tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Hardware-accelerated IPsec, anyone?



> what do people use for hardware accelerated IPsec these days?
> I understand that only FAST_IPSEC (and not IPSEC) supports hardware
> acceleration. Question is - what hardware out there does support IPsec?
> 
> Options that I see are:
> 
> * glxsb(4) - here the manpage says no hardware IPsec is supported due to
>   the lack of HMAC support:
> 
>     The glxsb driver only provides random numbers and AES acceleration.
>     Since it does not provide HMACs, IPSec will not currently use it; it will
>     however be used by OpenSSH.
> 
> * hifn(4) - Available in various cards, but also with some warnings in
>   the manpage:
> 
>     Support for the 7955 and 7956 is incomplete; the asymmetric crypto facil-
>     ities are to be added and the performance is suboptimal.
> 
> * ubsec(4) - looks promising by the manpage, but I've hardly heared of
>   anyone use them (in contrast to HIFN based boards). Does anyone have
>   a comment e.g. on the BCM58xx based NIAGARA cards sold by
>   InterfaceMasters
>   (http://www.interfacemasters.com/products/SSL_IPSec_cards.html)?
> 
> * n8 / nsp(4) - I couldn't find a manufacturer here, and the driver
>   is not listed in GENERIC (in contast to the above drivers).
>   Not an option as far as I can see - anyone got a vendor for any cards?
> 
> What do people use for hardware accelerated IPsec these days?
> What options did I miss, which ones are good, which ones to avoid?
> Any dmesg examples that are known working / not working?

I am not using it at all on faster machines since offloading the data to the 
crypto device over a PCI bus is slower than doing the math in the CPU.

HW accelerators help for slow machines like Soekris or ALIX, though.



Home | Main Index | Thread Index | Old Index