Hi,

I'm pondering building my own SSL accelerator out of a multi-CPU
FreeBSD system and a crypto accelerator.

What's the recommended hardware crypto accelerator card these
days?

Thanks,

==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
Today's chance of throwing it all away to start a goat farm: 49.1%
http://www.BlackHelicopters.org/~mwlucas/

In message <20040408115414.GA81875@bewilderbeast.blackhelicopters.org>, "Michael W. Lucas" writes:
>
>Hi,
>
>I'm pondering building my own SSL accelerator out of a multi-CPU
>FreeBSD system and a crypto accelerator.
>
>What's the recommended hardware crypto accelerator card these
>days?

Look at VPN14x1 from www.soekris.com, it's darn cheap too.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

I would recommend you to take a look at www.rainbow.com and www.nchipher.com

The hardware seems nice, but I am not sure about the driver support in FreeBSD.
I spoke with rainbow (about cryptoswift) a month ago. Initially they told me
there are drivers ... then they changed their minds .. and told me that FreeBSD
is unsupported. I didn't clear the issue anyway.

I'll be glad to hear any successful installations of cryptocards in FreeBSD.

Rumen Telbizov

On Thu, Apr 08, 2004 at 07:54:14AM -0400, Michael W. Lucas wrote:
>
> Hi,
>
> I'm pondering building my own SSL accelerator out of a multi-CPU
> FreeBSD system and a crypto accelerator.
>
> What's the recommended hardware crypto accelerator card these
> days?
>
> Thanks,
>
> ==ml
>
> --
> Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
>
> Today's chance of throwing it all away to start a goat farm: 49.1%
> http://www.BlackHelicopters.org/~mwlucas/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

Hi,

as it looks like, 'openssl aes-128-cbc' does use the HW-crypto, whereas
aes-256-cbc doesn't:

(fw)(root) ./hifnstats
input 33061744 bytes 27580 packets
output 33061744 bytes 27580 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
openssl aes-128-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo
./hifnstats
(fw)(root) openssl aes-128-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo
(fw)(root) ./hifnstats
input 62496592 bytes 34770 packets
output 62496592 bytes 34770 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

but:

(fw)(root) ./hifnstats
input 62509488 bytes 34937 packets
output 62509488 bytes 34937 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0
openssl aes-256-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo
./hifnstats
(fw)(root) openssl aes-256-cbc -e -in /sys/i386/compile/fw/kernel.debug -out bla -k foo
(fw)(root) ./hifnstats
input 62510128 bytes 34947 packets
output 62510128 bytes 34947 packets
invalid 0 nomem 0 abort 0
noirq 0 unaligned 0
totbatch 0 maxbatch 0
nomem: map 0 load 0 mbuf 0 mcl 0 cr 0 sd 0

another indication is `iostat 1`:

during openssl aes-128-cbc:
 tin tout   KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   1   79 124.69  29  3.50   0.00   0  0.00   0.00   0  0.00   7  0 25  8 60
   0  230 126.58  78  9.67   0.00   0  0.00   0.00   0  0.00   2  0 26  5 68
   0   77 128.00 105 13.12   0.00   0  0.00   0.00   0  0.00   5  0 47  8 41
   0   88  62.74  27  1.64   0.00   0  0.00   0.00   0  0.00  22  0 22  2 55

during openssl aes-256-cbc:
 tin tout   KB/t tps  MB/s   KB/t tps  MB/s   KB/t tps  MB/s  us ni sy in id
   1   79 124.49  41  4.94   0.00   0  0.00   0.00   0  0.00  78  0 16  0  5
   0   77 126.64  47  5.75   0.00   0  0.00   0.00   0  0.00  89  0 11  0  0
   0   77 128.00  44  5.45   0.00   0  0.00   0.00   0  0.00  88  0 12  0  0
   0   77 128.00  45  5.57   0.00   0  0.00   0.00   0  0.00  88  0 12  0  0
   0   77 128.00  46  5.69   0.00   0  0.00   0.00   0  0.00  90  0  8  2  0

(it takes longer, is much less idle, and uses much more user time)

Bye/2
---
Michael Reifenberger, Business Development Manager SAP-Basis, Plaut Consulting
Comp: Michael.Reifenberger@plaut.de | Priv: Michael@Reifenberger.com
http://www.plaut.de | http://www.Reifenberger.com

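Added example, not part of the original message: the before/after comparison of the hifnstats "input" counter shown above, written as a shell function. The counters are the ones quoted in the message; the function names, the half-of-size threshold and the plaintext size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify an openssl run as hardware- or
# software-executed from hifnstats snapshots taken before and after it.

# Print the "input" byte counter from hifnstats output on stdin; fail if absent.
hifn_input_bytes() {
    awk '$1 == "input" && $3 == "bytes" { print $2; found = 1; exit }
         END { if (!found) exit 1 }'
}

# hw_offload_verdict BEFORE AFTER SIZE
#   BEFORE, AFTER: hifnstats output text; SIZE: plaintext bytes given to openssl.
# Prints "hardware|software|unknown [delta=N]"; returns 2 when no verdict is possible.
hw_offload_verdict() {
    before=$(printf '%s\n' "$1" | hifn_input_bytes) || { echo "unknown"; return 2; }
    after=$(printf '%s\n' "$2" | hifn_input_bytes) || { echo "unknown"; return 2; }
    delta=$((after - before))
    # A counter that went backwards means a driver reload or wrap: no verdict.
    if [ "$delta" -lt 0 ]; then echo "unknown delta=$delta"; return 2; fi
    # Offloaded work pushes about SIZE bytes through the card. Requiring half of
    # SIZE ignores small deltas from unrelated users of the card (assumption).
    if [ "$delta" -ge $(($3 / 2)) ]; then
        echo "hardware delta=$delta"
    else
        echo "software delta=$delta"
    fi
}

# Counters quoted in the message above (only the "input" line is used).
A128_BEFORE='input 33061744 bytes 27580 packets
output 33061744 bytes 27580 packets'
A128_AFTER='input 62496592 bytes 34770 packets
output 62496592 bytes 34770 packets'
A256_BEFORE='input 62509488 bytes 34937 packets'
A256_AFTER='input 62510128 bytes 34947 packets'
# Assumed plaintext size; the message does not state the size of kernel.debug.
SIZE=29000000

hw_offload_verdict "$A128_BEFORE" "$A128_AFTER" "$SIZE"
hw_offload_verdict "$A256_BEFORE" "$A256_AFTER" "$SIZE"
```

On a live system the two snapshots would come from running ./hifnstats immediately before and after the openssl command, with SIZE taken from the input file.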
At 02:19 PM 13/04/2004, Michael W. Lucas wrote:
>OK, for the record I asked sam@. He says that the VPN1401 has issues
>for (at a minimum) symmetric crypto ops, but he hasn't had time to
>investigate and doesn't own a 1401, so...
>
>So, it looks like my choices are rapidly narrowing. It seems that the
>powercrypt cards are well-supported, perhaps I'll give them a call.

I think the powercrypt is based on the same HiFn chip and uses the same
driver, so it might be hit by the same bug that I am running into both on
FreeBSD and OpenBSD. Then again, it could be some issue with openssl as to
how it talks to the card. Still, there were reports by one ipsec user on
OpenBSD that they had problems with the card and IPSEC.

I would love to hear from any FreeBSD or OpenBSD user with the 1401 to see
if they can reproduce this bug.

---Mike