I've run into a problem and I'm looking for a new secure protocol/client/server that's faster over a 1Gb/s fibre link - let me tell you the story...
- I have a pair of redundant, diversely-routed, 1Gb/s links over a distance of around 250 miles or so (not dark fibre but a dedicated point to point link, not a mesh).
- At the 'client' end I have an HP DL380 G5 (2 x dual-core 2.66GHz Xeons, 4GB, Windows 2003EE 32-bit); at the 'server' end I have an HP BL460c G6 (2 x quad-core 2.53GHz Xeons, 48GB, Oracle Linux 5.3 64-bit).
- I need to transfer around 500 x 2GB files per week from the client to the server machines - but the transfer NEEDS to be secure.
- Using either iPerf or regular FTP I can get ~80MB/s of transfer pretty consistently, which is great.
- Using WinSCP or Windows SFTP I can't seem to get more than ~3-4MB/s; at this point the server's CPU is >3% busy while CPU0 of the client goes to ~30% utilised. We've tried editing various TCP window sizes with little success.
Both ends are connected to quite low-usage Cisco Cat6509's with Sup720's.
I can replace the client machine with a newer machine and/or move it to Linux - but this will take time.
Clearly these single-threaded secure Windows clients are introducing too much latency doing their encryption.
So a few questions/thoughts:
- Are there any higher performing secure protocols or client software for Windows that I could try? I'm pretty protocol-agnostic so long as it'll work between Windows and Linux.
- Should I be using hardware to do the encryption, either in the client or the network parts? If so what would you recommend?
- I'm not convinced that just swapping the server would be that much faster, the CPU was only at 30% but then again that's higher than I'd have expected given the load - moving to Linux at the client end may be a better idea but would be quite disruptive.
- Am I missing a trick?
Thanks in advance.
Compress and encrypt the files in place, then transfer the encrypted copies using your known high speed "iPerf or regular FTP." If necessary, add an additional small file with the encryption key or keys necessary. That key file can be transferred with scp or sftp because it will be so small, the performance hit won't matter.
Another alternative: Have you tried ftps vice sftp and scp? I don't know if there's a general speed difference (overall, it should be small, but the specific libraries/clients/servers you use may make a difference).
You did the right thing by checking the CPU loading and otherwise actually looking for the cause of the performance hit. From what you said, hardware encryption or server upgrade will not be a help, although if you want all traffic between your sites private setting up a VPN either via hardware or software would mean you can set it up once and not worry about it.
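The "encrypt in place, ship the ciphertext over the fast channel, ship only the key over scp/sftp" approach from the answer above, as an added example that is not code from the original thread. It assumes OpenSSL's command-line tool (1.1.1 or later, for `-pbkdf2`), gzip and a POSIX shell on both ends; every path and file name in it is hypothetical. The one thing the answer leaves implicit is integrity: plain FTP gives you none, so the example appends an HMAC over the ciphertext and the receiver checks it before decrypting.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes OpenSSL 1.1.1+
# (for -pbkdf2), gzip and a POSIX shell; every path here is hypothetical.
set -eu

# One random 256-bit key per batch, hex-encoded. This small file is the only
# thing that needs the slow-but-secure channel (scp/sftp); a compromise of one
# key exposes one batch, not the whole history.
make_batch_key() {               # make_batch_key <keyfile>
    openssl rand -hex 32 > "$1"
    chmod 600 "$1"
}

# Compress, then encrypt with AES-256-CBC (key and IV derived from the key
# file via PBKDF2 and a fresh salt), then write an HMAC-SHA256 of the
# ciphertext beside it. Plain FTP gives no integrity, so the MAC is what lets
# the receiver reject a tampered or truncated file before decrypting it.
seal_file() {                    # seal_file <keyfile> <plaintext> <out.enc>
    keyfile=$1; src=$2; out=$3
    gzip -c "$src" | openssl enc -aes-256-cbc -salt -pbkdf2 \
        -pass "file:$keyfile" -out "$out"
    openssl dgst -sha256 -hmac "$(cat "$keyfile")" "$out" \
        | awk '{print $NF}' > "$out.hmac"
}

# Receiver side: check the MAC first (encrypt-then-MAC), and only then
# decrypt and decompress. Returns 1 and writes nothing on a mismatch.
open_file() {                    # open_file <keyfile> <in.enc> <plaintext-out>
    keyfile=$1; in=$2; out=$3
    expected=$(cat "$in.hmac")
    actual=$(openssl dgst -sha256 -hmac "$(cat "$keyfile")" "$in" | awk '{print $NF}')
    if [ "$expected" != "$actual" ]; then
        echo "HMAC mismatch for $in, refusing to decrypt" >&2
        return 1
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" -in "$in" \
        | gzip -dc > "$out"
}

# Round trip on a constructed sample, plus a tamper check. Prints "ok" and
# returns 0 only if the plaintext survives and a modified ciphertext is
# rejected.
round_trip_demo() {
    work=$(mktemp -d)
    printf 'constructed sample payload: batch 1, file 1\n' > "$work/f1.txt"
    make_batch_key "$work/batch.key"
    seal_file "$work/batch.key" "$work/f1.txt" "$work/f1.enc"
    open_file "$work/batch.key" "$work/f1.enc" "$work/f1.out"
    [ "$(cat "$work/f1.txt")" = "$(cat "$work/f1.out")" ] || return 1
    printf 'x' >> "$work/f1.enc"            # simulate corruption in transit
    if open_file "$work/batch.key" "$work/f1.enc" "$work/f1.bad" 2>/dev/null; then
        return 1                             # tampering must be detected
    fi
    rm -rf "$work"
    echo ok
}

case "${1:-}" in demo) round_trip_demo ;; esac
```

In use, `file.enc` and `file.enc.hmac` go over FTP (or whatever gives you the 80MB/s), and only `batch.key` goes over sftp. Because the MAC is keyed with the same batch key, an attacker on the FTP path cannot forge a matching `.hmac` without it, and a mismatch stops the receiver before the ciphertext is ever fed to the decryptor. `-salt` is what makes it safe to encrypt many files under one batch key; the salt is stored in the ciphertext header, so nothing extra has to travel with the file.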
I have never used this, but this module that works with Catalyst 6500s claims it can do 2.5 Gb/s IPSec on the wire. At least with Cisco routers, you can also limit what the IPSec is applied to on an IP/port pair, but it seems like it might be good to encrypt everything anyway.
This is obviously not the cheap option (maybe go open source), but with dual 1Gb links, sounds like you guys have a little cash.
(I feel like I work for Cisco marketing all of the sudden.)
You could also have a go at getting built-in Windows IPSec to talk to IPSec on Linux (something like OpenSwan). I would be surprised if that "just worked" though.