On 11/10/15 9:52 AM, John-Mark Gurney wrote:> My vote is to remove the HPN patches. First, the NONE cipher made more > sense back when we didn't have AES-NI widely available, and you were > seriously limited by it's performance. Now we have both aes-gcm and > chacha-poly which it's performance should be more than acceptable for > today's uses (i.e. cipher performance is 2GB/sec+).AES-NI doesn't help the absurdity of double-encrypting when using scp or rsync/ssh over an encrypted VPN, which is where NONE makes sense to use for me. -- Regards, Bryan Drewery
On Wednesday, 11 November 2015, Bryan Drewery <bdrewery at freebsd.org> wrote:> On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > My vote is to remove the HPN patches. First, the NONE cipher made more > > sense back when we didn't have AES-NI widely available, and you were > > seriously limited by it's performance. Now we have both aes-gcm and > > chacha-poly which it's performance should be more than acceptable for > > today's uses (i.e. cipher performance is 2GB/sec+). > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > for me. >I have to agree that there are cases when the NONE cipher makes sense, and it is up to the end user to make sure they know what they are doing. Personally I have used it at home to backup my old FreeBSD server (which does not have AESNI) over a dedicated network connection to a backup server using rsync/ssh. Since it was not possible for anyone else to be on that local network, and the server was so old it didn't have AESNI and would soon be retired, using the NONE cipher sped up the transfer significantly. If the patch is made easy enough to maintain (as some subsequent posts have implied), I quote the NONE cipher stays. I would even like to see it compiled in by default (but disabled in the default configuration file). That way you wouldn't need a custom compiled base to use it - just edit the config file. Regards, Ben -- -- From: Benjamin Woods woodsb02 at gmail.com
Ben Woods wrote this message on Wed, Nov 11, 2015 at 15:40 +0800:> On Wednesday, 11 November 2015, Bryan Drewery <bdrewery at freebsd.org> wrote: > > > On 11/10/15 9:52 AM, John-Mark Gurney wrote: > > > My vote is to remove the HPN patches. First, the NONE cipher made more > > > sense back when we didn't have AES-NI widely available, and you were > > > seriously limited by it's performance. Now we have both aes-gcm and > > > chacha-poly which it's performance should be more than acceptable for > > > today's uses (i.e. cipher performance is 2GB/sec+). > > > > AES-NI doesn't help the absurdity of double-encrypting when using scp or > > rsync/ssh over an encrypted VPN, which is where NONE makes sense to use > > for me. > > I have to agree that there are cases when the NONE cipher makes sense, and > it is up to the end user to make sure they know what they are doing. > > Personally I have used it at home to backup my old FreeBSD server (which > does not have AESNI) over a dedicated network connection to a backup server > using rsync/ssh. Since it was not possible for anyone else to be on that > local network, and the server was so old it didn't have AESNI and would > soon be retired, using the NONE cipher sped up the transfer significantly.If you have a trusted network, why not just use nc? -- John-Mark Gurney Voice: +1 415 225 5579 "All that I will do, has been done, All that I have, has not."
Ben Woods <woodsb02 at gmail.com> writes:> Personally I have used it at home to backup my old FreeBSD server > (which does not have AESNI) over a dedicated network connection to a > backup server using rsync/ssh. Since it was not possible for anyone > else to be on that local network, and the server was so old it didn't > have AESNI and would soon be retired, using the NONE cipher sped up > the transfer significantly.In that scenario, you don't need ssh at all. Just set up rsyncd on the backup server. DES -- Dag-Erling Sm?rgrav - des at des.no