Re: IPSEC/SSL accelerator
Yes, it would be interesting to hear some devs on this topic.
Especially about drivers "on board":
1. What can be done and what is missing.
2. What hw is worth to spend money on and what kind of hw devs need to make it worth to spend money on.

I'd like to see this kind of acceleration perform best in OpenBSD.

Regards
Maxim

On May 19, 2011, at 9:08 PM, Oeschger Patrick wrote:

> hi all
> still thinking about the diff between 2gbit in the specs and about 400mbit in
> real world on a pretty new processor
> that's a *big* difference
> so we can say that every accelerator board - regardless if pci-e 16x or
> miniPCI - will not be able to perform at let's say 1gbit because of the need of
> copying packets forth and back
> can anybody confirm that most of the speed is lost by copying the packets first
> TO the accelerator board and then BACK to process it further after
> decryption?
> just read some manuals (parts of) regarding the new tilera and cavium octeon
> architecture
> ...part of their secret seems to be a kind of 'copyfree' processing of packets
> (accelerators modify the packet 'in place')
> has anybody done some research on this?
> thanks
> /pat
>
> On May 18, 2011, at 21:03, Joosep wrote:
>
>> Hi!
>>
>> ubsec0 at pci5 dev 0 function 0 "Broadcom 5862" rev 0x01: 3DES MD5 SHA1 AES
>> PK, apic 9 int 0 (irq 10)
>>
>> Joosep
>>
>> On Wed, May 18, 2011 at 8:56 PM, Maxim Bourmistrov
>> wrote:
>>
>>> How does it look in dmesg for this card?
>>>
>>> Sent from my iPhone
>>>
>>> On May 18, 2011, at 10:42, Joosep wrote:
>>>
>>>> On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger <
>>>> patrick.oesch...@bluewin.ch> wrote:
>>>>
>>>>> thank you for your input
>>>>> why 'only' 400mbit?
>>>>> the specs say 2gbit for BCM5862 in a pci-e 4x slot...
>>>>> sounds like quite some overhead writing/ getting packets to/from the card -
>>>>> i would have expected it higher but i do not want to question your tests
>>>>> *hmmm*
>>>>>
>>>>> Sent from Pat's iPhone
>>>>
>>>> Hi!
>>>>
>>>> There is of course a possibility, that the test doesn't simulate reality in
>>>> the best way.
>>>> The specs say 2gbit, but when doing 400mbps there isn't much power left on
>>>> machines main cpu (10% idle).
>>>> So i guess the limiting factor here is main cpu not the CA card.
>>>> I have done the same tests with 1,8 GHz opteron and in that case the result
>>>> was around 270mbps.
>>>>
>>>> Joosep
Re: IPSEC/SSL accelerator
hi all
still thinking about the diff between 2gbit in the specs and about 400mbit in real world on a pretty new processor
that's a *big* difference
so we can say that every accelerator board - regardless if pci-e 16x or miniPCI - will not be able to perform at let's say 1gbit because of the need of copying packets forth and back
can anybody confirm that most of the speed is lost by copying the packets first TO the accelerator board and then BACK to process it further after decryption?
just read some manuals (parts of) regarding the new tilera and cavium octeon architecture
...part of their secret seems to be a kind of 'copyfree' processing of packets (accelerators modify the packet 'in place')
has anybody done some research on this?
thanks
/pat

On May 18, 2011, at 21:03, Joosep wrote:

> Hi!
>
> ubsec0 at pci5 dev 0 function 0 "Broadcom 5862" rev 0x01: 3DES MD5 SHA1 AES
> PK, apic 9 int 0 (irq 10)
>
> Joosep
>
> On Wed, May 18, 2011 at 8:56 PM, Maxim Bourmistrov
> wrote:
>
>> How does it look in dmesg for this card?
>>
>> Sent from my iPhone
>>
>> On May 18, 2011, at 10:42, Joosep wrote:
>>
>>> On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger <
>>> patrick.oesch...@bluewin.ch> wrote:
>>>
>>>> thank you for your input
>>>> why 'only' 400mbit?
>>>> the specs say 2gbit for BCM5862 in a pci-e 4x slot...
>>>> sounds like quite some overhead writing/ getting packets to/from the card -
>>>> i would have expected it higher but i do not want to question your tests
>>>> *hmmm*
>>>>
>>>> Sent from Pat's iPhone
>>>
>>> Hi!
>>>
>>> There is of course a possibility, that the test doesn't simulate reality in
>>> the best way.
>>> The specs say 2gbit, but when doing 400mbps there isn't much power left on
>>> machines main cpu (10% idle).
>>> So i guess the limiting factor here is main cpu not the CA card.
>>> I have done the same tests with 1,8 GHz opteron and in that case the result
>>> was around 270mbps.
>>>
>>> Joosep
Re: IPSEC/SSL accelerator
Hi!

