How many sessions are you thinking of running on each server?

Ted

>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Bards1888
>Sent: Wednesday, December 14, 2005 3:34 AM
>To: openssl-users@openssl.org
>Subject: Speed tests
>
>Hello all,
>
>I've searched the archives and couldn't find anything related, so I'm
>posting here for some help/advice;
>
>Basically, I have a machine that is going in to production as an SSL
>based VPN server (OpenVPN on amd64 OpenBSD port to be precise) and I was
>trying to determine which cipher to use to get the best balance of speed
>and security (key size ?). The server has an AMD Sempron 64 bit CPU
>running at 1.6ghz, I was particularly interested in aes-256-cbc, after
>some research, so I ran some tests on the box (all tests were when the
>server was 99% idle);
>
>====================================================================
># openssl speed -evp aes-256-cbc
>To get the most accurate results, try to run this
>program when this computer is idle.
>Doing aes-256-cbc for 3s on 16 size blocks: 9862366 aes-256-cbc's in 3.00s
>Doing aes-256-cbc for 3s on 64 size blocks: 2654800 aes-256-cbc's in 3.01s
>Doing aes-256-cbc for 3s on 256 size blocks: 682695 aes-256-cbc's in 3.01s
>Doing aes-256-cbc for 3s on 1024 size blocks: 171871 aes-256-cbc's in 3.01s
>Doing aes-256-cbc for 3s on 8192 size blocks: 21527 aes-256-cbc's in 3.01s
>OpenSSL 0.9.7g 11 Apr 2005
>built on: date not available
>options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
>compiler: information not available
>available timing options: USE_TOD HZ=100 [sysconf value]
>timing function used: getrusage
>The 'numbers' are in 1000s of bytes per second processed.
>type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
>aes-256-cbc      52599.29k    56488.64k    58105.31k    58512.93k    58630.37k
>====================================================================
>I have a few questions regarding the test;
>
>1) Does the part that states "numbers are in 1000s of bytes per second"
>mean that the figures below have still to be translated in to 'human
>readable' quantities ? or has that already been performed. I'm guessing
>it has already been performed mainly due to the 'k' on the end, however
>I could be very wrong.
>
>2) This seems, to the novice in me, to be a fairly well balanced cipher
>to use on this kit as the rate seems to be close regardless of block
>size. Does the blocksize roughly equate to network packets in an SSL VPN
>scenario ?
>
>I also have a 2ghz amd athlon 64 3200+ which happens to have a hifn
>crypto PCI card in it, exact same OpenBSD 3.8 OS;
>
>====================================================================
># dmesg |grep hifn
>hifn0 at pci0 dev 9 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 11
>====================================================================
>
>So I thought I'd run the same test on it to see how much faster the hifn
>card is;
>
>====================================================================
># openssl speed -evp aes-256-cbc
>To get the most accurate results, try to run this
>program when this computer is idle.
>Doing aes-256-cbc for 3s on 16 size blocks: 40467 aes-256-cbc's in 0.02s
>Doing aes-256-cbc for 3s on 64 size blocks: 40014 aes-256-cbc's in 0.00s
>Doing aes-256-cbc for 3s on 256 size blocks: 38356 aes-256-cbc's in 0.00s
>Doing aes-256-cbc for 3s on 1024 size blocks: 29925 aes-256-cbc's in 0.02s
>Doing aes-256-cbc for 3s on 8192 size blocks: 9659 aes-256-cbc's in 0.00s
>OpenSSL 0.9.7g 11 Apr 2005
>built on: date not available
>options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
>compiler: information not available
>available timing options: USE_TOD HZ=100 [sysconf value]
>timing function used: getrusage
>The 'numbers' are in 1000s of bytes per second processed.
>type             16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
>aes-256-cbc      41438.21k   2560896.00k   9819136.00k   1961164.80k  79126528.00k
>====================================================================
>
>Questions;
>1) why does it mention that it is running for 3 seconds but then state a
>fraction of that in the last column (elapsed time ?) ?
>
>2) notice that the non-accelerated box processed ~ 21000 8kb blocks in 3
>seconds yet the accelerated box reckons it did 9659 of the same size
>blocks in 0.00 seconds. Can I force the speed test to run for
>3 seconds ?
>
>Sometimes the accelerated test results are like this;
>
>====================================================================
># openssl speed -evp aes-256-cbc
>To get the most accurate results, try to run this
>program when this computer is idle.
>Doing aes-256-cbc for 3s on 16 size blocks: 40601 aes-256-cbc's in 0.02s
>Doing aes-256-cbc for 3s on 64 size blocks: 39915 aes-256-cbc's in 0.02s
>Doing aes-256-cbc for 3s on 256 size blocks: 38326 aes-256-cbc's in 0.02s
>Doing aes-256-cbc for 3s on 1024 size blocks: 29922 aes-256-cbc's in 0.00s
>Doing aes-256-cbc for 3s on 8192 size blocks: 9682 aes-256-cbc's in 0.01s
>OpenSSL 0.9.7g 11 Apr 2005
>built on: date not available
>options:bn(64,64) md2(int) rc4(ptr,int) des(ptr,risc2,4,int) aes(partial) blowfish(idx)
>compiler: information not available
>available timing options: USE_TOD HZ=100 [sysconf value]
>timing function used: getrusage
>The 'numbers' are in 1000s of bytes per second processed.
>type             16 bytes      64 bytes     256 bytes    1024 bytes    8192 bytes
>aes-256-cbc      41575.42k    163491.84k    418613.19k  30640128.00k  10152962.62k
>====================================================================
>
>notice the 8k blocks took 0.01 seconds this time and the rate drops from
>~79 million to ~10 million.
>
>what better ways are there to test this sort of thing ?
>
>I don't know if any of this is a big deal, but I'm curious nonetheless as
>I'm trying to determine whether it is worth equipping each VPN box with
>a hifn card before deploying.
>
>Any help or advice appreciated.
>
>Cheers,
>
>Brian.
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           [EMAIL PROTECTED]
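
Added example (not part of the original thread and not OpenSSL code): the runs above report "timing function used: getrusage", i.e. user CPU time, which stays near zero while the hifn card does the work, so bytes divided by that time gives the inflated rates in the table. The Python below recomputes each "Doing ..." line over the nominal run interval instead; the sample lines are re-joined from the first accelerated run quoted above, the function name is hypothetical, and it assumes each loop really ran for the stated 3 s of wall-clock time.

```python
import re

# Constructed sample: "Doing ..." lines re-joined from the first accelerated run.
SAMPLE = """\
Doing aes-256-cbc for 3s on 16 size blocks: 40467 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 64 size blocks: 40014 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 256 size blocks: 38356 aes-256-cbc's in 0.00s
Doing aes-256-cbc for 3s on 1024 size blocks: 29925 aes-256-cbc's in 0.02s
Doing aes-256-cbc for 3s on 8192 size blocks: 9659 aes-256-cbc's in 0.00s
"""

LINE = re.compile(
    r"Doing (?P<alg>\S+) for (?P<run>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) \S+ in (?P<t>[\d.]+)s"
)


def analyse_speed_output(text, min_ratio=0.5):
    """Recompute throughput per block size and flag unreliable timings.

    A line is 'suspect' when the reported time is below min_ratio of the
    nominal run interval: the timer then measured something other than the
    time the work took (here, user CPU time while a device did the work).
    """
    rows = []
    for m in LINE.finditer(text):
        run, size, count = int(m["run"]), int(m["size"]), int(m["count"])
        reported = float(m["t"])
        total_bytes = count * size
        rows.append({
            "size": size,
            "count": count,
            "reported_s": reported,
            # Assumption: the loop ran for the full nominal interval.
            "wall_kBps": total_bytes / run / 1000.0,
            # Rate from the reported time; undefined when it rounds to zero.
            "cpu_kBps": total_bytes / reported / 1000.0 if reported > 0 else None,
            "suspect": reported < min_ratio * run,
        })
    return rows


if __name__ == "__main__":
    for r in analyse_speed_output(SAMPLE):
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f'{r["size"]:>5} B  {r["wall_kBps"]:>10.2f}k over wall clock  '
              f'(reported {r["reported_s"]:.2f}s)  {flag}')
```

`openssl speed` also accepts `-elapsed`, which times with wall-clock time instead of user CPU time.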