> >Do not make the mistake of equating "stripped down" with "low capacity".
> I'm not confusing the two. However, I've already identified two
> that can't be used with the standard LEAF distro
> 1) No linux support for hardware encryption accelerators;
> 2) No IP stack multithreading in the 2.2 kernel, which effectively neuters
> dual CPU hardware.

Both correct, AFAIK, but you can use the 2.4 kernel with LEAF and get around
the second issue...

> With an ipsec tunnel in place, throughput was between 3268 and 3402
> KB/sec [Which is 32 to 34 megabits per second encryption rate]
>  ---
> This 3.3 megabit 3DES encryption rate with the PIII/733 is only about that
> a pair of T-1 lines; while the similar hardware in the Intel box has an
> encryption rate of 95 megabits.

???  You're confusing me...how do you go from 32-34 MBits/s to 3.3 MBits/s?

> >Testing with single processor 733 MHz Pentium III systems, and measuring
> >with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92
> >MBits/s (that's a pretty saturated 100Mbit ethernet link!).  Adding
> >encryption overhead caused these speeds to drop by about 1/3, to
> >KB/s, or about 27 MBits/s.
> My point exactly: The Intel reference design - Now being sold by H-P as
> well - seems to be about 3 times as efficient in 3DES encryption as
> with (essentially) the same PIII/733 architecture.

<major snippage>

> I'm not trying to bash FreeS/WAN - Quite to the contrary! I know it's a
> decent product that does its job well. When I see something with about the
> same hardware (PIII/733) that's 3 times more efficient, though, it raises
> flag.

Yeah, but those are the specs with the optional hardware crypto accelerator.
You can't compare the hardware assisted numbers of the Intel box with the
CPU only numbers of FreeS/WAN, and claim the Intel box is 3x faster code, or
3x more efficient code...it's faster because it has a crypto ASIC built-in
to offload the CPU.

I've seen a number of reports from folks successfully using hardware
acceleration with FreeS/WAN, although this is not a particularly mainstream
thing.  If you really want to burst to 155 MBits/sec, you'll probably need
some form of hardware acceleration (at least for a year or two, until the
5-6 GHz CPUs come out).  You might also want to note that the new AES
crypto algorithm is much more CPU friendly than 3DES (as are several other
crypto standards).  You may be able to find FreeS/WAN patches for rijendall
(sp?) or some of the other alternate crypto schemes that will give you
higher throughput than 3DES.

Charles Steinkuehler
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
