Netgate Discussion Forum

    Best Crypto Accelerator?

      HypeTelecon

      What would be the best PCI/PCIe Crypto Accelerator that pfSense would be capable of using for IPSec 3DES offloading?

        wallabybob

        The answer probably depends on the data rate at which you want to encrypt.

          MeatPuppet

          I have had real good experience with HiFn, they have cards for most any requirements and not to mention price range.
          I am running a HiFn DS100 under Linux, using the "OpenBSD/FreeBSD Cryptographic Framework (OCF)" port for Linux, and it works really well.

          The BSD application cryptotest (running on Slackware Linux) gives me the following results:

          des:
          0.005 sec, 2    des crypts, 65280 bytes, 28023181 bytes/sec, 213.8 Mb/sec

          3des:
          0.004 sec, 2   3des crypts, 65280 bytes, 31271856 bytes/sec, 238.6 Mb/sec

          aes256:
          0.004 sec, 2   aes256 crypts, 65280 bytes, 32007845 bytes/sec, 244.2 Mb/sec

          The card has NIST certified hardware implementations of the most widely used algorithms (AES, DES, 3DES, SHA, HMAC);
          not to mention a True Hardware RNG, which is my main reason for investing, I am in serious need of entropy…

          The BSD/Linux driver supports up to 64 cards working together, and they also have much more powerful cards than the DS100 (the cheapest of the bunch) if that is needed,
          the driver is also Open Source, which is a key factor.

          Since I am mainly a Linux zealot, I do not know if this card works with pfSense, but considering the driver is actually written for FreeBSD and then ported to Linux I would almost dare to assume so.

          Best Regards,
          MeatPuppet

            HypeTelecon

            What would be the best place to purchase these cards from?

            @MeatPuppet:

            I have had real good experience with HiFn, they have cards for most any requirements and not to mention price range.
            I am running a HiFn DS100 under Linux, using the "OpenBSD/FreeBSD Cryptographic Framework (OCF)" port for Linux, and it works really well.

            The BSD application cryptotest (running on Slackware Linux) gives me the following results:

            des:
            0.005 sec, 2    des crypts, 65280 bytes, 28023181 bytes/sec, 213.8 Mb/sec

            3des:
            0.004 sec, 2   3des crypts, 65280 bytes, 31271856 bytes/sec, 238.6 Mb/sec

            aes256:
            0.004 sec, 2   aes256 crypts, 65280 bytes, 32007845 bytes/sec, 244.2 Mb/sec

            The card has NIST certified hardware implementations of the most widely used algorithms (AES, DES, 3DES, SHA, HMAC);
            not to mention a True Hardware RNG, which is my main reason for investing, I am in serious need of entropy…

            The BSD/Linux driver supports up to 64 cards working together, and they also have much more powerful cards than the DS100 (the cheapest of the bunch) if that is needed,
            the driver is also Open Source, which is a key factor.

            Since I am mainly a Linux zealot, I do not know if this card works with pfSense, but considering the driver is actually written for FreeBSD and then ported to Linux I would almost dare to assume so.

            Best Regards,
            MeatPuppet

              dotdash

              I've had good results with the vpn1411 http://www.soekris.com/vpn1401.htm

                MeatPuppet

                I picked up mine from eBay, it is selling for around the $100-150 mark, depending if you can be bothered to wait or not… It should be noted that most of these are PCI64 cards, but personally I only find this to be an advantage.

                Best Regards,
                MeatPuppet

                  HypeTelecon

                  Is there a PCIe based crypto accelerator that will work with FreeBSD? I'm looking for something with a little more horse power.

                    dotdash

                    Hifn makes the 255, which is a PCIe card based on the 8155 chip. I'm not sure if it's supported in FreeBSD though, and they are significantly more expensive than the PCI cards.

                      HypeTelecon

                      Can anyone confirm or deny that this particular card is supported by FreeBSD 6.2?

                      @dotdash:

                      Hifn makes the 255, which is a PCIe card based on the 8155 chip. I'm not sure if it's supported in FreeBSD though, and they are significantly more expensive than the PCI cards.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.