Date:      Tue, 10 Nov 2015 09:52:16 -0800
From:      John-Mark Gurney <jmg@funkthat.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: OpenSSH HPN
Message-ID:  <20151110175216.GN65715@funkthat.com>
In-Reply-To: <86io5a9ome.fsf@desk.des.no>
References:  <86io5a9ome.fsf@desk.des.no>

Dag-Erling Smørgrav wrote this message on Tue, Nov 10, 2015 at 10:42 +0100:
> Therefore, I would like to remove the HPN patches from base and refer
> anyone who really needs them to the openssh-portable port, which has
> them as a default option.  I would also like to remove the NONE cipher
> patch, which is also available in the port (off by default, just like in
> base).

My vote is to remove the HPN patches.  First, the NONE cipher made more
sense back when we didn't have AES-NI widely available, and you were
seriously limited by its performance.  Now we have both aes-gcm and
chacha-poly, whose performance should be more than acceptable for
today's uses (i.e. cipher performance is 2GB/sec+).

Second, I did some testing recently due to a thread on -net, and I
found no significant (not run statistically though) difference in
performance between in HEAD ssh and OpenSSH 7.1p1.  I started a wiki
page to talk about this:
https://wiki.freebsd.org/SSHPerf

Feel free to add to the page any more info.

There are other apparent issues w/ ssh that keep its performance low
on high latency links, but I haven't spent the time to figure out what
they are; in my testing HPN did not increase performance to make
use of the fat but high latency link.

So, if it's not increasing performance and making us fall behind, why
bother with the trouble of keeping the patch?

If someone is willing to spend the time doing benchmarks, and prove
that the HPN patches do make a difference, I'm willing to work with
them to figure out why my tests didn't work and change my vote.  I
also believe that the defaults should be enough; if you have to tune
or enable features, then you can install from ports or compile yourself.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
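The message above argues from measurements (cipher throughput, HEAD ssh vs. OpenSSH 7.1p1) and invites others to benchmark. The script below is an added example, not part of the original message or of the FreeBSD wiki page it links to: it pushes a fixed amount of data through one ssh session per cipher and reports MB/s, so the "cipher is not the bottleneck" claim can be checked on your own hardware and link. It assumes a reachable host in the SSH_BENCH_HOST environment variable with key-based authentication already set up; the cipher candidates, the 1024 MiB transfer size and the environment variable name are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original message): per-cipher bulk ssh
# throughput measurement. Requires SSH_BENCH_HOST (assumed name) to point at
# a host reachable with key-based auth; nothing is sent if it is unset.
set -eu

# MB/s = bytes / seconds / 1e6, computed with awk because sh has no floats.
# Prints 0.00 when the elapsed time is zero so callers can detect a run that
# was too short to measure with one-second clock resolution.
throughput_mbs() {
    awk -v b="$1" -v s="$2" 'BEGIN {
        if (s <= 0) { print "0.00"; exit }
        printf "%.2f\n", b / s / 1000000
    }'
}

# Cipher candidates (an assumption for the example): the two AEAD ciphers
# named in the message plus a CTR-mode baseline. Only the ones this client
# actually supports, as reported by "ssh -Q cipher", are returned; if -Q is
# unavailable the full list is returned and ssh itself will reject unknowns.
candidate_ciphers() {
    want="aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes128-ctr"
    if supported=$(ssh -Q cipher 2>/dev/null); then
        for c in $want; do
            echo "$supported" | grep -qx "$c" && echo "$c"
        done
    else
        for c in $want; do echo "$c"; done
    fi
}

# Send N MiB of zeros through one session and print MB/s.
# Compression is forced off so zero-filled input is not shrunk on the wire;
# the remote side discards the data so remote disk speed does not matter.
# date +%s is used for portability (no %N on FreeBSD), so keep the transfer
# large enough to run for several seconds.
bench_cipher() {
    host=$1; cipher=$2; mib=${3:-1024}
    bytes=$((mib * 1024 * 1024))
    start=$(date +%s)
    dd if=/dev/zero bs=1048576 count="$mib" 2>/dev/null \
        | ssh -o Compression=no -c "$cipher" "$host" 'cat > /dev/null'
    end=$(date +%s)
    rate=$(throughput_mbs "$bytes" $((end - start)))
    if [ "$rate" = "0.00" ]; then
        echo "n/a (finished in under 1 s; raise the MiB argument)"
    else
        echo "$rate"
    fi
}

# Run the benchmark only when a target host was supplied.
if [ -n "${SSH_BENCH_HOST:-}" ]; then
    for c in $(candidate_ciphers); do
        printf '%-32s %s MB/s\n' "$c" "$(bench_cipher "$SSH_BENCH_HOST" "$c")"
    done
fi
```

Usage: `SSH_BENCH_HOST=user@peer sh ssh-cipher-bench.sh`. Run it once against a LAN peer (to see the cipher ceiling the message refers to) and once across the high-latency link; if the per-cipher numbers are close on the LAN but all collapse together on the long link, the limit is not the cipher, which is the kind of evidence the message asks for before keeping a patch like HPN.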
