[nycbug-talk] Hifn card

Isaac Levy ike at blackskyresearch.net
Wed Jun 6 14:06:47 EDT 2012


Hi George,

On Jun 6, 2012, at 12:58 PM, George Rosamond wrote:
> On 06/06/12 12:48, George Rosamond wrote:
>> Wondering about others' experiences with Hifn card on FreeBSD.
>> 
>> Looking for something not too expensive, mostly for SSL/TLS acceleration.
>> 
>> Have used padlock(4) and glxsb(4), the latter on Alix boards.
>> 
>> Went through the hifn(4) man page, but would love to hear about
>> experiences, not read about them.
> 
> Well still curious to hear about others' experiences, but it seems for what I need, CPU matters more, in that there will be lots of little work, not some big fat work :)
> 
> g

2 things worth less than .02¢:

1) Depends on your use, CPU has blown away what the little hifn cards can push.
(I have a 4 year old story about pulling them out of Soekris 5501s and getting a measured 3-5x throughput increase for IPsec VPNs- no kidding.  [was PFSense 1.2, which was of course, FreeBSD 7.x based])  Interrupts and data throughput to the card were killing network IO, and the CPU totally smoked the accelerator on its own.  Stats fuzzy, never looked back after pulling the cards.

2) Hardware crypto is difficult to resolve when some aspect of it is compromised, (implementation, fundamental protocol or cipher cracks, etc…).
Nothing seems really confirmed, but the hifn chip was implicated in the 2010 OpenBSD IPsec "FBI-backdoor" fiasco.  Of the huge lists of notes, here's Gregory Perry's dense explanation:
http://seclists.org/fulldisclosure/2010/Dec/441

I'm of course not capable of proving/disproving this situation; however, it's totally the worst-case nightmare for any security hardware that isn't trivially interchangeable, (cost, tech, manufacturing time to response, etc…)

Best,
.ike
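Added example, not part of the thread or anyone's post in it: a FreeBSD shell script that puts numbers behind the "CPU vs. card" question above, by running `openssl speed` once on the plain software path and once through the cryptodev engine and printing the kB/s figures side by side for each block size (the 16- and 64-byte columns are the "lots of little work" case). It assumes an OpenSSL with the cryptodev engine, `kldload cryptodev` done beforehand, and a hifn(4) card attached so the engine path actually reaches the hardware (without a card the kernel path is cryptosoft, which only shows the syscall overhead). The sample `openssl speed` output embedded at the bottom is constructed for checking the parser, not a measurement.

```shell
#!/bin/sh
# Compare CPU (software) vs. cryptodev(4)-engine throughput per block size.
# Added example; assumes `openssl speed` with the cryptodev engine and a
# loaded cryptodev module. Invoke as: sh speed-compare.sh run [algorithm]

# Pull the kB/s figure for one algorithm and block size (16, 64, 256, 1024,
# 8192) out of `openssl speed` output.
# $1 = output text, $2 = algorithm name as printed, $3 = block size in bytes
speed_column() {
  printf '%s\n' "$1" | awk -v alg="$2" -v size="$3" '
    # header "type  16 bytes  64 bytes ...": the n-th size is data field n+1
    $1 == "type" { for (i = 2; i <= NF; i++) if ($i == size) col = i / 2 + 1; next }
    $1 == alg && col { v = $col; sub(/k$/, "", v); print v; exit }
  '
}

# Engine figure as a whole percentage of the software figure.
# $1 = engine kB/s, $2 = software kB/s
ratio_pct() {
  awk -v hw="$1" -v sw="$2" 'BEGIN { printf "%d\n", (sw > 0) ? hw * 100 / sw : 0 }'
}

# Run both measurements and print one comparison line per block size.
compare() {
  alg=${1:-aes-128-cbc}
  sw_out=$(openssl speed -evp "$alg" 2>&1)
  hw_out=$(openssl speed -evp "$alg" -engine cryptodev 2>&1)
  for size in 16 64 256 1024 8192; do
    sw=$(speed_column "$sw_out" "$alg" "$size")
    hw=$(speed_column "$hw_out" "$alg" "$size")
    printf '%6s bytes: cpu %12s kB/s  cryptodev %12s kB/s  (%s%% of cpu)\n' \
      "$size" "$sw" "$hw" "$(ratio_pct "$hw" "$sw")"
  done
}

# Constructed sample of `openssl speed -evp aes-128-cbc` output (not a real
# measurement), so the parser can be exercised on a box with no card.
SAMPLE_SPEED='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     100000.00k   200000.00k   400000.00k   500000.00k   520000.00k'

# Only benchmark when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = run ]; then
  compare "${2:-aes-128-cbc}"
fi
```

If the cryptodev column comes out well below the cpu column at 16 and 64 bytes while only catching up at 8192, that is the per-packet overhead the post describes: every small buffer pays a trip through the kernel and the card's interrupt path, which the CPU simply does not have to.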
