Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-27 Thread Charles Steinkuehler

 I've seen a number of reports from folks successfully using hardware
 acceleration with FreeS/WAN,

 Oh? I didn't see any drivers for hardware accelerators - Or did
 I miss something.

I don't think you missed anything...there's no hardware support in the
mainstream code for FreeS/WAN.  I have, however, seen several reports of
folks adding hardware support to the FreeS/WAN code base on the mailing
list.  I have no idea if their code is available, or under what terms, but
there are reports of folks who have done this.  The libdes used by FreeS/WAN
is the same libdes provided with OpenSSL, and since most crypto hardware
makers who support linux provide OpenSSL patches, it may not be too hard to
interface FreeS/WAN to acceleration hardware, although such a project is
likely not for the faint of heart (there are still several
kernel-mode/user-mode issues...AFAIK, OpenSSL is generally designed to run
in user-space, while the FreeS/WAN software crypto routines are running in
kernel space, which makes a big difference in how you talk to the hardware).

 although this is not a particularly main-stream
 thing.  If you really want to burst to 155 MBits/sec, you'll probably
need
 some form of hardware acceleration (at least for a year or two, until the
 5-6 GHz CPU's come out).

 If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.

Sounds like a plan...I've seen reports of 3DES routines that really smoke
running on Alphas, taking advantage of the true 64 bit architecture to run
bit-sliced algorithms which really speed things up vs the clunky x86
systems.  If you go with an alpha system, you'll probably want to use a
mainstream distro...you might want to do this anyway, depending on how 'thin'
you want to make your VPN gateways.

You might also consider separating your VPN gateway and firewall functions
into separate boxes, but that introduces complications of a different sort
(especially routing)...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-27 Thread Dan Schwartz



-Original Message-
From:  Charles Steinkuehler
Subject: Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF?
(Summary)


 I've seen a number of reports from folks successfully using hardware
 acceleration with FreeS/WAN,

 Oh? I didn't see any drivers for hardware accelerators - Or did
 I miss something.

I don't think you missed anything...there's no hardware support in the
mainstream code for FreeS/WAN.  I have, however, seen several reports of
folks adding hardware support to the FreeS/WAN code base on the mailing
list.  I have no idea if their code is available, or under what terms, but
there are reports of folks who have done this.  The libdes used by FreeS/WAN
is the same libdes provided with OpenSSL, and since most crypto hardware
makers who support linux provide OpenSSL patches, it may not be too hard to
interface FreeS/WAN to acceleration hardware, although such a project is
likely not for the faint of heart (there are still several
kernel-mode/user-mode issues...

I'll pass at this time...

However: Also check out PowerCrypt at:
http://www.powercrypt.com/

AFAIK, OpenSSL is generally designed to run
in user-space, while the FreeS/WAN software crypto routines are running in
kernel space, which makes a big difference in how you talk to the hardware).

Yeah, you could say that

although this is not a particularly main-stream
thing.  If you really want to burst to 155 MBits/sec, you'll probably need
some form of hardware acceleration (at least for a year or two, until the
5-6 GHz CPU's come out).

 If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.

Sounds like a plan...I've seen reports of 3DES routines that really smoke
running on Alphas, taking advantage of the true 64 bit architecture to run
bit-sliced algorithms which really speed things up vs the clunky x86
systems.

Yes, I've been using Alphas for 5 years now - I have 3 Multias in boxes in
my basement; plus an AlphaPC 164SX (with 533 MHz 21164PC CPU) running
Win2k/RC2 server. [I also have another identical 164SX mobo on the way that
was shipped last week, so I'll be building an NT4/Datacenter cluster for
Exchange 5.5, to work as my home & family email server(!)]

If you go with an alpha system, you'll probably want to use a
mainstream distro...you might want to do this anyway, depending on how 'thin'
you want to make your VPN gateways.

http://www.alpha-processor.com

You might also consider separating your VPN gateway and firewall functions
into separate boxes, but that introduces complications of a different sort
(especially routing)...


Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-26 Thread Ewald Wasscher

  Dan Schwartz wrote:

although this is not a particularly main-stream
thing.  If you really want to burst to 155 MBits/sec, you'll probably need
some form of hardware acceleration (at least for a year or two, until the
5-6 GHz CPU's come out).



   If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.

Now that's a waste of money. I even doubt a 1 GHz 21264 will be faster
than a 2 GHz x86 CPU, when doing integer calculations.


You might also want to note that the new AES
crypto algorithm is much more CPU friendly than 3DES (as are several other
crypto standards).  You may be able to find FreeS/WAN patches for Rijndael
(sp?) or some of the other alternate crypto schemes that will give you
higher throughput than 3DES.

I looked for them and didn't find any good ones. This is an area where
IMHO OpenBSD (and perhaps the other *BSD's) is much more advanced than
linux. OpenBSD does support hardware crypto accelerators, and X509
certificates, and other ciphers than 3DES.

Ewald Wasscher






Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-24 Thread Charles Steinkuehler

 Do not make the mistake of equating stripped down with low capacity.

 I'm not confusing the two. However, I've already identified two
optimizations
 that can't be used with the standard LEAF distro

 1) No linux support for hardware encryption accelerators;

 2) No IP stack multithreading in the 2.2 kernel, which effectively neuters
 dual CPU hardware.

Both correct, AFAIK, but you can use the 2.4 kernel with LEAF and get around
the second issue...

 With an ipsec tunnel in place, throughput was between 3268 and 3402
 KB/sec [Which is 32 to 34 megabits per second encryption rate]

  ---

 This 3.3 megabit 3DES encryption rate with the PIII/733 is only about that
of
 a pair of T-1 lines; while the similar hardware in the Intel box has an
 encryption rate of 95 megabits.

???  You're confusing me...how do you go from 32-34 MBits/s to 3.3 MBits/s?

 Testing with single processor 733 MHz Pentium III systems, and measuring
 with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92
 MBits/s (that's a pretty saturated 100Mbit ethernet link!).  Adding
 encryption overhead caused these speeds to drop by about 1/3, to
3268-3402
 KB/s, or about 27 MBits/s.

 My point exactly: The Intel reference design - Now being sold by H-P as
 well - seems to be about 3 times as efficient in 3DES encryption as
FreeS/WAN
 with (essentially) the same PIII/733 architecture.

major snippage

 I'm not trying to bash FreeS/WAN - Quite to the contrary! I know it's a
 decent product that does its job well. When I see something with about the
 same hardware (PIII/733) that's 3 times more efficient, though, it raises
a
 flag.

Yeah, but those are the specs with the optional hardware crypto accelerator.
You can't compare the hardware assisted numbers of the intel box with the
CPU only numbers of FreeS/WAN, and claim the intel box is 3x faster code, or
3x more efficient code...it's faster because it has a crypto ASIC built-in
to offload the CPU.

I've seen a number of reports from folks successfully using hardware
acceleration with FreeS/WAN, although this is not a particularly main-stream
thing.  If you really want to burst to 155 MBits/sec, you'll probably need
some form of hardware acceleration (at least for a year or two, until the
5-6 GHz CPU's come out).  You might also want to note that the new AES
crypto algorithm is much more CPU friendly than 3DES (as are several other
crypto standards).  You may be able to find FreeS/WAN patches for Rijndael
(sp?) or some of the other alternate crypto schemes that will give you
higher throughput than 3DES.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-24 Thread Dan Schwartz



-Original Message-
From: Charles Steinkuehler
Subject: Re: [Leaf-user] Is this newbie even in the right ballpark with
LEAF? (Summary)


 Do not make the mistake of equating stripped down with low capacity.

 I'm not confusing the two. However, I've already identified two
optimizations that can't be used with the standard LEAF distro

 1) No linux support for hardware encryption accelerators;

 2) No IP stack multithreading in the 2.2 kernel, which effectively neuters
 dual CPU hardware.

Both correct, AFAIK, but you can use the 2.4 kernel with LEAF and get around
the second issue...

 With an ipsec tunnel in place, throughput was between 3268 and 3402
 KB/sec [Which is 32 to 34 megabits per second encryption rate]

  ---

 This 3.3 megabit 3DES encryption rate with the PIII/733 is only about that
of a pair of T-1 lines; while the similar hardware in the Intel box has an
 encryption rate of 95 megabits.

???  You're confusing me...how do you go from 32-34 MBits/s to 3.3 MBits/s?


My bad: I slipped a decimal point


major snippage

 I'm not trying to bash FreeS/WAN - Quite to the contrary! I know it's a
 decent product that does its job well. When I see something with about the
 same hardware (PIII/733) that's 3 times more efficient, though, it raises
 a flag.

Yeah, but those are the specs with the optional hardware crypto accelerator.
You can't compare the hardware assisted numbers of the intel box with the
CPU only numbers of FreeS/WAN, and claim the intel box is 3x faster code, or
3x more efficient code...it's faster because it has a crypto ASIC built-in
to offload the CPU.

I've seen a number of reports from folks successfully using hardware
acceleration with FreeS/WAN,


Oh? I didn't see any drivers for hardware accelerators - Or did
I miss something.


although this is not a particularly main-stream
thing.  If you really want to burst to 155 MBits/sec, you'll probably need
some form of hardware acceleration (at least for a year or two, until the
5-6 GHz CPU's come out).


If I need more CPU horsepower, I'll use 21264 (Alpha) CPU's instead.


You might also want to note that the new AES
crypto algorithm is much more CPU friendly than 3DES (as are several other
crypto standards).  You may be able to find FreeS/WAN patches for Rijndael
(sp?) or some of the other alternate crypto schemes that will give you
higher throughput than 3DES.

Charles Steinkuehler

Cheers!
Dan

When the chips are down, the buffalo is empty




RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF?

2001-12-22 Thread Tony

But, isn't LEAF limited to 64M for the ramdisk?  MINIX is the filesys right?  And I 
thought that was limited to 64M total.  

Now, 64M with the PIII and some quality PCI cards should be more than enough for
what he needs.  I know 3com and Intel have cards with the 3DES decoding chips onboard
to offload the work, but I don't know if they work with Linux (I know they work with
W2K).

I looked at 3com's site, and they have beta version drivers for the 2.2 and 2.4 
kernels, but I am not totally sure they support the offloading of the 
encryption/decryption and tcp checksum calcs.  If they did, then you could get away 
with even less CPU.

Later

Tony


[snip]
 
 You're talking about 
 
   Low end Intel              High End Intel
   ---------------------------------------------
   233 MHz CPU                733 MHz CPU
   3 Mbps 3DES throughput     95 Mbps 3DES throughput
 
 That's a big difference.   I'm sure you could put together
 a LEAF box with a PIII 800 and 512 MB ram, but you're asking
 for other companies solutions, and I'll let someone else
 answer that.  I'd like to think a LEAF box could keep
 up until it's compared to some fancy hardware with a modified 
 PCI bus or multiple PCI buses.
 
 Good Luck,
 Matthew 
 





RE: [Leaf-user] Is this newbie even in the right ballpark with LEAF? (Summary)

2001-12-22 Thread Dan Schwartz


Dear Charles and Tony,

Thank you very much - Again! - for the capacity planning help.

[More]

-Original Message 2-
From: Charles Steinkuehler
To: #LEAF ListSERV
Subject: Re: [Leaf-user] Is this newbie even in the right ballpark with
LEAF?


 Over the past few days I've received some very helpful guidance about
 assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
 throughput rates; and I really appreciate the guidance given this Mac & NT
 geek (& linux newbie).

 However, since LEAF is essentially a small, stripped down (yet robust!)
 router that fits on 1 or 2 floppies, is there another router/encryption
 project out there in *nix land that's more suited for high capacity, i.e.
 something on the order of an Intel NetStructure 31xx VPN gateway
 http://www.intel.com/network/idc/products/vpn_gateway.htm?

Do not make the mistake of equating stripped down with low capacity.

I'm not confusing the two. However, I've already identified two optimizations
that can't be used with the standard LEAF distro

1) No linux support for hardware encryption accelerators;

2) No IP stack multithreading in the 2.2 kernel, which effectively neuters
dual CPU hardware.

The capacity of a LEAF system is related to the hardware you install it on.
Use a 486 with NE2000 ISA NIC's, and you'll be lucky to get 5 or 6 MBits/sec
(although this is fine for most cable/DSL users).  Upgrade to a Pentium
class system with good PCI NIC's, and you'll get a router system that can
come close to saturating several 100 MBit links.

Since you're mainly interested in encryption throughput, I refer you again
to the FreeS/WAN performance page:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

Actually, when I looked at that document last week it launched a host of new
questions. From the freeswan.org article, comments [in brackets]:

 ---

The crypt boxes are Compaq DL380s - Uniprocessor PIII/733 with 256K
cache. [This is about the same as the high end Intel appliances] They have
128M main memory.  Nothing significant was running on
the boxes other than freeswan.  The kernel was a 2.2.19pre7 patched
with freeswan and ext3.

Without an ipsec tunnel in the chain (ie the 2 inner boxes just being
100BaseT routers), throughput (measured with ttcp) was between 10644
and 11320 KB/sec [This is 100 to 110 megabits per second, unencrypted]

With an ipsec tunnel in place, throughput was between 3268 and 3402
KB/sec [Which is 32 to 34 megabits per second encryption rate]

 ---

This 3.3 megabit 3DES encryption rate with the PIII/733 is only about that of
a pair of T-1 lines; while the similar hardware in the Intel box has an
encryption rate of 95 megabits.


[more]

Testing with single processor 733 MHz Pentium III systems, and measuring
with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92
MBits/s (that's a pretty saturated 100Mbit ethernet link!).  Adding
encryption overhead caused these speeds to drop by about 1/3, to 3268-3402
KB/s, or about 27 MBits/s.

My point exactly: The Intel reference design - Now being sold by H-P as
well - seems to be about 3 times as efficient in 3DES encryption as FreeS/WAN
with (essentially) the same PIII/733 architecture.

With much faster systems available today, and taking into account the
fact that the encrypted throughput numbers above are for the end-end TCP
connection (ie the actual traffic on the encrypted link is running at a
higher bandwidth, due to the IPSec protocol overhead), I don't think
you're going to have trouble saturating your internet connections.

Well... With the tariffs rigged by Verizon the way they are, that T-1 frame
relay line could quickly jump to a burstable OC-3 155 megabit ATM circuit...

IIRC, you indicated you were starting with a T1, which can easily be kept
saturated by a Pentium-1 class system (ie P90-133), even when running
encryption.  The 733 MHz systems above provide you with about a 20X margin
for future growth, with a modern 1.5 MHz

You mean 1.5 gHz...

single CPU system likely providing
40-50x your initial T1 requirement.  The intel system with hardware crypto
acceleration only provides a peak performance of 95 MBits/s.  You should be
able to match this using linux and FreeS/WAN with a 2.5-3 GHz CPU...these
may not be available today, but it won't be long until they are.

If your customers are seriously going to be using more bandwidth than a
modern fast CPU can encrypt/decrypt, you should have no problem jumping to a
high-end dedicated VPN endpoint solution...while these systems are quite
expensive, the purchase price will likely be lost in the noise of your
monthly bandwidth charges...

Not necessarily, due to the difference between a committed rate (all you can
eat for a fixed monthly price) and a burstable rate (I'll give you a fat
pipe and charge you for your peak usage).

Charles Steinkuehler
http

Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF?

2001-12-21 Thread Matthew Schalit

Dan Schwartz wrote:
 
 Good evening, folks!
 
 Over the past few days I've received some very helpful guidance about
 assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
 throughput rates; and I really appreciate the guidance given this Mac & NT
 geek (& linux newbie).

What's the consensus?  You can have a 300 MHz PII running at 450 MHz,
and a pci bus running at 33 MHz, on a 100 MHz FSB using PC100 SDRAM.
Um, that's fast.  It'll cost you about $100 to put it together and test,
assuming you have most of the part in your closet.  I have a suspicion
that more than a few of you out there have broken the GHz barrier :-o


 However, since LEAF is essentially a small, stripped down (yet robust!)
 router that fits on 1 or 2 floppies, is there another router/encryption
 project out there in *nix land that's more suited for high capacity, i.e.
 something on the order of an Intel NetStructure 31xx VPN gateway
 http://www.intel.com/network/idc/products/vpn_gateway.htm?


You're talking about 

  Low end Intel              High End Intel
  ---------------------------------------------
  233 MHz CPU                733 MHz CPU
  3 Mbps 3DES throughput     95 Mbps 3DES throughput

That's a big difference.   I'm sure you could put together
a LEAF box with a PIII 800 and 512 MB ram, but you're asking
for other companies solutions, and I'll let someone else
answer that.  I'd like to think a LEAF box could keep
up until it's compared to some fancy hardware with a modified 
PCI bus or multiple PCI buses.

Good Luck,
Matthew 





 Thanking you in advance,
 Dan Schwartz




Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF?

2001-12-21 Thread Charles Steinkuehler

 Over the past few days I've received some very helpful guidance about
 assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
 throughput rates; and I really appreciate the guidance given this Mac & NT
 geek (& linux newbie).

 However, since LEAF is essentially a small, stripped down (yet robust!)
 router that fits on 1 or 2 floppies, is there another router/encryption
 project out there in *nix land that's more suited for high capacity, i.e.
 something on the order of an Intel NetStructure 31xx VPN gateway
 http://www.intel.com/network/idc/products/vpn_gateway.htm?

Do not make the mistake of equating stripped down with low capacity.
The capacity of a LEAF system is related to the hardware you install it on.
Use a 486 with NE2000 ISA NIC's, and you'll be lucky to get 5 or 6 MBits/sec
(although this is fine for most cable/DSL users).  Upgrade to a Pentium
class system with good PCI NIC's, and you'll get a router system that can
come close to saturating several 100 MBit links.

Since you're mainly interested in encryption throughput, I refer you again
to the FreeS/WAN performance page:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/performance.html

Testing with single processor 733 MHz Pentium III systems, and measuring
with ttcp, unencrypted traffic moved at 10644-11320 KB/s, or about 92
MBits/s (that's a pretty saturated 100Mbit ethernet link!).  Adding
encryption overhead caused these speeds to drop by about 1/3, to 3268-3402
KB/s, or about 27 MBits/s.

With much faster systems available today, and taking into account the
fact that the encrypted throughput numbers above are for the end-end TCP
connection (ie the actual traffic on the encrypted link is running at a
higher bandwidth, due to the IPSec protocol overhead), I don't think
you're going to have trouble saturating your internet connections.

IIRC, you indicated you were starting with a T1, which can easily be kept
saturated by a Pentium-1 class system (ie P90-133), even when running
encryption.  The 733 MHz systems above provide you with about a 20X margin
for future growth, with a modern 1.5 MHz single CPU system likely providing
40-50x your initial T1 requirement.  The intel system with hardware crypto
acceleration only provides a peak performance of 95 MBits/s.  You should be
able to match this using linux and FreeS/WAN with a 2.5-3 GHz CPU...these
may not be available today, but it won't be long until they are.

If your customers are seriously going to be using more bandwidth than a
modern fast CPU can encrypt/decrypt, you should have no problem jumping to a
high-end dedicated VPN endpoint solution...while these systems are quite
expensive, the purchase price will likely be lost in the noise of your
monthly bandwidth charges...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
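A worked version of the capacity arithmetic in the post above (ttcp KB/s to Mbit/s, the extra on-wire bandwidth the encrypted link carries because of IPsec overhead, and the headroom over a T1), as an added Python example that is not from the thread or from FreeS/WAN. The packet sizes assume ESP tunnel mode over IPv4 with 3DES-CBC and a 96-bit HMAC, 1500-byte inner packets with plain 20-byte IP and TCP headers, and ttcp's 1 KB = 1024 bytes; all of these are assumptions, not figures from the post.

```python
"""Capacity-planning arithmetic for a software IPsec (ESP/3DES) gateway.

Added example, not from the mailing-list thread or from FreeS/WAN.
Assumptions (labelled here and in the code): ttcp reports 1 KB = 1024 bytes;
ESP tunnel mode over IPv4; 3DES-CBC (8-byte block and IV); HMAC-MD5-96 or
HMAC-SHA1-96 (12-byte ICV); inner packets of 1500 bytes with 20-byte IPv4
and 20-byte TCP headers and no options.
"""
from dataclasses import dataclass

T1_BPS = 1_544_000        # T1 line rate in bit/s
KB = 1024                 # assumption: ttcp's KB is 1024 bytes


def kbs_to_mbits(kb_per_s: float) -> float:
    """Convert a ttcp KB/s figure to decimal Mbit/s."""
    return kb_per_s * KB * 8 / 1_000_000


@dataclass(frozen=True)
class EspTunnelParams:
    """Fixed per-packet sizes for ESP tunnel mode (assumed cipher/MAC)."""
    outer_ip: int = 20    # new outer IPv4 header added in tunnel mode
    esp_header: int = 8   # SPI (4) + sequence number (4)
    iv: int = 8           # 3DES-CBC IV, one cipher block
    block: int = 8        # 3DES block size; (payload + trailer) is padded to it
    trailer: int = 2      # pad-length byte + next-header byte
    icv: int = 12         # 96-bit truncated HMAC tag


def esp_wire_bytes(inner_packet: int, p: EspTunnelParams = EspTunnelParams()) -> int:
    """Bytes on the wire for one inner IP packet carried in ESP tunnel mode."""
    plaintext = inner_packet + p.trailer
    padded = -(-plaintext // p.block) * p.block   # round up to the block size
    return p.outer_ip + p.esp_header + p.iv + padded + p.icv


def wire_expansion(tcp_payload: int = 1460, ip_hdr: int = 20, tcp_hdr: int = 20) -> float:
    """Ratio of on-wire ESP bytes to the TCP payload bytes that ttcp counts."""
    inner = ip_hdr + tcp_hdr + tcp_payload
    return esp_wire_bytes(inner) / tcp_payload


def plan(ttcp_kb_per_s: float) -> dict:
    """From an end-to-end ttcp figure derive goodput, link rate and T1 headroom."""
    goodput = kbs_to_mbits(ttcp_kb_per_s)            # what the application sees
    wire = goodput * wire_expansion()                 # what the encrypted link carries
    return {
        "goodput_mbits": round(goodput, 1),
        "wire_mbits": round(wire, 1),
        "t1_margin": round(goodput * 1_000_000 / T1_BPS, 1),
    }


if __name__ == "__main__":
    # Constructed inputs: the two encrypted ttcp figures quoted in the thread.
    for kb in (3268, 3402):
        print(f"{kb} KB/s -> {plan(kb)}")
```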






Re: [Leaf-user] Is this newbie even in the right ballpark with LEAF?

2001-12-20 Thread Michael D. Schleif


Dan Schwartz wrote:
 
 Over the past few days I've received some very helpful guidance about
 assembling LEAF VPN appliances to handle multi-megabit 3DES encryption
 throughput rates; and I really appreciate the guidance given this Mac & NT
 geek (& linux newbie).
 
 However, since LEAF is essentially a small, stripped down (yet robust!)
 router that fits on 1 or 2 floppies, is there another router/encryption
 project out there in *nix land that's more suited for high capacity, i.e.
 something on the order of an Intel NetStructure 31xx VPN gateway
 http://www.intel.com/network/idc/products/vpn_gateway.htm?

What is it that these products have that you believe cannot be done with
LEAF?

``The Intel NetStructure VPN Gateway Family features an Intel® Pentium®
processor-based PC architecture with solid-state design (no moving
parts), protected OS kernel and optional hardware acceleration.''

Don't be fooled by the ``no moving parts'' ;

The fact that we boot off of floppy or cdrom doesn't really conflict
with that quotation, since, once it's running, we, too, have no moving
parts!  How often do you plan on rebooting?

And, as I asked last night, that pentium processor does *not* have the
processing power of the celerons my systems are running!

I don't know about you; but, when I read:

``Windows* OS-based utilities for centralized and remote management''

I wonder if that added gui overhead couldn't better be used in the
encryption, firewalling and routing processes ???

The fact that LEAF is a ``small, stripped down'' linux os should be a
strong selling point -- *all* of your os can be delegated to the primary
function of the system.  It is not likely that anybody can claim that
for any ``Windows* OS-based'' system.

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
