Slightly OT: where to get Crypto HW stuff for Sparc/Solaris?

2009-10-13 Thread Thomas . Hluchnik
On Tuesday, 13 October 2009, you wrote:

Hello Wyllys and all other Solaris freaks. This thread is very interesting to 
me. I have some older Suns at home (E450, V480) and playing around with tor on 
Solaris. But I never saw a crypto hardware accelerator card for Sparc engines 
at Ebay or anywhere else. I would like to test this stuff. Anybody here who can 
give me a hint where to get such a card that would fit in my Suns?

Thomas

> > 
> > On the other hand, there are Solaris-specific routines (crypto framework
> > APIs (PKCS#11)) built into Solaris that Tor can call instead of OpenSSL,
> > which _will_ do AES CTR in hardware, yielding a huge gain in performance
> > (you mention 25x).
> > 
> > Do I have all of that correct ?
> > 
> 
> Yes.

> 
> > - How does the T2 (Niagara 2) compare to dedicated hardware such as the
> > Sun Crypto 6000 which is currently available ?  Presumably the crypto
> > framework APIs will use whatever is available, whether it be a SCA-6
> > or a Broadcom based card or ... ?
> 
> 
> I don't think the SCA6000 offers AES CTR support.  The N2 (T2) crypto
> chips are newer and offer more algorithm support and faster performance.
> You are correct, though, we (Solaris security) do strive to offer crypto
> framework support for the underlying hardware devices.
> 




Re: Slightly OT: where to get Crypto HW stuff for Sparc/Solaris?

2009-10-13 Thread John Case


On Tue, 13 Oct 2009, thomas.hluch...@netcologne.de wrote:

> Hello Wyllys and all other Solaris freaks. This thread is very
> interesting to me. I have some older Suns at home (E450, V480) and
> playing around with tor on Solaris. But I never saw a crypto hardware
> accelerator card for Sparc engines at Ebay or anywhere else. I would
> like to test this stuff. Anybody here who can give me a hint where to
> get such a card that would fit in my Suns?



Your best bet is the Sun Crypto Accelerator (SCA) 1000.  It's a 64 bit PCI 
card, so I don't think it is suitable for an e450 (did those have 64 bit 
pci slots ?) but it should work in your V480:


http://cgi.ebay.com/SUN-CRYPTO-ACCELERATOR-1000-CARD-375-3089_W0QQitemZ270466884309QQcmdZViewItemQQptZCOMP_EN_Networking_Components?hash=item3ef91522d5#ht_555wt_1167

$99 on ebay...
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: Slightly OT: where to get Crypto HW stuff for Sparc/Solaris?

2009-10-13 Thread Wyllys Ingersoll
thomas.hluch...@netcologne.de wrote:
> On Tuesday, 13 October 2009, you wrote:
> 
> Hello Wyllys and all other Solaris freaks. This thread is very
> interesting to me. I have some older Suns at home (E450, V480) and
> playing around with tor on Solaris. But I never saw a crypto hardware
> accelerator card for Sparc engines at Ebay or anywhere else. I would
> like to test this stuff. Anybody here who can give me a hint where to
> get such a card that would fit in my Suns?
> 
> Thomas


The SCA6000 card supports AES CTR mode, I may have said in a previous email
that it does not, but I checked and it *does*. It is supported on the
V480, but I don't see the E450 listed on the supported platform list.

Here is the link on the Sun product site with the spec sheet.
http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/index.xml

I don't know if you can find these on Ebay or not.  

(I'm not trying to push the product here)

-Wyllys



Re: Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)

2009-10-13 Thread John Case


On Tue, 13 Oct 2009, Wyllys Ingersoll wrote:


> thomas.hluch...@netcologne.de wrote:
>> On Tuesday, 13 October 2009, you wrote:
>>
>> Hello Wyllys and all other Solaris freaks. This thread is very
>> interesting to me. I have some older Suns at home (E450, V480) and
>> playing around with tor on Solaris. But I never saw a crypto hardware
>> accelerator card for Sparc engines at Ebay or anywhere else. I would
>> like to test this stuff. Anybody here who can give me a hint where to
>> get such a card that would fit in my Suns?
>>
>> Thomas
>
> The SCA6000 card supports AES CTR mode, I may have said in a previous email
> that it does not, but I checked and it *does*. It is supported on the
> V480, but I don't see the E450 listed on the supported platform list.
>
> Here is the link on the Sun product site with the spec sheet.
> http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/index.xml
>
> I don't know if you can find these on Ebay or not.



SCA6000 is pci-e, so it will not work in a e450.  The e450 does, however, 
have 64bit pci slots, so the old SCA-1000 would work there.


However, the SCA-1000 does not do AES at all, even with the v2.0 firmware, 
so my previous discussion (and ebay link) should be ignored.


The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does not 
appear to do AES-CTR.


Finally, this page:

http://www.opensolaris.org/os/project/crypto/Accelerators/

shows that the BCM5825 will work in Solaris.  I think this is the best 
option provided that the AES-CTR support it provides can be accessed in 
the same painless way that it can be in the T2 chips.  Wyllys ?


The BCM5825 board, off the shelf, costs less than half of what the SCA6000 
does ( $462.50 at www.abstractelec.com (see "pxs2510) vs. $1350 ).  A 
cursory review of the specs shows that they both run bulk AES @ 1gbps and 
12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the sca-6000 ... 
smells like the same part, actually, but I can't confirm that.


... and since I'm dumping my brain here, we read at:

http://blogs.sun.com/darren/entry/new_crypto_hardware

For our newest SPARC based servers that fill the same target area that 
many V240's are used for, particularly ones with an SCA-500 card (SSL web 
serving) the UltraSPARC T1 (Niagara) machines (T1000 & T2000) will do the 
crypto much faster, faster even than the new SCA-6000 can achieve. The key 
value for an SCA-6000 in an UltraSPARC T1 is the key store; which the 
SCA-500 and SCA-1000 didn't provide.


So ... with newer sparc systems, having a SCA-6000 or BCM5825 might be 
overkill - unless you're focusing on performance-per-watt, in which case a 
T2 system with a few SCA-6000s plugged in might raise the bar quite a bit.



But that begs two questions:


- Do the crypto framework APIs (PKCS#11) efficiently use multiple 
compute sources, such as a dual-processor T2 system with four SCA-6000 
plugged in ?  Wyllys ?   :)


- Is any of this useful for any conceivable Tor traffic loads ?  The 
fastest Tor node I have ever seen on the status page is (roughly) 100mbps, 
which is a lot, but ... more than a pair of modern quad-core CPUs can 
handle ?  It's conceivable that even at 200 or 400 mbps you wouldn't need 
any kind of crypto hardware to supplant a pair of modern CPUs...



Re: Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)

2009-10-13 Thread Wyllys Ingersoll

> 
> SCA6000 is pci-e, so it will not work in a e450.  The e450 does,
> however, have 64bit pci slots, so the old SCA-1000 would work there.
> 
> However, the SCA-1000 does not do AES at all, even with the v2.0
> firmware, so my previous discussion (and ebay link) should be ignored.
> 
> The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does
> not appear to do AES-CTR.
> 
> Finally, this page:
> 
> http://www.opensolaris.org/os/project/crypto/Accelerators/
> 
> shows that the BCM5825 will work in Solaris.  I think this is the best
> option provided that the AES-CTR support it provides can be accessed in
> the same painless way that it can be in the T2 chips.  Wyllys ?


Yes, the BCM5825 is supported by the crypto framework and would meet 
the requirement for AES-CTR.

> 
> The BCM5825 board, off the shelf, costs less than half of what the
> SCA6000 does ( $462.50 at www.abstractelec.com (see "pxs2510) vs. $1350
> ).  A cursory review of the specs shows that they both run bulk AES @
> 1gbps and 12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the
> sca-6000 ... smells like the same part, actually, but I can't confirm that.

I don't know if it is the same part or not,  probably not if the price
diff is that great.

> But that begs two questions:
> 
> 
> - Do the crypto framework APIs (PKCS#11) efficiently use multiple
> compute sources, such as a dual-processor T2 system with four SCA-6000
> plugged in ?  Wyllys ?   :)

The dual-processor support would be provided by the kernel itself, not
anything in userland or the crypto framework.  If there were multiple 
accelerators, each would be registered in the framework as a unique 
instance and each would then be treated as a single accelerator by
the crypto framework.  This means that there is no multi-tasking/threading 
amongst crypto processors for a given session.

You may get better answers to these questions from the 
crypto-disc...@opensolaris.org
mailing list:

http://www.opensolaris.org/jive/forum.jspa?forumID=179


> 
> - Is any of this useful for any conceivable Tor traffic loads ?  The
> fastest Tor node I have ever seen on the status page is (roughly)
> 100mbps, which is a lot, but ... more than a pair of modern quad-core
> CPUs can handle ?  It's conceivable that even at 200 or 400 mbps you
> wouldn't need any kind of crypto hardware to supplant a pair of modern
> CPUs...

The benefit I see is that individual packets are processed much faster. 
Which translates to the node being able to handle many more transactions
for a given period of time.  I think this should lead to greater
bandwidth utilization, but I don't know if it would approach 100mbps or
not, there may be other limiting factors that get in the way.

-Wyllys




Less OT: Here's a Solaris crypto acceleration branch to try.

2009-10-13 Thread Nick Mathewson
Since people are interested in Solaris crypto acceleration, I should
point out that there's an unfinished solaris-aes branch in my public
git repository[1].  (It's off an older version of 2.0.x, so you would
want to merge it into the latest master to try it out.[2])

The original code here was by Wyllys Ingersoll; I cleaned it up a bit
to be a bit closer to our house style.  It is supposed to take
advantage of the AES_CTR mode from Solaris's PKCS11 support.  Wyllys
said that his original patch gave him a 25x improvement for relay
payload encryption on a Sun Niagara 2 with AES_CTR from the n2cp
accelerator.

The branch needs more work if anybody wants to take a shot at it.
Specifically:

  1) It needs to detect at build time whether we actually have PKCS11
 support, and define the USE_PKCS11_FRAMEWORK macro if so.

  2) It needs to support using the aes_set_iv function to adjust the
 AES counter, or else hidden services will break.

  3) We actually need to try building it on a version of solaris with
 the right PKCS11 support, to make sure it still works after my
 cleanups.

  4) We need to actually try building it on a version of solaris
 *without* PKCS11 support, to make sure we didn't break those.

I haven't got a Solaris installation, so I'm not in a good position to
do any of these, but if somebody who knows Solaris wants to give it a
shot, that would be grand.


[1] git://git.torproject.org/~nickm/git/tor

[2] Here's some Git help.  To get a copy of the master branch with the
solaris-aes branch merged in, you would do something like this,
assuming you already have a checked-out version of the main Tor
repository:

   git remote add nickm git://git.torproject.org/~nickm/git/tor
   git fetch nickm
   git branch solaris-aes-merged master
   git checkout solaris-aes-merged
   git merge nickm/solaris-aes

This is no substitute for reading the Git tutorial, though.

peace,
-- 
Nick
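
[Added example, not part of the original post and not code from the solaris-aes branch.] One way item 1 above could be done in an autoconf configure script, so that the same tree builds with and without PKCS11 support (items 3 and 4). Only the USE_PKCS11_FRAMEWORK macro name comes from the message; the --disable-pkcs11-framework option and the have_pkcs11 variable are hypothetical, and the probe assumes the Solaris header <security/cryptoki.h>, the library libpkcs11 and the CKM_AES_CTR mechanism constant.

```m4
dnl Added example: build-time probe for the Solaris PKCS#11 framework.
dnl Hypothetical names: --disable-pkcs11-framework, have_pkcs11.
dnl Assumed platform pieces: <security/cryptoki.h>, -lpkcs11, CKM_AES_CTR.
AC_ARG_ENABLE([pkcs11-framework],
  [AS_HELP_STRING([--disable-pkcs11-framework],
     [do not use the Solaris PKCS#11 framework for AES-CTR])],
  [], [enable_pkcs11_framework=auto])

have_pkcs11=no
AS_IF([test "x$enable_pkcs11_framework" != "xno"], [
  dnl All three probes must pass. A header without CKM_AES_CTR means the
  dnl framework is present but cannot offer the mode the branch relies on,
  dnl so the macro stays undefined and the existing AES code is compiled.
  AC_CHECK_HEADER([security/cryptoki.h], [
    AC_CHECK_DECL([CKM_AES_CTR], [
      AC_CHECK_LIB([pkcs11], [C_GetFunctionList], [
        have_pkcs11=yes
        LIBS="-lpkcs11 $LIBS"
      ])
    ], [], [[#include <security/cryptoki.h>]])
  ])
])

AS_IF([test "x$have_pkcs11" = "xyes"], [
  AC_DEFINE([USE_PKCS11_FRAMEWORK], [1],
    [Define if the Solaris PKCS#11 framework with AES-CTR is usable])
], [test "x$enable_pkcs11_framework" = "xyes"], [
  dnl Fail loudly only when the user explicitly asked for the framework.
  AC_MSG_ERROR([PKCS#11 framework requested but not usable on this system])
])
AC_MSG_NOTICE([Solaris PKCS#11 AES-CTR support: $have_pkcs11])
```

This only decides whether hardware-backed AES-CTR is compiled in; whether a given device actually services the mechanism is a runtime matter for the crypto framework.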


Re: Less OT: Here's a Solaris crypto acceleration branch to try.

2009-10-13 Thread Nick Mathewson
On Tue, Oct 13, 2009 at 02:21:44PM -0400, Nick Mathewson wrote:
> Since people are interested in Solaris crypto acceleration, I should
> point out that there's an unfinished solaris-aes branch in my public
> git repository[1].  (It's off an older version of 2.0.x, so you would
> want to merge it into the latest master to try it out.[2])

Oh man, I can't type today.  It's off an older version of 0.2.2.x.

Sorry for my confusion.

peace,
-- 
Nick


Re: Less OT: Here's a Solaris crypto acceleration branch to try.

2009-10-13 Thread Wyllys Ingersoll
Nick Mathewson wrote:
> On Tue, Oct 13, 2009 at 02:21:44PM -0400, Nick Mathewson wrote:
>> Since people are interested in Solaris crypto acceleration, I should
>> point out that there's an unfinished solaris-aes branch in my public
>> git repository[1].  (It's off an older version of 2.0.x, so you would
>> want to merge it into the latest master to try it out.[2])
> 
> Oh man, I can't type today.  It's off an older version of 0.2.2.x.
> 
> Sorry for my confusion.
> 
> peace,

The patches currently being applied to the Tor in Solaris (2.0.34)
can be seen here:

http://src.opensolaris.org/source/xref/sfw/usr/src/cmd/tor/Patches

I have a newer release of Tor (2.1.19) ready to go, I just haven't had time to
complete the steps needed to do the putback into Solaris lately.

-Wyllys