ubsec0 at pci5 dev 0 function 0 "Broadcom 5862" rev 0x01: 3DES MD5 SHA1 AES PK, apic 9 int 0 (irq 10)

Joosep

On Wed, May 18, 2011 at 8:56 PM, Maxim Bourmistrov wrote:

> How does it look in dmesg for this card?
>
> Sent from my iPhone
>
> On May 18, 2011, at 10:42, Joosep wrote:
>
>> On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger <
>> patrick.oesch...@bluewin.ch> wrote:
>>
>>> thank you for your input
>>> why 'only' 400mbit?
>>> the specs say 2gbit for BCM5862 in a pci-e 4x slot...
>>> sounds like quite some overhead writing/ getting packets to/from the card -
>>> i would have expected it higher but i do not want to question your tests
>>> *hmmm*
>>>
>>> Sent from Pat's iPhone
>>
>> Hi!
>>
>> There is of course a possibility, that the test doesn't simulate reality in
>> the best way.
>> The specs say 2gbit, but when doing 400mbps there isn't much power left on
>> machines main cpu (10% idle).
>> So i guess the limiting factor here is main cpu not the CA card.
>> I have done the same tests with 1,8 GHz opteron and in that case the result
>> was around 270mbps.
>>
>> Joosep
Re: IPSEC/SSL accelerator
How does it look in dmesg for this card?

Sent from my iPhone

On May 18, 2011, at 10:42, Joosep wrote:

> On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger <
> patrick.oesch...@bluewin.ch> wrote:
>
>> thank you for your input
>> why 'only' 400mbit?
>> the specs say 2gbit for BCM5862 in a pci-e 4x slot...
>> sounds like quite some overhead writing/ getting packets to/from the card -
>> i would have expected it higher but i do not want to question your tests
>> *hmmm*
>>
>> Sent from Pat's iPhone
>
> Hi!
>
> There is of course a possibility, that the test doesn't simulate reality in
> the best way.
> The specs say 2gbit, but when doing 400mbps there isn't much power left on
> machines main cpu (10% idle).
> So i guess the limiting factor here is main cpu not the CA card.
> I have done the same tests with 1,8 GHz opteron and in that case the result
> was around 270mbps.
>
> Joosep
Re: IPSEC/SSL accelerator
On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger <patrick.oesch...@bluewin.ch> wrote:

> thank you for your input
> why 'only' 400mbit?
> the specs say 2gbit for BCM5862 in a pci-e 4x slot...
> sounds like quite some overhead writing/ getting packets to/from the card -
> i would have expected it higher but i do not want to question your tests
> *hmmm*
>
> Sent from Pat's iPhone

Hi!

There is of course a possibility, that the test doesn't simulate reality in the best way.
The specs say 2gbit, but when doing 400mbps there isn't much power left on machines main cpu (10% idle).
So i guess the limiting factor here is main cpu not the CA card.
I have done the same tests with 1,8 GHz opteron and in that case the result was around 270mbps.

Joosep
Re: IPSEC/SSL accelerator
thank you for your input
why 'only' 400mbit?
the specs say 2gbit for BCM5862 in a pci-e 4x slot...
sounds like quite some overhead writing/ getting packets to/from the card -
i would have expected it higher but i do not want to question your tests
*hmmm*

Sent from Pat's iPhone

On 18.05.2011, at 08:06, Joosep wrote:

