Dear Charles and Tony,

        Thank you very much - Again! - for the capacity planning help.

        [More]

>-----Original Message 2-----
>From: Charles Steinkuehler
>To: #LEAF ListSERV
>Subject: Re: [Leaf-user] Is this newbie even in the right ballpark with
>LEAF?
>
>
>> Over the past few days I've received some very helpful guidance about
>> assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
>> throughput rates; and I really appreciate the guidance given this Mac & NT
>> geek (& linux newbie).
>>
>> However, since LEAF is essentially a small, stripped down (yet robust!)
>> router that fits on 1 or 2 floppies, is there another router/encryption
>> project out there in *nix land that's more suited for high capacity, i.e.
>> something on the order of an Intel NetStructure 31xx VPN gateway
>> <http://www.intel.com/network/idc/products/vpn_gateway.htm>?
>
>Do not make the mistake of equating "stripped down" with "low capacity".

        I'm not confusing the two. However, I've already identified two optimizations
that can't be used with the standard LEAF distro:

        1) No linux support for hardware encryption accelerators;

        2) No IP stack multithreading in the 2.2 kernel, which effectively neuters
dual CPU hardware.

>The capacity of a LEAF system is related to the hardware you install it on.
>Use a 486 with NE2000 ISA NIC's, and you'll be lucky to get 5 or 6 MBits/sec
>(although this is fine for most cable/DSL users).  Upgrade to a Pentium
>class system with good PCI NIC's, and you'll get a router system that can
>come close to saturating several 100 MBit links.
>
>Since you're mainly interested in encryption throughput, I refer you again
>to the FreeS/WAN performance page:
>http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

        Actually, when I looked at that document last week, it launched a host of new
questions. From the freeswan.org article, comments [in brackets]:

 ---

The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K
cache. [This is about the same as the high end Intel appliances] They have
128M main memory.  Nothing significant was running on
the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched
with freeswan and ext3.

Without an ipsec tunnel in the chain (ie the 2 inner boxes just being
100BaseT routers), throughput (measured with ttcp) was between 10644
and 11320 KB/sec [This is 100 to 110 megabits per second, unencrypted]

With an ipsec tunnel in place, throughput was between 3268 and 3402
KB/sec [Which is 32 to 34 megabits per second encryption rate]

 ---

        This 3.3 megabit 3DES encryption rate with the PIII/733 is only about that of
a pair of T-1 lines; while the similar hardware in the Intel box has an
encryption rate of 95 megabits.


        [more]

>Testing with single processor 733 MHz Pentium III systems, and measuring
>with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92
>MBits/s (that's a pretty saturated 100Mbit ethernet link!).  Adding
>encryption overhead caused these speeds to drop by about 1/3, to 3268-3402
>KB/s, or about 27 MBits/s.

        My point exactly: The Intel reference design - Now being sold by H-P as
well - seems to be about 3 times as efficient in 3DES encryption as FreeS/WAN
with (essentially) the same PIII/733 architecture.

>With much faster systems available today, and taking into account the
>fact that the encrypted throughput numbers above are for the end-end TCP
>connection (ie the actual traffic on the encrypted link is running at a
>higher bandwidth, due to the IPSec protocol overhead), I don't think
>you're going to have trouble saturating your internet connections.

        Well... With the tariffs rigged by Verizon the way they are, that T-1 frame
relay line could quickly jump to a burstable OC-3 155 megabit ATM circuit...

>IIRC, you indicated you were starting with a T1, which can easily be kept
>saturated by a Pentium-1 class system (ie P90-133), even when running
>encryption.  The 733 MHz systems above provide you with about a 20X margin
>for future growth, with a modern 1.5 MHz

        You mean 1.5 GHz...

>single CPU system likely providing
>40-50x your initial T1 requirement.  The intel system with hardware crypto
>acceleration only provides a peak performance of 95 MBits/s.  You should be
>able to match this using linux and FreeS/WAN with a 2.5-3 GHz CPU...these
>may not be available today, but it won't be long until they are.
>
>If your customers are seriously going to be using more bandwidth than a
>modern fast CPU can encrypt/decrypt, you should have no problem jumping to a
>high-end dedicated VPN endpoint solution...while these systems are quite
>expensive, the purchase price will likely be lost in the noise of your
>monthly bandwidth charges...

        Not necessarily, due to the difference between a committed rate ("all you can
eat" for a fixed monthly price) and a burstable rate ("I'll give you a fat
pipe and charge you for your peak usage").

>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>-----Original Message 1-----
>From:  Tony
>Subject: RE: [Leaf-user] Is this newbie even in the right ballpark with
>LEAF?
>
>
>But, isn't LEAF limited to 64M for the ramdisk?  MINIX is the
>filesys right?  And I thought that was limited to 64M total.

        Could this be a bottleneck? What happens with a $30 512 MB DIMM?

>Now, 64M with the PIII and some quality PCI cards....should be more
>than enough for what he needs.  I know 3com and Intel have cards
>with the 3DES decoding chips onboard to offload the work, but I
>don't know if they work with Linux (I know they work with W2K).

        Ahh, yes: The i82550 chipset. The NICs with this will work with the core
driver, i.e. work as a standard NIC; but the encryption coprocessor just sits
idle unless the NT4 or NT5 driver is loaded. Sorry, no *nix drivers:
<http://www.intel.com/network/connectivity/resources/technologies/advanced_features.htm>
        And...
<http://www.intel.com/network/connectivity/resources/technologies/advanced_features/server_adapters.htm>

        If you want to play around with these cards (or other mobile or PCI NIC's),
they are actually quite inexpensive with their "test drive" program:
<http://inteleval.ententeweb.com/store.asp>. And, you can reorder about once
per week - They don't care.

>I looked at 3com's site, and they have beta version drivers for the
>2.2 and 2.4 kernels, but I am not totally sure they support the
>offloading of the encryption/decryption and tcp checksum calcs.  If
>they did, then you could get away with even less CPU.
>
>Later
>
>Tony
>
>
>[snip]
>>
>> You're talking about
>>
>>   Low end Intel                      High End Intel
>> --------------------                 -----------------
>>   233 MHz Cpu                        733 MHz Cpu
>>   3 Mbps 3DES throughput             95 Mbps 3DES throughput
>>
>> That's a big difference.   I'm sure you could put together
>> a LEAF box with a PIII 800 and 512 MB ram, but you're asking
>> for other companies solutions, and I'll let someone else
>> answer that.  I'd like to think a LEAF box could keep
>> up until it's compared to some fancy hardware with a modified
>> PCI bus or multiple PCI buses.
>>
>> Good Luck,
>> Matthew

        I'm not trying to bash FreeS/WAN - Quite to the contrary! I know it's a
decent product that does its job well. When I see something with about the
same hardware (PIII/733) that's 3 times more efficient, though, it raises a
flag.

        Cheers!
        Dan...

DISCLAIMER: I don't own any Intel stock...
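To put the ttcp figures quoted in this thread on a common footing, here is an added example (it is not FreeS/WAN code and not from anyone on the list) that converts a ttcp payload rate into the bit rate an IPsec ESP tunnel actually puts on the wire, and shows what inner packet size still fits a 1500-byte outer MTU. The per-packet sizes are the RFC 2406 (ESP), RFC 2451 (3DES-CBC, 8-byte IV and block) and RFC 2404 (HMAC-SHA1-96, 12-byte ICV) values. Assumptions, labelled in the code as well: ttcp's "KB" means 1024 bytes, tunnel mode over IPv4 with no options, full-size TCP segments with no options, one direction only (the reverse-direction ACKs are ignored), and the link rates passed to link_budget() are whatever the reader's circuit is.

```python
"""ESP tunnel-mode overhead estimator for a 3DES-CBC / HMAC-SHA1-96 tunnel.

Added example for the throughput discussion in this thread; it is not code
from FreeS/WAN or from any of the posters. Header sizes are the RFC 2406,
RFC 2451 and RFC 2404 values. Everything else (MTU, link rates, the meaning
of ttcp's KB) is an assumption stated in the comments.
"""

IPV4_HDR = 20      # outer IPv4 header prepended in tunnel mode (no options)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
IV_3DES = 8        # one 3DES block carried as the explicit CBC IV
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted region
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 integrity check value
BLOCK_3DES = 8     # CBC block size; payload + trailer is padded up to this
FIXED_OVERHEAD = IPV4_HDR + ESP_HDR + IV_3DES + ICV_SHA1_96   # 48 bytes


def esp_packet_size(inner_len: int) -> int:
    """Bytes on the wire for one ESP tunnel-mode packet that carries an inner
    IP datagram of inner_len bytes (CBC padding included)."""
    if inner_len < 20:
        raise ValueError("inner datagram must hold at least an IP header")
    plaintext = inner_len + ESP_TRAILER
    pad = (-plaintext) % BLOCK_3DES          # 0..7 bytes of CBC padding
    return FIXED_OVERHEAD + plaintext + pad


def max_inner_datagram(outer_mtu: int = 1500) -> int:
    """Largest inner datagram whose ESP packet still fits outer_mtu, i.e. the
    size above which the outer packet has to be fragmented."""
    room = outer_mtu - FIXED_OVERHEAD
    room -= room % BLOCK_3DES                # encrypted region is block-aligned
    return room - ESP_TRAILER


def tcp_mss_through_tunnel(outer_mtu: int = 1500) -> int:
    """TCP MSS an endpoint should use so that full segments are not fragmented.
    Assumes inner IPv4 + TCP headers without options (40 bytes)."""
    return max_inner_datagram(outer_mtu) - 40


def payload_mbps(payload_kbytes_per_s: float, kb: int = 1024) -> float:
    """Plain unit conversion of a ttcp figure to Mbit/s of TCP payload.
    kb=1024 is an assumption about what ttcp calls a KB."""
    return payload_kbytes_per_s * kb * 8 / 1e6


def wire_rate_mbps(payload_kbytes_per_s: float, outer_mtu: int = 1500,
                   kb: int = 1024) -> float:
    """Convert a ttcp-style payload rate (KB/s of TCP data, one direction) into
    the IP-layer bit rate the encrypted link actually carries. Assumes every
    segment is a full MSS and ignores the reverse-direction ACK stream."""
    mss = tcp_mss_through_tunnel(outer_mtu)
    inner_len = mss + 40                     # inner IPv4 + TCP headers
    packets_per_s = payload_kbytes_per_s * kb / mss
    return packets_per_s * esp_packet_size(inner_len) * 8 / 1e6


def link_budget(link_mbps: float, measured_payload_kbytes_per_s: float) -> dict:
    """Compare the wire rate implied by a ttcp measurement against a link's
    capacity (link_mbps is whatever circuit the reader is planning for)."""
    wire = wire_rate_mbps(measured_payload_kbytes_per_s)
    return {"wire_mbps": round(wire, 1),
            "utilisation": round(wire / link_mbps, 2),
            "saturates": wire >= link_mbps}


if __name__ == "__main__":
    for inner in (40, 576, max_inner_datagram(), 1500):
        print(f"inner {inner:4d} bytes -> {esp_packet_size(inner)} bytes on the wire")
    print("tunnel MSS for a 1500-byte outer MTU:", tcp_mss_through_tunnel())
    # 3268 KB/s is the low end of the FreeS/WAN figure quoted in the thread
    print("payload Mbit/s:", round(payload_mbps(3268), 2))
    print("wire Mbit/s:   ", round(wire_rate_mbps(3268), 2))
    print("T1 (1.544 Mbit/s):   ", link_budget(1.544, 3268))
    print("OC-3 (155.52 Mbit/s):", link_budget(155.52, 3268))
```

Two things the raw ttcp numbers hide: the fixed 48 bytes plus CBC padding on every packet put the wire rate about 6% above the payload rate for full-size segments (much more for small packets), and an untouched 1500-byte inner datagram becomes a 1552-byte outer packet that must be fragmented, so the MSS should be clamped (here to 1406) before taking any measurement meant for capacity planning.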


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user