Several days ago my staff bought some network cards for our stock. Today I took a look, and to my surprise, it’s a model from 3Com with a chip titled “Crypto”. Could it be….?

Nowadays we use SSL a lot, most of the time without us even realizing it. ssh, scp, rsync - these are just a few example of software based on SSL. Then we have their derivatives — sshfs for example, a filesystem based on ssh.
SSL is not just about browsing to ecommerce website anymore. It’s pretty much integrated into our daily activities.

However, as you may have noticed, the encryption process kills performance. It’s very processor-intensive, and thus decrease the transfer rate, significantly. For huge file transfers, I had to use FTP or HTTP, since the speed is just too slow using scp.

So an SSL accelerator can make overall system performance better. That’s what I was hoping when I saw these 3Com 3CR990 (also known as “Typhoon”) cards.

Alas, no such luck.
The crypto chip was only for DES, which is a very weak encryption, for use on IPSEC. OpenBSD developers also noted that the chip is pretty buggy. And no driver for the crypto chip on Linux (and in OpenBSD), so we can only utilize its 3XP chip to offload several TCP processing (checksum, etc). It doesn’t bring much increase in system performance though.
I didn’t want to give up, so I look around for another mass-produced SSL accelerators.

I found SSL offloaders instead. Basically, these are expensive products (some costing US$ 20.000 or more) which would receive all SSL communications, and then relay the plaintext (deciphered) packets to the servers “behind” it.
This brings security risk though, since we no longer have end-to-end encryption (which may in turn bring liability issues, if we have promised our customers that we do).

I failed to find any other consumer-level SSL accelerators, except for (surprise) — VIA C3 CPUs.
These C3 chips with Nehemiah core are able to process AES-128 for OpenSSL at rate of 780 MBps (that’s 6.2 Gbps). Mighty awesome !
It’s already supported in Linux since 2006, and patch for OpenSSL existed, giving instant performance-boost to SSL-related applications. Michal claimed that he actually able to reach speed of 1.8 GBps / 14.4 Gbps.

You can fully saturate a 100 Mbps (or even 1 Gbps) ethernet link with full, and very strong, encryption. So if you want / need accelerated SSL performance, now you know which CPU to use.

Now if only someone would slap these cheap chips (about US$ 33 each) onto NICs and selling them as SSL accelerators, I would be buying. It would be way cheaper that current SSL-accelerator NICs currently selling at > US$ 1000, and probably much faster too. And then we are free to choose other CPU for the server.

Any takers ?

This entry was posted on Thursday, March 27th, 2008 at 14:24 and is filed under Teknoblogia. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.