openbsd / ipsec / hardware

openbsd / ipsec / hardware

Dewey Hylton-5
i'm getting ready to implement a few new site-to-site vpns using openbsd, and am on the hunt for appropriate hardware. i have several alix (geode) and lanner (intel atom) boxes working wonderfully as firewalls and routers, but neither type is able to provide enough throughput when ipsec is added to their roles.

the lanner boxes can't accept add-in cards. the alix can accept a minipci, and i know that soekris makes a crypto accelerator (hifn?) that may help - but i'm not sure that'll be enough oompf either. our site-to-site link will provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.

can anyone point me to a matrix of hardware types and their crypto performance benchmarks with openbsd, or at least make recommendations based on real-world use?

i'm using defaults for my ipsec configuration, so this is what i'm testing with: auth hmac-sha2-256 enc aes

thanks for your time.

Re: openbsd / ipsec / hardware

James Shupe-4
On 03/30/2012 03:16 PM, Dewey Hylton wrote:
> i'm getting ready to implement a few new site-to-site vpns using openbsd,
> and am on the hunt for appropriate hardware. i have several alix (geode) and
> lanner (intel atom) boxes working wonderfully as firewalls and routers, but
> neither type are able to provide enough throughput when ipsec is added to
> their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a minipci,
> and i know that soekris makes a crypto accelerator (hifn?) that may help - but
> i'm not sure that'll be enough oompf either. our site-to-site link will
> provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
> and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto
> performance benchmarks with openbsd, or at least make recommendations based on
> real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm testing
> with: auth hmac-sha2-256 enc aes
>
> thanks for your time.

The Alix has a crypto accelerator that supports AES-128-CBC. You should
get around 14Mbps using aes-128 and turning on kern.usercrypto.

Re: openbsd / ipsec / hardware

James Shupe-4
In reply to this post by Dewey Hylton-5
On 03/30/2012 03:16 PM, Dewey Hylton wrote:
> i'm getting ready to implement a few new site-to-site vpns using openbsd,
> and am on the hunt for appropriate hardware. i have several alix (geode) and
> lanner (intel atom) boxes working wonderfully as firewalls and routers, but
> neither type are able to provide enough throughput when ipsec is added to
> their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a minipci,
> and i know that soekris makes a crypto accelerator (hifn?) that may help - but
> i'm not sure that'll be enough oompf either. our site-to-site link will
> provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
> and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto
> performance benchmarks with openbsd, or at least make recommendations based on
> real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm testing
> with: auth hmac-sha2-256 enc aes
>
> thanks for your time.

I just sent "The Alix has a crypto accelerator that supports
AES-128-CBC. You should get around 14Mbps using aes-128 and turning on
kern.usercrypto."

I just realised that won't make a difference for IPSec since that's all
in the kernel. My 14Mbps figures were tested using OpenVPN.

Re: openbsd / ipsec / hardware

Maxim Bourmistrov-5
In reply to this post by James Shupe-4
On Mar 30, 2012, at 10:42 PM, James Shupe wrote:

> On 03/30/2012 03:16 PM, Dewey Hylton wrote:
>> i'm getting ready to implement a few new site-to-site vpns using openbsd,
>> and am on the hunt for appropriate hardware. i have several alix (geode) and
>> lanner (intel atom) boxes working wonderfully as firewalls and routers, but
>> neither type are able to provide enough throughput when ipsec is added to
>> their roles.
>>
>> the lanner boxes can't accept add-in cards. the alix can accept a minipci,
>> and i know that soekris makes a crypto accelerator (hifn?) that may help - but
>> i'm not sure that'll be enough oompf either. our site-to-site link will
>> provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
>> and the alix is at 1.5Mbps.
>>
>> can anyone point me to a matrix of hardware types and their crypto
>> performance benchmarks with openbsd, or at least make recommendations based on
>> real-world use?
>>
>> i'm using defaults for my ipsec configuration, so this is what i'm testing
>> with: auth hmac-sha2-256 enc aes
>>
>> thanks for your time.
>
> The Alix has a crypto accelerator that supports AES-128-CBC. You should
> get around 14Mbps using aes-128 and turning on kern.usercrypto.

I don't see the point in setting kern.usercrypto=1; all support for enc/dec
you get already from the hw+kernel.
The IPSec stack already uses the HW if supported, else you get software based
enc/dec.

//mxb

Re: openbsd / ipsec / hardware

Maxim Bourmistrov-5
In reply to this post by Dewey Hylton-5
On Mar 30, 2012, at 10:16 PM, Dewey Hylton wrote:

> i'm getting ready to implement a few new site-to-site vpns using openbsd,
> and am on the hunt for appropriate hardware. i have several alix (geode) and
> lanner (intel atom) boxes working wonderfully as firewalls and routers, but
> neither type are able to provide enough throughput when ipsec is added to
> their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a minipci,
> and i know that soekris makes a crypto accelerator (hifn?) that may help - but
> i'm not sure that'll be enough oompf either. our site-to-site link will
> provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
> and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto
> performance benchmarks with openbsd, or at least make recommendations based on
> real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm testing
> with: auth hmac-sha2-256 enc aes
>
> thanks for your time.

Even if you get hifn or CPU-resident AES-NI, the heavy lifting is done for
hmac-stuff (according to the list).
This is where you need the power, but hw-acceleration is not there.

You might want to get a faster CPU for hmac and preferably AES-NI CPU.
Else you have to accept the slow link.


//mxb

Re: openbsd / ipsec / hardware

James Shupe-4
In reply to this post by Maxim Bourmistrov-5
> I don't see the point with setting kern.usercrypto=1, all support for enc/dec
> you get already from the hw+kernel.
> IPSec stack already used the HW if supported, else you get software based
> enc/dec.
>
> //mxb

I replied to my original email about 45 seconds after I wrote it,
pointing that out. I also mentioned that my speed testing was done with
OpenVPN, which is where that is advantageous.

I also checked the aes enc type in the man page and found that he was
already using aes-128 (I figured it would default to 256).

Re: openbsd / ipsec / hardware

Stuart Henderson
In reply to this post by Dewey Hylton-5
On 2012-03-30, Dewey Hylton <[hidden email]> wrote:

> i'm getting ready to implement a few new site-to-site vpns using
> openbsd, and am on the hunt for appropriate hardware. i have several
> alix (geode) and lanner (intel atom) boxes working wonderfully as
> firewalls and routers, but neither type are able to provide enough
> throughput when ipsec is added to their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept
> a minipci, and i know that soekris makes a crypto accelerator (hifn?)
> that may help - but i'm not sure that'll be enough oompf either.
> our site-to-site link will provide up to 20Mbps, but the lanner box
> is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.

This seems a bit on the low side. How are you testing throughput?

Re: openbsd / ipsec / hardware

Stefan Sieg
In reply to this post by Dewey Hylton-5
On 2012-03-30 22:16, Dewey Hylton wrote:

> i'm getting ready to implement a few new site-to-site vpns using
> openbsd, and am on the hunt for appropriate hardware. i have several
> alix (geode) and lanner (intel atom) boxes working wonderfully as
> firewalls and routers, but neither type are able to provide enough
> throughput when ipsec is added to their roles.
>
> the lanner boxes can't accept add-in cards. the alix can accept a
> minipci, and i know that soekris makes a crypto accelerator (hifn?)
> that may help - but i'm not sure that'll be enough oompf either. our
> site-to-site link will provide up to 20Mbps, but the lanner box is
> topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>
> can anyone point me to a matrix of hardware types and their crypto
> performance benchmarks with openbsd, or at least make recommendations
> based on real-world use?
>
> i'm using defaults for my ipsec configuration, so this is what i'm
> testing with: auth hmac-sha2-256 enc aes
>
> thanks for your time.

This is the throughput/load from a branch vpn ...

Alix
cpu0: Geode(TM) ..... PCS ("AuthenticAMD" 586-class) 499 MHz

IPSec using auth hmac-sha1 enc aes-128

tcpbench:
Conn:   1 Mbps:       11.091 Peak Mbps:       12.038 Avg Mbps:       11.091

systat:
8.6%Int  36.0%Sys   0.6%Usr   0.0%Nic  54.8%Idle

Re: openbsd / ipsec / hardware

Dewey Hylton-5
In reply to this post by Dewey Hylton-5
----- Original Message -----

> From: "James Shupe" <[hidden email]>
> To: "Dewey Hylton" <[hidden email]>
> Sent: Friday, March 30, 2012 4:40:23 PM
> Subject: Re: openbsd / ipsec / hardware
>
> On 03/30/2012 03:16 PM, Dewey Hylton wrote:
> > i'm getting ready to implement a few new site-to-site vpns using
> > openbsd, and am on the hunt for appropriate hardware. i have
> > several alix (geode) and lanner (intel atom) boxes working
> > wonderfully as firewalls and routers, but neither type are able to
> > provide enough throughput when ipsec is added to their roles.
> >
> > the lanner boxes can't accept add-in cards. the alix can accept a
> > minipci, and i know that soekris makes a crypto accelerator
> > (hifn?) that may help - but i'm not sure that'll be enough oompf
> > either. our site-to-site link will provide up to 20Mbps, but the
> > lanner box is topping out at 3.3Mbps with ipsec and the alix is at
> > 1.5Mbps.
> >
> > can anyone point me to a matrix of hardware types and their crypto
> > performance benchmarks with openbsd, or at least make
> > recommendations based on real-world use?
> >
> > i'm using defaults for my ipsec configuration, so this is what i'm
> > testing with: auth hmac-sha2-256 enc aes
> >
> > thanks for your time.
> >
>
> The Alix has a crypto accelerator that supports AES-128-CBC. You
> should
> get around 14Mbps using aes-128 and turning on kern.usercrypto (speed
> tested with OpenVPN*).
>
> -J

would you mind posting your (sanitized) openvpn configuration, as well
as your bandwidth measuring method?

i attempted this today and am seeing much less than 14Mbps. i'm probably
not measuring the same way, however, as i'm using a simple scp which
obviously has its own overhead - but does give me what i believe to be
a fair comparison (testing with and without vpn).

Re: openbsd / ipsec / hardware

Dewey Hylton-5
In reply to this post by Dewey Hylton-5
>From: Stuart Henderson <stu <at> spacehopper.org>
>Subject: Re: openbsd / ipsec / hardware
>Newsgroups: gmane.os.openbsd.misc
>Date: 2012-03-31 21:39:14 GMT (1 day, 22 hours and 53 minutes ago)
>On 2012-03-30, Dewey Hylton <dewey.hylton <at> gmail.com> wrote:
>> i'm getting ready to implement a few new site-to-site vpns using
>> openbsd, and am on the hunt for appropriate hardware. i have several
>> alix (geode) and lanner (intel atom) boxes working wonderfully as
>> firewalls and routers, but neither type are able to provide enough
>> throughput when ipsec is added to their roles.
>>
>> the lanner boxes can't accept add-in cards. the alix can accept
>> a minipci, and i know that soekris makes a crypto accelerator (hifn?)
>> that may help - but i'm not sure that'll be enough oompf either.
>> our site-to-site link will provide up to 20Mbps, but the lanner box
>> is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>
>This seems a bit on the low side. How are you testing throughput?

i'm using a simple scp of a 100MB file. scp reports its transmission
speed. and i'm comparing the same transmission of the same file between
the same two hosts with and without vpn encryption. it may not be
the best or most accurate measurement, but i believe it gives me the
information i'm looking for.

Re: openbsd / ipsec / hardware

James Shupe-4
In reply to this post by Dewey Hylton-5
> would you mind posting your (sanitized) openvpn configuration, as well
> as your bandwidth measuring method?
>
> i attempted this today and am seeing much less than 14Mbps. i'm probably
> not measuring the same way, however, as i'm using a simple scp which
> obviously has its own overhead - but does give me what i believe to be
> a fair comparison (testing with and without vpn).
>
>

One end of the VPN is a Celeron E3300 w/ 4GB RAM and no crypto
accelerator. There is a 20Mbit metro-ethernet connection here that is
being shared with about 300 PCs at a school. The other end is an Alix
2d13. The 2d13 has this config:

---
/etc/hostname.tun0
---
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf
---

---
/etc/openvpn/client.conf
---
client
float
dev tun0
proto udp
remote w.x.y.z 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 0
ns-cert-type server
comp-lzo
verb 3
engine cryptodev
cipher aes-128-cbc
---

---
/etc/sysctl.conf
---
kern.usercrypto=1
---

---
iperf on vpn client acting as client
---
$ iperf -i 2 -t 30 -c 192.168.176.1
------------------------------------------------------------
Client connecting to 192.168.176.1, TCP port 5001
TCP window size: 16.9 KByte (default)
------------------------------------------------------------
[  3] local 192.168.176.6 port 4863 connected with 192.168.176.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  2.62 MBytes  11.0 Mbits/sec
[  3]  2.0- 4.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3]  4.0- 6.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3]  6.0- 8.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3]  8.0-10.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 10.0-12.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 12.0-14.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 14.0-16.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 16.0-18.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 18.0-20.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 20.0-22.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 22.0-24.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 24.0-26.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 26.0-28.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 28.0-30.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3]  0.0-30.2 sec  47.4 MBytes  13.2 Mbits/sec
---

---
iperf on vpn client acting as server
---
$ iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[  4] local 192.168.176.6 port 5001 connected with 192.168.176.1 port 13679
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0-30.1 sec  51.8 MBytes  14.4 Mbits/sec
---

Thank you,
James Shupe

Re: openbsd / ipsec / hardware

James Shupe-4
In reply to this post by Dewey Hylton-5
> as well as your bandwidth measuring method?

You may also look at tcpbench, which is in base. It's not on the Alix
box because I'm using a stripped down flashboot image... I just grabbed
the first thing that came to mind and installed it, which happened to be
iperf.

--
James Shupe

Re: openbsd / ipsec / hardware

Stuart Henderson
In reply to this post by Dewey Hylton-5
On 2012-04-02, Dewey Hylton <[hidden email]> wrote:

>>From: Stuart Henderson <stu <at> spacehopper.org>
>>Subject: Re: openbsd / ipsec / hardware
>>Newsgroups: gmane.os.openbsd.misc
>>Date: 2012-03-31 21:39:14 GMT (1 day, 22 hours and 53 minutes ago)
>>On 2012-03-30, Dewey Hylton <dewey.hylton <at> gmail.com> wrote:
>>> i'm getting ready to implement a few new site-to-site vpns using
>>> openbsd, and am on the hunt for appropriate hardware. i have several
>>> alix (geode) and lanner (intel atom) boxes working wonderfully as
>>> firewalls and routers, but neither type are able to provide enough
>>> throughput when ipsec is added to their roles.
>>>
>>> the lanner boxes can't accept add-in cards. the alix can accept
>>> a minipci, and i know that soekris makes a crypto accelerator (hifn?)
>>> that may help - but i'm not sure that'll be enough oompf either.
>>> our site-to-site link will provide up to 20Mbps, but the lanner box
>>> is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>>
>>This seems a bit on the low side. How are you testing throughput?
>
> i'm using a simple scp of a 100MB file. scp reports its transmission
> speed. and i'm comparing the same transmission of the same file between
> the same two hosts with and without vpn encryption. it may not be
> the best or most accurate measurement, but i believe it gives me the
> information i'm looking for.

Sorry, this is a horrible way to measure connection speed.
Plain ftp would be better, but something that doesn't also measure
disk throughput would be better still (tcpbench, iperf etc).

Also if you're testing from the router itself note that results
when testing from another machine which connects through the router
are likely to be very different.

Re: openbsd / ipsec / hardware

Abel Abraham Camarillo Ojeda-2
On Mon, Apr 2, 2012 at 5:02 PM, Stuart Henderson <[hidden email]> wrote:

> On 2012-04-02, Dewey Hylton <[hidden email]> wrote:
>>>From: Stuart Henderson <stu <at> spacehopper.org>
>>>Subject: Re: openbsd / ipsec / hardware
>>>Newsgroups: gmane.os.openbsd.misc
>>>Date: 2012-03-31 21:39:14 GMT (1 day, 22 hours and 53 minutes ago)
>>>On 2012-03-30, Dewey Hylton <dewey.hylton <at> gmail.com> wrote:
>>>> i'm getting ready to implement a few new site-to-site vpns using
>>>> openbsd, and am on the hunt for appropriate hardware. i have several
>>>> alix (geode) and lanner (intel atom) boxes working wonderfully as
>>>> firewalls and routers, but neither type are able to provide enough
>>>> throughput when ipsec is added to their roles.
>>>>
>>>> the lanner boxes can't accept add-in cards. the alix can accept
>>>> a minipci, and i know that soekris makes a crypto accelerator (hifn?)
>>>> that may help - but i'm not sure that'll be enough oompf either.
>>>> our site-to-site link will provide up to 20Mbps, but the lanner box
>>>> is topping out at 3.3Mbps with ipsec and the alix is at 1.5Mbps.
>>>
>>>This seems a bit on the low side. How are you testing throughput?
>>
>> i'm using a simple scp of a 100MB file. scp reports its transmission
>> speed. and i'm comparing the same transmission of the same file between
>> the same two hosts with and without vpn encryption. it may not be
>> the best or most accurate measurement, but i believe it gives me the
>> information i'm looking for.
>
> Sorry, this is a horrible way to measure connection speed.
> Plain ftp would be better, but something that doesn't also measure
> disk throughput would be better still (tcpbench, iperf etc).
>
> Also if you're testing from the router itself note that results
> when testing from another machine which connects through the router
> are likely to be very different.
>

is nc okay for this kind of measurements?

Re: openbsd / ipsec / hardware

Stuart Henderson
On 2012/04/02 17:11, Abel Abraham Camarillo Ojeda wrote:

> >> i'm using a simple scp of a 100MB file. scp reports its transmission
> >> speed. and i'm comparing the same transmission of the same file between
> >> the same two hosts with and without vpn encryption. it may not be
> >> the best or most accurate measurement, but i believe it gives me the
> >> information i'm looking for.
> >
> > Sorry, this is a horrible way to measure connection speed.
> > Plain ftp would be better, but something that doesn't also measure
> > disk throughput would be better still (tcpbench, iperf etc).
> >
> > Also if you're testing from the router itself note that results
> > when testing from another machine which connects through the router
> > are likely to be very different.
> >
>
> is nc okay for this kind of measurements?

It might do at a push (would be better than scp), but it's really not
designed for this.  What's wrong with using the right tool for the job?

Re: openbsd / ipsec / hardware

Ted Unangst-6
In reply to this post by Dewey Hylton-5
On Mon, Apr 02, 2012, Stuart Henderson wrote:
>> i'm using a simple scp of a 100MB file. scp reports its transmission
>> speed. and i'm comparing the same transmission of the same file between
>> the same two hosts with and without vpn encryption. it may not be
>> the best or most accurate measurement, but i believe it gives me the
>> information i'm looking for.
>
> Sorry, this is a horrible way to measure connection speed.
> Plain ftp would be better, but something that doesn't also measure
> disk throughput would be better still (tcpbench, iperf etc).

I'll take the dissenting view here.  We often criticize people for
putting too much emphasis on fake benchmarks and ignoring real world
performance data.  Here we have somebody actually testing the same
thing he's going to be using (maybe).  A few other tests may provide an
insight into the problem, but at the end of the day, they
aren't going to determine whether the ipsec link is usable or not.

> Also if you're testing from the router itself note that results
> when testing from another machine which connects through the router
> are likely to be very different.

This is very true.

Re: openbsd / ipsec / hardware

Dewey Hylton-5
----- Original Message -----

> From: "Ted Unangst" <[hidden email]>
> To: "Stuart Henderson" <[hidden email]>
> Cc: [hidden email]
> Sent: Monday, April 2, 2012 7:42:01 PM
> Subject: Re: openbsd / ipsec / hardware
>
> On Mon, Apr 02, 2012, Stuart Henderson wrote:
> >> i'm using a simple scp of a 100MB file. scp reports its
> >> transmission
> >> speed. and i'm comparing the same transmission of the same file
> >> between
> >> the same two hosts with and without vpn encryption. it may not be
> >> the best or most accurate measurement, but i believe it gives me
> >> the
> >> information i'm looking for.
> >
> > Sorry, this is a horrible way to measure connection speed.
> > Plain ftp would be better, but something that doesn't also measure
> > disk throughput would be better still (tcpbench, iperf etc).
>
> I'll take the dissenting view here.  We often criticize people for
> putting too much emphasis on fake benchmarks and ignoring real world
> performance data.  Here we have somebody actually testing the same
> thing he's going to be using (maybe).  A few other tests may provide
> a
> insight into the problem, but at the end of the day, they
> aren't going to determine whether the ipsec link is usable or not.
>
> > Also if you're testing from the router itself note that results
> > when testing from another machine which connects through the router
> > are likely to be very different.
>
> This is very true.

ted, that was my thought as well ... i chose scp because this link will
be used to sync data offsite via rsync and a few other methods. while
tcpbench is a nifty tool, it doesn't really show me what i need to see.

i currently have a freebsd box on one side of the connection and linux
on the other. i will eventually have openbsd on both sides with which
i could use tcpbench, but again that doesn't seem to matter at this time.
each box has 4GB of memory, so i figured the 100MB file would be
transmitted to/from RAM in the first place. and as far as i'm aware
even the slowest sata disk can handle the slow connection i'm attempting
to test, so disk throughput shouldn't be a factor. and i'm not testing
from router to router, but across both routers.

and of course, my measurements are comparisons between transmissions
with and without vpn. so the difference between the two shows the overhead
of the vpn, and that's what i'm trying to work on here.

i know that the alix has hardware crypto supporting aes-128-cbc. one thing
that was unclear to me was, on the openbsd ipsec side, whether
aes == aes-128 == aes-128-cbc ... my assumption was YES, after seeing that
aes/aes-128 are both 3 times faster than des on this hardware - but then
i found that blowfish and aes-256 are both faster as well, so at this point
i'm still not sure i'm even getting anything out of the hardware crypto.

one ah-hah, though, was that the scp command was reporting megabytes
per second, not megabits per second as was being reported by another user
here. so there was confusion on my part.
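The measurement questions running through this thread (Stuart's point that scp also measures disk and ssh overhead, James's iperf output, and the MB/s versus Mbit/s mix-up just described) lend themselves to a small bookkeeping script. The following is an added example, not code from the thread; it assumes iperf 2's output layout as James posted it and that scp's progress meter reports 1024-based MB/s, and `SAMPLE_IPERF` is constructed.

```python
"""Added example (not code from the thread): bookkeeping for a with-VPN vs
without-VPN throughput comparison. Parses iperf 2 interval lines in the layout
James posted, recomputes each rate from transfer/time so a misread unit shows
up, converts scp's MB/s to Mbit/s, and reports VPN overhead as a percentage."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# iperf 2 interval line, e.g. "[  3]  0.0- 2.0 sec  2.62 MBytes  11.0 Mbits/sec"
IPERF_LINE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-\s*(?P<end>[\d.]+)\s+sec"
    r"\s+(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?Bytes)"
    r"\s+(?P<bw>[\d.]+)\s+(?P<bunit>[KMG]?bits)/sec"
)
# iperf 2 prints transfer sizes with 1024-based prefixes and bandwidth with
# 1000-based ones; this table is what makes the cross-check below line up.
BYTES_PER = {"Bytes": 1, "KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}
MBIT_PER = {"bits": 1e-6, "Kbits": 1e-3, "Mbits": 1.0, "Gbits": 1e3}


@dataclass
class Interval:
    start: float          # seconds
    end: float            # seconds
    nbytes: float         # bytes moved in the interval
    reported_mbit: float  # bandwidth as printed by iperf, Mbit/s

    @property
    def computed_mbit(self) -> float:
        """Rate recomputed from transfer and duration, in Mbit/s."""
        return self.nbytes * 8 / (self.end - self.start) / 1e6


def parse_iperf(text: str) -> List[Interval]:
    """Return every interval line; banner, header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = IPERF_LINE.match(line)
        if m is not None:
            out.append(Interval(float(m["start"]), float(m["end"]),
                                float(m["xfer"]) * BYTES_PER[m["xunit"]],
                                float(m["bw"]) * MBIT_PER[m["bunit"]]))
    return out


def inconsistent(ivs: List[Interval], tol_mbit: float = 0.1) -> List[Interval]:
    """Intervals whose printed rate disagrees with transfer/time by more than tol."""
    return [iv for iv in ivs if abs(iv.computed_mbit - iv.reported_mbit) > tol_mbit]


def summarize(ivs: List[Interval]) -> Tuple[float, float, Optional[Interval]]:
    """(peak, mean, summary line) in Mbit/s over the periodic reports.

    iperf's final line spans the whole run (start 0.0, end = run length) and
    is separated out so it does not skew the peak/mean of the periodic reports."""
    if not ivs:
        raise ValueError("no iperf interval lines found")
    run_end = max(iv.end for iv in ivs)
    periodic = [iv for iv in ivs if not (iv.start == 0.0 and iv.end == run_end)]
    summary = next((iv for iv in ivs if iv not in periodic), None)
    rates = [iv.reported_mbit for iv in (periodic or ivs)]
    return max(rates), sum(rates) / len(rates), summary


def scp_mbit(mb_per_s: float) -> float:
    """scp's progress meter prints MB/s with 1024-based units (assumption);
    convert to Mbit/s so it can be compared with iperf/tcpbench output."""
    return mb_per_s * 1024 ** 2 * 8 / 1e6


def vpn_overhead_pct(plain_mbit: float, vpn_mbit: float) -> float:
    """Share of throughput lost when the same transfer goes over the VPN."""
    if plain_mbit <= 0:
        raise ValueError("plain-link rate must be positive")
    return (plain_mbit - vpn_mbit) / plain_mbit * 100.0


# Constructed sample in the layout James posted (not his actual numbers).
SAMPLE_IPERF = """\
[  3] local 192.0.2.6 port 4863 connected with 192.0.2.1 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 2.0 sec  2.62 MBytes  11.0 Mbits/sec
[  3]  2.0- 4.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3]  4.0- 6.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3]  0.0- 6.0 sec  8.99 MBytes  12.6 Mbits/sec
"""
```

A 1.5 MB/s scp figure converts to about 12.6 Mbit/s, so reading both tools in the same unit matters before judging a box against a 20 Mbit/s link.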

Re: openbsd / ipsec / hardware

Christian Weisgerber
Dewey Hylton <[hidden email]> wrote:

> i know that the alix has hardware crypto supporting aes-128-cbc. one thing
> that was unclear to me was, on the openbsd ipsec side, whether
> aes == aes-128 == aes-128-cbc ... my assumption was YES, after seeing that

Yes.

> aes/aes-128 are both 3 times faster than des on this hardware - but then
> i found that blowfish and aes-256 are both faster as well, so at this point

3DES is relatively slow in software.  More modern algorithms like
Blowfish and AES were designed for their operations to map efficiently
to the command sets of common 32- and 64-bit microprocessors.

> i'm still not sure i'm even getting anything out of the hardware crypto.

You are.  You could compare the performance of "aes" (AES-128-CBC)
and "aesctr" (AES-128-CTR).  These require similar amounts of
processing, but aesctr doesn't benefit from the Geode's hardware
acceleration.

Also, as has already been mentioned, the authentication algorithms
are about as computationally expensive as the encryption part.
If there isn't enough CPU, you could gain some performance by
switching back from AES/SHA256 to AES/SHA1.

--
Christian "naddy" Weisgerber                          [hidden email]