Hifn 7955/7956 crypto accelerator questions
Nicolas Blais
nb_root at videotron.ca
Tue Oct 31 21:29:40 UTC 2006
Hi,
I'm looking to get a couple of Soekris vpn1401 (hifn 7955) or vpn1461 (hifn
7956) to do some performance tests in a military environment with FreeBSD
systems. Since this is a big project and I don't want to jump in something
destined to fail, I'll ask your expertise.
1. After searching the mailing lists for reports of performance with openssl
and crypto accelerators, I did not find anything that showed an increase in
performance with the cards (though some posts date back to FBSD4.8). Does
openssl today make correct use of the crypto hardware?
2. From what I understand, ssh is supposed to increase in performance with
those cards. Assuming two FreeBSD computers with crypto accelerators are
transferring big files (say sftp) in a cipher that the card and driver
supports, would the transfer rate be at or near clear-text speed (in a
100mbps link)?
3. How does GEOM_ELI use crypto hardware to accelerate working with encrypted
partitions? Again, with big file systems, would a gain in performance be
noticeable?
4. Also, it seems that asymmetric crypto support is not yet implemented in the
hifn driver (according to the man page). Is it safe to assume that pgp will
not be accelerated? Any plans to support it? (perhaps this is an OpenBSD
question...)
The whole idea is to reduce conversion and transfer time with highly
sensitive, huge files (> 1 GB, sometimes near 10 GB). We currently use
commercial software compatible with PGP, but there are security and
logistical issues with it (the commercial software, not PGP). Encrypting a
2GB file with PGP, even on a modern machine, takes a long time. I've done
tests with geli and am so far satisfied with it, but it is a storage
encryption and doesn't allow us to safely transfer data unless we physically
transfer the disk or use ssh. With geli, you also have to make sure that the
created partition is only readable/writeable by the user you want access
allowed to, which reduces the total security of the information due to human
negligence.
Nicolas.
--
FreeBSD 7.0-CURRENT #9: Tue Oct 31 15:44:23 EST 2006
nicblais at clk01a:/usr/obj/usr/src/sys/CLK01A
PGP? : http://www.clkroot.net/security/nb_root.asc