NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: crypto accelerators, 6Gb/s SAS adapters, quad port gigabit ethernet adapters

On 9/21/2010 9:49 AM, wrote:
After looking at hifn(4), ubsec(4), and nsp(4), I am uncertain which hardware

In all of our research, we found that CPU accelerators on helped in two conditions:

1) When the CPU load in a server cluster/environment cannot be
   upgraded (or cannot easily be upgraded) and is over-saturated
   and/or the crypto-related work can't be offloaded elsewhere
   but the systems *can* take the installation of a crypto

2) Embedded platforms with low power requirements with
   embedded-class CPUs

  In almost every other condition (*), its almost always less costly
  to upgrade the CPU, upgrade the overall server, add additional
  servers to the cluster, or offload the work to a secondary
  cluster (even if it compels network infrastructure upgrades)

  You'll understand when you start finding out the unit costs
  from vendors who resell cards with Broadcom Chips (Thales,
  Interface Masters, etc.)

The new Intel Xeon Westermere series (Formally Nehalem-C) has a new instruction set for improving AES:

      "* A new set of instructions that gives over 3x the
         encryption and decryption rate of Advanced Encryption
         Standard (AES) processes compared to before.[52]
        o Delivers seven new instructions (AES instruction set or
          AES-NI) that will be used by the AES algorithm. Also an
         instruction called PCLMULQDQ (see CLMUL instruction set) that
         will perform carry-less multiplication for use in
         cryptography.[53] These instructions will allow the processor
         to perform hardware-accelerated encryption, not only resulting
         in faster execution but also protecting against software
         targeted attacks.
         o AES-NI may be included in the integrated graphics of

   Presuambly once OS level support is in place, the softdev engine
   in OpenSSL could just take advantage of it naturally.


(*)  There's always the possibility that you're buying servers
    from Oracle :)

Home | Main Index | Thread Index | Old Index