Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-20 Thread Charles Steinkuehler

> So, as you see, I'll be building 2 to 4 identical appliances, with me
> configuring & testing them all here, and shipping the remote units
> overseas. I don't want to build these appliances next week, only to tell
> the customer he needs new units in 6 months. Hence, that's the reason why
> I'm looking at dual Athlon's or Xeon's with the v2.4x kernel: The very
> LAST place I need a bottleneck is the VPN appliance! :)
>
> Speaking of which, are there any rough estimates of LEAF's capacity vs CPU
> horsepower? Also, does the linux kernel take advantage of the Screaming
> Sindy P4 instruction extensions?

LEAF is linux, so any pertinent data you can find on linux performance will
apply.  I don't know if the kernel in general makes use of the new SIMD
instructions...you'd be most likely to find these in stuff like the software
RAID parity calculations and encryption code, but I don't know for sure how
many optimizations have made it into the code.  I *can* tell you none of
these are in my existing kernels, which are compiled for a 486 system, and
are compiled on a P-90 (so even if the makefiles are smart enough to
optimize for the local architecture, they won't find any MMX instructions,
much less any SIMD stuff).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance

2001-12-19 Thread Charles Steinkuehler

> I need. Here's my preliminary list of design goals:
>
> * No moving parts: Loading from a floppy or CD is a no-no; and if I can
> avoid a hard drive I'll be quite pleased. Having worked extensively with
> Apple & DEC RISC machines, I know a floppy is a worthless POS;
>
> * Since the price of Compact Flash cards is dirt cheap, and since they
> conform to the IDE standard, I'm thinking of using these. This way, I can
> easily deploy upgrades by mailing out replacement cards... No big shake,
> as Pee Wee would say;

This is probably the easiest way to go.

> * The throughput (encryption rate) needs to be plenty, with room for
> expansion. Fortunately, hardware is cheap, so a 1.4 GHz Athlon package is
> no problem whatsoever;
>
> * Along the NIC lines, how well do the Pro/100 S (i82550-based)
> http://www.intel.com/network/connectivity/products/server_adapters.htm
> adapters work with LEAF? This looks like a nice way to gain throughput .IF.
> there are linux drivers.

I think the NICs will function properly (ie send/receive traffic), but
getting the crypto acceleration hardware working with IPSec is another thing
entirely.  The current FreeS/WAN code isn't really setup to easily integrate
hardware acceleration, although there are a few folks who have been working
on this.  Troll the FreeS/WAN mailing list for more info, and check out
their documentation:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/compat.html#hardware

I think you're committed to patching FreeS/WAN, KLIPS, and building custom
kernels if you want hardware acceleration in today's FreeS/WAN.  Given the
data rates you're talking about, and the speed of today's hardware, I doubt
you really need the HW acceleration, however...see the performance page:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






[Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Dan Schwartz


 Good afternoon, folks!

 Well, it looks like at least part of the capacity answer was in the Linux
FreeS/WAN Compatibility Guide, right above the crypto hardware section at:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/compat.html#multiprocessor,
namely the dual processor option. I've long used dual CPU machines
with NT4 & NT5, all the way back to dual PPro machines.

 On the other hand, the article cited above glosses over a problem with
multiple CPUs: The linux 2.2x kernel does *not* have a multithreaded IP
stack. If you remember about 2½ years ago, NetCraft had a shootout between
NT4/IIS and linux 2.2x/apache, on quad Xeon Dells... And IIS blew apache out
of the water as the load increased. As it turns out after long analysis, the
bottleneck was the IP stack only using one CPU; and the problem wasn't fixed
until the v2.4 kernel was released.

 As I look at the FreeS/WAN documentation with an eye towards a dual CPU
mobo, I notice that it still uses the 2.2x kernel, which means I lose the
symmetric multiprocessing capacity, and end up somewhere between NetWare 4 and
MacOS 9 running on dual CPU boxes.

 Are there any FreeS/WAN implementations using the v2.4x kernel?

 Cheers!
 Dan Schwartz
 Cherry Hill, NJ

--- PREVIOUSLY, MR. BROCK NANSON WROTE...

From: Brock Nanson [EMAIL PROTECTED]
Subject:  [Leaf-user] Re: Starting from scratch to build a high capacity VPN
tunnel appliance
Date:  Wed, 19 Dec 2001 09:44:45 -0800

Hi Dan,

I don't think you are alone in this quest... There are several prebuilt
options out there (firecard for instance) that can make the VPN more of
an appliance than a PC. However, it's nice to have some control over
the configuration, and more satisfying to do it yourself rather than
just buy a canned product!

I believe the CF-IDE idea has been done, at least for the regular LRP
concept. You could snoop around the various LRP sites. I don't see why
it couldn't be extended to include the FreeS/WAN stuff as well. I've
got the Steinkuehler version of 1.5 going in several locations, without
issue. I just use the floppy drive versions - they are only read on
boot - and have yet to have a floppy-caused failure. I avoided the
'superfloppy' by adding a second drive. So I have two 1.44 MB floppies
to handle all the modules I need.

I'm not sure that the Compact Flash idea is really going to solve all
your problems... Why not try the floppy method first? A second set of
floppies kept at each site would allow a failsafe should the first set
meet an untimely demise. And if you're planning to courier updated CF
cards, you could just as easily courier a new set of floppies. Or for
that matter, create new disk images you could email and have the remote
office write them to floppy. Or SSH and SCP stuff to the remote
offices. Using a CD would be even more reliable... In fact I'd be
tempted to say more reliable than CF.

Given that my floppies see use once a month or less, I don't think you
should be overly concerned! Once you build a stable system, you could
practically throw the floppies away and run the gateway on a UPS -
they are that solid.

R Brock Nanson, P.Eng. [EMAIL PROTECTED]
TRUE Consulting Group
201 - 2079 Falcon Road
Kamloops BC V2C4J2 www.true.bc.ca
(250) 828-0881 fax: (250) 828-0717










Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Tom Eastep

On Wednesday 19 December 2001 03:19 pm, Dan Schwartz wrote:


> Are there any FreeS/WAN implementations using the v2.4x kernel?


I've been running FreeS/WAN on 2.4 kernels for months. I'm currently using 
FreeS/WAN version 1.94 with kernel 2.4.16.

-Tom
-- 
Tom Eastep\  [EMAIL PROTECTED]
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4





Re: [Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance, part 2

2001-12-19 Thread Michael D. Schleif


Dan Schwartz wrote:
>
> Dear Charles:
>
> Thank you *very* much for the offer. Right now they are in the process of
> getting the T-1 line provisioned (still 30+ days away, courtesy of Verizon);
> and as they get closer to deciding on whether they want a VPN channel between
> their offices I'll shepherd them towards this.
>
> [By the way, you're probably wondering why they would need a dual CPU
> encryption appliance: The firm is a service bureau, scanning in over 100,000
> documents per day - About 5 gigabytes per day. Then, they send the image files
> to Manila, where a crew of 200 operators key in and verify the data (sort of a
> manual OCR), then FTP the text back to NJ where it's put on disk or tape for
> the customer. Right now, they're sending a DVD every day via DHL to Manila
> with the scans: It's actually slightly cheaper than a T-1; but they lose a
> day. Basically, with T-1 lines on both ends (they are 4 miles from the
> Pennsauken peering point) the 1.544 megabit line will be fully loaded for 11
> hours just transmitting the data. Where the encryption (VPN circuit) comes in
> is that some of the customers are financial institutions, and it's a selling
> point in the highly competitive business.]

[ snip ]

What am I missing?  How is it that you think you can saturate a single
500 MHz Celeron with an encrypted 1.5 Mbps connection?

Unless I'm missing something, you might do well to redo that math . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

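The capacity arithmetic argued over in this thread (5 GB of scans a day over a 1.544 Mbit T-1, and whether a 500 MHz Celeron could possibly be the bottleneck for 1.5 Mbps of encryption) as a small planning calculator. This is an added example, not code from the thread, from LEAF or from FreeS/WAN. The ESP tunnel-mode packet layout it assumes (20-byte outer IP header, 8-byte ESP header, 8-byte 3DES IV, block padding, 2-byte trailer, 12-byte HMAC-96 ICV, 1500-byte Ethernet MTU) is the classic layout of that era; the link rate and daily volume are the figures quoted in the thread; the 3DES throughput figure is a constructed placeholder that should be replaced by a value measured on the actual box.

```python
"""Capacity-planning arithmetic for an IPsec (ESP tunnel-mode) link.

Added example; not code from the LEAF/FreeS/WAN projects or from anyone in
the thread.  Packet-format numbers are the classic ESP tunnel-mode layout
(3DES with an 8-byte IV, HMAC-96 authenticator); the link and volume
figures are the ones quoted in the thread; the cipher benchmark figure is a
constructed placeholder to be replaced by a measured value.
"""

T1_BPS = 1_544_000          # T-1 line rate quoted in the thread
DAILY_BYTES = 5 * 10**9     # "about 5 gigabytes per day" of scans
MTU = 1500                  # Ethernet MTU on the outer interface


def esp_overhead(inner_len, block=8, iv=8, icv=12, outer_ip=20, esp_hdr=8, trailer=2):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes.

    Outer IP header + ESP header (SPI, sequence) + IV + cipher-block padding
    + ESP trailer (pad length, next header) + HMAC-96 ICV.  Padding makes
    (inner packet + trailer) a whole number of cipher blocks.
    """
    pad = (-(inner_len + trailer)) % block
    return outer_ip + esp_hdr + iv + pad + trailer + icv


def max_inner_len(mtu=MTU, **kw):
    """Largest inner packet that still fits in one outer frame (no fragmentation)."""
    n = mtu
    while n + esp_overhead(n, **kw) > mtu:
        n -= 1
    return n


def payload_efficiency(mtu=MTU, inner_hdrs=40, **kw):
    """Fraction of bytes on the wire that are application data, for full-size
    TCP segments (20-byte IP + 20-byte TCP inner headers)."""
    inner = max_inner_len(mtu, **kw)
    outer = inner + esp_overhead(inner, **kw)
    return (inner - inner_hdrs) / outer


def hours_to_transfer(nbytes, link_bps, efficiency=1.0):
    """Wall-clock hours to push nbytes over a dedicated link; efficiency < 1
    accounts for encapsulation overhead.  Ignores TCP acknowledgements,
    link-layer framing and retransmits, so this is a floor, not a forecast."""
    return nbytes * 8 / (link_bps * efficiency) / 3600


def cpu_fraction(link_bps, cipher_bytes_per_s):
    """Share of one CPU's cipher capacity needed to keep the link busy in one
    direction.  cipher_bytes_per_s should be a benchmark of the chosen cipher
    measured on the actual machine."""
    return (link_bps / 8) / cipher_bytes_per_s


if __name__ == "__main__":
    inner = max_inner_len()
    eff = payload_efficiency()
    print(f"max inner packet: {inner} bytes, ESP overhead {esp_overhead(inner)} bytes")
    print(f"payload efficiency: {eff:.3f}")
    print(f"raw link time for daily volume: {hours_to_transfer(DAILY_BYTES, T1_BPS):.2f} h")
    print(f"with ESP overhead: {hours_to_transfer(DAILY_BYTES, T1_BPS, eff):.2f} h")
    # Constructed placeholder for 3DES throughput on a late-1990s x86 CPU;
    # replace with a measured figure from the real appliance.
    ASSUMED_3DES_BYTES_PER_S = 6_000_000
    print(f"CPU share to fill one T-1 with 3DES: "
          f"{cpu_fraction(T1_BPS, ASSUMED_3DES_BYTES_PER_S):.1%}")
```

The raw-link figure is a floor: it leaves out the TCP acknowledgements flowing the other way, the frame relay or HDLC framing under IP, and any retransmits, which is why a real transfer window comes out longer than the bare division. The CPU figure is the check behind Michael's question: one T-1 is under 200 KB/s of cipher work, so even a modest 3DES rate leaves most of a single CPU idle, and the point at which encryption becomes CPU-bound is a number to revisit once the fractional DS-3 links Dan mentions are actually sized.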



[Leaf-user] Starting from scratch to build a high capacity VPN tunnel appliance

2001-12-18 Thread expresso


 Good evening, folks!

 I have a new customer with two (soon to be four) offices; and when I got there
their Internet access on both ends (Cherry Hill NJ & Manila) was a DSL mess. In
fact, it's so bad they send 1 to 2 DVDs per day via DHL to Manila. I'm
finalizing the design & costing for the MAN links to the ISPs, using either
multiple T-1 frame relay links or fractional DS-3, in order to get sustained
throughputs of 3 to 6 megabits.

 I'm in need of some advice on the OS & software for the two to four appliances
I'll be building for them. I started out on Charles Steinkuehler's site, as well
as the linked article at:
http://www.linuxjournal.com/article.php?sid=4772; but it doesn't quite cut the
cheese for what I need. Here's my preliminary list of design goals:

 * No moving parts: Loading from a floppy or CD is a no-no; and if I can avoid a
hard drive I'll be quite pleased. Having worked extensively with Apple & DEC RISC
machines, I know a floppy is a worthless POS;

 * Since the price of Compact Flash cards is dirt cheap, and since they conform to
the IDE standard, I'm thinking of using these. This way, I can easily deploy
upgrades by mailing out replacement cards... No big shake, as Pee Wee would say;

 * The throughput (encryption rate) needs to be plenty, with room for expansion.
Fortunately, hardware is cheap, so a 1.4 GHz Athlon package is no problem whatsoever;

 * I was going to purchase Intel 31xx VPN appliances
http://www.intel.com/network/idc/products/vpn_gateway.htm, until I saw the prices.
Oh, and they just EOL'd these boxes, instead giving the reference design to H-P;

 * Along the NIC lines, how well do the Pro/100 S (i82550-based)
http://www.intel.com/network/connectivity/products/server_adapters.htm adapters work
with LEAF? This looks like a nice way to gain throughput .IF. there are linux drivers.

 Thanks in advance for any tips!

 Cheers!
 Dan Schwartz
 Cherry Hill, NJ

 When the chips are down, the buffalo is empty...