OpenBSD and VPN 1411 Cryptographic Card


João Salvatti
Hi misc,

I bought a Soekris Net5501 with a cryptographic card VPN1411
(Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
Hardware random number generator) and I would like to know if any
configuration is needed in OpenBSD kernel to use this card when
cryptography is necessary.

eg. When a VPN IPSec is done.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: [hidden email]

Re: OpenBSD and VPN 1411 Cryptographic Card

Daniel Gracia Garallar
AFAIK, crypto accel cards will be used by the OpenBSD kernel whenever
possible without further user intervention needed other than plugging
the card and rebooting the system.

Make sure your dmesg displays the hifn* device and make some performance
test: you may be satisfied.

João Salvatti wrote:

> Hi misc,
>
> I bought a Soekris Net5501 with a cryptographic card VPN1411
> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
> Hardware random number generator) and I would like to know if any
> configuration is needed in OpenBSD kernel to use this card when
> cryptography is necessary.
>
> eg. When a VPN IPSec is done.
>
> --
> João Salvatti
> Graduated in Computer Science
> Federal University of Para - UFPA - Brazil
> E-Mail: [hidden email]

Re: OpenBSD and VPN 1411 Cryptographic Card

Henning Brauer
In reply to this post by João Salvatti
* João Salvatti <[hidden email]> [2009-05-20 13:51]:
> I bought a Soekris Net5501 with a cryptographic card VPN1411
> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
> Hardware random number generator) and I would like to know if any
> configuration is needed in OpenBSD kernel to use this card when
> cryptography is necessary.

crypto accelerators are used automagically as far as they are
supported. no buttons.

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: OpenBSD and VPN 1411 Cryptographic Card

João Salvatti
Thanks for all.

On Wed, May 20, 2009 at 12:07 PM, Henning Brauer <[hidden email]>
wrote:

> * João Salvatti <[hidden email]> [2009-05-20 13:51]:
>> I bought a Soekris Net5501 with a cryptographic card VPN1411
>> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
>> Hardware random number generator) and I would like to know if any
>> configuration is needed in OpenBSD kernel to use this card when
>> cryptography is necessary.
>
> crypto accelerators are used automagically as far as they are
> supported. no buttons.
>
> --
> Henning Brauer, [hidden email], [hidden email]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>



--
"If debugging is the art of removing bugs, programming is the art of inserting them."

Donald E. Knuth.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: [hidden email]

Re: OpenBSD and VPN 1411 Cryptographic Card

Stuart Henderson
In reply to this post by João Salvatti
On 2009-05-20, João Salvatti <[hidden email]> wrote:
> Hi misc,
>
> I bought a Soekris Net5501 with a cryptographic card VPN1411
> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
> Hardware random number generator) and I would like to know if any
> configuration is needed in OpenBSD kernel to use this card when
> cryptography is necessary.
>
> eg. When a VPN IPSec is done.

You might want to check that it's not actually slower when you use the card.

Re: OpenBSD and VPN 1411 Cryptographic Card

Iñigo Ortiz de Urbina
On Wed, May 20, 2009 at 10:15 PM, Stuart Henderson <[hidden email]> wrote:

> On 2009-05-20, João Salvatti <[hidden email]> wrote:
>> Hi misc,
>>
>> I bought a Soekris Net5501 with a cryptographic card VPN1411
>> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
>> Hardware random number generator) and I would like to know if any
>> configuration is needed in OpenBSD kernel to use this card when
>> cryptography is necessary.
>>
>> eg. When a VPN IPSec is done.
>
> You might want to check that it's not actually slower when you use the card.
>
>

Some basic benchmarking would be appreciated, for the sake of the
list. As a newcomer I am really interested in understanding the
cryptohardware framework.

I would have never said accelerated hardware could perform any worse.
Interesting point Stuart.

Re: OpenBSD and VPN 1411 Cryptographic Card

Theo de Raadt
> >> I bought a Soekris Net5501 with a cryptographic card VPN1411
> >> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
> >> Hardware random number generator) and I would like to know if any
> >> configuration is needed in OpenBSD kernel to use this card when
> >> cryptography is necessary.
> >>
> >> eg. When a VPN IPSec is done.
> >
> > You might want to check that it's not actually slower when you use the card.
> >
> >
>
> Some basic benchmarking would be appreciated, for the sake of the
> list. As a newcomer I am really interested in understanding the
> cryptohardware framework.
>
> I would have never said accelerated hardware could perform any worse.
> Interesting point Stuart.

Of course it can perform worse, in the wrong situation.

The cards are very fast, but they require 'setup' to do each operation.

It's like getting into your car to go buy something at the store
right next to your house.

Do a small enough operation, and the 'overhead' becomes unbearable.
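
Added example, not part of the thread: the per-operation setup cost described above, and the advice to check that the card is not slower, can be quantified by fitting time per operation = setup + size/peak to throughput-by-block-size figures and solving for the break-even size. The table is constructed for illustration in the layout `openssl speed` prints, and the row labels `software` and `card` are assumptions.

```python
import re

# Constructed figures in the layout `openssl speed` prints (thousands of
# bytes per second per block size). NOT measurements of a VPN1411 or any
# real system; the row labels "software" and "card" are assumed names.
SAMPLE = """\
type        16 bytes   64 bytes  256 bytes 1024 bytes 8192 bytes
software    6153.85k   8648.65k   9624.06k   9903.29k   9987.81k
card         396.04k   1538.46k   5517.24k  15609.76k  33464.05k
"""

def parse(text):
    """Return {row: [(block_size, bytes_per_second), ...]}."""
    lines = [l for l in text.splitlines() if l.strip()]
    sizes = [int(n) for n in re.findall(r"(\d+) bytes", lines[0])]
    rows = {}
    for line in lines[1:]:
        name, *vals = line.split()
        if len(vals) != len(sizes):
            raise ValueError(f"row {name!r} does not match the header")
        rows[name] = [(b, float(v.rstrip("k")) * 1000.0)
                      for b, v in zip(sizes, vals)]
    return rows

def fit(points):
    """Least-squares fit of seconds per operation: t = setup + size/peak."""
    xs = [b for b, _ in points]
    ts = [b / rate for b, rate in points]
    mx, mt = sum(xs) / len(xs), sum(ts) / len(ts)
    slope = (sum((x - mx) * (t - mt) for x, t in zip(xs, ts))
             / sum((x - mx) ** 2 for x in xs))
    return mt - slope * mx, 1.0 / slope   # (setup seconds, peak bytes/s)

def break_even(sw, hw):
    """Block size above which the card wins; None if it never does."""
    (s_sw, r_sw), (s_hw, r_hw) = sw, hw
    per_byte_gain = 1.0 / r_sw - 1.0 / r_hw
    if per_byte_gain <= 0:
        return None                      # card's peak rate is no better
    return max(s_hw - s_sw, 0.0) / per_byte_gain

def card_wins(rows):
    """Measured block sizes at which the card row beats the software row."""
    return [b for (b, s), (_, h) in zip(rows["software"], rows["card"]) if h > s]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    sw, hw = fit(rows["software"]), fit(rows["card"])
    print(f"break-even ~{break_even(sw, hw):.0f} bytes; card wins at {card_wins(rows)}")
```

Under this model, operations smaller than the break-even size are cheaper on the CPU, however high the card's peak rate.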

Re: OpenBSD and VPN 1411 Cryptographic Card

Stuart Henderson
In reply to this post by Iñigo Ortiz de Urbina
On 2009-05-20, Iñigo Ortiz de Urbina <[hidden email]> wrote:

> On Wed, May 20, 2009 at 10:15 PM, Stuart Henderson <[hidden email]> wrote:
>> On 2009-05-20, João Salvatti <[hidden email]> wrote:
>>> Hi misc,
>>>
>>> I bought a Soekris Net5501 with a cryptographic card VPN1411
>>> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
>>> Hardware random number generator) and I would like to know if any
>>> configuration is needed in OpenBSD kernel to use this card when
>>> cryptography is necessary.
>>>
>>> eg. When a VPN IPSec is done.
>>
>> You might want to check that it's not actually slower when you use the card.
>>
>>
>
> Some basic benchmarking would be appreciated, for the sake of the
> list. As a newcomer I am really interested in understanding the
> cryptohardware framework.
>
> I would have never said accelerated hardware could perform any worse.
> Interesting point Stuart.
>
>

also note the difference between discrete devices (PCI or PCI-like
accelerators, either discrete cards/ICs, or on-die like the AES128
accelerator in the Geode LX cpu), and the accelerators that use
specific CPU instructions like VIA C7M and forthcoming Intel CPUs.
the latter have fewer overheads.

Re: OpenBSD and VPN 1411 Cryptographic Card

João Salvatti
Ok, thanks Stuart.

On Wed, May 20, 2009 at 9:47 PM, Stuart Henderson <[hidden email]>
wrote:
> On 2009-05-20, Iñigo Ortiz de Urbina <[hidden email]> wrote:
>> On Wed, May 20, 2009 at 10:15 PM, Stuart Henderson <[hidden email]> wrote:
>>> On 2009-05-20, João Salvatti <[hidden email]> wrote:
>>>> Hi misc,
>>>>
>>>> I bought a Soekris Net5501 with a cryptographic card VPN1411
>>>> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
>>>> Hardware random number generator) and I would like to know if any
>>>> configuration is needed in OpenBSD kernel to use this card when
>>>> cryptography is necessary.
>>>>
>>>> eg. When a VPN IPSec is done.
>>>
>>> You might want to check that it's not actually slower when you use the card.
>>>
>>>
>>
>> Some basic benchmarking would be appreciated, for the sake of the
>> list. As a newcomer I am really interested in understanding the
>> cryptohardware framework.
>>
>> I would have never said accelerated hardware could perform any worse.
>> Interesting point Stuart.
>>
>>
>
> also note the difference between discrete devices (PCI or PCI-like
> accelerators, either discrete cards/ICs, or on-die like the AES128
> accelerator in the Geode LX cpu), and the accelerators that use
> specific CPU instructions like VIA C7M and forthcoming Intel CPUs.
> the latter have fewer overheads.
>
>



--
"If debugging is the art of removing bugs, programming is the art of inserting them."

Donald E. Knuth.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: [hidden email]