Date: Fri, 28 May 2010 10:20:11 +0200 From: "Peter Cornelius" <pcc@gmx.net> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org Subject: Re: 'Serious' crypto? Message-ID: <20100528082011.143490@gmx.net> In-Reply-To: <4BFF7374.8090608@infracaninophile.co.uk> References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Matthew, Thanks for the response. > >> NAT. Doing serious crypto slows things up somewhat. > > > > I've been pondering this since a while but thought that crypto > > engines on modern hardware would make 'extra' hardware accelerators > > obsolete? > > Yes -- in many use cases this is true. Modern processors are fast > enough that they don't need an external accelerator to perform. It > doesn't mean that running crypto imposes *no* extra cost on a server. > For instance, a web server running HTTP will (roughly speaking) be able > to support an order of magnitude more simultaneous sessions than the > same site served over HTTPS. And a hardware crypto device will level HTTPS to the HTTP volume without it? > > Or is it still worthwhile to consider hardware accelerators such as > > the ones guys like soekris [1] and others offer? Does anyone have an > > idea "how much" such an accelerator may help on older vs. on newer > > hardware? > > Those soekris boards are designed to work in low power (both in wattage > and in compute capability) appliances. That is a perfectly viable > alternative design for a crypto-gateway router / packet filter intended > for traffic levels within the specification they claim. That is what I currently consider. The low power is a good thing. I just wonder whether it is worthwhile to hunt for a "newer" hardware (= more expensive, both in wattage and procurement) or stick to a known platform and just add a new component. > Hmmm... 250Mb/s IPSec throughput is (I think -- not having tried this, I > cannot be certain) easily accessible through a fairly run of the mill > server such as the HP Proliant DL120 G6. Of course, the HP box costs > about 4--5 times as much as the Soekris. It will have a great deal more > spare RAM, disk, compute capacity etc. No idea abut on-going support > costs, but I don't think you could get support cover with a 4 hour > on-site response from Soekris... I know the DL series though I have used more the DL360 G4-G6 ones. I like something with low noise and power intake, hopefully achieving passive cooling. > > Would multiple engines work (and help) at all? From crypto(4), I > > would not guess so. One consequence would be that there may be > > certain limitations in using a separate accelerator once the platform > > comes with its own accelerator device? > > One feature that hardware accelerator boards provide which is hard to > get otherwise is plenty of random numbers on tap. Generating > cryptographically strong randomness in volume is pretty hard > computationally, and a hardware solution really helps things like IPSec > throughput. I think I do understand that (I hope :)) > Also, if you need really high volume crypto traffic throughput (multiple > Gb/s levels), then yes, you will need specialised hardware. However, in > this case, you're likely to be using pretty fancy routers (Cisco, > Juniper, etc.) and those all have options for hardware acceleration > built into interface cards. Yes, I know the Ciscos very well but currently the Junipers look more appropriate to me for one application we have. The Junipers probably go outside the ASAs inside. My reason for the post was considering more another 'quiet' and 'lowpower' project I have, so that's probably a completely different pair of shoes. I'll try without first and then see what comes out of it. Thanks again, and All the best, Peter. -- GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100528082011.143490>