Subject: Re: Interest in Broadcom crypto cards?
To: Alicia da Conceicao <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 02/19/2007 23:03:37
>>>>> "Alicia" == Alicia da Conceicao <firstname.lastname@example.org> writes:
Alicia> At one time, I was really keen on Broadcom and other crypto
Alicia> cards. However, personal computers have become so cheap and
Alicia> powerful, that I am able to get more than >2000 RSA
Alicia> private-key signatures with a RSA key having a 1024bit
Alicia> modulus, just on a cheap/basic 2GHz AMD64 machine running
Yes, if you are a crypto nut, and/or you are trying to do only networking
things, then your argument holds.
You mention one case where there is gain:
Alicia> The only justification these days I have for crypto is for
Alicia> embedded devices that need accelerated crypto for VPN, and
Yes, that's one case. Let's look at why this situation is interesting:
a) the devices do crypto at significantly lower power consumption
b) the devices do things in parallel with the CPU.
c) the CPU may already be pegged doing revenue generating work.
Adding IPsec/VPN/SSL/etc. to the system may cause the machine to
d) there are significant advantages of doing IPsec work on the NIC
(line) card, prior to the TCP offload engine. This lets NFSv4
w/channel-binding, or iSCSI, or DCCP do all the work in hardware.
10GbE is here now, with 100GbE (or maybe 40..) coming.
Sure, the current broadcom and hifn cards that we have drivers for
do not do inline crypto, only look-aside crypto.
But, the models and mechanisms for look-aside provide a lot of
ancillary infrastructure for doing the inline work.
For instance, we have only very rudimentary to no controls to
select which IPsec SAs are handled by which methods (hardware,
software, immediate or batched OCF, immediate or batched callback,
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [