Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)
Wyllys Ingersoll
Wyllys.Ingersoll at Sun.COM
Tue Oct 13 17:57:20 UTC 2009
>
> SCA6000 is pci-e, so it will not work in an e450. The e450 does,
> however, have 64bit pci slots, so the old SCA-1000 would work there.
>
> However, the SCA-1000 does not do AES at all, even with the v2.0
> firmware, so my previous discussion (and ebay link) should be ignored.
>
> The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does
> not appear to do AES-CTR.
>
> Finally, this page:
>
> http://www.opensolaris.org/os/project/crypto/Accelerators/
>
> shows that the BCM5825 will work in Solaris. I think this is the best
> option provided that the AES-CTR support it provides can be accessed in
> the same painless way that it can be in the T2 chips. Wyllys ?

Yes, the BCM5825 is supported by the crypto framework and would meet
the requirement for AES-CTR.

>
> The BCM5825 board, off the shelf, costs less than half of what the
> SCA6000 does ( $462.50 at www.abstractelec.com (see "pxs2510") vs. $1350
> ). A cursory review of the specs shows that they both run bulk AES @
> 1gbps and 12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the
> sca-6000 ... smells like the same part, actually, but I can't confirm that.

I don't know if it is the same part or not, probably not if the price
diff is that great.

> But that begs two questions:
>
>
> - Do the crypto framework APIs (PKCS#11) efficiently use multiple
> compute sources, such as a dual-processor T2 system with four SCA-6000
> plugged in ? Wyllys ? :)

The dual-processor support would be provided by the kernel itself, not
anything in userland or the crypto framework. If there were multiple
accelerators, each would be registered in the framework as a unique
instance and each would then be treated as a single accelerator by
the crypto framework. This means that there is no multi-tasking/threading
amongst crypto processors for a given session.

You may get better answers to these questions from the
crypto-discuss at opensolaris.org mailing list:
http://www.opensolaris.org/jive/forum.jspa?forumID=179

>
> - Is any of this useful for any conceivable Tor traffic loads ? The
> fastest Tor node I have ever seen on the status page is (roughly)
> 100mbps, which is a lot, but ... more than a pair of modern quad-core
> CPUs can handle ? It's conceivable that even at 200 or 400 mbps you
> wouldn't need any kind of crypto hardware to supplant a pair of modern
> CPUs...

The benefit I see is that individual packets are processed much faster,
which translates to the node being able to handle many more transactions
for a given period of time. I think this should lead to greater
bandwidth utilization, but I don't know if it would approach 100mbps or
not; there may be other limiting factors that get in the way.

-Wyllys