Tuesday, October 07, 2008

Niagara2+ ssh improvements

Recently ssh/openssl changes have been integrated into ssh so if runing on Niagara-2 CPUs ssh will automatically, take advantage of buitl-in HW Crypto. So let's see what improvement we can expect.

Below is a chart of total time it took to transfer over ssh about 500MB using different ciphers.


As you can see there is a very nice improvement and it's out of the box - no special configs, no tuning - it just works.


Details below.


Solaris 10 5/08

# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'

real 0m52.635s
user 0m48.256s
sys 0m4.195s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'

real 0m39.705s
user 0m34.744s
sys 0m3.884s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'

real 0m34.551s
user 0m29.169s
sys 0m4.273s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'

real 1m5.420s
user 0m54.914s
sys 0m3.963s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'

real 0m52.227s
user 0m47.970s
sys 0m3.937s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'

real 2m27.648s
user 2m23.886s
sys 0m4.071s


Open Solaris build 99

# time dd if=/dev/zero bs=1024k count=500 | ssh root@localhost 'cat >/dev/null'

real 0m20.478s
user 0m12.028s
sys 0m6.853s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c blowfish root@localhost 'cat >/dev/null'

real 0m43.196s
user 0m38.136s
sys 0m4.031s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c arcfour root@localhost 'cat >/dev/null'

real 0m20.443s
user 0m11.992s
sys 0m6.923s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-cbc root@localhost 'cat >/dev/null'

real 0m20.500s
user 0m12.008s
sys 0m7.054s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c aes128-ctr root@localhost 'cat >/dev/null'

real 0m21.372s
user 0m12.013s
sys 0m7.225s

# time dd if=/dev/zero bs=1024k count=500 | ssh -c 3des root@localhost 'cat >/dev/null'

real 0m21.758s
user 0m12.396s
sys 0m7.513s

2 comments:

  1. Sure it's a big RELATIVE speedup - but it's still only 25MB/s from /dev/zero to /dev/null. What's the remaining bottleneck?

    ReplyDelete
  2. to Milek: the speed of Blowfish should be exactly the same since n2cp doesn't support it and in that case the OpenSSL implementation is used, as before. I see the same numbers during my tests. Maybe if you repeat it a few times it will converge there.

    to Anonymous: there are ways to speed it up - to precompute AES CTR stream in 64KB blocks, for example. For now, we didn't change the blocks sizes. More info is in my presentation. Also, you can see http://bugs.opensolaris.org/view_bug.do?bug_id=6749535.

    Jan.

    ReplyDelete