Re: [pve-devel] High Performance SSH

2015-05-29 Thread Martin Waschbüsch

> On 28.05.2015 at 12:55, dea wrote:
>
>
>> I don't think it is wise to play with security-related software in
>> the stack. If OpenBSD and Debian (or for that matter all the other
>> distros) haven't applied those patches, I'm sure there is some
>> reason, although maybe it being only "uncertainty".
>
> Yes, it's true.
>
> But I think that between an unencrypted connection (from cluster nodes) and a maybe
> insecure ssh patched connection there is a lot of difference.
>
> We can use a patched ssh connection on special port only to connect nodes
> (live migration, etc), then use a standard Debian ssh daemon on standard port
> to admin the cluster.

It is also possible to speed up transfers over ssh by selecting a cipher.
Basically, you can choose to use a less secure cipher in favor of better speed.
Using Debian Wheezy here (or rather Proxmox VE 3.4):
Over a gigabit connection, scp gives me around 65 MB/s.
If I specify, for instance, the RC4 cipher like this

scp -c arcfour source destination

I get around 105 MB/s.

Same options are possible for ssh, e.g. when using rsync et al.

However, apart from this being *nice*, I really doubt any such tweaks should be 
made.
All manner of things can change and be a real PITA.
E.g. available ciphers in upstream packages can change, a new version of SSH 
that those patches do not work with yet, etc.

In short: This is best left to upstream *unless* we are prepared to permanently 
support our own SSH package.


Best,

Martin Waschbüsch


___
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
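
Added example, not part of the thread: the reply above trades cipher strength for speed with `scp -c arcfour`. The shell function below reads ssh_config/sshd_config text and lists any legacy cipher named on a `Ciphers` line; the function names, the sample config and the list of patterns treated as weak are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list legacy ciphers named on the
# "Ciphers" lines of ssh_config / sshd_config text read from stdin.
# The weak patterns (RC4, 3DES, Blowfish, CAST, CBC modes) are this
# example's own policy choice.
weak_ciphers() {
    awk '
    {
        sub(/#.*/, "")                       # strip comments
        line = $0
        sub(/^[ \t]+/, "", line)             # strip leading indentation
        if (tolower(line) !~ /^ciphers[ \t=]/) next
        sub(/^[^ \t=]+[ \t=]+/, "", line)    # drop the keyword
        if (line ~ /^-/) next                # "-list" removes ciphers: nothing enabled
        sub(/^[+^]/, "", line)               # "+list" / "^list" still enable them
        n = split(line, c, /[, \t]+/)
        for (i = 1; i <= n; i++)
            if (c[i] ~ /^(arcfour|3des|blowfish|cast128)/ ||
                c[i] ~ /-cbc$/ || c[i] ~ /-cbc@/)
                print c[i]
    }'
}

# Constructed sample input, not taken from any real host.
sample_config() {
    cat <<'EOF'
# constructed sshd_config fragment
Port 22
Ciphers aes128-ctr,arcfour,aes256-gcm@openssh.com,aes128-cbc
#Ciphers arcfour256
EOF
}

sample_config | weak_ciphers
```

On a server, `sshd -T | weak_ciphers` applies the same check to the effective configuration.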


Re: [pve-devel] High Performance SSH

2015-05-28 Thread Andreas Steinel
A little bit off-topic, but there is hope:

This week, I almost saturated a 1 Gbit network link between two brand new
Dell Servers with 3.2 GHz Xeon E5-2667v3 CPUs. I got 105 MB/sec using
standard SSH/SCP. So we finally have single-thread-performance that is fast
enough for encryption on gigabit. Parallel encryption in threads would
still be desirable.


On Thu, May 28, 2015 at 12:55 PM, dea wrote:

>
> > I don't think it is wise to play with security-related software in
> > the stack. If OpenBSD and Debian (or for that matter all the other
> > distros) haven't applied those patches, I'm sure there is some
> > reason, although maybe it being only "uncertainty".
>
> Yes, it's true.
>
> But I think that between an unencrypted connection (from cluster nodes) and a
> maybe insecure ssh patched connection there is a lot of difference.
>
> We can use a patched ssh connection on special port only to connect nodes
> (live migration, etc), then use a standard Debian ssh daemon on standard
> port to admin the cluster.


Re: [pve-devel] High Performance SSH

2015-05-28 Thread dea

> I don't think it is wise to play with security-related software in
> the stack. If OpenBSD and Debian (or for that matter all the other
> distros) haven't applied those patches, I'm sure there is some
> reason, although maybe it being only "uncertainty".

Yes, it's true.

But I think that between an unencrypted connection (from cluster nodes) and a maybe
insecure ssh patched connection there is a lot of difference.

We can use a patched ssh connection on special port only to connect nodes
(live migration, etc), then use a standard Debian ssh daemon on standard port
to admin the cluster.


Re: [pve-devel] High Performance SSH

2015-05-28 Thread Eneko Lacunza


On 28/05/15 12:38, dea wrote:
> On Thu, 28 May 2015 12:02:21 +0200 (CEST), Dietmar Maurer wrote:
>>> I've found this...
>>>
>>> http://www.psc.edu/index.php/hpn-ssh
>>>
>>> What do you all think?
>>
>> This is great, but unfortunately ssh people rejected those patches
>> (AFAIK). So default ssh tools from Debian do not have those features.
>
> Yes, for Debian... but could Proxmox not have a patched version of SSH?
> It would be a substantial improvement...

I don't think it is wise to play with security-related software in the
stack. If OpenBSD and Debian (or for that matter all the other distros)
haven't applied those patches, I'm sure there is some reason, although
maybe it being only "uncertainty".


Cheers
Eneko

--
Zuzendari Teknikoa / Director Técnico
Binovo IT Human Project, S.L.
Telf. 943575997
  943493611
Astigarraga bidea 2, planta 6 dcha., ofi. 3-2; 20180 Oiartzun (Gipuzkoa)
www.binovo.es



Re: [pve-devel] High Performance SSH

2015-05-28 Thread dea
On Thu, 28 May 2015 12:02:21 +0200 (CEST), Dietmar Maurer wrote:
> > I've found this...
> >
> > http://www.psc.edu/index.php/hpn-ssh
> >
> > What do you all think?
>
> This is great, but unfortunately ssh people rejected those patches
> (AFAIK). So default ssh tools from Debian do not have those features.


Yes, for Debian... but could Proxmox not have a patched version of SSH?
It would be a substantial improvement...


Re: [pve-devel] High Performance SSH

2015-05-28 Thread Dietmar Maurer
> I've found this...
>
> http://www.psc.edu/index.php/hpn-ssh
>
> What do you all think?

This is great, but unfortunately ssh people rejected those patches (AFAIK).
So default ssh tools from Debian do not have those features.



[pve-devel] High Performance SSH

2015-05-28 Thread dea

Hi all !!!

Proxmox uses ssh to move data from nodes (ok, it is possible to disable
encryption but it is not safe).

I've found this...

http://www.psc.edu/index.php/hpn-ssh

What do you all think?

Luca