Re: Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)
On Tue, 13 Oct 2009, Wyllys Ingersoll wrote:

> Thomas.Hluchnik@xxxxxxxxxxxxx wrote:
>> On Tuesday, 13 October 2009, you wrote:
>> Hello Wyllys and all other Solaris freaks. This thread is very
>> interesting to me. I have some older Suns at home (E450, V480) and
>> playing around with tor on Solaris. But I never saw a crypto hardware
>> accelerator card for Sparc engines at Ebay or anywhere else. I would
>> like to test this stuff. Anybody here who can give me a hint where to
>> get such a card that would fit in my Suns?
>> Thomas
>
> The SCA6000 card supports AES CTR mode. I may have said in a previous email
> that it does not, but I checked and it *does*. It is supported on the
> V480, but I don't see the E450 listed on the supported platform list.
> Here is the link on the Sun product site with the spec sheet.
> http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/index.xml
> I don't know if you can find these on Ebay or not.

SCA6000 is pci-e, so it will not work in an e450. The e450 does, however,
have 64bit pci slots, so the old SCA-1000 would work there.
However, the SCA-1000 does not do AES at all, even with the v2.0 firmware,
so my previous discussion (and ebay link) should be ignored.
The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does not
appear to do AES-CTR.
Finally, this page:
http://www.opensolaris.org/os/project/crypto/Accelerators/
shows that the BCM5825 will work in Solaris. I think this is the best
option provided that the AES-CTR support it provides can be accessed in
the same painless way that it can be in the T2 chips. Wyllys ?
The BCM5825 board, off the shelf, costs less than half of what the SCA6000
does ( $462.50 at www.abstractelec.com (see "pxs2510") vs. $1350 ). A
cursory review of the specs shows that they both run bulk AES @ 1gbps and
12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the sca-6000 ...
smells like the same part, actually, but I can't confirm that.
... and since I'm dumping my brain here, we read at:
http://blogs.sun.com/darren/entry/new_crypto_hardware
> For our newest SPARC based servers that fill the same target area that
> many V240's are used for, particularly ones with an SCA-500 card (SSL web
> serving) the UltraSPARC T1 (Niagara) machines (T1000 & T2000) will do the
> crypto much faster, faster even than the new SCA-6000 can achieve. The key
> value for an SCA-6000 in an UltraSPARC T1 is the key store; which the
> SCA-500 and SCA-1000 didn't provide.

So ... with newer sparc systems, having a SCA-6000 or BCM5825 might be
overkill - unless you're focusing on performance-per-watt, in which case a
T2 system with a few SCA-6000s plugged in might raise the bar quite a bit.
But that begs two questions:
- Do the crypto framework APIs (PKCS#11) efficiently use multiple
compute sources, such as a dual-processor T2 system with four SCA-6000
plugged in ? Wyllys ? :)
- Is any of this useful for any conceivable Tor traffic loads ? The
fastest Tor node I have ever seen on the status page is (roughly) 100mbps,
which is a lot, but ... more than a pair of modern quad-core CPUs can
handle ? It's conceivable that even at 200 or 400 mbps you wouldn't need
any kind of crypto hardware to supplant a pair of modern CPUs...