Slightly OT: where to get Crypto HW (long, detailed, ends w/questions...)

John Case case at sdf.lonestar.org
Tue Oct 13 16:32:38 UTC 2009


On Tue, 13 Oct 2009, Wyllys Ingersoll wrote:

> Thomas.Hluchnik at netcologne.de wrote:
>> On Tuesday 13 October 2009 you wrote:
>>
>> Hello Wyllys and all other Solaris freaks. This thread is very
>> interesting to me. I have some older Suns at home (E450, V480) and
>> playing around with tor on Solaris. But I never saw a crypto hardware
>> accelerator card for Sparc engines at Ebay or anywhere else. I would
>> like to test this stuff. Anybody here who can give me a hint where to
>> get such a card that would fit in my Suns?
>>
>> Thomas
>
>
> The SCA6000 card supports AES CTR mode. I may have said in a previous email
> that it does not, but I checked and it *does*. It is supported on the
> V480, but I don't see the E450 listed on the supported platform list.
>
> Here is the link on the Sun product site with the spec sheet.
> http://www.sun.com/products/networking/sslaccel/suncryptoaccel6000/index.xml
>
> I don't know if you can find these on Ebay or not.


SCA6000 is pci-e, so it will not work in a e450.  The e450 does, however, 
have 64bit pci slots, so the old SCA-1000 would work there.

However, the SCA-1000 does not do AES at all, even with the v2.0 firmware, 
so my previous discussion (and ebay link) should be ignored.

The (also discontinued, like the SCA-1000) SCA-4000 does AES, but does not 
appear to do AES-CTR.

Finally, this page:

http://www.opensolaris.org/os/project/crypto/Accelerators/

shows that the BCM5825 will work in Solaris.  I think this is the best 
option provided that the AES-CTR support it provides can be accessed in 
the same painless way that it can be in the T2 chips.  Wyllys ?

The BCM5825 board, off the shelf, costs less than half of what the SCA6000 
does ( $462.50 at www.abstractelec.com (see "pxs2510") vs. $1350 ).  A 
cursory review of the specs shows that they both run bulk AES @ 1gbps and 
12,000 RSA tps for the broadcom vs. 13,000 RSA tps for the sca-6000 ... 
smells like the same part, actually, but I can't confirm that.

... and since I'm dumping my brain here, we read at:

http://blogs.sun.com/darren/entry/new_crypto_hardware

For our newest SPARC based servers that fill the same target area that 
many V240's are used for, particularly ones with an SCA-500 card (SSL web 
serving) the UltraSPARC T1 (Niagara) machines (T1000 & T2000) will do the 
crypto much faster, faster even than the new SCA-6000 can achieve. The key 
value for an SCA-6000 in an UltraSPARC T1 is the key store; which the 
SCA-500 and SCA-1000 didn't provide.

So ... with newer sparc systems, having a SCA-6000 or BCM5825 might be 
overkill - unless you're focusing on performance-per-watt, in which case a 
T2 system with a few SCA-6000s plugged in might raise the bar quite a bit.


But that begs two questions:


- Do the crypto framework APIs (PKCS#11) efficiently use multiple 
compute sources, such as a dual-processor T2 system with four SCA-6000 
plugged in ?  Wyllys ?   :)

- Is any of this useful for any conceivable Tor traffic loads ?  The 
fastest Tor node I have ever seen on the status page is (roughly) 100mbps, 
which is a lot, but ... more than a pair of modern quad-core CPUs can 
handle ?  It's conceivable that even at 200 or 400 mbps you wouldn't need 
any kind of crypto hardware to supplant a pair of modern CPUs...