2010 09:20:11, Peter Cornelius wrote:
>> > Yes -- in many use cases this is true. Modern processors are fast
>> > enough that they don't need an external accelerator to perform. It
>> > doesn't mean that running crypto imposes *no* extra cost on a server.
>> > For instance, a web server running HTTP will (roughly speaking) be able
>> > to support an order of magnitude more simultaneous sessions than the
>> > same site served over HTTPS.
> And a hardware crypto device will level HTTPS to the HTTP volume
> without it?

Probably. The usual approach with HTTPS once traffic levels get big
enough is crypto-offload. You use a separate device as the crypto
endpoint: typically built into a load balancer. You can do this using a
PF based firewall using relayd(8) for a lot less money, and in this case
one crypto accelerator card in your firewall could support several
webservers behind it.

>> > Also, if you need really high volume crypto traffic throughput (multiple
>> > Gb/s levels), then yes, you will need specialised hardware. However, in
>> > this case, you're likely to be using pretty fancy routers (Cisco,
>> > Juniper, etc.) and those all have options for hardware acceleration
>> > built into interface cards.
> Yes, I know the Ciscos very well but currently the Junipers look
> more appropriate to me for one application we have. The Junipers
> probably go outside the ASAs inside.

Heh. When I said 'pretty fancy kit' I meant something considerably more
*shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity
server is roughly performance compatible with a 5510 but considerably
cheaper if you want all the trimmings like high-availability, unlimited
numbers of servers, GB on all interfaces etc. Note that ASA5510 level
kit tends to do things like deep packet inspection, content based
filtering etc. [Not to mention fubar'ing EDNS0 and screwing with SMTP
so hard it breaks.]

PF itself is purely based on dealing with packet headers: however you
can easily add things like squid caching and filtering, snort etc. but
these will ramp up the CPU requirements beyond what a small appliance
could support.

> My reason for the post was considering more another 'quiet' and
> 'lowpower' project I have, so that's probably a completely different
> pair of shoes. I'll try without first and then see what comes out of
> it.

Commodity servers certainly don't fulfil the "quiet" requirement. Most
of them have enough fannage to build a fairly respectable hovercraft.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
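The crypto-offload layout described above (relayd(8) on a PF firewall terminating TLS for several plain-HTTP web servers behind it), written out as an added relayd.conf example; this is not Matthew's configuration and not from the thread. It assumes the 203.0.113.10 / 10.0.0.0/24 documentation addresses and current relayd.conf(5) syntax (the `tls` keyword; relayd of 2010 spelled it `ssl`); cipher and protocol-version options are left at relayd's defaults.

```conf
# Added example: relayd as the TLS endpoint in front of plain-HTTP web servers.
# Addresses are constructed placeholders; replace with your own.
ext_addr = "203.0.113.10"
table <webhosts> { 10.0.0.11 10.0.0.12 10.0.0.13 }

# Client-facing protocol. TLS is terminated here, so the public-key and bulk
# crypto work (and any accelerator the firewall's crypto framework exposes)
# is done once on the firewall, not on each web server.
http protocol "httpsfront" {
    # Preserve the real client address and tell the backends the front
    # end spoke TLS, since they only ever see plain HTTP.
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-Proto" value "https"
}

relay "tlsoffload" {
    # relayd loads the keypair by listen address: /etc/ssl/203.0.113.10.crt
    # and /etc/ssl/private/203.0.113.10.key (assumed default naming).
    listen on $ext_addr port 443 tls
    protocol "httpsfront"
    # Plain HTTP to the pool; only backends answering 200 on "/" stay in service.
    forward to <webhosts> port 80 check http "/" code 200
}
```

Because the backends now receive unencrypted traffic, the 10.0.0.0/24 segment must be reachable only from the relay host, which is the PF rule set's job rather than relayd's.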