From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 28 May 2010 09:47:58 +0100
To: Peter Cornelius
Cc: kevin.wilcox@gmail.com, freebsd-questions@freebsd.org
Subject: Re: 'Serious' crypto?
On 28/05/2010 09:20:11, Peter Cornelius wrote:
>> Yes -- in many use cases this is true. Modern processors are fast
>> enough that they don't need an external accelerator to perform. It
>> doesn't mean that running crypto imposes *no* extra cost on a server.
>> For instance, a web server running HTTP will (roughly speaking) be able
>> to support an order of magnitude more simultaneous sessions than the
>> same site served over HTTPS.
>
> And a hardware crypto device will level HTTPS to the HTTP volume
> without it?

Probably. The usual approach with HTTPS once traffic levels get big
enough is crypto-offload. You use a separate device as the crypto
endpoint: typically built into a load balancer. You can do this using a
PF-based firewall using relayd(8) for a lot less money, and in this case
one crypto accelerator card in your firewall could support several
webservers behind it.

>> Also, if you need really high volume crypto traffic throughput (multiple
>> Gb/s levels), then yes, you will need specialised hardware. However, in
>> this case, you're likely to be using pretty fancy routers (Cisco,
>> Juniper, etc.) and those all have options for hardware acceleration
>> built into interface cards.
>
> Yes, I know the Ciscos very well but currently the Junipers look
> more appropriate to me for one application we have. The Junipers
> probably go outside the ASAs inside.

Heh. When I said 'pretty fancy kit' I meant something considerably more
*shiny* than a Cisco ASA5510.
In fact, running OpenBSD on a commodity server is roughly performance
compatible with a 5510 but considerably cheaper if you want all the
trimmings like high-availability, unlimited numbers of servers, GB on all
interfaces etc. Note that ASA5510 level kit tends to do things like deep
packet inspection, content based filtering etc. [Not to mention fubar'ing
EDNS0 and screwing with SMTP so hard it breaks.] PF itself is purely based
on dealing with packet headers: however you can easily add things like
squid caching and filtering, snort etc. but these will ramp up the CPU
requirements beyond what a small appliance could support.

> My reason for the post was considering more another 'quiet' and
> 'lowpower' project I have, so that's probably a completely different
> pair of shoes. I'll try without first and then see what comes out of
> it.

Commodity servers certainly don't fulfil the "quiet" requirement. Most of
them have enough fannage to build a fairly respectable hovercraft.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
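A minimal relayd.conf for the crypto-offload arrangement Matthew describes (TLS terminated on the PF firewall, plain HTTP to the web servers behind it), added here as an illustration and not part of the original thread. The addresses, table name and protocol/relay names are assumed placeholders, and the syntax is the current `tls` keyword form of relayd.conf(5); older releases spelled the same options `ssl`.

```conf
# Added example: relayd(8) as the TLS endpoint on a PF-based firewall.
# Placeholder values; the keypair is expected at relayd's default
# per-listen-address location (see the tls options in relayd.conf(5)).

ext_addr="192.0.2.10"                       # firewall's public address (assumed)
table <webhosts> { 10.0.0.11 10.0.0.12 }    # backends speaking plain HTTP (assumed)

http protocol tlsoffload {
    # Backends only ever see the firewall's address, so pass the real
    # client along for logging and access control.
    match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

    # TCP tuning for a large number of concurrent sessions.
    tcp { nodelay, sack, socket buffer 65536, backlog 128 }

    # TLS policy is enforced once here rather than on every web server.
    tls { no tlsv1.0, ciphers "HIGH:!aNULL" }
}

relay www {
    # TLS terminates on the firewall: this is the single crypto endpoint,
    # so one accelerator in this box serves every backend in <webhosts>.
    listen on $ext_addr port 443 tls
    protocol tlsoffload

    # Cleartext HTTP to the backends; hosts failing the health check are
    # taken out of rotation automatically.
    forward to <webhosts> port 80 mode loadbalance check http "/" code 200
}
```

`relayd -n -f relayd.conf` parses the file without starting the daemon. pf.conf only needs to pass TCP port 443 to $ext_addr, since a relay is a userland proxy and does not rely on a pf redirection anchor.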