> On Tue, May 17, 2011 at 9:40 AM, patrick.oesch...@bluewin.ch <
> patrick.oesch...@bluewin.ch> wrote:
>
>> i am looking for an IPSEC accelerator board for a company firewall to
>> terminate multiple IPSEC tunnels (branches)
>>
>> expected IPSEC traffic: ~500mbit/s (100 tunnels)
>> any recommendations for a *pci express 4x* board handling this amount
>> of traffic?
>> thank you
>> /pat
>
> Hi!
>
> We are currently using this board:
> http://www.silicom-usa.com/downloads/pdf/PESB62.pdf
> It's currently running on 4.7 stable amd64.
> With 2.6GHz AMD opteron we managed to get around 400Mbps asynchronous
> throughput (the result may of course vary depending on packet size and other
> factors), which was twice as much as without it. We used iperf with UDP
> protocol for testing.
>
> All the best,
> Joosep
Re: IPSEC/SSL accelerator
On Tue, May 17, 2011 at 9:40 AM, patrick.oesch...@bluewin.ch <patrick.oesch...@bluewin.ch> wrote:

> i am looking for an IPSEC accelerator board for a company firewall to
> terminate multiple IPSEC tunnels (branches)
>
> expected IPSEC traffic: ~500mbit/s (100 tunnels)
> any recommendations for a *pci express 4x* board handling this amount
> of traffic?
> thank you
> /pat

Hi!

We are currently using this board:
http://www.silicom-usa.com/downloads/pdf/PESB62.pdf
It's currently running on 4.7 stable amd64.
With 2.6GHz AMD opteron we managed to get around 400Mbps asynchronous throughput (the result may of course vary depending on packet size and other factors), which was twice as much as without it. We used iperf with UDP protocol for testing.

All the best,
Joosep
Re: IPSEC/SSL accelerator
On Tue, May 17, 2011 at 3:45 PM, Stuart Henderson wrote:

> On 2011-05-17, patrick.oesch...@bluewin.ch
> wrote:
>> i am looking for an IPSEC accelerator board for a company firewall to
>> terminate multiple IPSEC tunnels (branches)
>>
>> expected IPSEC traffic: ~500mbit/s (100 tunnels)
>> any recommendations for a *pci express 4x* board handling this amount
>> of traffic?
>> thank you
>> /pat
>
> there hasn't been support for any newer bus-based accelerators
> added recently (overheads for these are typically rather high).
>
> currently if you want fast AES, you should be looking at the
> newer intel cpus with AESNI (and OpenBSD 4.9 or newer), but this
> doesn't fit your pcie 4x requirements.

unfortunately, aesni won't help you much here as you still have to do not accelerated hmac which will cap the maximum throughput.
Re: IPSEC/SSL accelerator
Stuart Henderson [s...@spacehopper.org] wrote:

> there hasn't been support for any newer bus-based accelerators
> added recently (overheads for these are typically rather high).
>
> currently if you want fast AES, you should be looking at the
> newer intel cpus with AESNI (and OpenBSD 4.9 or newer), but this
> doesn't fit your pcie 4x requirements.

I dunno, Gregory Perry hired Paul Otellini around the time the AESNI instructions were developed, he says that Paul put in AES weaknesses into new Intel chips for NASA. Apparently after Lisa Nowak was arrested for attempted kidnapping, NASA wanted a backdoor to monitor JPL's "Build Your Own Space Mission" live-chat sessions. A lot of folks doubted Gregory, they thought that "obviously" NASA would have simply added the monitoring code to the game itself, or they could have simply listened to the decrypted chatter at the game servers. Nevertheless, Gregory informs us that in fact they wanted the faults to be completely untraceable, even by "Symantec". Paul's job was to break AESNI in ever-so-subtle ways so that another national security disaster involving diapers, BB guns and pepper spray could be averted.
Re: IPSEC/SSL accelerator
On 2011-05-17, patrick.oesch...@bluewin.ch wrote:

> i am looking for an IPSEC accelerator board for a company firewall to
> terminate multiple IPSEC tunnels (branches)
>
> expected IPSEC traffic: ~500mbit/s (100 tunnels)
> any recommendations for a *pci express 4x* board handling this amount
> of traffic?
> thank you
> /pat

there hasn't been support for any newer bus-based accelerators added recently (overheads for these are typically rather high).

currently if you want fast AES, you should be looking at the newer intel cpus with AESNI (and OpenBSD 4.9 or newer), but this doesn't fit your pcie 4x requirements.
IPSEC/SSL accelerator
i am looking for an IPSEC accelerator board for a company firewall to terminate multiple IPSEC tunnels (branches)

expected IPSEC traffic: ~500mbit/s (100 tunnels)
any recommendations for a *pci express 4x* board handling this amount of traffic?
thank you
/pat