[Asterisk-Dev] IBM/SGI implementations

[Scott Laird]

On Nov 22, 2004, at 6:38 PM, James Sharp wrote:
> John Todd wrote:
>
>> Speaking of off-board crypto processing, does anyone know if RTP (AES 
>> or otherwise) could easily be offloaded to the Broadcom or Hifn cards 
>> that are supported under some O/S'es?  (notably, OpenBSD)  Are the 
>> abilities of those cards useful towards VoIP applications?  S/MIME or 
>> TLS aren't a major issue as far as I'm concerned, because there 
>> typically is enough horsepower on the main CPU to handle a reasonable 
>> number of requests per second of just signalling.  Though processing 
>> SIP control messages in a very large scale environment is a problem 
>> even for the signalling, I think a more important issue is the audio 
>> stream.  Perhaps both can be sped up by one of these third-party 
>> boards.  Just a thought...
>
> Some quick research shows that it should be easy to do.
>
> open /dev/crypto & lock it
> Recieve packet.
> Stuff packet into crypto data structure along with key
> pull trigger on ioctl using /dev/crypto file descriptor
> get decrypted packet out of structure
> close /dev/crypto & unlock it
> continue processing decrypted packet.

The impression that I got was that none of the current crypto boards 
are very fast at encrypting small packets.  Generally, the CPU is 
faster when doing small-ish amounts of data, while the crypto cards are 
a bit faster if you can throw big blobs of data at them.

Since Asterisk will almost never have big blobs of data handy, it'll 
almost certainly be faster to use the CPU to encrypt everything.  As 
someone else mentioned, AES is really, really fast is software anyways; 
there's no real need for a hardware accelerator for it with modern 
CPUs.  3DES might be a different story, but it's not *that* slow, 
either.  Run 'openssl speed' on one of your boxes and look at the 
results given for AES and DES--if you can't handle over 100,000 64-byte 
operations/second, then your hardware is even older then mine :-).


Scott