Date: Fri, 28 May 2010 10:06:31 +0200
From: "Peter Cornelius" <pcc@gmx.net>
To: Chuck Swiger <cswiger@mac.com>
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto? (was: FreeBSD router - large scale)
Message-ID: <20100528080631.143490@gmx.net>
In-Reply-To: <24902239-9767-444C-9C50-F51ACEEAEB97@mac.com>
References: <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com> <4BFE99EB.50208@infracaninophile.co.uk> <20100527204912.143520@gmx.net> <24902239-9767-444C-9C50-F51ACEEAEB97@mac.com>
Hi Chuck,

Thanks for the response.

> Or is it still worthwhile to consider hardware accelerators such as the
> ones guys like soekris [1] and others offer? Does anyone have an idea "how
> much" such an accelerator may help on older vs. on newer hardware?
>
> Something like a 1GHz P3 or equivalent can generally do the symmetric
> crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus
> limitations made faster CPUs better, although a newer PCIe crypto device
> ought to be more competitive.
>
> What matters more for some common use cases is that crypto H/W tends to do
> asymmetric crypto like RSA/DSA signing to negotiate a shared session key--
> aka SSL session creation for SSL websites, secure email, SSH keys, etc
> much faster than normal CPUs could.

I guess I'll try first without and see where I hit the ceiling. Then go to plan B. I was more thinking of many IPSEC connections, but then there are also only so many slots and so many NICs in them. I'll try without and monitor that for a while and then see what happens.

> Would multiple engines work (and help) at all? From crypto(4), I would
> not guess so. One consequence would be that there may be certain limitations
> in using a separate accelerator once the platform comes with its own
> accelerator device?
>
> Sure, you can setup multiple engines, although this does better if you
> have separate services using each, since you do want to use an SSL session
> cache, but you don't want to pollute one for HTTPS with sessions from IMAPS
> and vice versa. Also, the config interface for Apache/IIS/whatever, or
> Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine.
>
> On the other hand, it's not very much coding to adjust things to use
> multiple engines even within Apache or whatever-- I can recall some custom
> webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use
> multiple CryptoSwift boxes via ethernet network or local PCI slots, for
> example.
Hmm... I was thinking more like round-robin the devices, but I probably know too little about 'serious' crypto to see the side-effects. Anyways, I think the question is a bit academic at this time since I'll probably divide the servers anyways.

Thanks again,

All the best regards,

Peter.