Hi Chuck,

Thanks for the response.

> > Or is it still worthwhile to consider hardware accelerators such as the
> > ones guys like soekris [1] and others offer? Does anyone have an idea "how
> > much" such an accelerator may help on older vs. on newer hardware?
>
> Something like a 1GHz P3 or equivalent can generally do the symmetric
> crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus
> limitations made faster CPUs better, although a newer PCIe crypto device
> ought to be more competitive.
>
> What matters more for some common use cases is that crypto H/W tends to do
> asymmetric crypto like RSA/DSA signing to negotiate a shared session key--
> aka SSL session creation for SSL websites, secure email, SSH keys, etc
> much faster than normal CPUs could.

I guess I try first without and see where I hit the ceiling. Then go to plan b. I was more thinking of many IPSEC connections but then there's also only so many slots and so many NICs in them. I'll try without and monitor that for a while and then see what happens.

> > Would multiple engines work (and help) at all? From crypto(4), I would
> > not guess so. One consequence would be that there may be certain limitations
> > in using a separate accelerator once the platform comes with its own
> > accelerator device?
>
> Sure, you can setup multiple engines, although this does better if you
> have separate services using each, since you do want to use an SSL session
> cache, but you don't want to pollute one for HTTPS with sessions from IMAPS
> and vice versa. Also, the config interface for Apache/IIS/whatever, or
> Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine.
>
> On the other hand, it's not very much coding to adjust things to use
> multiple engines even within Apache or whatever-- I can recall some custom
> webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use
> multiple CryptoSwift boxes via ethernet network or local PCI slots, for
> example.

Hmm...
I was thinking more like round-robin the devices but I probably know too little about 'serious' crypto to see the side-effects. Anyways, I think the question is a bit academic at this time since I probably divide the servers anyways.

Thanks again,

All the best regards,
Peter.