Re: Rainbow Cryptoswift cards - information
[EMAIL PROTECTED] wrote:
>
> Although
> I'm seeing that much speed improvement (using the "openssl speed" tests),
> I'm also seeing a significant drop in the amount of CPU utilisation.
> [..]
> Even if it were the case that you would get only 3x improvement on a 1Ghz
> P3, you would still have substantially more CPU processing available.

I wonder if "openssl speed" is a benchmark relevant for real-world servers? If you have independent server processes I would not expect the RSA operations being optimally queued to the hardware crypto device. I would also think that you might run into an I/O bottleneck e.g. in case of a SCSI device

=> I would estimate that you can only use ~25% of the CPU power of a hardware crypto device.

But I would be pleased if you provide some web server benchmarks (e.g. delivering static pages with a forking server with lots of processes).

Ciao, Michael.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Rainbow Cryptoswift cards - information
> [EMAIL PROTECTED] wrote:
> > Further to my previous message, I have not only received my Cryptoswift
> > card, but I actually have it working. I'm seeing a speed improvement of
> > around 20x on a Dual Pentium 166.
>
> Hmmm ... so we can expect about 3x on a single P3/1GHz. How much do
> these things cost?

I'm not sure that's a valid estimate. Suppose on his system, the SSL portion of client handling was 95% of the job and the cryptoswift card is so fast that dropped to zero. That made his implementation 20 times faster.

Suppose on your system, the SSL portion of client handling is likewise 95% of the work and the cryptoswift card is so fast that drops again to nearly zero. That would make it a 20x speedup on your machine too, since 19/20 of the job is being accelerated to nearly instantaneous.

On the other hand, if the card is the limiting factor, the speedup may not even be 3x. Suppose the CPU required to walk the crypto card through the process of doing the calculations (time spent loading it and getting the output) is constant. Perhaps on your machine that overhead will be so much that the card is actually slower than just letting the CPU do the work. You may actually experience a slowdown.

In all honesty, I wouldn't be surprised if you saw a speedup of near 20x as well. But you need to make a lot of assumptions to guess what difference it will make on your machine from just that one data point.

DS
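The three cases in the message above, worked through in a small model. This is an added example, not part of the original thread; every timing and card rating in it is a constructed number, not a measurement of any CryptoSwift card.

```python
"""Back-of-envelope model of RSA offload speedup (all numbers constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    cpus: int
    rsa_ms: float    # CPU time for one software RSA private-key operation
    other_ms: float  # all remaining CPU time spent per new connection


@dataclass(frozen=True)
class Card:
    max_ops_per_sec: float   # RSA operations/sec the card itself can sustain
    host_overhead_ms: float  # CPU time to load the card and fetch the output


def software_cps(host: Host) -> float:
    """New connections/sec when the CPUs do the RSA work themselves."""
    return host.cpus * 1000.0 / (host.rsa_ms + host.other_ms)


def _cpu_limit(host: Host, card: Card) -> float:
    """Connections/sec the CPUs can drive once RSA is handed to the card."""
    return host.cpus * 1000.0 / (card.host_overhead_ms + host.other_ms)


def offloaded_cps(host: Host, card: Card) -> float:
    """With the card installed, throughput is the lower of the two limits."""
    return min(_cpu_limit(host, card), card.max_ops_per_sec)


def limiting_factor(host: Host, card: Card) -> str:
    """Which side saturates first: the 'card' or the host 'cpu'."""
    return "card" if card.max_ops_per_sec < _cpu_limit(host, card) else "cpu"


def speedup(host: Host, card: Card) -> float:
    """Ratio > 1 is a gain, < 1 means the card makes the server slower."""
    return offloaded_cps(host, card) / software_cps(host)


# Constructed hosts: RSA is 95% of the per-connection CPU time on both,
# but the second machine is ten times faster in absolute terms.
SLOW_HOST = Host(cpus=1, rsa_ms=95.0, other_ms=5.0)
FAST_HOST = Host(cpus=1, rsa_ms=9.5, other_ms=0.5)

# Constructed cards, one per case in the message.
IDEAL_CARD = Card(max_ops_per_sec=1e9, host_overhead_ms=0.0)    # "nearly zero"
CAPPED_CARD = Card(max_ops_per_sec=250.0, host_overhead_ms=0.0)  # card is the limit
CHATTY_CARD = Card(max_ops_per_sec=1e9, host_overhead_ms=12.0)   # constant overhead


def scenarios():
    """(label, speedup, limiting factor) for each host/card pairing."""
    pairs = [
        ("slow host, ideal card", SLOW_HOST, IDEAL_CARD),
        ("fast host, ideal card", FAST_HOST, IDEAL_CARD),
        ("slow host, capped card", SLOW_HOST, CAPPED_CARD),
        ("fast host, capped card", FAST_HOST, CAPPED_CARD),
        ("fast host, chatty card", FAST_HOST, CHATTY_CARD),
    ]
    return [(name, speedup(h, c), limiting_factor(h, c)) for name, h, c in pairs]


if __name__ == "__main__":
    for name, factor, limit in scenarios():
        print(f"{name:24s} speedup {factor:5.2f}x  limited by {limit}")
```

The same capped card gives 20x on the slow host and 2.5x on the fast one, which is why a single benchmark figure does not transfer between machines.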
Re: Rainbow Cryptoswift cards - information
[EMAIL PROTECTED] wrote:
>
> Further to my previous message, I have not only received my Cryptoswift
> card, but I actually have it working. I'm seeing a speed improvement of
> around 20x on a Dual Pentium 166.

Hmmm ... so we can expect about 3x on a single P3/1GHz. How much do these things cost?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Rainbow Cryptoswift cards
well... sort of. the 7 January snapshot, which includes working Broadcom engine support, has CryptoSwift, Compaq Atalla, nCipher CHIL and Nuron listed. I thought there was Hifn support too?

So... I guess the list is, approximately, in alphabetical order:

Broadcom 5805
Compaq Atalla
nCipher CHIL
Nuron
Rainbow CryptoSwift

At 04:34 PM 1/19/01 +0100, someone wrote:
>The supported Crypto cards are in the Openssl-engine README.ENGINE
>
>There's currently built-in support for the following crypto devices:
>
> o CryptoSwift
> o Compaq Atalla
> o nCipher CHIL
Re: Rainbow Cryptoswift cards
David Lang wrote:
>
> when I was evaluating similar products a couple years ago I found that it
> really didn't help to try and worry about spilling the load over to the
> main CPU.
>
> benchmarks from the time were
>
> pentium 200 linux          19 connections/sec   100% CPU
> RS/6000 233 (RISC)         29 connections/sec   100% CPU
> install SSL accelerator   300 connections/sec   10-20% CPU
>
> nowadays the raw machines will be faster, but you also need to have CPU
> time to run CGIs etc. I think it's unlikely that you will gain much by
> using your main CPUs (assuming you get an appropriately sized SSL
> accelerator

We will be aiming toward a dual 880-1000Mhz system with a Gig of Ram, and using a Gigabit fiber ethernet interface. No CGI will be supported (not in the business model, we just serve cacheable content as FAST as possible). The only other overhead will be static backend database connections (possibly > 100) and a few (<5) other network connections. I don't think one card is going to peg those CPUs.

Right now, a 440Mhz machine with 512MB of Ram is able to maintain 500+ objects served/second. The new systems will (presumably, barring any unforeseen bottlenecks) be able to maintain over 1800 objects/second. We are guessing (meaning we based these numbers on 'similar but scaled' environment performance numbers), that we will need to maintain at least 600 real world new connections per second. My experience suggests that this means 2 or 3 cards that claim a 600cps ability. If these cards cost more than the system they are intended to sit on, we could just buy more of those systems (maybe even 1/card) and possibly get a better cost/performance benefit.

Lots to think about.

Regards
Lou

--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net
RE: Rainbow Cryptoswift cards
when I was evaluating similar products a couple years ago I found that it really didn't help to try and worry about spilling the load over to the main CPU.

benchmarks from the time were

pentium 200 linux          19 connections/sec   100% CPU
RS/6000 233 (RISC)         29 connections/sec   100% CPU
install SSL accelerator   300 connections/sec   10-20% CPU

nowadays the raw machines will be faster, but you also need to have CPU time to run CGIs etc. I think it's unlikely that you will gain much by using your main CPUs (assuming you get an appropriately sized SSL accelerator

David Lang

On Fri, 19 Jan 2001 [EMAIL PROTECTED] wrote:

> Date: Fri, 19 Jan 2001 12:47:02 -
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: Rainbow Cryptoswift cards
>
> > -Original Message-
> > From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
> > Sent: 19 January 2001 12:39
> > To: [EMAIL PROTECTED]
> > Subject: Re: Rainbow Cryptoswift cards
> >
> >
> > One quick question, just so I know how to answer when this kind of
> > project comes up:
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many
> > transactions per
> > second. What happens if your traffic load exceeds the cards ability?
> > can you easily 'spill' that extra work over to the system if you have
> > any room there?
>
> I don't think so. All you can do is add extra cards, or run multiple servers
> (NetAID used 28 servers with a Rainbow card in each one).
>
> You will need to have a rough idea how much traffic you'll have, in order to
> estimate how many cards you'll need. Bear in mind that some of these other
> solutions like the Intel accelerator are based on a Rainbow card anyway.
>
> I'm hoping we can get away with one per machine. First though, I have to
> recompile openssl!
>
> -
> Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
RE: Rainbow Cryptoswift cards
Have you heard of the nCipher card?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rodney Thayer
Sent: Friday, January 19, 2001 9:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Rainbow Cryptoswift cards

is there somewhere one can get a list of the supported engine cards? I mean, there are vendors out there, other than Rainbow, who'd like to put their two milli-euro's worth into this conversation but that would be impolite and a commercial advertisement

(yeah, yeah, read the source. I mean a real list of the cards and how you buy them/etc.)

At 08:52 AM 1/19/01 -0500, you wrote:
>adrien mistretta wrote:
> >
> > > The cryptoswift card provides 'onboard' acceleration of SSL based
> > > processing, but the card itself can only handle so many transactions per
> > > second. What happens if your traffic load exceeds the cards ability?
> > > can you easily 'spill' that extra work over to the system if you have
> > > any room there?
> >
> > The only thing done with the cryptoswift is the RSA key calculation. All
> > others things are done by your CPU(s)
>
>So what about the actual data encryption/decryption? If the system
>handles this, the potential gains are pretty high for a powerful
>system. How much of the actual handshake has to be done on the card?
>
> >
> > > I know this can be done with a separate appliance, like the Intel 7115
> > > (which takes the fun of actually implementing a solution away), but
> > > these are overly expensive, and make relational performance measurements
> > > pretty complicated in many configurations.
> >
> > There many other appliance
> > CiberIQ, Alteon ...
> > cryptoswift is very expensive, The sonicwall card seems to be nice (RSA,
> > 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> > to make some tests
>
>I've heard of the CyberIQ. I've also heard that their numbers were
>cooked a little more than most of the providers. I'm sure we will wind
>up validating a number of options.
>
> >
> > > Enough rambling about this though. Now you have a context for my
> > > original question: can the OpenSSL engine spill extra SSL sessions over
> > > to the system cpu?
> >
> > When I run some test with heavy load of ssl transaction with the
> cryptoswift
> > 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> > calculation has been done by the cpus
>
>Interesting. Was your system responsible for anything else (ie, a ftp
>server, etc.)? Were you using Apache in the back end?
>Our system is pretty streamlined, we have left out a lot of the 'bells
>and whistles' found in Apache, so we can handle a lot more throughput.
>We can serve 500+ objects on a clear connection from a Netra 440, where
>our experience shows Apache at less than half this for the same system.
>Purely CPU bound on the server side. Client side (separate system) is
>I/O bound until you start fetching on a secure connection. Maybe we
>want to see how one of these cards performs there?
>
>Thanks for your feedback.
>
>Lou
>
>
> >
> > Adrien
>
>--
>Louis LeBlanc
>Fully Funded Hobbyist, KeySlapper Extrordinaire :)
>[EMAIL PROTECTED]
>http://acadia.ne.mediaone.net
Re: Rainbow Cryptoswift cards
> is there somewhere one can get a list of the supported engine cards?
> I mean, there are vendors out there, other than Rainbow, who'd like
> to put their two milli-euro's worth into this conversation but
> that would be impolite and a commercial advertisement

The supported Crypto cards are in the Openssl-engine README.ENGINE

There's currently built-in support for the following crypto devices:

 o CryptoSwift
 o Compaq Atalla
 o nCipher CHIL

for the cryptoswift the french sales told me 31000FF for the cryptoswift 200 or 94000FF for the cryptoswift 600
RE: Rainbow Cryptoswift cards
> -Original Message-
> From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
> Sent: 19 January 2001 14:52
> To: [EMAIL PROTECTED]
> Subject: Re: Rainbow Cryptoswift cards
>
>
> is there somewhere one can get a list of the supported engine cards?
> I mean, there are vendors out there, other than Rainbow, who'd like
> to put their two milli-euro's worth into this conversation but
> that would be impolite and a commercial advertisement
>
> (yeah, yeah, read the source. I mean a real list of the cards
> and how you buy them/etc.)
>
>

There's a list of supported cards in the openssl changelog at http://www.openssl.org/news/changelog.html

Don't know anything else though.

-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
Re: Rainbow Cryptoswift cards
is there somewhere one can get a list of the supported engine cards? I mean, there are vendors out there, other than Rainbow, who'd like to put their two milli-euro's worth into this conversation but that would be impolite and a commercial advertisement

(yeah, yeah, read the source. I mean a real list of the cards and how you buy them/etc.)

At 08:52 AM 1/19/01 -0500, you wrote:
>adrien mistretta wrote:
> >
> > > The cryptoswift card provides 'onboard' acceleration of SSL based
> > > processing, but the card itself can only handle so many transactions per
> > > second. What happens if your traffic load exceeds the cards ability?
> > > can you easily 'spill' that extra work over to the system if you have
> > > any room there?
> >
> > The only thing done with the cryptoswift is the RSA key calculation. All
> > others things are done by your CPU(s)
>
>So what about the actual data encryption/decryption? If the system
>handles this, the potential gains are pretty high for a powerful
>system. How much of the actual handshake has to be done on the card?
>
> >
> > > I know this can be done with a separate appliance, like the Intel 7115
> > > (which takes the fun of actually implementing a solution away), but
> > > these are overly expensive, and make relational performance measurements
> > > pretty complicated in many configurations.
> >
> > There many other appliance
> > CiberIQ, Alteon ...
> > cryptoswift is very expensive, The sonicwall card seems to be nice (RSA,
> > 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> > to make some tests
>
>I've heard of the CyberIQ. I've also heard that their numbers were
>cooked a little more than most of the providers. I'm sure we will wind
>up validating a number of options.
>
> >
> > > Enough rambling about this though. Now you have a context for my
> > > original question: can the OpenSSL engine spill extra SSL sessions over
> > > to the system cpu?
> >
> > When I run some test with heavy load of ssl transaction with the
> cryptoswift
> > 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> > calculation has been done by the cpus
>
>Interesting. Was your system responsible for anything else (ie, a ftp
>server, etc.)? Were you using Apache in the back end?
>Our system is pretty streamlined, we have left out a lot of the 'bells
>and whistles' found in Apache, so we can handle a lot more throughput.
>We can serve 500+ objects on a clear connection from a Netra 440, where
>our experience shows Apache at less than half this for the same system.
>Purely CPU bound on the server side. Client side (separate system) is
>I/O bound until you start fetching on a secure connection. Maybe we
>want to see how one of these cards performs there?
>
>Thanks for your feedback.
>
>Lou
>
>
> >
> > Adrien
>
>--
>Louis LeBlanc
>Fully Funded Hobbyist, KeySlapper Extrordinaire :)
>[EMAIL PROTECTED]
>http://acadia.ne.mediaone.net
RE: Rainbow Cryptoswift cards
I do not know anything about the Rainbow Cryptoswift card. However, I do know how to set it up with the nCipher card.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 19, 2001 5:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Rainbow Cryptoswift cards

I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa, although you are a bit late).

Does anyone have experience of setting this up with mod-ssl? If so, can you let me know how I do it. I understand I need to use shm rather than dbm, but how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I don't seem to have it. I'm using the pre-compiled rpms which I realise may not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
Re: Rainbow Cryptoswift cards
adrien mistretta wrote:
>
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many transactions per
> > second. What happens if your traffic load exceeds the cards ability?
> > can you easily 'spill' that extra work over to the system if you have
> > any room there?
>
> The only thing done with the cryptoswift is the RSA key calculation. All
> others things are done by your CPU(s)

So what about the actual data encryption/decryption? If the system handles this, the potential gains are pretty high for a powerful system. How much of the actual handshake has to be done on the card?

>
> > I know this can be done with a separate appliance, like the Intel 7115
> > (which takes the fun of actually implementing a solution away), but
> > these are overly expensive, and make relational performance measurements
> > pretty complicated in many configurations.
>
> There many other appliance
> CiberIQ, Alteon ...
> cryptoswift is very expensive, The sonicwall card seems to be nice (RSA,
> 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> to make some tests

I've heard of the CyberIQ. I've also heard that their numbers were cooked a little more than most of the providers. I'm sure we will wind up validating a number of options.

>
> > Enough rambling about this though. Now you have a context for my
> > original question: can the OpenSSL engine spill extra SSL sessions over
> > to the system cpu?
>
> When I run some test with heavy load of ssl transaction with the cryptoswift
> 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> calculation has been done by the cpus

Interesting. Was your system responsible for anything else (ie, a ftp server, etc.)? Were you using Apache in the back end?

Our system is pretty streamlined, we have left out a lot of the 'bells and whistles' found in Apache, so we can handle a lot more throughput. We can serve 500+ objects on a clear connection from a Netra 440, where our experience shows Apache at less than half this for the same system. Purely CPU bound on the server side. Client side (separate system) is I/O bound until you start fetching on a secure connection. Maybe we want to see how one of these cards performs there?

Thanks for your feedback.

Lou

>
> Adrien

--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net
Re: Rainbow Cryptoswift cards
[EMAIL PROTECTED] wrote:
>
> > -Original Message-
> > From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
> > Sent: 19 January 2001 12:39
> > To: [EMAIL PROTECTED]
> > Subject: Re: Rainbow Cryptoswift cards
> >
> >
> > One quick question, just so I know how to answer when this kind of
> > project comes up:
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many
> > transactions per
> > second. What happens if your traffic load exceeds the cards ability?
> > can you easily 'spill' that extra work over to the system if you have
> > any room there?
>
> I don't think so. All you can do is add extra cards, or run multiple servers
> (NetAID used 28 servers with a Rainbow card in each one).
>
> You will need to have a rough idea how much traffic you'll have, in order to
> estimate how many cards you'll need. Bear in mind that some of these other
> solutions like the Intel accelerator are based on a Rainbow card anyway.
>
> I'm hoping we can get away with one per machine. First though, I have to
> recompile openssl!
>

Thanks. I guess we will have to validate the various options with our system and code base before even guessing at which option to go for. We are using our own streamlined implementation to serve content, so it is possible we will get a better cost/performance ratio without any peripherals.

The backend system could wind up being overkill if we can get 500 objects/sec served without an accelerator at around $6K (give or take) and the accelerator only handling 300 effectively, we would need 2 cards to get by the 500 cps limit, but since the system is no longer performing the SSL arithmetic, it could very well be better than 60% idle. we would need to add a couple more cards to get the most out of it, but by then we could be saturating our network, and don't even get me started on the cost/performance hit with the added cost of all those cards.

The specific numbers are strictly conjecture, but something to think about.

Sorry to take the discussion so far off topic.

L

--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net
Rainbow Cryptoswift cards
I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa, although you are a bit late).

Does anyone have experience of setting this up with mod-ssl? If so, can you let me know how I do it. I understand I need to use shm rather than dbm, but how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I don't seem to have it. I'm using the pre-compiled rpms which I realise may not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]