From: Pawel Jakub Dawidek
To: Cyrus Rahman
Cc: freebsd-geom@freebsd.org
Date: Thu, 17 Jan 2008 15:47:12 +0100
Subject: Re: Authentication with geom_eli
Message-ID: <20080117144712.GH8820@garage.freebsd.pl>
In-Reply-To: <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
References: <9e77bdb50801160832p39619f1fm85bf1454fead3357@mail.gmail.com> <9e77bdb50801170615l3ff6f6bbo97ade8b4471dc7b0@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
X-OS: FreeBSD 7.0-CURRENT i386
List-Id: GEOM-specific discussions and implementations
On Thu, Jan 17, 2008 at 07:15:26AM -0700, Cyrus Rahman wrote:
> Here are some timings related to different encryption and
> authentication algorithms. Although the authentication involves extra
> copying and additional data being written to disk, it is clear the
> algorithm is also quite significant.
>
> The system is a quad processor Q6600 running at 2.4GHz with mid-range
> SATA disks.
>
> Given the considerable performance hit and the fact that for most
> applications the only viable and useful authentication attacks I can
> think of would involve replay, which is not detected in the current
> implementation, I think there is a clear benefit to an algorithm like
> a CRC to provide data integrity at a lower cost.
>
> But I also agree that the ideal place for a CRC style check would be
> in a separate geom layer.
>
> Baseline:
> dd if=/dev/random of=/dev/mirror/gm0 bs=1m count=200
> 200+0 records in
> 200+0 records out
> 209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)
>
> ***
> Varied encryption algorithms:
> geli init -P -e aes -l 256 -s 4096 -K key mirror/gm0
> dd if=/dev/random of=/dev/mirror/gm0.eli bs=1m count=200
> 209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)
>
> geli init -P -e aes -l 128 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)
>
> geli init -P -e blowfish -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)
>
> geli init -P -e camellia -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)
>
> geli init -P -e 3des -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)
>
> ***
> Varied authentication algorithms:
> geli init -P -e aes -l 256 -a hmac/sha512 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha256 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/sha1 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/ripemd160 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)
>
> geli init -P -e aes -l 256 -a hmac/md5 -s 4096 -K key mirror/gm0
> 209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)

Could you retry with /dev/zero instead of /dev/random and also try
'null' as encryption algorithm?

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
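The thread compares raw dd(1) throughput figures by eye. The script below is an added example, not code from either poster: it parses the dd summary lines quoted above (transcribed here as constructed input) and expresses each cipher's cost against the raw device and each HMAC's cost against the same cipher without authentication, which is the separation the discussion is reaching for. The labels and the `cost_table` helper are my own naming.

```python
import re

# Constructed input: the dd(1) summary lines from the post, keyed by the geli
# configuration that produced them (raw device, cipher only, aes-256 + HMAC).
RESULTS = {
    "raw":                    "209715200 bytes transferred in 4.733112 secs (44308101 bytes/sec)",
    "aes-256":                "209715200 bytes transferred in 7.336633 secs (28584666 bytes/sec)",
    "aes-128":                "209715200 bytes transferred in 6.919852 secs (30306313 bytes/sec)",
    "blowfish":               "209715200 bytes transferred in 9.289385 secs (22575790 bytes/sec)",
    "camellia":               "209715200 bytes transferred in 8.384749 secs (25011506 bytes/sec)",
    "3des":                   "209715200 bytes transferred in 18.362226 secs (11421012 bytes/sec)",
    "aes-256+hmac/sha512":    "209715200 bytes transferred in 12.553233 secs (16706071 bytes/sec)",
    "aes-256+hmac/sha256":    "209715200 bytes transferred in 12.487267 secs (16794323 bytes/sec)",
    "aes-256+hmac/sha1":      "209715200 bytes transferred in 12.101804 secs (17329251 bytes/sec)",
    "aes-256+hmac/ripemd160": "209715200 bytes transferred in 11.301225 secs (18556856 bytes/sec)",
    "aes-256+hmac/md5":       "209715200 bytes transferred in 10.345111 secs (20271914 bytes/sec)",
}

DD_RE = re.compile(r"(\d+) bytes transferred in ([\d.]+) secs \((\d+) bytes/sec\)")

def parse_dd_summary(line):
    """Parse a dd(1) transfer summary into (bytes, seconds, bytes_per_sec)."""
    m = DD_RE.search(line)
    if m is None:
        raise ValueError("not a dd(1) summary line: %r" % line)
    nbytes, secs, rate = int(m.group(1)), float(m.group(2)), int(m.group(3))
    # dd derives the printed rate from the same two numbers, so a transcription
    # error in any field shows up as a mismatch instead of skewing the ratios.
    if abs(nbytes / secs - rate) > 2.0:
        raise ValueError("rate does not match bytes/secs in %r" % line)
    return nbytes, secs, rate

def relative_throughput(results, label, baseline):
    """Throughput of `label` as a fraction of `baseline` (1.0 means no cost)."""
    return parse_dd_summary(results[label])[2] / parse_dd_summary(results[baseline])[2]

def cost_table(results):
    """Cipher vs. the raw device; 'cipher+hmac' vs. that cipher alone."""
    table = {}
    for label in results:
        if label == "raw":
            continue
        baseline = label.split("+")[0] if "+" in label else "raw"
        table[label] = relative_throughput(results, label, baseline)
    return table

if __name__ == "__main__":
    for label, frac in cost_table(RESULTS).items():
        print("%-24s %5.1f%% of its baseline" % (label, 100 * frac))
```

Run against the posted numbers, hmac/sha512 on top of aes-256 retains about 58% of the cipher-only throughput and hmac/md5 about 71%, so the MAC algorithm matters roughly as much as the cipher choice, which is the poster's point; the null-cipher and /dev/zero runs Pawel asks for would let the same table separate the HMAC cost from the extra sector copying.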