I've got a couple of SPARCstation 2s (about as fast as a fast 486, for most things) that I'm going to be using for some testing. I realize that these machines are a bit slow, but when connecting via OpenSSH, it's MUCH slower than connecting to my 486-DX 50. The point where it waits is just after "debug: Sent encrypted session key.". The pause is for about 10 seconds, while when connecting to the 486 the pause is barely noticeable. All machines are using 3des as the encryption type. So, I've got a few questions.

First, why is this machine SO much slower than my 486? Crappy compiler (linux is compiled using egcs 1.1.2 and the OpenSSH box is using ssl-2.6-USA, installed when I did my OpenBSD install)?

Second, would I be better off using another encryption algorithm? If so, which one? These machines are just my toys, not commercial in any way. What are the pros and cons? (RTFM links appreciated)

Third, what can I do to help "fix" this slowness?

Later, and thanks,
Greg

|---------------------------------------------------|
| Windows NT has detected that there were no errors |
| for the past 10 minutes. The system will now try  |
| to restart or crash. Click the OK button to       |
| continue.                                         |
|                      < Ok >                       |
|---------------------------------------------------|
(sigline nicked from Jayan M on comp.os.linux.misc)

On Thu, 10 Aug 2000, Gregory Leblanc wrote:

> I've got a couple of SPARCstation 2s (about as fast as a fast 486, for most
> things) that I'm going to be using for some testing. I realize that these
> machines are a bit slow, but when connecting via OpenSSH, it's MUCH slower
> than connecting to my 486-DX 50. The point where it waits is just after
> "debug: Sent encrypted session key.". The pause is for about 10 seconds,
> while when connecting to the 486 the pause is barely noticeable. All
> machines are using 3des as the encryption type. So, I've got a few
> questions.
> First, why is this machine SO much slower than my 486? Crappy compiler
> (linux is compiled using egcs 1.1.2 and the OpenSSH box is using
> ssl-2.6-USA, installed when I did my OpenBSD install)?

This sounds like DNS problems - the server may be trying to resolve the
client's hostname from its IP address? If the client does not have an
in-addr.arpa address or an entry in the hosts file then this can take
a while to timeout.

> Second, would I be better off using another encryption algorithm? If so,
> which one? These machines are just my toys, not commercial in any way.
> What are the pros and cons? (RTFM links appreciated)
> Third, what can I do to help "fix" this slowness?

3des is slow and secure (due to many years of review and attacks)
blowfish is faster, but not as well examined

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

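An added example, not part of the original thread and not OpenSSH code: one way to test the DNS explanation suggested above is to time, on the server, the reverse lookup of the client's address followed by the forward lookup of the returned name, and compare the total with the observed pause. The function names, the 15-second timeout and the 0.5 share threshold are assumptions of this example.

```python
import socket
import sys
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout


def timed(fn, arg, timeout):
    """Run fn(arg) in a worker thread; return (status, value, seconds)."""
    pool = ThreadPoolExecutor(max_workers=1)
    start = time.monotonic()
    try:
        value = pool.submit(fn, arg).result(timeout=timeout)
        status = "ok"
    except FutureTimeout:
        value, status = None, "timeout"
    except OSError:  # socket.herror / socket.gaierror: no record found
        value, status = None, "not-found"
    finally:
        pool.shutdown(wait=False)  # do not block on a resolver that hangs
    return status, value, time.monotonic() - start


def check_client_dns(addr, reverse=socket.gethostbyaddr,
                     forward=socket.gethostbyname_ex, timeout=15.0):
    """Time the PTR lookup for addr, then the forward lookup of the name."""
    r_status, r_val, r_secs = timed(reverse, addr, timeout)
    report = {"reverse": r_status, "name": None, "confirmed": False,
              "seconds": r_secs}
    if r_status != "ok":
        return report
    report["name"] = r_val[0]
    f_status, f_val, f_secs = timed(forward, r_val[0], timeout)
    report["forward"] = f_status
    report["seconds"] += f_secs
    # The name is confirmed only if it maps back to the same address.
    report["confirmed"] = f_status == "ok" and addr in f_val[2]
    return report


def dns_explains_pause(report, observed_pause, share=0.5):
    """True when name resolution accounts for at least `share` of the pause."""
    return report["seconds"] >= observed_pause * share


if __name__ == "__main__":
    # Usage: python dnscheck.py <client-ip> <observed-pause-seconds>
    rep = check_client_dns(sys.argv[1])
    print(rep, "DNS explains pause:", dns_explains_pause(rep, float(sys.argv[2])))
```

Run it on the machine that accepts the connection, passing the client's IP address and the pause seen after "Sent encrypted session key."; a total of well under a second against a 10-second pause points away from DNS.
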
> -----Original Message-----
> From: R P Herrold [mailto:herrold at owlriver.com]
> Sent: Monday, August 14, 2000 5:50 PM
> To: Damien Miller
> Cc: Gregory Leblanc; OpenSSH List (E-mail)
> Subject: Re: slow sparc questions
>
> On Tue, 15 Aug 2000, Damien Miller wrote:
>
> > > "debug: Sent encrypted session key.". The pause is for about 10 seconds,
> <snip>
> > > First, why is this machine SO much slower than my 486?
> >
> > This sounds like DNS problems - the server may be trying to resolve the
> > client's hostname from its IP address? If the client does not have an
> > in-addr.arpa address or an entry in the hosts file then this can take
> > a while to timeout.
>
> ... well, no - not it's not DNS related ... even with the
> prior non-OpenSSH, connects with a fully functioning DNS
> (forward and reverse) can only be described as 'glacier-like'
> in their startup on a Sparc 2 -- I stripped almost ALL
> services, spare consoles, turned off the inetd - everything,
> and _still_ cannot get reasonable throughput. I had assumed
> that the math processing was not up to par.

I'll double check things with DNS, but I'm not convinced, yet. :-)

[several hours pass]

Ok, I got back to check on things, DNS is properly configured, things haven't changed. Which end of the connection were you talking about doing a reverse lookup, the server (SPARCstation2) or the client (some other machine)? My SS2 should have been able to handle lookups fine, I had hosts properly configured. I've added the SS2 to my DNS server, but that hasn't made any difference.

Drifting off-topic slightly, here are some SPEC numbers from relative machines.

System        CPU   BUS   Cache     SPECint  SPECfp  Info
              MHz   MHz   Int/Ext   92       92      Date
SS2           40    20    64        21.8     22.8    Oct92
Intel 486DX   50    50    8/256     30.1     14.0    Oct92
Intel 486DX2  66    33    8/256     32.4     16.1    Sep92
Pentium       60    60    8/256     70.4     55.1    Mar95

I've got an SS2, and a 486DX 50. Somehow, it doesn't seem that there is that big of a difference. However, just for reference, I've used the P60 systems, and compared them with similar 486 DX2 66 systems, and the 486's "felt" faster.

> I have not recently tried an install of openssh/openssl (I
> thought I filed a private bugreport with Damien, but don't
> have a copy on the host I am at) -- it died during compile
> perhaps 6 months ago -- I'll retry and run some time trials.

Hmm, I don't compile things on my SS2, instead I use my dual proc SS20. There is a patch for the RPM that makes it work properly on S/Linux, but I don't know if that was your test platform or not.

Thanks,
Greg