Subject: Re: Interest in Broadcom crypto cards?
To: Alicia da Conceicao <alicia@engine.ca>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: current-users
Date: 02/19/2007 23:03:37
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Alicia" == Alicia da Conceicao <alicia@engine.ca> writes:
    Alicia> At one time, I was really keen on Broadcom and other crypto
    Alicia> cards.  However, personal computers have become so cheap and
    Alicia> powerful, that I am able to get more than >2000 RSA
    Alicia> private-key signatures with a RSA key having a 1024bit
    Alicia> modulus, just on a cheap/basic 2GHz AMD64 machine running
    Alicia> NetBSD-amd64.

  Yes, if you are a crypto nut, and/or you are trying to do only networking
things, then your argument holds.
  You mention one case where there is gain:

    Alicia> The only justification these days I have for crypto is for
    Alicia> embedded devices that need accelerated crypto for VPN, and

  Yes, that's one case. Let's look at why this situation is interesting:
  a) the devices do crypto at significantly lower power consumption
     than CPUs.

  b) the devices do things in parallel with the CPU.

  c) the CPU may already be pegged doing revenue generating work.
     Adding IPsec/VPN/SSL/etc. to the system may cause the machine to
     fall over.

  d) there are significant advantages of doing IPsec work on the NIC
     (line) card, prior to the TCP offload engine. This lets NFSv4
     w/channel-binding, or iSCSI, or DCCP do all the work in hardware.
     10GbE is here now, with 100GbE (or maybe 40..) coming.
     Sure, the current broadcom and hifn cards that we have drivers for
     do not do inline crypto, only look-aside crypto.
     But, the models and mechanisms for look-aside provide a lot of
     ancillary infrastructure for doing the inline work.

     For instance, we have only very rudimentary to no controls to
     select which IPsec SAs are handled by which methods (hardware,
     software, immediate or batched OCF, immediate or batched callback,
     etc.).

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBRdpzEICLcPvd0N1lAQIXfgf+IM8SWSpt2hMP82eRwzia6sWyZDvS0mWr
Sw6J/PXnoZm4QOSh8C5Li5aFI+IEQYMBG8UZ/yl91YGVeAkEPkCP13t+FZPg4fKA
kWsk31+Af3mc1ZLTyz4wsb+LrwtzZ1HKch9D+VTOoVunhSE7+kcEq14wv20ax+Cb
ju+8AeHKI5jcMOpFz57NmTdIgObEES/rAbu0M3I/cTGdHYHldaE1ApSUaUEEEjW8
W8o7qsYO0jiSwz913VGLxlsRNX55egBOxsqNwyXUG72e63DkNANgWBoS1xH1k+Ek
ep3+VzW2MR2LKtogxtXxAYO5H4kfQeHrjW/yEsKkNSFIrVPJWxh25Q==
=sZOG
-----END PGP SIGNATURE-----
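Alicia's figure of more than 2000 RSA-1024 private-key signatures per second on a cheap CPU is the empirical basis of the whole exchange, and Michael's points (b) and (c) turn on how much of the CPU that throughput consumes. The program below is an added example, not code from either participant or from any NetBSD or OCF driver: it measures software RSA signing throughput with Go's standard library only, first on one core and then on every core the machine has, so the reader can see both the raw rate and the cost of pegging all cores with crypto instead of "revenue generating work". The 1024-bit modulus, the one-second measurement window, and the sample message are assumptions chosen to mirror the thread; absolute numbers will differ from Alicia's 2007 AMD64 box.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"runtime"
	"sync"
	"time"
)

// signAndVerify performs one PKCS#1 v1.5 signature over SHA-256(msg) and
// checks it against the public half of key. It is a correctness guard so the
// benchmark below is known to produce real, verifiable signatures.
func signAndVerify(key *rsa.PrivateKey, msg []byte) error {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, digest[:], sig)
}

// signRate signs a fixed digest in a tight loop on `workers` goroutines for
// roughly `dur` and returns the total number of signatures and the aggregate
// signatures-per-second rate. With workers == 1 this is the single-core figure
// Alicia quotes; with workers == runtime.NumCPU() it shows what it costs to
// devote the whole machine to private-key operations.
func signRate(key *rsa.PrivateKey, digest []byte, dur time.Duration, workers int) (int, float64) {
	counts := make([]int, workers) // one counter per goroutine, no sharing
	var wg sync.WaitGroup
	start := time.Now()
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for time.Since(start) < dur {
				// rand.Reader is used for RSA blinding, not for the signature itself.
				if _, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest); err != nil {
					panic(err)
				}
				counts[w]++
			}
		}(w)
	}
	wg.Wait()
	elapsed := time.Since(start).Seconds()
	total := 0
	for _, c := range counts {
		total += c
	}
	return total, float64(total) / elapsed
}

func main() {
	// Assumption: a 1024-bit modulus, matching the key size in the thread.
	key, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message for the signing benchmark")
	if err := signAndVerify(key, msg); err != nil {
		panic(err)
	}
	digest := sha256.Sum256(msg)

	const window = time.Second
	n1, r1 := signRate(key, digest[:], window, 1)
	fmt.Printf("RSA-1024 sign, 1 core:   %6d signatures, %.0f sig/s\n", n1, r1)

	cores := runtime.NumCPU()
	nN, rN := signRate(key, digest[:], window, cores)
	fmt.Printf("RSA-1024 sign, %2d cores: %6d signatures, %.0f sig/s\n", cores, nN, rN)
	fmt.Printf("every core busy with crypto: none left for application work\n")
}
```

Run it once idle and once while the box is serving its normal load; the gap between the idle single-core rate and the rate you can afford to give up is the capacity argument for a look-aside or inline accelerator on a machine whose CPU is already doing the real work.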