Re: Hifn 7955/7956 crypto accelerator questions

From: Nicolas Blais <nb_root_at_videotron.ca>
Date: Tue, 31 Oct 2006 23:25:59 -0500

On Tuesday 31 October 2006 23:00, Mike Tancsa wrote:
> At 04:29 PM 10/31/2006, Nicolas Blais wrote:
> >Hi,
> >
> >I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461
> > (hifn 7956) to do some performance tests in a military environment with
> > FreeBSD systems. Since this is a big project and I don't want to jump in
> > something destined to fail, I'll ask your expertise.
>
> Yes, regardless of what you read, you would want to test it
> first.  So for sure I would recommend you order a couple of Soekris
> boxes and test! test! test! :)

Well they are cheap, I think I'll try it even if I do not get the expected result.

>
> >1. After searching the mailing lists for reports of performance with
> > openssl and crypto accelerators, I did not find anything that showed an
> > increase in performance with the cards (though some posts date back to
> > FBSD4.8). Does openssl today make correct use of the crypto hardware?
>
> OpenSSL and FAST_IPSEC will make use of it for sure.  However, there
> is a fair bit of overhead to offload the calculations from
> userland.  Generally, you won't see much of an improvement (if any) on
> a modern fast CPU with a single stream.  The place I find where a
> crypto card really helps with ssh is where you have multiple streams
> coming in at the same time.  For us, it's a big help for our backup
> server to keep the cpu load down to a reasonable level when we have a
> dozen or so dumps and tars coming in over ssh all at once.  Even with
> just 3 or 4, it makes a difference for cpu utilization and overall
> throughput.

We are usually just using 1 stream per transfer session per host, but the server could be getting multiple streams. Perhaps it could help the server.

>
> >2. From what I understand, ssh is supposed to increase in performance with
> >those cards. Assuming two FreeBSD computers with crypto accelerators are
> >transferring big files (say sftp) in a cipher that the card and driver
> >supports, would the transfer rate be at or near clear-text speed (in a
> >100mbps link)?
>
> On a Soekris?  100Mb, I doubt it.  Not sure what speeds you would
> get, but you should try it and see if it would meet your needs

They do claim 500mbps throughput for the vpn1461 and 250mbps for the vpn1401. Then again, this remains to be proven :). 

Currently, on a 100mbps link, an scp transfer between two computers uses ~4mbps. Transferring huge files (>GB) takes a very long time and even if I could only double the rate to ~8mbps, the time saved would still be worth it (say 15min instead of 30min for a ~1GB). The goal would be to use the maximum bandwidth available.

>
> >3. How does GEOM_ELI use crypto hardware to accelerate working with
> >encrypted partitions? Again, with big file systems, would a gain in
> >performance be noticeable?
>
> Through the crypto(4) framework.  Something like a VIA C3 or C7 might
> give you better results here. I think pjd_at_freebsd.org (the author of
> geli) posted some numbers a while back when he created the padlock
> driver for the crypto framework.  Although I really like the Soekris
> products, (they are rock solid reliable) if you really need more
> crypto performance, take a look at something based on the VIA C3 or
> C7 chips.  You can get some very fast AES encryption and there is
> very good FreeBSD support both through the padlock crypto driver as
> well as through openssl
>
> e.g.
> openssl speed -evp aes-256-ecb
>
> The 'numbers' are in 1000s of bytes per second processed.
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k
> aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k
>
>
> The "slow" numbers are from an Intel Core DUO, 6400 @ 2.13GHz. The
> fast #s are from a C3 embedded board we use by Commell.
> CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)
>

Wow that is surprisingly fast! I just tried a test myself:
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-ecb      43367.29k    45096.90k    45855.74k    46049.83k    46084.44k
CPU: AMD Athlon(tm) 64 Processor 3000+ (2493.04-MHz 686-class CPU)

These systems (and numbers!) look nice, unfortunately I have to stay out of the embedded :(

Nicolas.
-- 
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006     nicblais_at_clk01a:/usr/obj/usr/src/sys/CLK01A 
PGP? : http://www.clkroot.net/security/nb_root.asc

Received on Wed Nov 01 2006 - 03:26:09 UTC
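
Added example, not part of the original message or of OpenSSL: a small Python script that parses the two `openssl speed -evp aes-256-ecb` rows quoted in the thread and reports how the gap between them changes with block size. The function names are hypothetical; the row values are copied from the message above.

```python
"""Compare two `openssl speed -evp` result rows block size by block size."""
import re

# Rows quoted in the message above (values in 1000s of bytes per second).
HEADER = "type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes"
CORE_DUO = "aes-256-ecb      42023.12k    44053.24k    44642.50k    44622.43k    44814.01k"
VIA_C3 = "aes-256-ecb      37529.17k   142774.72k   390269.36k   678968.25k   870247.80k"


def parse_header(line):
    """Return the block sizes (in bytes) named in the header line."""
    return [int(n) for n in re.findall(r"(\d+) bytes", line)]


def parse_row(line):
    """Return (cipher, [throughput in kB/s, ...]) for one result row."""
    fields = line.split()
    if len(fields) < 2 or not all(f.endswith("k") for f in fields[1:]):
        raise ValueError(f"not an openssl speed result row: {line!r}")
    return fields[0], [float(f[:-1]) for f in fields[1:]]


def speedup(header, baseline, candidate):
    """Map block size -> candidate/baseline throughput ratio."""
    sizes = parse_header(header)
    name_a, base = parse_row(baseline)
    name_b, cand = parse_row(candidate)
    if name_a != name_b:
        raise ValueError("rows are for different ciphers")
    if not (len(sizes) == len(base) == len(cand)):
        raise ValueError("column count mismatch")
    return {s: c / b for s, b, c in zip(sizes, base, cand)}


def megabits_per_second(kbytes_per_second):
    """Convert openssl's 1000s-of-bytes/s figure to Mbit/s."""
    return kbytes_per_second * 1000 * 8 / 1e6


if __name__ == "__main__":
    for size, ratio in speedup(HEADER, CORE_DUO, VIA_C3).items():
        print(f"{size:5d}-byte blocks: {ratio:6.2f}x")
```

These are raw cipher benchmark figures; they do not by themselves predict scp or sftp transfer rates.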

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:02 UTC