seeking current supported crypto co-processors

Ricky Charlet RCharlet at adaranet.com
Fri Sep 3 21:27:08 UTC 2010


Thanks Ivan,

        You have some valid points about performance. I was hoping not to get distracted from the main thrust of my question by performance considerations though.

        Are there PCIe attachable crypto co-processors with current vendor support for FreeBSD 8.x?  If anyone else reading this thread wants to chime in with info about current supported crypto co-processors that plug in via PCIe, please drop a note.


        However, I think you do deserve a reply on the performance topic...

        I am close enough to agreeing with you to not argue much about whether modern CPU parts can saturate a 1 Gb link with crypto data. The CPU part I am currently married to (a touch old but not that bad) seems to be able to throw around 200Mb of IP-ESP data around. However, in spite of these observations, I would prefer if my system could handle that throughput load and yet have CPU power left over for other tasks.

        I'm very attracted to Andre's mention of "newer x86/amd64 CPU's see:
  http://en.wikipedia.org/wiki/AES_instruction_set". Does anyone know if FreeBSD supports or will support this through either /dev/crypto or through openssl (or any other mechanism I guess)?




---
Ricky Charlet
Adara Networks
USA 408-433-4942






-----Original Message-----
From: owner-freebsd-net at freebsd.org [mailto:owner-freebsd-net at freebsd.org] On Behalf Of Ivan Voras
Sent: Friday, September 03, 2010 2:49 AM
To: freebsd-net at freebsd.org
Cc: freebsd-security at freebsd.org
Subject: Re: seeking current supported crypto co-processors

On 09/03/10 02:35, Ricky Charlet wrote:
> Howdy,
>     <this message is cross-posted in freebsd-security and freebsd-net>
>
>          I'm seeking current cryptographic coprocessors supported in FreeBSD 8.x.  By perusing through the crypto-dev (and subsequently referenced) man page(s) I found this list:
> Hifn 7751/7951/7811/7955/7956 crypto accelerator
> SafeNet 1141/1741
> Bluesteel 5501/5601
> Broadcom bcm5801/5802/5805/5820/5821/5822/5823/5825
>
>          Those are all pretty old (and in some cases, no longer existent). I'm surveying these lists to see if anyone knows of more modern chips working with FreeBSD 8.x. Or if you feel some chip on the list above is up to the task of near about 1 Gb throughput across a PCIe and has friendly vendor support for FreeBSD, I'd sure like to hear about that too.
>

I'm not saying they are useless but are you really sure you need them?
Even on the last generation of CPUs without AES instructions you can
easily get 125 MB/s of AES-128 encryption and 300 MB/s of RC4 per CPU
core, so even one core can saturate a 1 Gbit/s link. You can set up a
cheap box to be an SSL proxy in front of the real web servers to offload SSL.

