'Serious' crypto?
Matthew Seaman
m.seaman at infracaninophile.co.uk
Fri May 28 08:48:04 UTC 2010
On 28/05/2010 09:20:11, Peter Cornelius wrote:
>> > Yes -- in many use cases this is true. Modern processors are fast
>> > enough that they don't need an external accelerator to perform. It
>> > doesn't mean that running crypto imposes *no* extra cost on a server.
>> > For instance, a web server running HTTP will (roughly speaking) be able
>> > to support an order of magnitude more simultaneous sessions than the
>> > same site served over HTTPS.
> And a hardware crypto device will level HTTPS to the HTTP volume
> without it?
Probably. The usual approach with HTTPS once traffic levels get big
enough is crypto-offload. You use a separate device as the crypto
endpoint: typically built into a load balancer. You can do this using a
PF based firewall using relayd(8) for a lot less money, and in this case
one crypto accelerator card in your firewall could support several
webservers behind it.
>> > Also, if you need really high volume crypto traffic throughput (multiple
>> > Gb/s levels), then yes, you will need specialised hardware. However, in
>> > this case, you're likely to be using pretty fancy routers (Cisco,
>> > Juniper, etc.) and those all have options for hardware acceleration
>> > built into interface cards.
> Yes, I know the Ciscos very well but currently the Junipers look
> more appropriate to me for one application we have. The Junipers
> probably go outside the ASAs inside.
Heh. When I said 'pretty fancy kit' I meant something considerably more
*shiny* than a Cisco ASA5510. In fact, running OpenBSD on a commodity
server is roughly performance compatible with a 5510 but considerably
cheaper if you want all the trimmings like high-availability, unlimited
numbers of servers, GB on all interfaces etc.
Note that ASA5510 level kit tends to do things like deep packet
inspection, content based filtering etc. [Not to mention fubar'ing EDNS0
and screwing with SMTP so hard it breaks.] PF itself is purely based on
dealing with packet headers: however you can easily add things like
squid caching and filtering, snort etc. but these will ramp up the CPU
requirements beyond what a small appliance could support.
> My reason for the post was considering more another 'quiet' and
> 'lowpower' project I have, so that's probably a completely different
> pair of shoes. I'll try without first and then see what comes out of
> it.
Commodity servers certainly don't fulfil the "quiet" requirement. Most
of them have enough fannage to build a fairly respectable hovercraft.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew at infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
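As an added illustration of the crypto-offload arrangement described above (not a configuration from the thread or from the relayd project), a minimal relayd.conf that terminates TLS on the PF firewall and forwards plaintext HTTP to a table of web servers behind it. All addresses are constructed placeholders, and the syntax follows current relayd.conf(5); older releases spelled the `tls` keyword `ssl`.

```conf
# relayd.conf: TLS termination on the firewall, plain HTTP to the backends.
# Addresses are placeholders (RFC 5737 / RFC 1918), not real hosts.
ext_addr = "192.0.2.10"
table <webhosts> { 10.0.0.11 10.0.0.12 10.0.0.13 }

http protocol https_offload {
	# Serve relayd's own error page instead of silently dropping.
	return error

	# The backends only ever see HTTP, so tell them who the client was
	# and that the original request arrived encrypted (needed for
	# correct redirects and secure-cookie handling on the web servers).
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header set "X-Forwarded-Proto" value "https"

	# TLS policy is now decided in one place rather than on every
	# web server; protocol-version options are listed in relayd.conf(5)
	# for the release in use.
	tls { ciphers "HIGH" }
}

relay https_relay {
	# relayd loads the certificate and key by listen address:
	# /etc/ssl/192.0.2.10.crt and /etc/ssl/private/192.0.2.10.key
	listen on $ext_addr port 443 tls
	protocol https_offload
	# Health-check over plain HTTP; a backend that stops answering
	# 200 is taken out of the table until it recovers.
	forward to <webhosts> port 80 check http "/" code 200
}
```

With this in place the web servers listen on port 80 only and never hold the private key, so a compromised backend does not expose the site's TLS identity.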
More information about the freebsd-questions mailing list