Below is a chart of total time it took to transfer over ssh about 500MB using different ciphers.
As you can see there is a very nice improvement and it's out of the box - no special configs, no tuning - it just works.
Details below.
Solaris 10 5/08
# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'
real 0m52.635s
user 0m48.256s
sys 0m4.195s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'
real 0m39.705s
user 0m34.744s
sys 0m3.884s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'
real 0m34.551s
user 0m29.169s
sys 0m4.273s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'
real 1m5.420s
user 0m54.914s
sys 0m3.963s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'
real 0m52.227s
user 0m47.970s
sys 0m3.937s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'
real 2m27.648s
user 2m23.886s
sys 0m4.071s
Open Solaris build 99
# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'
real 0m20.478s
user 0m12.028s
sys 0m6.853s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'
real 0m43.196s
user 0m38.136s
sys 0m4.031s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'
real 0m20.443s
user 0m11.992s
sys 0m6.923s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'
real 0m20.500s
user 0m12.008s
sys 0m7.054s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'
real 0m21.372s
user 0m12.013s
sys 0m7.225s
# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'
real 0m21.758s
user 0m12.396s
sys 0m7.513s
Sure it's a big RELATIVE speedup - but it's still only 25MB/s from /dev/zero to /dev/null. What's the remaining bottleneck?
ReplyDeleteto Milek: the speed of Blowfish should be exactly the same since n2cp doesn't support it and in that case the OpenSSL implementation is used, as before. I see the same numbers during my tests. Maybe if you repeat it a few times it will converge there.
ReplyDeleteto Anonymous: there are ways to speed it up - to precompute AES CTR stream in 64KB blocks, for example. For now, we didn't change the blocks sizes. More info is in my presentation. Also, you can see http://bugs.opensolaris.org/view_bug.do?bug_id=6749535.
Jan.