[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)




On Tue, 13 Oct 2009, Wyllys Ingersoll wrote:

Thomas.Hluchnik@xxxxxxxxxxxxx wrote:
Am Dienstag 13 Oktober 2009 schrieben Sie:

Hello Wyllys and all other Solaris freaks. This thread is very
interesting to me. I have some older Suns at home (E450, V480) and
playing around with tor on Solaris. But I never saw a crypto hardware
accelerator card for Sparc engines at Ebay or anywhere else. I would
like to test this stuff. Anybody here who can give me a hint where to
get such a card that would fit in my Suns?

Thomas


The SCA6000 card supports AES CTR mode, I may have said in a previous email
that it does not, but I checked and it *does*.    It is supported on the
V480, but I don't see the E450 listed on the supported platform list.

Here is the link on the Sun product site with the spec sheet.
http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/index.xml

I don't know if you can find these on Ebay or not.


SCA6000 is pci-e, so it will not work in a e450. The e450 does, however, have 64bit pci slots, so the old SCA-1000 would work there.

However, the SCA-1000 does not do AES at all, even with the v2.0 firmware, so my previous discussion (and ebay link) should be ignored.

The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does not appear to do AES-CTR.

Finally, this page:

http://www.opensolaris.org/os/project/crypto/Accelerators/

shows that the BCM5825 will work in Solaris. I think this is the best option provided that the AES-CTR support it provides can be accessed in the same painless way that it can be in the T2 chips. Wyllys ?

The BCM5825 board, off the shelf, costs less than half of what the SCA6000 does ( $462.50 at www.abstractelec.com (see "pxs2510) vs. $1350 ). A cursory review of the specs shows that they both run bulk AES @ 1gbps and 12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the sca-6000 ... smells like the same part, actually, but I can't confirm that.

... and since I'm dumping my brain here, we read at:

http://blogs.sun.com/darren/entry/new_crypto_hardware

For our newest SPARC based servers that fill the same target area that many V240's are used for, particulary ones with an SCA-500 card (SSL web serving) the UltraSPARC T1 (Niagara) machines (T1000 & T2000) will do the crypto much faster, faster even than the new SCA-6000 can achieve. The key value for an SCA-6000 in an UltrSPARC T1 is the key store; which the SCA-500 and SCA-1000 didn't provide.

So ... with newer sparc systems, having a SCA-6000 or BCM5825 might be overkill - unless you're focusing on performance-per-watt, in which case a T2 system with a few SCA-6000s plugged in might raise the bar quite a bit.


But that begs two questions:


- Do the crypto framework APIs (PKCS#11) efficiently use multiple compute sources, such as a dual-processor T2 system with four SCA-6000 plugged in ? Wyllys ? :)

- Is any of this useful for any conceivable Tor traffic loads ? The fastest Tor node I have ever seen on the status page is (roughly) 100mbps, which is a lot, but ... more than a pair of modern quad-core CPUs can handle ? It's conceivable that even at 200 or 400 mbps you wouldn't need any kind of crypto hardware to supplant a pair of modern CPUs...
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/