Re: Hifn 7955/7956 crypto accelerator questions
- From: Brooks Davis <brooks@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 31 Oct 2006 15:52:07 -0600
On Tue, Oct 31, 2006 at 04:29:01PM -0500, Nicolas Blais wrote:
> Hi,
> I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
> 7956) to do some performance tests in a military environment with FreeBSD
> systems. Since this is a big project and I don't want to jump into something
> destined to fail, I'll ask your expertise.
> 1. After searching the mailing lists for reports of performance with openssl
> and crypto accelerators, I did not find anything that showed an increase in
> performance with the cards (though some posts date back to FBSD4.8). Does
> openssl today make correct use of the crypto hardware?
I believe it can in modern versions.
> 2. From what I understand, ssh is supposed to increase in performance with
> those cards. Assuming two FreeBSD computers with crypto accelerators are
> transferring big files (say sftp) in a cipher that the card and driver
> support, would the transfer rate be at or near clear-text speed (on a
> 100mbps link)?
It all depends on your CPU and your algorithm. For example, looking at
the data from the HPN-SSH project, you'll see they are getting >100Mbps
throughput with SCP encrypted with AES. That meets your requirements
below, but that's with a fairly fast CPU. If you need to use a slow CPU
an accelerator may help.
http://www.psc.edu/networking/projects/hpn-ssh/
> 3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
> partitions? Again, with big file systems, would a gain in performance be
> noticeable?
Yes and maybe. Again, it depends. With a modern CPU the older hifn
cards probably won't show much benefit.
> 4. Also, it seems that asymmetric crypto support is not yet implemented in the
> hifn driver (according to the man page). Is it safe to assume that pgp will
> not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
> question...)
PGP mostly uses an asymmetric cypher encrypted using RSA or DSA because
they are too slow to encrypt even a small file otherwise. If PGP used
OpenSSL for that part and the OpenSSL supported acceleration, and PGP was
configured to use an accelerated symmetric cipher then you would see
some speedup. You'd still have the cost of generating the random
symmetric key and encrypting it, but for large files the cost would be
reduced.
> The whole idea is to reduce conversion and transfer time with highly
> sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use
> commercial software compatible with PGP, but there are security and
> logistical issues with it (the commercial software, not PGP). Encrypting a
> 2GB file with PGP, even on a modern machine, takes a long time. I've done
> tests with geli and am so far satisfied with it, but it is storage
> encryption and doesn't allow us to safely transfer data unless we physically
> transfer the disk or use ssh. With geli, you also have to make sure that the
> created partition is only readable/writeable by the user you want access
> allowed to, which reduces the total security of the information due to human
> negligence.
Assuming non-trivial bandwidth-delay products, you'll definitely want to
look at HPN-SSH and understand what it does even if you don't end up
using it.
-- Brooks
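The hybrid (PGP-style) scheme Brooks describes in his answer to question 4, as an added example that is not code from the original thread or from any PGP implementation: a fresh random symmetric key does the bulk encryption of the file (the part a card like the Hifn could take over), and only that small key is encrypted with the recipient's RSA public key, so the asymmetric cost is fixed and does not grow with file size. It assumes an `openssl` binary (1.1 or 3.x) on PATH; the recipient key, scratch file names and the 1 MiB sample input are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: PGP-style hybrid encryption
# with the OpenSSL command-line tool. Assumptions (not from the page): an
# `openssl` binary (1.1 or 3.x) on PATH; all file names below are
# hypothetical scratch files created under a temp directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate the recipient's RSA keypair. In practice the recipient already
# has one; the 2048-bit size is only a choice for this example.
hybrid_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/recipient.key" 2>/dev/null
    openssl pkey -in "$WORK/recipient.key" -pubout -out "$WORK/recipient.pub"
}

# hybrid_encrypt PLAINTEXT CIPHERTEXT WRAPPED_KEY
hybrid_encrypt() {
    in="$1"; out="$2"; wrapped="$3"
    # One-time session key and IV: the "random symmetric key" cost, paid once per file.
    key="$(openssl rand -hex 32)"
    iv="$(openssl rand -hex 16)"
    # Bulk encryption with AES-256-CBC. Its cost grows with file size, and it
    # is the step a symmetric-cipher accelerator would take over.
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$in" -out "$out"
    # Wrap key and IV under RSA-OAEP: a fixed cost independent of file size.
    printf '%s:%s' "$key" "$iv" | openssl pkeyutl -encrypt -pubin \
        -inkey "$WORK/recipient.pub" -pkeyopt rsa_padding_mode:oaep -out "$wrapped"
}

# hybrid_decrypt CIPHERTEXT WRAPPED_KEY PLAINTEXT_OUT
hybrid_decrypt() {
    in="$1"; wrapped="$2"; out="$3"
    # Only the holder of the private key can unwrap the session key.
    kiv="$(openssl pkeyutl -decrypt -inkey "$WORK/recipient.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$wrapped")"
    key="${kiv%%:*}"
    iv="${kiv#*:}"
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$in" -out "$out"
}

# Lists the engines this OpenSSL build knows about. A hardware engine such as
# cryptodev only appears if the build included it; with none, `openssl enc`
# above runs entirely in software on the CPU.
openssl_engines() {
    openssl engine 2>/dev/null || true
}

# Round trip on a constructed 1 MiB sample; prints "ok" when the decrypted
# file matches the original, otherwise "MISMATCH" with a non-zero status.
hybrid_selftest() {
    hybrid_keygen
    head -c 1048576 /dev/urandom > "$WORK/plain.bin"   # constructed input
    hybrid_encrypt "$WORK/plain.bin" "$WORK/plain.enc" "$WORK/session.enc"
    hybrid_decrypt "$WORK/plain.enc" "$WORK/session.enc" "$WORK/plain.dec"
    if [ "$(openssl dgst -sha256 < "$WORK/plain.bin")" = \
         "$(openssl dgst -sha256 < "$WORK/plain.dec")" ]; then
        echo ok
    else
        echo MISMATCH; return 1
    fi
}

hybrid_selftest
```

Replacing the 1 MiB sample with a multi-gigabyte file and timing `hybrid_encrypt` shows the point of the thread directly: the `openssl enc` step dominates and scales with the file, while `openssl pkeyutl` stays at a few milliseconds, so any accelerator only matters if `openssl_engines` shows it and the symmetric cipher is routed through it.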
- References:
- Hifn 7955/7956 crypto accelerator questions
- From: Nicolas Blais
- Hifn 7955/7956 crypto accelerator questions