crypto accelerators

Thu May 4 06:56:46 UTC 2006

hi,

Just jumping in here.  The Soekris 1401 offers only limited  
performance enhancements.  If you read the specs, it is only useful  
(and used?) for certain encryption algorithms.  Its also deprecated  
and would imagine that Soren regrets even releasing it in the first  
place.

None the less, we have seen significant enhancements using that chip  
on 4.9+ BSD releases on older platforms. I don't have our thruput  
metrics in front of me right now, but I seem to recall they could  
take IPSec on a Soekris 4501 from about 2Mbit to about 6, with kernel  
polling enabled.  I presume that kernel polling on the network side  
could adversely affect performance on the VPN board as well.

It depends what you want in many ways.  The only time I've seen IPSec  
or SSH traffic limited on a BSD box is from sheer CPU cycles, and a  
lot of that has to do with bandwidth over the PCI bus (or busses).  I  
would expect a good crypto accelerator on a PCI bus separated from  
the network bus to perform much better?

Michael F. DeMan
Director of Technology
OpenAccess Network Services
Bellingham, WA 98225
michael at staff.openaccess.org
360-647-0785

On Apr 18, 2006, at 5:00 PM, Sam Leffler wrote:

> Mike Tancsa wrote:
>> On Mon, 17 Apr 2006 16:44:38 -1000 (HST), in sentex.lists.freebsd.net
>> you wrote:
>>> I've read here before (or maybe some other freebsd list) that cards
>>> like the Soekris 1401 don't gain as much as you'd expect due to  
>>> moving
>>> packets to/from the card over the PCI bus.  But the context is  
>>> usually
>>> one of trying to encrypt packets to increase throughput.
>>>
>>> So the question is whether these cards, regardless of their  
>>> affect on
>>> throughput, increase usable CPU cycles?  I have several Soekris 1401
>>> cards and am wondering if there would be any point to putting them
>>> into some machines that provide logins over ssh.  These machines are
>>> generally pretty good spec, 2.4GHz+, 1GB RAM, Intel MBs, mostly
>>> on-board peripherals.
>> The only place I found it really helpful for ssh connections was on
>> our backup server where we had multiple inbound ssh connections (e.g.
>> 10+ at once sending dump piped through ssh) it kept the CPU
>> utilization down.  If you have just one or two, it doesnt really
>> matter
>
> Unless you're doing lots of scp's it's unlikely ssh traffic is  
> going to generate large packets so offloading the crypto won't be  
> worthwhile (cost to setup the h/w op probably is higher than doing  
> the op in s/w).  This has been discussed previously; see for  
> example my BSDCan 2003 paper.
>
> 	Sam
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>