'Serious' crypto? (was: FreeBSD router - large scale)

Peter Cornelius pcc at gmx.net
Fri May 28 08:06:34 UTC 2010


Hi Chuck,

Thanks for the response.

> > Or is it still worthwhile to consider hardware accelerators such as the
> ones guys like soekris [1] and others offer? Does anyone have an idea "how
> much" such an accelerator may help on older vs. on newer hardware?
> 
> Something like a 1GHz P3 or equivalent can generally do the symmetric
> crypto about as fast as a decent PCI crypto card like the HiFN 795x could; bus
> limitations made faster CPUs better, although a newer PCIe crypto device
> ought to be more competitive.
> 
> What matters more for some common use cases is that crypto H/W tends to do
> asymmetric crypto like RSA/DSA signing to negotiate a shared session key--
> aka SSL session creation for SSL websites, secure email, SSH keys, etc
> much faster than normal CPUs could.

I guess I'll try first without and see where I hit the ceiling, then go to plan B. I was more thinking of many IPSEC connections, but then there are also only so many slots and so many NICs in them. I'll try without and monitor that for a while and then see what happens.

> > Would multiple engines work (and help) at all? From crypto(4), I would
> not guess so. One consequence would be that there may be certain limitations
> in using a separate accelerator once the platform comes with its own
> accelerator device?
> 
> Sure, you can setup multiple engines, although this does better if you
> have separate services using each, since you do want to use an SSL session
> cache, but you don't want to pollute one for HTTPS with sessions from IMAPS
> and vice versa.  Also, the config interface for Apache/IIS/whatever, or
> Dovecot/Cyrus/Exchange, etc might not let you specify more than one SSLEngine.
> 
> On the other hand, it's not very much coding to adjust things to use
> multiple engines even within Apache or whatever-- I can recall some custom
> webserver modules from CryptoSwift for NSAPI / ISAPI / ASAPI which let you use
> multiple CryptoSwift boxes via ethernet network or local PCI slots, for
> example.

Hmm... I was thinking more like round-robin the devices, but I probably know too little about 'serious' crypto to see the side effects. Anyway, I think the question is a bit academic at this time since I'll probably divide the servers anyway.

Thanks again,

All the best regards,

Peter.
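One way to do the "try without and see where I hit the ceiling" measurement before buying an accelerator, as an added example that is not part of the original thread: time the per-packet cost of symmetric work against the cost of one private-key modular exponentiation (the dominant cost of the RSA signing Chuck mentions for session setup) and turn both into a rough throughput and handshake ceiling for one core. The stand-ins are assumptions: HMAC-SHA256 over a 1500-byte packet models the per-packet symmetric path, a 2048-bit modexp with a full-size exponent models an RSA private-key operation, and the modulus is a random odd number rather than a real key, since the cost of `pow()` does not depend on the factors. The `cpu_share` budget is a constructed default, not a measured figure.

```python
"""Rough capacity estimate: symmetric bulk crypto vs. asymmetric handshake cost.

Added illustration; the numbers it prints depend on the machine it runs on.
"""
import hashlib
import hmac
import os
import time

# Constructed inputs (assumption): one 1500-byte packet and a 256-bit MAC key
# stand in for per-packet symmetric work; a 2048-bit modulus and full-size
# exponent stand in for an RSA private-key operation. Not a real key.
PACKET = os.urandom(1500)
KEY = os.urandom(32)
MODULUS = int.from_bytes(os.urandom(256), "big") | (1 << 2047) | 1
EXPONENT = int.from_bytes(os.urandom(256), "big") | 1
BASE = int.from_bytes(os.urandom(256), "big") % MODULUS


def time_per_op(func, iterations):
    """Average wall-clock seconds per call of func over `iterations` calls."""
    start = time.perf_counter()
    for _ in range(iterations):
        func()
    return (time.perf_counter() - start) / iterations


def symmetric_op():
    """Per-packet symmetric work: one HMAC-SHA256 over the packet."""
    return hmac.new(KEY, PACKET, hashlib.sha256).digest()


def asymmetric_op():
    """One 2048-bit modular exponentiation, the core of an RSA private op."""
    return pow(BASE, EXPONENT, MODULUS)


def measure(sym_iters=2000, asym_iters=20):
    """Measure both costs on this machine and return seconds per operation."""
    return {
        "sym_s_per_packet": time_per_op(symmetric_op, sym_iters),
        "asym_s_per_op": time_per_op(asymmetric_op, asym_iters),
    }


def capacity(sym_s_per_packet, asym_s_per_op, packet_bytes=1500, cpu_share=0.5):
    """Convert per-op costs into a ceiling for one core.

    cpu_share is the fraction of the core the crypto path may consume
    (constructed default of 50%; the rest is left for forwarding, logging
    and everything else). The ratio packets_per_handshake shows how many
    bulk packets cost the same CPU time as a single handshake signature,
    which is where an accelerator that offloads RSA pays off first.
    """
    packets_per_s = cpu_share / sym_s_per_packet
    handshakes_per_s = cpu_share / asym_s_per_op
    return {
        "symmetric_mbit_per_s": packets_per_s * packet_bytes * 8 / 1e6,
        "handshakes_per_s": handshakes_per_s,
        "packets_per_handshake": asym_s_per_op / sym_s_per_packet,
    }


if __name__ == "__main__":
    costs = measure()
    ceiling = capacity(costs["sym_s_per_packet"], costs["asym_s_per_op"])
    print("symmetric:  %.1f us/packet" % (costs["sym_s_per_packet"] * 1e6))
    print("asymmetric: %.2f ms/op" % (costs["asym_s_per_op"] * 1e3))
    print("ceiling at 50%% of one core: ~%.0f Mbit/s bulk, ~%.0f handshakes/s"
          % (ceiling["symmetric_mbit_per_s"], ceiling["handshakes_per_s"]))
    print("one handshake costs as much as ~%.0f packets"
          % ceiling["packets_per_handshake"])
```

Run it on the box in question and compare the handshake figure against the expected rate of new IPsec SAs or TLS sessions; if that number is the one that falls short, a card that offloads the asymmetric operations is the relevant fix, whereas a bulk-throughput shortfall points at the CPU or bus instead.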