Soekris 5501-70: what to do with hifn & PCI ethernet

[raindog308]

I bought a Soekris net5501-70, used. It came with a vpn1411 card. This shows up in OpenBSD as:

Code:

hifn0 at pci0 dev 17 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 15

So I'm wondering if there is something I can use this for - i.e., to exploit the card since I own it. What do people usually use hifn cards for? If I was doing heavy encryption (which I'm not), I'm thinking the general purpose CPU on other desktop boxes (e.g., an i3 or i7) would be faster than the Geode + hifn on the Soekris - ?

Also, if some (userland) code does some AES or MD5, will it automatically use that card?

I'm planning to use the box as a firewall between my WAN and LAN, as it only has 100mbit Ethernet - debating whether to drop in a gig-E card in the PCI to make it more useful. I was a little disappointed that the onboard NICs are somewhat crippled in OpenBSD, but they're still fast enough for my WAN.

It's another toy on the Isle of Misfit Toys...the pile of small, strange exotic boxes in the corner of my desk

[jggimi]

As far as I know, the hifn(4) device can only be used as a crypto offlload driver for ipsec(4). I have some Alix machines that use the glxsb(4) device, which has similar IPSec offload and can also act as a source of entropy for the kernel. A tiny advantage for a tiny platform.

According to CVS logs, the userland access driver for our crypto devices, crypto(4), has been removed for 5.7. The log stated, "The interface has been disabled by default for about 4 years and currently there's not much value in having it around at all."

I did play with this driver when I first got my Alixes. I used OpenSSL's CLI tool. Yes, it encrypted/decrypted with improved performance. But I just played with it; my use of openssl(1) on those platforms was not then or now a part of normal day to day production operations.

I use IPSec, and take the default crypto transforms, which includes AES-CBC. I have not tried to use IPSec with the offload device disabled and measure performance differences, so I do not know its value for that function.

Edited to add: I misread the hifn(4) man page. Your 7955 can also be an entropy source.

[ibara]

Quote:

Originally Posted by raindog308

So I'm wondering if there is something I can use this for - i.e., to exploit the card since I own it. What do people usually use hifn cards for? If I was doing heavy encryption (which I'm not), I'm thinking the general purpose CPU on other desktop boxes (e.g., an i3 or i7) would be faster than the Geode + hifn on the Soekris - ?

Today's CPUs, yes. But these offloader cards were a big deal back in the day!

Quote:

Originally Posted by raindog308

I'm planning to use the box as a firewall between my WAN and LAN, as it only has 100mbit Ethernet - debating whether to drop in a gig-E card in the PCI to make it more useful. I was a little disappointed that the onboard NICs are somewhat crippled in OpenBSD, but they're still fast enough for my WAN.

They should likely be fine for your usage. If you want to "cheat" a bit though you can get a single port gigE card for your LAN and put a switch behind that. Or according to that link you can get a PCI-X gigE card with multiple ports provided you have a powerful enough PSU. Any way you cut it, all those parts can be had super cheap on eBay.