Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christopher Snell

On 1/15/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:

> Hi all,
>
> which crypto cards actually work in a soekris 4801 under OpenBSD?


You're going to have a hard time finding supported Mini-PCI cards,
other than the HiFn stuff.

Instead, check out the Commell motherboards:

http://www.commell-sys.com/Product/SBC/ITX-662.HTM

This one has the C3 chip which is listed as supported here:

http://www.openbsd.org/crypto.html#hardware

If it's performance that you're after, you're going to have a struggle
with that Soekris.

Chris



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christian Ney
Hi Heinrich,

> I thought about buying a vpn1411, but have read about problems with
> corrupted mac, which don't seem to be resolved so far. This is a bit
> confusing: http://www.openbsd.org/i386.html states that the board is
> supported, so does the soekris website. However:
> http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests
> that it's not.
Although I can't tell you which card actually works, I can (partly)
confirm the corrupted mac-thingie:
My WRAP-firewall is running 4.0-stable and a VPN1411. From time to time,
running ssh-sessions will simply die and spit out Disconnecting:
Corrupted MAC on input.

Everything else works, but it's rather confusing editing pf.conf and seeing
your connection dying. If you don't have to configure your device every 5
minutes or so, this shouldn't be a showstopper.

Hope that helps...
Chris



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Stuart Henderson
On 2007/01/15 09:39, Heinrich Rebehn wrote:
> I thought about buying a vpn1411, but have read about problems with
> corrupted mac, which don't seem to be resolved so far.

I only remember seeing posts about problems with encryption in
user processes, not the kernel. If it is indeed reliable with kernel
use, then you can set sysctl kern.usercrypto=0 and restrict use of
the card to the kernel.

However the Geode hardware platform has a weak PCI system relying
in part on emulation in the CPU; this is the main cause of limited
throughput on this hardware; depending on what sort of speeds
you're trying to achieve, the accelerator may not be enough.

If you disable IPsec and pass the amount of bandwidth you need
to support through the system, you can watch top(1) and examine
the cpu% spent handling interrupts; if there is not a reasonable
amount free to handle the interrupts from the accelerator card,
it won't help you.

The systems using VIA processors are very much faster even
without hardware AES support since they have a better PCI system;
the models with accelerated encryption do so by using new CPU
instructions, rather than a device which must be accessed over
the PCI bus. There's far less overhead because of this.

AMD Geode LX processors also have AES instructions on-CPU
(for 128-bit, anyway) but they're not yet supported (-current
has support for the random number generator, AES to be added
later).

Other hardware - Commell has been mentioned, Liantec are another
option (some of their hardware is listed here:
http://kd85.com/liantec.html), and of course there are others.
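The interrupt-headroom check Stuart describes, written out as an added example (not code from the thread): it parses the "CPU states" line that top(1) prints while the box pushes traffic with IPsec disabled and reports whether enough CPU is left idle to service an accelerator card's interrupts. The sample line and the 25% idle threshold are constructed, and the state names (user, nice, system, interrupt, idle) are assumed to match what the 4.0-era top(1) prints; adjust them if your top abbreviates differently.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed sample of the
# "CPU states" line from OpenBSD top(1); replace it with a line captured
# on the Soekris while it forwards the bandwidth you need, IPsec off.
SAMPLE_TOP='CPU states:  2.1% user,  0.0% nice, 12.6% system, 61.3% interrupt, 24.0% idle'

# cpu_state_pct LINE STATE: print the percentage for one state
# (user, nice, system, interrupt or idle); prints nothing if absent.
cpu_state_pct() {
    printf '%s\n' "$1" | sed 's/^CPU states://' | tr ',' '\n' |
        awk -v want="$2" '$2 == want { sub(/%$/, "", $1); print $1; exit }'
}

# crypto_headroom_ok LINE MIN_IDLE: exit 0 when idle% >= MIN_IDLE, i.e.
# there is CPU left to take the card's interrupts; exit 1 otherwise.
crypto_headroom_ok() {
    idle=$(cpu_state_pct "$1" idle)
    [ -n "$idle" ] || return 1
    awk -v i="$idle" -v m="$2" 'BEGIN { if (i + 0 >= m + 0) exit 0; exit 1 }'
}

# headroom_report LINE MIN_IDLE: one-line verdict. If the card does get
# used, restricting it to the kernel is `sysctl kern.usercrypto=0`,
# which sidesteps the userland problems mentioned in the thread.
headroom_report() {
    intr=$(cpu_state_pct "$1" interrupt)
    idle=$(cpu_state_pct "$1" idle)
    if crypto_headroom_ok "$1" "$2"; then
        printf 'interrupt=%s%% idle=%s%%: headroom for an accelerator card\n' "$intr" "$idle"
    else
        printf 'interrupt=%s%% idle=%s%%: interrupt bound, a PCI card will not help much\n' "$intr" "$idle"
    fi
}

headroom_report "$SAMPLE_TOP" 25
```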



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Heinrich Rebehn

Christian Ney wrote:

> Hi Heinrich,
>
> > I thought about buying a vpn1411, but have read about problems with
> > corrupted mac, which don't seem to be resolved so far. This is a bit
> > confusing: http://www.openbsd.org/i386.html states that the board is
> > supported, so does the soekris website. However:
> > http://archives.neohapsis.com/archives/openbsd/2006-06/0825.html suggests
> > that it's not.
>
> Although I can't tell you which card actually works, I can (partly)
> confirm the corrupted mac-thingie:
> My WRAP-firewall is running 4.0-stable and a VPN1411. From time to time,
> running ssh-sessions will simply die and spit out Disconnecting:
> Corrupted MAC on input.
>
> Everything else works, but it's rather confusing editing pf.conf and seeing
> your connection dying. If you don't have to configure your device every 5
> minutes or so, this shouldn't be a showstopper.

No, I don't. I want to use the box as a fileserver at home and have the
WLAN traffic encrypted with IPsec or OpenVPN. I do not know how robust
both of them are w.r.t. intermittent corrupted mac errors.
Unrecoverable hangs during file transfers would of course be quite
annoying. Maybe I will simply give it a try..

> Hope that helps...

Yes, thanks very much.

> Chris

Heinrich



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Heinrich Rebehn

Christopher Snell wrote:

> On 1/15/07, Heinrich Rebehn [EMAIL PROTECTED] wrote:
>
> > Hi all,
> >
> > which crypto cards actually work in a soekris 4801 under OpenBSD?
>
> You're going to have a hard time finding supported Mini-PCI cards,
> other than the HiFn stuff.
>
> Instead, check out the Commell motherboards:
>
> http://www.commell-sys.com/Product/SBC/ITX-662.HTM
>
> This one has the C3 chip which is listed as supported here:
>
> http://www.openbsd.org/crypto.html#hardware
>
> If it's performance that you're after, you're going to have a struggle
> with that Soekris.
>
> Chris

Thanks for your reply. Performance is of course relative. ATM I am
getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less
than my WLAN can handle (54 Mbit/s) and also less than the speed of the
HDD (~70 Mbit/s). So a working VPN1411 would really help.

I will see if I can get more from IPsec.

> This one has the C3 chip which is listed as supported here:
The Hi/fn 7955 is also listed as supported.. ;-)

Cheers,

Heinrich



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Stuart Henderson
On 2007/01/15 17:25, Heinrich Rebehn wrote:
> Thanks for your reply. Performance is of course relative. ATM I am
> getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less
> than my WLAN can handle (54 Mbit/s)

54 Mbit/s is before protocol overhead; actual throughput is a bit
less than half that (assuming signal strength is strong, no packet
loss etc, however unlikely that is). This is around the limit of
what you can handle on the current Soekris boards _without_ encryption.

Crypto h/w helps a bit, but not a lot. NPtcp seems to fill the
network better than iperf, so might be a better test. But if you're
really interested in fileserver performance, it's better to look
at that directly under real conditions and decide whether the
performance is acceptable.

> and also less than the speed of the HDD (~70 Mbit/s).

I don't run HDs in Soekris boxes any more; without extra cooling
or extended-temperature-range drives they don't seem to last very
long.



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Martin Schröder

2007/1/15, Heinrich Rebehn [EMAIL PROTECTED]:

> getting 7 Mbit/s via OpenVPN measured with iperf. This is somewhat less
> than my WLAN can handle (54 Mbit/s) and also less than the speed of the
> HDD (~70 Mbit/s). So a working VPN1411 would really help.


If your HDD does only 70 M_bit_/s, you should buy a new one that does
70 M_Byte_/s. :-)

Good NASes have fast CPUs and GEs for a reason.

Best
  Martin



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Christian Ney
> No, I don't. I want to use the box as a fileserver at home and have the
> WLAN traffic encrypted with IPsec or OpenVPN. I do not know how robust
> both of them are w.r.t. intermittent corrupted mac errors.
> Unrecoverable hangs during file transfers would of course be quite
> annoying. Maybe I will simply give it a try..

In this case you shouldn't run into any problems: I'm also using the WRAP
as tunnel endpoint (OpenVPN mostly, but also IPSec) and the only thing
affected until now has been SSH.

Otoh: as others already mentioned, the performance benefit won't be
knocking you off your feet as long as there are only one or two users.
Well, at least the VPN1411 isn't _that_ expensive. ;)

Hopefully, you'll have much fun with your Soekris box.



Re: Which crypto card for Soekris 4801?

2007-01-15 Thread Joe

Stuart Henderson wrote:


> The systems using VIA processors are very much faster even
> without hardware AES support since they have a better PCI system;
> the models with accelerated encryption do so by using new CPU
> instructions, rather than a device which must be accessed over
> the PCI bus. There's far less overhead because of this.



I'll second this. My VIA EN15000 is quite fast when it comes to IPSEC 
and the motherboard+cpu utilizes ~20W...if that.


I had trouble finding a good crypto implementation that was fully supported
and worked well. This statement by Theo helped my decision though:


~~~snip~~~

Theo de Raadt is quoted as saying, "There's just no way to describe how
happy we were to find such an inexpensive, blazingly fast, and correctly
operating device as the VIA Eden-N processor's Padlock ACE ... OpenBSD
3.4 has support for this processor and its integrated cryptographic engine."


~~~snip~~~

This gave me some confidence that the VIA was the right choice.