Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 28 May 2010 09:47:58 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Peter Cornelius <pcc@gmx.net>
Cc:        kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject:   Re: 'Serious' crypto?
Message-ID:  <4BFF833E.6060301@infracaninophile.co.uk>
In-Reply-To: <20100528082011.143490@gmx.net>
References:  <AANLkTinvU5tOZyzzeJmVU1mlXGXMIEEOXWEv5GGArSCl@mail.gmail.com>	<4BFE99EB.50208@infracaninophile.co.uk>	<20100527204912.143520@gmx.net> <4BFF7374.8090608@infracaninophile.co.uk> <20100528082011.143490@gmx.net>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/05/2010 09:20:11, Peter Cornelius wrote:

>> > Yes -- in many use cases this is true.  Modern processors are fast
>> > enough that they don't need an external accelerator to perform.  It
>> > doesn't mean that running crypto imposes *no* extra cost on a server.
>> > For instance, a web server running HTTP will (roughly speaking) be able
>> > to support an order of magnitude more simultaneous sessions than the
>> > same site served over HTTPS.

> And a hardware crypto device will level HTTPS to the HTTP volume
> without it?

Probably.  The usual approach with HTTPS once traffic levels get big
enough is crypto-offload.  You use a separate device as the crypto
endpoint: typically built into a load balancer.  You can do this using a
PF based firewall using relayd(8) for a lot less money, and in this case
 one crypto accelerator card in your firewall could support several
webservers behind it.

>> > Also, if you need really high volume crypto traffic throughput (multiple
>> > Gb/s levels), then yes, you will need specialised hardware.  However, in
>> > this case, you're likely to be using pretty fancy routers (Cisco,
>> > Juniper, etc.) and those all have options for hardware acceleration
>> > built into interface cards.

> Yes, I know the Ciscos very well but currently the Junipers look 
> more appropriate to me for one application we have. The Junipers
> probably go outside the ASAs inside.

Heh.  When I said 'pretty fancy kit' I meant something considerably more
*shiny* than a Cisco ASA5510.  In fact, running OpenBSD on a commodity
server is roughly performance compatible with a 5510 but considerably
cheaper if you want all the trimmings like high-availability, unlimited
numbers of servers, GB on all interfaces etc.

Note that ASA5510 level kit tends to do things like deep packet
inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
and screwing with SMTP so hard it breaks.]  PF itself is purely based on
dealing with packet headers: however you can easily add things like
squid caching and filtering, snort etc. but these will ramp up the CPU
requirements beyond what a small appliance could support.

> My reason for the post was considering more another 'quiet' and
> 'lowpower' project I have, so that's probably a completely different
> pair of shoes. I'll try without first and then see what comes out of
> it.

Commodity servers certainly don't fulfil the "quiet" requirement.  Most
of them have enough fannage to build a fairly respectable hovercraft.

	Cheers,

	Matthew

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv/gz4ACgkQ8Mjk52CukIwOfgCfXdrawnYYFZj3npV3gleqJlcY
5msAn2tVjGtoUJQTB/lR3dqMM4X+PS1U
=LS+F
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4BFF833E.6060301>