Re: multiple crypto accelerator cards in one FreeBSD box

From: Marc Bevand (bevand_m_at_epita.fr)
Date: 02/18/05

    Date: Fri, 18 Feb 2005 20:41:13 +0100
    To: sekchye goh <sekchye@gmail.com>
    
    

    sekchye goh wrote:
    | Hi there!
    | we are thinking of deploying an IPSEC VPN concentrator using multiple PCI bus
    | version VPN1401 cards in a FreeBSD box using hifn support.
    | From the technical specs in Soekris website
    | http://www.soekris.com/vpn1401.htm,
    | each card can support 24 to 70 connections. The question is if we
    | put 3 VPN1401 cards in a single box, does this mean the FreeBSD box can support
    | 3 x (24 to 70) IPSEC connections?

    No, the 24 or 70 figure refers to the number of new connections per
    second (where each new connection involves 1 sign or verify public
    key operation, such operations are usually the bottleneck).

    But if you want something really fast, and if you can spend another
    couple of hundred dollars on the motherboard/CPU, do the crypto in
    software, it will be faster than a hardware solution using those Soekris
    vpn14x1 cards.

    According to their tech specs, the highest throughput they support while
    doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can
    encrypt with RC4 at 2500 Mbps. As an example, this means you can choose
    to limit the throughput to 1250 Mbps, and keep 50% of your CPU time for
    other applications, or just add a second CPU to your system. A 2.2 GHz
    Opteron (x48) scales to 3100 Mbps, a 2.6 GHz one (x52) would scale to
    3700 Mbps.

    The performance/price ratio depends on which CPU and which crypto card
    are compared, sometimes the hardware solution has the advantage, sometimes
    it's the software solution.

    The downside of the software solution is that some algorithms are quite
    slow (DES), while others are blazing fast (RC4, MD5). Depending on your
    security requirements, this may be a problem, or not.

    -- 
    Marc Bevand                              http://epita.fr/~bevand_m
    Computer Science School EPITA - System, Network and Security Dept.