SSL accelerator for the masses

Several days ago my staff bought some network cards for our stock. Today I took a look, and to my surprise, it’s a model from 3Com with a chip titled “Crypto”. Could it be…?

Nowadays we use SSL a lot, most of the time without even realizing it. ssh, scp, rsync – these are just a few examples of software based on SSL. Then we have their derivatives, such as sshfs, a filesystem based on ssh.
SSL is not just about browsing e-commerce websites anymore. It’s pretty much integrated into our daily activities.

However, as you may have noticed, the encryption process kills performance. It’s very processor-intensive, and thus decreases the transfer rate significantly. For huge file transfers, I had to use FTP or HTTP, since the speed is just too slow using scp.

So an SSL accelerator can make overall system performance better. That’s what I was hoping when I saw these 3Com 3CR990 (also known as “Typhoon”) cards.

Alas, no such luck.
The crypto chip only handles DES, which is very weak encryption, for use with IPsec. OpenBSD developers also noted that the chip is pretty buggy. And there is no driver for the crypto chip on Linux (or in OpenBSD), so we can only use its 3XP chip to offload some TCP processing (checksums, etc.). That doesn’t bring much of an increase in system performance, though.
I didn’t want to give up, so I looked around for other mass-produced SSL accelerators.

I found SSL offloaders instead. Basically, these are expensive products (some costing US$ 20,000 or more) which receive all SSL communications and then relay the plaintext (deciphered) packets to the servers “behind” them.
This brings a security risk, though, since we no longer have end-to-end encryption (which may in turn bring liability issues, if we have promised our customers that we do).

I failed to find any other consumer-level SSL accelerators, except for (surprise) VIA C3 CPUs.
These C3 chips with the Nehemiah core are able to process AES-128 for OpenSSL at a rate of 780 MBps (that’s 6.2 Gbps). Mighty awesome!
It has been supported in Linux since 2006, and a patch for OpenSSL exists, giving an instant performance boost to SSL-related applications. Michal claimed that he was actually able to reach a speed of 1.8 GBps / 14.4 Gbps.

You can fully saturate a 100 Mbps (or even 1 Gbps) ethernet link with full, and very strong, encryption. So if you want / need accelerated SSL performance, now you know which CPU to use.
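To check a given machine against that claim, here is an added example (not from the original post) that looks for hardware AES in the CPU flags and compares `openssl speed -mr` throughput with a link rate. Both sample inputs are constructed; only the 780 MB/s figure comes from the post, and the `+H`/`+F` layout of the `-mr` output and the `ace`/`ace_en` flag names are assumptions about your OpenSSL and kernel versions.

```python
import re

# Constructed sample of `openssl speed -mr -evp aes-128-cbc` output.
# +H lists block sizes in bytes; +F lists throughput in bytes/second.
# Only the last value (780 MB/s) is the figure quoted in the post.
SAMPLE_SPEED = """\
+H:16:64:256:1024:8192
+F:22:aes-128-cbc:98000000.00:310000000.00:590000000.00:740000000.00:780000000.00
"""

# Constructed /proc/cpuinfo excerpt for a VIA CPU; ace/ace_en are the
# flags Linux reports when the on-die AES engine is present and enabled.
SAMPLE_CPUINFO = """\
model name : VIA Nehemiah
flags : fpu vme de pse tsc msr cx8 mtrr pge cmov mmx fxsr sse rng rng_en ace ace_en
"""

def hw_aes(cpuinfo):
    """Return which hardware AES feature the CPU flags advertise, or None."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.M)
    flags = set(m.group(1).split()) if m else set()
    if {"ace", "ace_en"} <= flags:
        return "via-ace"
    if "aes" in flags:
        return "aes-ni"
    return None

def parse_speed(text):
    """Map cipher name -> {block_size: bytes_per_second} from -mr output."""
    sizes, out = [], {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if f[0] == "+H":
            sizes = [int(x) for x in f[1:]]
        elif f[0] == "+F" and len(f) == 3 + len(sizes):
            out[f[2]] = dict(zip(sizes, map(float, f[3:])))
    return out

def saturates(bytes_per_sec, link_mbps):
    """True if cipher throughput (bytes/s) meets or exceeds the link rate."""
    return bytes_per_sec * 8 >= link_mbps * 1_000_000

if __name__ == "__main__":
    rates = parse_speed(SAMPLE_SPEED)["aes-128-cbc"]
    print("hardware AES:", hw_aes(SAMPLE_CPUINFO))
    for size, bps in rates.items():
        print(f"{size:>5} B blocks: {bps * 8 / 1e9:.2f} Gbps, "
              f"1 Gbps link saturated: {saturates(bps, 1000)}")
```

Throughput depends on block size, so compare the link rate with the figure for the record sizes your traffic actually uses, not only the largest block.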

Now if only someone would slap these cheap chips (about US$ 33 each) onto NICs and sell them as SSL accelerators, I would be buying. It would be way cheaper than current SSL-accelerator NICs selling at > US$ 1000, and probably much faster too. And then we would be free to choose another CPU for the server.

Any takers ? 🙂

15 thoughts on “SSL accelerator for the masses”

  1. Putting a C3 on a NIC looks like putting a PC on a NIC. Remember, the C3 is basically an x86-compatible processor with a crypto accelerator inside.
    Using a crypto accelerator outside the processor has another disadvantage: data transfer between the processor and the accelerator becomes the bottleneck for overall performance.

  2. Assalamualaikum… How are you, Pak Hary? I hope you remember me, a former ITP student who installed the Inherent network.
    I'd like to ask: do you know the address of a website that provides free SSL certificates?
    Also, is there a PHP script to convert PDF to XML?
    Thanks.

  3. @sueng – PCI’s bandwidth is 133 MBps / 1064 Mbps. When a C3 chip is put on a NIC (network interface card), it would still be able to fully saturate a 100 Mbps connection.

    Also, other SSL accelerators (with price tags around US$ 1000) are all PCI cards as well.

    CMIIW.

    @Rizal – Wa'alaikumsalam, you can find it here.

    A PDF-to-XML converter can be found here.

  4. “If anyone’s interested to buy those Typhoon / 3CR990 3Com cards, at the moment they’re for sale at Queen-tech.com for only Rp 25,000 (about US$ 2.50)”

    NICE POST! THANKS!

    Scott

  5. 3Com gear generally does cost more, but I find it's worth it. You can always pick up second-hand gear if price is a problem.


  7. It's just that, because there is a more negative stigma around arranged marriage, I wrote this post, which gives an opposite example.

