Subject: Re: Re: Hardware acceleration using VIA Padlock (was Re: [Openvpn-users] a couple of questions) - msg#00474
On 25 Jun 2004, at 9:48, James Yonan wrote:
> "Eric E. Bowles" <eric@xxxxxxxxxx> said:
> [cut]
> > I got access to a 1GHz VIA C3 box and tried the command using OpenVPN 1.6
> > and patched OpenSSL library; here are the results:
> >
> >          Stock       Patched
> >          OpenVPN     OpenVPN
> >
> > real     1m13.084s   0m47.655s
> > user     1m12.570s   0m47.560s
> > sys      0m0.020s    0m0.010s
> >
> > I see a 34% improvement with hardware acceleration enabled.
>
> Interesting. Note that this percentage might be off what you will see in real
> usage, because --test-crypto is doing other stuff like generating a lot of
> strong pseudo-random numbers to fill up the test packets.
>
> OpenVPN is also doing per-packet authentication using the HMAC/SHA1 algorithm,
> I wonder if this is hardware accelerated as well?

only in the next version of the cpu.
JonB
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
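
Added example (not part of the original thread): James's caveat can be made quantitative with Amdahl's law, given JonB's answer that only AES is accelerated on this CPU. Using Eric's `user` times, the sketch derives the overall improvement, the minimum share of the stock run that must have been AES, and the AES-only speedup implied by a few assumed AES shares (the shares are assumptions, not measurements).

```python
import re

def to_seconds(t: str) -> float:
    """Parse bash `time` output such as '1m13.084s' into seconds."""
    m = re.fullmatch(r"(?:(\d+)m)?(\d+(?:\.\d+)?)s", t.strip())
    if not m:
        raise ValueError(f"unrecognised time value: {t!r}")
    return int(m.group(1) or 0) * 60 + float(m.group(2))

def improvement(stock: float, patched: float) -> float:
    """Fraction of total run time removed by the patched build."""
    return (stock - patched) / stock

def implied_cipher_speedup(stock: float, patched: float, aes_share: float) -> float:
    """Amdahl's law solved for the speedup of the accelerated part.

    aes_share is the ASSUMED fraction of the stock run spent in AES;
    everything else (PRNG, HMAC-SHA1, packet handling) is assumed unchanged.
    """
    saved = stock - patched
    aes_time = aes_share * stock
    if aes_time <= saved:
        # The unaccelerated part cannot shrink, so AES alone must cover the saving.
        raise ValueError("AES share too small to explain the time saved")
    return aes_time / (aes_time - saved)

# Figures from Eric's post (user CPU time, 1 GHz VIA C3).
STOCK = to_seconds("1m12.570s")
PATCHED = to_seconds("0m47.560s")

if __name__ == "__main__":
    gain = improvement(STOCK, PATCHED)
    print(f"overall improvement: {gain:.1%}")
    print(f"AES must be more than {gain:.1%} of the stock run")
    for share in (0.40, 0.50, 0.60):  # assumed shares, not measured
        s = implied_cipher_speedup(STOCK, PATCHED, share)
        print(f"if AES were {share:.0%} of the run, AES alone got {s:.1f}x faster")
```

The smaller the real AES share of the benchmark, the larger the cipher-only speedup hidden behind the same overall figure, which is why a tunnel test with a different mix of work can show a different percentage.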
Thread at a glance:
Previous Message by Date:
Re: Re: Hardware acceleration using VIA Padlock (was Re: [Openvpn-users] a couple of questions)
"Eric E. Bowles" <eric@xxxxxxxxxx> said:
> Hi James,
>
> > Now on OpenVPN 1.6 or 2.0-beta6 (but not beta5) try a crypto loopback test:
> >
> > openvpn --genkey --secret tmp-key
> > time openvpn --test-crypto --secret tmp-key --verb 0 --tun-mtu 10000 --cipher aes-128-cbc
> >
> > This test will generate 10000 random packets starting at a size of 1 byte and
> > going up to 10000 bytes, and loop them back through the encryption and
> > decryption algorithms.
>
> I got access to a 1GHz VIA C3 box and tried the command using OpenVPN 1.6
> and patched OpenSSL library; here are the results:
>
>          Stock       Patched
>          OpenVPN     OpenVPN
>
> real     1m13.084s   0m47.655s
> user     1m12.570s   0m47.560s
> sys      0m0.020s    0m0.010s
>
> I see a 34% improvement with hardware acceleration enabled.
Interesting. Note that this percentage might be off what you will see in real
usage, because --test-crypto is doing other stuff like generating a lot of
strong pseudo-random numbers to fill up the test packets.
OpenVPN is also doing per-packet authentication using the HMAC/SHA1 algorithm,
I wonder if this is hardware accelerated as well?
Can you try a real network test, such as constructing a tunnel between two
locally connected machines, transferring a large file over the tunnel using FTP
(in both directions), and measuring the CPU usage of OpenVPN?
James
Next Message by Date:
Re: openvpn-2.0_beta6, OpenBSD 3.5
On Friday, June 25, 2004 2:23 AM [GMT-5=EST], Christian Sander Røsnes
<christian@xxxxxxxxx> wrote:
> I don't think tap is available by default under OpenBSD.
> If you do a google for the following 4 words:
>
> "openbsd tap Claudio Jeker"
>
> you'll find some postings by Claudio Jeker, who apparently has
> done some work on this.
>
> There's a recent posting by Claudio Jeker from June 2004 on the
> newsgroup: "lucky.openbsd.tech" with subject: "integrate tap into
> tun(4)" which reads:
>
> "Here is a patch that integrates the tap (layer 2 tunneling) into the
> tun(4) interface. The interface can be switch to layer 2 mode by
> setting the link0 flag via ifconfig(8). ..."
>
> Here's the link to Claudio's webpage:
>
> http://diehard.n-r-g.com/
Thanks for the reply. I came across Claudio's ported tap driver as
well; seems a little more advanced than my abilities can currently handle.
I think I'll give FreeBSD a shot.
-Adam
Next Message by Thread:
OpenVPN 2.0-beta6 released
2004.06.23 -- Version 2.0-beta6
* Fixed Windows installer to intelligently put
up a reboot dialog only if tapinstall tells
us that it's really necessary.
* Fixed "Assertion failed at fragment.c:309"
bug when --mode server and --fragment are used
together.
* Ignore HUP, USR1, and USR2 signals during
initialization. Prior versions would abort.
* Fixed bug on OS X: "Assertion failed at event.c:406".
* Added --service option to Windows version, for use
when OpenVPN is being programmatically instantiated
by another process (see man page for info).
* --log and --log-append options now work on Windows.
* Update OpenBSD INSTALL notes (Janne Johansson).
* Enable multicast on tun interface when running on
OpenBSD (Pavlin Radoslavov).
* Fixed recent --test-crypto breakage, where options
such as --cipher were not being parsed correctly.
* Modified options compatibility string by removing
ifconfig substring if it is empty. Incremented
options compatibility string version number to 4.
* Fixed typo in --tls-timeout option parsing
(Mikael Lönnroth).