Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 31 Oct 2006 23:00:54 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Nicolas Blais <nb_root@videotron.ca>, freebsd-current@freebsd.org
Subject:   Re: Hifn 7955/7956 crypto accelerator questions
Message-ID:  <200611010358.kA13wprx067313@lava.sentex.ca>
In-Reply-To: <200610311629.06271.nb_root@videotron.ca>
References:  <200610311629.06271.nb_root@videotron.ca>

next in thread | previous in thread | raw e-mail | index | archive | help
At 04:29 PM 10/31/2006, Nicolas Blais wrote:
>Hi,
>
>I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
>7956) to do some performance tests in a military environment with FreeBSD
>systems. Since this is a big project and I don't want to jump in something
>destined to fail, I'll ask your expertise.


Yes, regardless of what you read, you would want to test it 
first.  So for sure I would recommend you order a couple of Soekris 
boxes and test! test! test! :)


>1. After searching the mailing lists for reports of performance with openssl
>and cryptop accelerators, I did not find anything that showed an increase in
>performance with the cards (though some posts date back to FBSD4.8). Does
>openssl today make correct use of the crypto hardware?

OpenSSL and FAST_IPSEC will make use of it for sure.  However, there 
is a fair bit of overhead to offload the calculations from 
userland.  Generally, you wont see much of an improvement (if any) on 
a modern fast CPU with a single stream.  The place I find where a 
crypto card really helps with ssh is where you have multiple streams 
coming in at the same time.  For us, its a big help for our backup 
server to keep the cpu load down to a reasonable level when we have a 
dozen or so dumps and tars coming in over ssh all at once.  Even with 
just 3 or 4, it makes a difference for cpu utilization and overall throughput.



>2. From what I understand, ssh is supposed to increase in performance with
>those cards. Assuming two FreeBSD computers with crypto accelerators are
>transfering big files (say sftp) in a cipher that the card and driver
>supports, would the transfer rate be at or near clear-text speed (in a
>100mbps link)?

On a soekris ?  100Mb, I doubt it.  Not sure what speeds you would 
get, but you should try it and see if it would meet your needs



>3. How does GEOM_ELI uses crypto hardware to accelerate working with 
>encrypted
>partitions? Again, with big file systems, would a gain in performance be
>noticeable?

Through the crypto(4) framework.  Something like a VIA C3 or C7 might 
give you better results here. I think pjd@freebsd.org (the author of 
geli posted some numbers a while back when he created the padlock 
driver for the crypto framework.  Although I really like the Soekris 
products, (they are rock solid reliable) if you really need more 
crypto performance, take a look at something based on the via C3 or 
C7 chips.  You can get some very fast AES encryption and there is 
very good FreeBSD support both through the padlock crypto driver as 
well as through openssl

e.g.
openssl speed -evp aes-256-ecb

The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k


The "slow" numbers are from an Intel Core DUO, 6400  @ 2.13GHz. The 
fast #s are from an C3 embedded board we use by Commell.
CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)


         ---Mike 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200611010358.kA13wprx067313>