Thanks Ivan,
You have some valid points about performance. I was hoping not to get
distracted from the main thrust of my question by performance considerations
though.
Are there PCIe attachable crypto co-processors with current vendor
support for FreeBSD 8.x? If anyone else reading this thread wants to chime
in with info about current supported crypto co-processors that plug in via PCIe,
please drop a note.
However, I think you do deserve a reply on the performance topic...
I am close enough to agreeing with you to not argue much about whether
modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am
currently married to (a touch old but not that bad) seems to be able to throw
around 200Mb of IP-ESP data around. However, in spite of these observations, I
would prefer if my system could handle that throughput load and yet have CPU
power left over for other tasks.
I'm very attracted to Andre's mention of "newer x86/amd64
CPU's see:
http://en.wikipedia.org/wiki/AES_instruction_set". Does anyone know if
FreeBSD supports or will support this through either /dev/crypto or through
openssl (or any other mechanism I guess)?
---
Ricky Charlet
Adara Networks
USA 408-433-4942
-----Original Message-----
From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On
Behalf Of Ivan Voras
Sent: Friday, September 03, 2010 2:49 AM
To: freebsd-net@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: seeking current supported crypto co-processors
On 09/03/10 02:35, Ricky Charlet wrote:
> Howdy,
> <this message is cross posted in freebsd-security and freebsd-net>
>
> I'm seeking current cryptographic coprocessors supported in FreeBSD 8.x. By perusing through the crypto-dev (and subsequently referenced) man page(s) I found this list:
> Hifn 7751/7951/7811/7955/7956 crypto accelerator
> SafeNet 1141/1741
> Bluesteel 5501/5601
> Broadcom bcm5801/5802/5805/5820/5821/5822/5823/5825
>
> Those are all pretty old (and in some cases, no longer existent). I'm surveying these lists to see if anyone knows of more modern chips working with FreeBSD 8.x. Or if you feel some chip on the list above is up to the task of near about 1 Gb throughput across a PCIe and has friendly vendor support for FreeBSD, I'd sure like to hear about that too.
>
I'm not saying they are useless but are you really sure you need them?
Even on the last generation of CPUs without AES instructions you can
easily get 125 MB/s of AES-128 encryption and 300 MB/s of RC4 per CPU
core, so even one core can saturate a 1 Gbit/s link. You can set up a
cheap box to be an SSL proxy in front of the real web servers to offload SSL.