Re: vpn performance - C2750 vs C2758
Axton axton.grams at gmail.com writes: On Tue, Jan 27, 2015 at 2:24 PM, Stuart Henderson stu at spacehopper.org wrote: On 2015-01-27, Adam Thompson athompso at athompso.net wrote: On 2015-01-27 02:58 AM, Stuart Henderson wrote: On 2015-01-26, Christian Weisgerber naddy at mips.inka.de wrote: I don't think we support Quick Assist, whatever that is. correct. [...] It doesn't look like something we can use easily. FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist crypto accel support into FreeBSD 10.2 [possibly a private branch??] for some ciphers. Apologies, but I'm completely failing to find the message that mentioned it on the pfSense mailing list, right now. I don't know enough about FreeBSD's cryptodev engine to know if any of that work can be used here. One problem with that codebase is that it's US crypto. This pdf from Intel makes reference to OCF-Linux, a Linux port of the OpenBSD/FreeBSD Cryptographic Framework (OCF) as it relates to QuickAssist. http://www.intel.com/content/dam/www/public/us/en/documents/white- papers/communications-quick-assist-paper.pdf From what I am seeing, there is a Kernel module and userland pieces available for Linux and FreeBSD to support this capability. In addition to Stuart's point on the US crypto code base as it relates to export restrictions, it is also hardware designed by a US company for strong crypto. Axton Intel QuickAssist could also only be used for the compression stuff without crypto things, so it is not touched by the US export regulations and will not bringing you in trouble as I see it right, and yes for sure there must be something that can be used by OpenBSD to gain more compression likes for; - Apache webservers - speeding up Snort - Point to Point links over the Internet - Tape compression - Backup compression - benefit Load balancers (ARPbalance over CARP) - Storage file compression/decompression And no adapters are needed if you are using Intel CPUs or SoCs with support for QuickAssist technology. Would be great to speed up also things such - VPN connections - OpenVPN connections - S/FTP up- and downloads The linux guys at todays go an easy way by shooting a used Comtech AHA636PCIe adapter and gaining up to 5 GBit/s either to speed up Apache webservers or OpenVPN connections, easy to shoot a eBay for $30 bucks. So this can be a benefit to support QuickAssist because no extra hardware to buy is needed!
Re: vpn performance - C2750 vs C2758
On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote: On 2015-01-26, Sonic sonicsm...@gmail.com wrote: Wondering if the addition of the Intel's Quick Assist feature present on Intel's C2758 processor provides any advantage for a VPN connection between two OpenBSD systems. I don't think we support Quick Assist, whatever that is. correct. http://www.intel.com/content/www/us/en/io/quickassist-technology/quickassist-technology-developer.html From what I can make out, it's an api to use an intel-provided software abstraction layer for access to fpga-based crypto/compression accelerators. https://01.org/packet-processing/intelĀ®-quickassist-technology-drivers-and-patches (linux code, api docs - 01.org is Intel open source technology centre) http://rssi.ncsa.illinois.edu/proceedings/industry/Intel.pdf http://blog.chinaaet.com/uploads/Blog_affix/files/11121036091012.pdf It doesn't look like something we can use easily.
Re: vpn performance - C2750 vs C2758
On 2015-01-27, Adam Thompson athom...@athompso.net wrote: On 2015-01-27 02:58 AM, Stuart Henderson wrote: On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote: I don't think we support Quick Assist, whatever that is. correct. [...] It doesn't look like something we can use easily. FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist crypto accel support into FreeBSD 10.2 [possibly a private branch??] for some ciphers. Apologies, but I'm completely failing to find the message that mentioned it on the pfSense mailing list, right now. I don't know enough about FreeBSD's cryptodev engine to know if any of that work can be used here. One problem with that codebase is that it's US crypto.
Re: vpn performance - C2750 vs C2758
On Tue, Jan 27, 2015 at 2:24 PM, Stuart Henderson s...@spacehopper.org wrote: On 2015-01-27, Adam Thompson athom...@athompso.net wrote: On 2015-01-27 02:58 AM, Stuart Henderson wrote: On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote: I don't think we support Quick Assist, whatever that is. correct. [...] It doesn't look like something we can use easily. FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist crypto accel support into FreeBSD 10.2 [possibly a private branch??] for some ciphers. Apologies, but I'm completely failing to find the message that mentioned it on the pfSense mailing list, right now. I don't know enough about FreeBSD's cryptodev engine to know if any of that work can be used here. One problem with that codebase is that it's US crypto. This pdf from Intel makes reference to OCF-Linux, a Linux port of the OpenBSD/FreeBSD Cryptographic Framework (OCF) as it relates to QuickAssist. http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-quick-assist-paper.pdf From what I am seeing, there is a Kernel module and userland pieces available for Linux and FreeBSD to support this capability. In addition to Stuart's point on the US crypto code base as it relates to export restrictions, it is also hardware designed by a US company for strong crypto. Axton
Re: vpn performance - C2750 vs C2758
On 2015-01-27 02:58 AM, Stuart Henderson wrote: On 2015-01-26, Christian Weisgerber na...@mips.inka.de wrote: I don't think we support Quick Assist, whatever that is. correct. [...] It doesn't look like something we can use easily. FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist crypto accel support into FreeBSD 10.2 [possibly a private branch??] for some ciphers. Apologies, but I'm completely failing to find the message that mentioned it on the pfSense mailing list, right now. I don't know enough about FreeBSD's cryptodev engine to know if any of that work can be used here. -- -Adam Thompson athom...@athompso.net
