multiple crypto accelerator cards in one FreeBSD box

Marc Bevand bevand_m at epita.fr
Fri Feb 18 11:41:18 PST 2005


sekchye goh wrote:
| Hi there!
|  we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
| version VPN1401 cards in a FreeBSD box using hifn support.
|  From the technical specs in Soekris website
| http://www.soekris.com/vpn1401.htm,
| each card can support 24 to 70 connections.  The question is if we
| put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
| 3 x (24 to 70) IPSEC connections ?

No, the 24 or 70 figure refers to the number of new connections per
second (where each new connection involves 1 sign or verify public
key operation; such operations are usually the bottleneck).

But if you want something really fast, and if you can spend another
couple of hundreds of dollars on the motherboard/CPU, do the crypto in
software, it will be faster than a hardware solution using those Soekris
vpn14x1 cards.

According to their tech specs, the highest throughput they support while
doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can
encrypt with RC4 at 2500 Mbps. As an example, this means you can choose
to limit the throughput to 1250 Mbps, and keep 50% of your CPU time for
other applications, or just add a second CPU to your system. A 2.2 GHz
Opteron (x48) scales to 3100 Mbps, a 2.6 GHz one (x52) would scale to
3700 Mbps.

The performance/price ratio depends on which CPU and which crypto card
are compared, sometimes the hardware solution has the advantage, sometimes
it's the software solution.

The downside of the software solution is that some algorithms are quite
slow (DES), while others are blazing fast (RC4, MD5). Depending on your
security requirements, this may be a problem, or not.

-- 
Marc Bevand                              http://epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
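The sizing arithmetic in the reply above (per-CPU software ceiling versus per-card ceiling, CPU share left over at a chosen line rate, and the per-second new-connection cap that multiplies with card count) as an added worked example; this is not code from the mail or from Soekris. It measures this host's own single-core software rate with hashlib (MD5 and SHA-256, the primitives the standard library offers; the RC4/DES figures in the mail cannot be reproduced without extra packages) and then applies the reply's planning steps to constructed numbers. Function names and all sample inputs are assumptions made here.

```python
"""Added example, not from the original mail: capacity planning for a
software-crypto VPN box versus a stack of accelerator cards.

All numeric inputs passed to the functions below are constructed for
illustration; the only measured value is the local hashlib throughput.
"""
import hashlib
import math
import time


def measure_digest_mbps(algorithm: str, total_mib: int = 64, chunk_kib: int = 64) -> float:
    """Hash `total_mib` MiB of constant data and return the rate in Mbit/s.

    Runs on a single core, so the result is a per-core software ceiling,
    the same kind of figure the reply quotes per Opteron.
    """
    chunk = b"\x5a" * (chunk_kib * 1024)
    iterations = (total_mib * 1024 * 1024) // len(chunk)
    h = hashlib.new(algorithm)
    start = time.perf_counter()
    for _ in range(iterations):
        h.update(chunk)
    h.digest()
    elapsed = time.perf_counter() - start
    bits = iterations * len(chunk) * 8
    return bits / elapsed / 1e6


def cpu_share_needed(target_mbps: float, peak_mbps: float) -> float:
    """Fraction of one CPU consumed at `target_mbps` when it saturates at `peak_mbps`.

    Assumes throughput scales linearly with CPU time, which is the assumption
    the reply makes when it halves 2500 Mbps to keep 50% of the CPU free.
    """
    if peak_mbps <= 0:
        raise ValueError("peak rate must be positive")
    return target_mbps / peak_mbps


def max_new_connections_per_second(cards: int, per_card_rate: int) -> int:
    """Aggregate connection-setup rate for `cards` accelerators.

    The reply's point: the 24..70 figure per card is new connections per
    second (one public-key sign/verify each), so only that number, not the
    total connection count, multiplies with the number of cards.
    """
    return cards * per_card_rate


def cards_needed_for_throughput(target_mbps: float, per_card_mbps: float) -> int:
    """Smallest number of cards whose combined encrypt rate reaches `target_mbps`."""
    if per_card_mbps <= 0:
        raise ValueError("per-card rate must be positive")
    return math.ceil(target_mbps / per_card_mbps)


if __name__ == "__main__":
    # Constructed planning inputs: card figures as quoted in the mail,
    # target rates chosen for illustration.
    card_mbps = 460          # per-card encrypt ceiling quoted in the reply
    card_new_conn = 70       # upper end of the 24..70 new connections/s figure
    target_mbps = 1000       # hypothetical required line rate

    print("cards for %d Mbps: %d" % (target_mbps, cards_needed_for_throughput(target_mbps, card_mbps)))
    print("3 cards, new connections/s: %d" % max_new_connections_per_second(3, card_new_conn))

    for algo in ("md5", "sha256"):
        peak = measure_digest_mbps(algo, total_mib=32)
        share = cpu_share_needed(target_mbps, peak)
        print("%-7s %8.0f Mbps/core -> %d Mbps costs %.0f%% of one core"
              % (algo, peak, target_mbps, share * 100))
```

The measured numbers are a ceiling for one hashing primitive on one core, not a full IPsec datapath (no cipher, no packet handling, no interrupt load), so treat the CPU share as the lower bound on what the box will actually spend.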


More information about the freebsd-security mailing list