Re: [Openvpn-users] RE: Scalability?


  • Subject: Re: [Openvpn-users] RE: Scalability?
  • From: Eugen Leitl <eugen@xxxxxxxxx>
  • Date: Thu, 3 Mar 2005 12:13:36 +0100

On Thu, Mar 03, 2005 at 11:38:50AM +0100, Martijn Lievaart wrote:
> Jamie Lokier wrote:
> 
> >I've read that the VIA CPUs have instructions which help implementing
> >symmetric crypto like AES, but are not much use for asymmetric
> >public-key crypto such as the slowest part of certificate verification,
> >and session key generation.
> 
> True, AFAIK.

True, currently. Does this bite for OpenVPN with static keys, too, though?

Assuming I use a config like

eugen@debian:~$ cat /etc/openvpn/leitl.conf
remote blablah 
tun-mtu 1492
dev tap
ifconfig 10.3.0.1 255.255.255.0
secret blahblah.key
ping 10
verb 3
mute 10

in a VServer customer, and force AES-256 as the cipher, will lack of RSA
acceleration be an issue at all?
 
> >If that's true, they will speed up ordinary tunnelling a little bit,
> >but not the certificate checks and periodic rekeying.
> > 
> >
> 
> True, AFAIK.

Speaking about certificates, does anyone use OpenVPN tunnels with secrets
stored on pkcs15 smartcards? (This isn't high-performance, being USB 1.1
token, and 2048 bit keys will probably make it even slower, but it will protect
the secret in case of a remote compromise of the machine).
 
> >And, being VIA CPUs, they're not very powerful for general operations
> >in comparison with Intel and AMD CPUs.
> > 
> >
> 
> Running a low-end via board on a server myself, I can state it should be 
> fine for most  uses (my OpenVPN links terminate on a lowly P90 just 

How much server can you buy for 600 EUR? Moderately useful systems begin at
twice the price. It will depend on the application, but for what I'm trying
to do, 4x low-end servers in 2U rackspace total for the price of one Intel or
AMD box is a much superior solution.

> fine, the via is low-end, but /much/ more powerful than a P90). But it 
> /is/ underpowered compared to even the cheapest desktop today and I 
> would be hesitant to run a lot of tunnels on it without first testing if 
> it can handle the load.

I think this issue will go away with the Esther core, but even now nothing
prevents you from racking several machines, and letting DNS take care of the
load.
 
> OTOH, the cheapest Via board would make a fine embedded OpenVPN 
> appliance, but that's completely something else.

As long as you restrict yourself to one system, yes. A cluster, no.
Especially, on a budget.

-- 
Eugen* Leitl <http://leitl.org>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
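The question above turns on which OpenVPN mode the quoted config runs in. The following script is an added example, not code from the message or from the OpenVPN project: it parses a config modelled on the one quoted (the remote host and key file name are constructed placeholders), decides whether it is a static-key (`secret`) or TLS configuration, and lists what that means for handshake cost and session keying. Directive names are the real OpenVPN 2.x ones; the parser itself is a simplified assumption, not OpenVPN's own.

```python
"""Classify an OpenVPN 2.x config as static-key or TLS mode and report the
handshake-related consequences of that choice."""

# Constructed sample modelled on the config quoted in the message.
# "vpn.example.invalid" and "static.key" are placeholders, not real values.
SAMPLE_CONF = """\
remote vpn.example.invalid
tun-mtu 1492
dev tap
ifconfig 10.3.0.1 255.255.255.0
secret static.key
cipher AES-256-CBC
ping 10
verb 3
mute 10
"""

# Directives that only make sense when OpenVPN negotiates keys over TLS.
TLS_DIRECTIVES = {"tls-server", "tls-client", "ca", "cert", "key", "dh",
                  "pkcs12", "pkcs11-id", "tls-auth"}


def parse_conf(text):
    """Return {directive: [list of argument lists]}, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def classify(text):
    """Decide the keying mode and describe its security/performance properties."""
    conf = parse_conf(text)
    tls = sorted(d for d in TLS_DIRECTIVES if d in conf)
    if "secret" in conf and not tls:
        mode = "static-key"
    elif tls and "secret" not in conf:
        mode = "tls"
    else:
        mode = "inconsistent"   # OpenVPN rejects mixing --secret with TLS options
    cipher = conf["cipher"][0][0] if "cipher" in conf else "<compiled-in default>"
    notes = []
    if mode == "static-key":
        notes.append("no TLS handshake, so no RSA or DH work per connection")
        notes.append("one fixed key for the tunnel lifetime: no rekey, no forward secrecy")
    elif mode == "tls":
        notes.append("RSA/DH cost at connect time and at each periodic renegotiation")
    return {"mode": mode, "cipher": cipher, "tls_directives": tls, "notes": notes}


if __name__ == "__main__":
    print(classify(SAMPLE_CONF))
```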
