Tuesday, October 07, 2008

Niagara2+ ssh improvements

Recently, ssh/openssl changes have been integrated into ssh so that, when running on Niagara-2 CPUs, ssh automatically takes advantage of the built-in HW crypto. So let's see what improvement we can expect.

Below is a chart of the total time it took to transfer about 500MB over ssh using different ciphers.


As you can see there is a very nice improvement and it's out of the box - no special configs, no tuning - it just works.


Details below.


Solaris 10 5/08

# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'

real 0m52.635s
user 0m48.256s
sys 0m4.195s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'

real 0m39.705s
user 0m34.744s
sys 0m3.884s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'

real 0m34.551s
user 0m29.169s
sys 0m4.273s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'

real 1m5.420s
user 0m54.914s
sys 0m3.963s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'

real 0m52.227s
user 0m47.970s
sys 0m3.937s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'

real 2m27.648s
user 2m23.886s
sys 0m4.071s


Open Solaris build 99

# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'

real 0m20.478s
user 0m12.028s
sys 0m6.853s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'

real 0m43.196s
user 0m38.136s
sys 0m4.031s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'

real 0m20.443s
user 0m11.992s
sys 0m6.923s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'

real 0m20.500s
user 0m12.008s
sys 0m7.054s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'

real 0m21.372s
user 0m12.013s
sys 0m7.225s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'

real 0m21.758s
user 0m12.396s
sys 0m7.513s
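
The two transcripts above reduced to per-cipher throughput and speedup. This is an added example, not part of the original post: the command and "real" lines are copied from the transcripts, while the names `parse` and `report` are this example's own.

```python
import re
# Command and "real" lines copied from the Solaris 10 5/08 transcript above.
S10 = """\
# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'
real 0m52.635s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'
real 0m39.705s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'
real 0m34.551s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'
real 1m5.420s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'
real 0m52.227s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'
real 2m27.648s
"""
# Same lines from the Open Solaris build 99 transcript above.
B99 = """\
# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'
real 0m20.478s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'
real 0m43.196s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'
real 0m20.443s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'
real 0m20.500s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'
real 0m21.372s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'
real 0m21.758s
"""

def parse(transcript):
    # Map each cipher ("default" when ssh is run without -c) to wall-clock seconds.
    times, cipher = {}, None
    for line in transcript.splitlines():
        if line.startswith("# time"):
            m = re.search(r"ssh -c (\S+)", line)
            cipher = m.group(1) if m else "default"
            continue
        m = re.match(r"real\s+(\d+)m([\d.]+)s", line)
        if m and cipher is not None:
            times[cipher] = int(m.group(1)) * 60 + float(m.group(2))
    return times

def report(before, after, mbytes=500):
    # Per cipher: (MB/s on the newer build, speedup factor relative to the older build).
    return {c: (round(mbytes / after[c], 1), round(before[c] / after[c], 2)) for c in before}

if __name__ == "__main__":
    for c, (mbs, x) in report(parse(S10), parse(B99)).items():
        print(f"{c:<11} {mbs:5.1f} MB/s  {x:.2f}x")
```
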

2 comments:

Anonymous said...

Sure it's a big RELATIVE speedup - but it's still only 25MB/s from /dev/zero to /dev/null. What's the remaining bottleneck?

Anonymous said...

to Milek: the speed of Blowfish should be exactly the same since n2cp doesn't support it and in that case the OpenSSL implementation is used, as before. I see the same numbers during my tests. Maybe if you repeat it a few times it will converge there.

to Anonymous: there are ways to speed it up - to precompute AES CTR stream in 64KB blocks, for example. For now, we didn't change the block sizes. More info is in my presentation. Also, you can see http://bugs.opensolaris.org/view_bug.do?bug_id=6749535.

Jan.