Hifn 7955/7956 crypto accelerator questions
Mike Tancsa
mike at sentex.net
Wed Nov 1 03:58:53 UTC 2006
At 04:29 PM 10/31/2006, Nicolas Blais wrote:
>Hi,
>
>I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
>7956) to do some performance tests in a military environment with FreeBSD
>systems. Since this is a big project and I don't want to jump in something
>destined to fail, I'll ask your expertise.
Yes, regardless of what you read, you would want to test it
first. So for sure I would recommend you order a couple of Soekris
boxes and test! test! test! :)
>1. After searching the mailing lists for reports of performance with openssl
>and cryptop accelerators, I did not find anything that showed an increase in
>performance with the cards (though some posts date back to FBSD4.8). Does
>openssl today make correct use of the crypto hardware?
OpenSSL and FAST_IPSEC will make use of it for sure. However, there
is a fair bit of overhead to offload the calculations from
userland. Generally, you wont see much of an improvement (if any) on
a modern fast CPU with a single stream. The place I find where a
crypto card really helps with ssh is where you have multiple streams
coming in at the same time. For us, its a big help for our backup
server to keep the cpu load down to a reasonable level when we have a
dozen or so dumps and tars coming in over ssh all at once. Even with
just 3 or 4, it makes a difference for cpu utilization and overall throughput.
>2. From what I understand, ssh is supposed to increase in performance with
>those cards. Assuming two FreeBSD computers with crypto accelerators are
>transfering big files (say sftp) in a cipher that the card and driver
>supports, would the transfer rate be at or near clear-text speed (in a
>100mbps link)?
On a soekris ? 100Mb, I doubt it. Not sure what speeds you would
get, but you should try it and see if it would meet your needs
>3. How does GEOM_ELI uses crypto hardware to accelerate working with
>encrypted
>partitions? Again, with big file systems, would a gain in performance be
>noticeable?
Through the crypto(4) framework. Something like a VIA C3 or C7 might
give you better results here. I think pjd at freebsd.org (the author of
geli posted some numbers a while back when he created the padlock
driver for the crypto framework. Although I really like the Soekris
products, (they are rock solid reliable) if you really need more
crypto performance, take a look at something based on the via C3 or
C7 chips. You can get some very fast AES encryption and there is
very good FreeBSD support both through the padlock crypto driver as
well as through openssl
e.g.
openssl speed -evp aes-256-ecb
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-ecb 42023.12k 44053.24k 44642.50k 44622.43k 44814.01k
aes-256-ecb 37529.17k 142774.72k 390269.36k 678968.25k 870247.80k
The "slow" numbers are from an Intel Core DUO, 6400 @ 2.13GHz. The
fast #s are from an C3 embedded board we use by Commell.
CPU: VIA C3 Nehemiah+RNG+ACE (796.77-MHz 686-class CPU)
---Mike
More information about the freebsd-current
mailing list