Netgate Discussion Forum
    Hardware for IPSec at 1 GBit/s

olejak

The traffic will be a mix of both and all in between :)

      So let's say that I don't need 1 GBit/s exactly but I need to be close. Say no less than 850 MBit/s

GruensFroeschli

        Hardware encryption cards will also help lower the CPU load.
        http://forum.pfsense.org/index.php/topic,8883.0.html

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

olejak

          I found this guide: http://www.pfsense.org/index.php?option=com_content&task=view&id=52&Itemid=49

          Feature Considerations - VPN

          ..and relatively new server hardware (Xeon 800 FSB and newer) deployments are pushing over 100 Mbps with plenty of capacity to spare.

But it's hard to tell what kind of hw I need for close to 1 Gbit/s IPSec.

          I also found this:

          501+ Mbps - server class hardware with PCI-X or PCI-e network adapters. No less than 3.0 GHz CPU.

That will mean that I at least will need a 3.0 GHz CPU just for traffic. Will a dual or quad core CPU be able to handle 1 Gbit/s alone?

GruensFroeschli:
The Hifn 8450 is the only one that is able to provide the speed. But I can't find a reseller in DK. :(

I could also imagine that a card like that would cost quite a bit. The question is then again: Is it possible to do the en-/decryption and routing in standard server/pc hardware? Perhaps Xeon quad 3.0 GHz?

GruensFroeschli

I'm not sure if there exist any buyable/(payable?) cards with this chip: http://www.hifn.com/products.aspx?id=390
but it seems interesting.

olejak

              That was the chip/card I was talking about.

GruensFroeschli

Ah.
But that's not an encryption accelerator.
That's a chip which can be integrated into an NIC.
-> The NIC itself will encrypt the traffic.

                However as you say it seems to be hard to get such a card.
It is also questionable whether such encryption is supported under FreeBSD.

                You may have more luck with the addon encryption cards such as the
                hifn 7751, 7951, 7811, 7955, and 7956

Perry

Seems that Google doesn't know everything. But that's what I found.
                  http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2005-02/0020.html
                  http://www.silicom-usa.com/default.asp?contentID=676
                  You could also ask http://www.bsd-dk.dk/mailing-list.dk.shtml for help too.

                  /Perry
                  doc.pfsense.org

Cry Havok

I'd say that a visit to the freebsd-net mailing list (see the FreeBSD mailing list page) would probably be your best bet. Ultimately this is a question about the hardware required for FreeBSD 7.0 to push 850 Mb/s to 1 Gb/s of IPSec traffic (you'll never hit 1 Gb/s on a 1 Gb/s link because of overheads).

You also certainly want quality kit - which means things like the Intel server adapters etc. I suspect one problem you'll find is that you're probably limited to a single threaded process, which means that extra cores may not help as much as raw processor clock speed (though extra cores will probably still help a bit). Your choice of encryption algorithm will also matter (DES will have lower overheads, and be less secure, than AES).

olejak

                      GruensFroeschli: You're right. I saw that, but after my post :)

                      Perry: Interesting. The PESC62 looks like it can do the job. But again it looks like there is no reseller in DK. :(

Cry Havok: I know that hitting the 1 Gb/s is not possible because of overhead but I want to get as close as possible.

                      I'll try the freebsd mailing lists as well, but keep the posts coming.

                      Also:

According to their tech specs, the highest throughput they support while doing encryption is 460 Mbps. For reference, a 1.8 GHz Opteron (x44) can encrypt with RC4 at 2500 Mbps. As an example, this means you can choose to limit the throughput to 1250 Mbps, and keep 50% of your CPU time for other applications, or just add a second CPU to your system. A 2.2 GHz Opteron (x48) scales to 3100 Mbps, a 2.6 GHz one (x52) would scale to 3700 Mbps.

By law and internal IT policy the encryption must be at least AES-256, equivalent or better. Guess that probably was some good information to put in my first post.

                      So a 2.6 GHz Opteron can do 3700 Mbps of RC4. It would be interesting to see what it can do in AES-256, but also interesting to see what a Xeon 3.0 GHz can do.

                      Does anyone know how they did those tests?

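Since the question above is what a given CPU can do in AES-256 rather than RC4, here is an added shell example (not from the thread or from pfSense) that converts `openssl speed -evp aes-256-cbc` output into Mbit/s per block size and checks each against the 850 Mbit/s target; the result line is constructed, and the real benchmark runs only with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread: turn `openssl speed -evp aes-256-cbc`
# output into Mbit/s and compare it with the 850 Mbit/s target discussed above.
# openssl prints thousands of bytes per second, one column per block size
# (16, 64, 256, 1024, 8192 and, on newer builds, 16384 bytes).

# Print the rate for one column of a result line as whole Mbit/s.
# $1 = result line, $2 = column: 1 = 16-byte blocks ... 4 = 1024-byte blocks
speed_line_to_mbps() {
    # field 1 is the cipher name, so data column N is awk field N+1
    printf '%s\n' "$1" | awk -v f="$(($2 + 1))" '{
        v = $f; sub(/k$/, "", v)            # strip the trailing "k"
        printf "%d\n", v * 8 / 1000         # kB/s * 1000 * 8 / 1e6 = Mbit/s
    }'
}

# Succeed when the rate in column $2 is at least $3 Mbit/s.
meets_target() {
    [ "$(speed_line_to_mbps "$1" "$2")" -ge "$3" ]
}

# Constructed sample in openssl's format (not a real measurement): small blocks
# are far slower than large ones, which is what a mix of packet sizes hits.
SAMPLE_LINE='aes-256-cbc      45678.90k   150123.45k   298765.43k   398765.43k   412345.67k'
TARGET_MBPS=850

# Pass --live to measure this machine instead of using the constructed line.
LINE=$SAMPLE_LINE
if [ "${1:-}" = "--live" ]; then
    LINE=$(openssl speed -evp aes-256-cbc 2>/dev/null | grep -i '^aes-256-cbc')
fi

i=1
for size in 16 64 256 1024 8192; do
    mbps=$(speed_line_to_mbps "$LINE" "$i")
    if meets_target "$LINE" "$i" "$TARGET_MBPS"; then verdict=ok; else verdict=short; fi
    printf '%5s-byte blocks: %5d Mbit/s (%s)\n' "$size" "$mbps" "$verdict"
    i=$((i + 1))
done
```

The 1024-byte column is the closest to full-size IPsec packets, while the 16-byte column shows the per-call overhead that dominates on small packets, so a link carrying "all in between" should be judged on more than the best column.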
Cry Havok

                        Probably the low tech way - hook up a packet generator and receiver with a pair of hosts to act as VPN routers then turn the speed up until the processors max out ;)  I've done similar things quite a few times.

cmb

                          A modern server can easily do 1 Gbps wire speed without crypto, and I would expect it to offer the same performance even with crypto. A quad core box should do fine, though I can't say I've ever tested at that scale.

Guest

I may be off base here a bit but I would worry more about the throughput of the front side bus and the interface of the network cards. Out of curiosity, what are you doing to produce that much traffic and what type of connection are you using?

Darkk

My guess is site-to-site VPN connections. At those speeds it sounds like he wants to bridge two large offices together.

                              He may also be thinking about incorporating off-site backups into this VPN scheme.

He may be better off just splitting up the site-to-site VPN connections into channels. This way he'll get the total throughput he wants and the added bonus of a backup network connection.
