Thanks Ivan,

        You have some valid points about performance. I was hoping not to get 
distracted from the main thrust of my question by performance considerations 
though.

        Are there PCIe attachable crypto co-processors with current vendor 
support for FreeBSD8.x?  If anyone else reading this thread wants to chime in 
with info about current supported crypto co-processors that plug in via PCIe, 
please drop a note.


        However, I think you do deserve a reply on the performance topic...

        I am close enough to agreeing with you to not argue much about whether 
modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am 
currently married to (a touch old but not that bad) seems to be able to 
throw around 200Mb of IP-ESP data around. However, in spite of these 
observations, I would prefer if my system could handle that throughput load and 
yet have CPU power left over for other tasks.

        I'm very attracted to Andre's mention of "newer x86/amd64 CPU's see:
  http://en.wikipedia.org/wiki/AES_instruction_set". Does anyone know if 
FreeBSD supports or will support this through either /dev/crypto or through 
openssl (or any other mechanism I guess)?




---
Ricky Charlet
Adara Networks
USA 408-433-4942






-----Original Message-----
From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-...@freebsd.org] On 
Behalf Of Ivan Voras
Sent: Friday, September 03, 2010 2:49 AM
To: freebsd-net@freebsd.org
Cc: freebsd-secur...@freebsd.org
Subject: Re: seeking current supported crypto co-processors

On 09/03/10 02:35, Ricky Charlet wrote:
> Howdy,
>     <this message is cross-posted in freebsd-security and freebsd-net>
>
>          I'm seeking current cryptographic coprocessors supported in FreeBSD 
> 8.x.  By perusing through the crypto-dev (and subsequently referenced) man 
> page(s) I found this list:
> Hifn 7751/7951/7811/7955/7956 crypto accelerator
> SafeNet 1141/1741
> Bluesteel 5501/5601
> Broadcom bcm5801/5802/5805/5820/5821/5822/5823/5825
>
>          Those are all pretty old (and in some cases, no longer existent). 
> I'm surveying these lists to see if anyone knows of more modern chips working 
> with FreeBSD 8.x. Or if you feel some chip on the list above is up to the 
> task of near about 1 Gb throughput across a PCIe and has friendly vendor 
> support for FreeBSD, I'd sure like to hear about that too.
>

I'm not saying they are useless but are you really sure you need them?
Even on the last generation of CPUs without AES instructions you can
easily get 125 MB/s of AES-128 encryption and 300 MB/s of RC4 per CPU
core, so even one core can saturate a 1 Gbit/s link. You can set up a
cheap box to be an SSL proxy in front of the real web servers to offload SSL.


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"