mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-23 13:01:10 +01:00
8998619212
the bandwidth of long fat pipes (i.e. 100Mbps+ trans-oceanic or trans-continental links). Bandwidth-delay products up to 64MB are supported. Also add support (not compiled by default) for the None cypher. The None cypher can only be enabled on non-interactive sessions (those without a pty where -T was not used) and must be enabled in both the client and server configuration files and on the client command line. Additionally, the None cypher will only be activated after authentication is complete. To enable the None cypher you must add -DNONE_CIPHER_ENABLED to CFLAGS via the make command line or in /etc/make.conf. This code is a style(9) compliant version of these features extracted from the patches published at: http://www.psc.edu/networking/projects/hpn-ssh/ Merging this patch has been a collaboration between me and Bjoern. Reviewed by: bz Approved by: re (kib), des (maintainer)
121 lines
5.7 KiB
Plaintext
121 lines
5.7 KiB
Plaintext
Notes:
|
|
|
|
NONE CIPHER:
|
|
To use the NONE option you must have the NoneEnabled switch set on the server
|
|
and you MUST have *both* NoneEnabled and NoneSwitch set to yes on the client.
|
|
The NONE feature works with ALL ssh subsystems (as far as we can tell)
|
|
as long as there is no tty allocated.
|
|
If a user uses the -T switch to prevent a tty being created the NONE cipher
|
|
will be disabled.
|
|
|
|
|
|
PERFORMANCE:
|
|
The performance increase will only be as good as the network and TCP stack
|
|
tuning on the reciever side of the connection allows. As a rule of thumb a
|
|
user will need at least 10Mb/s connection with a 100ms RTT to see a doubling
|
|
of performance.
|
|
The HPN-SSH home page http://www.psc.edu/networking/projects/hpn-ssh
|
|
describes this in greater detail.
|
|
|
|
|
|
BUFFER SIZES:
|
|
- if HPN is disabled the receive buffer size will be set to the OpenSSH default
|
|
of 64K.
|
|
|
|
- if a HPN system connects to a non-HPN system the receive buffer will
|
|
be set to the HPNBufferSize value. The default is 2MB but user adjustable.
|
|
|
|
- If a HPN to HPN connection is established a number of different things might
|
|
happen based on the user options and conditions.
|
|
|
|
Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
|
|
Result: HPN Buffer Size = up to 64MB
|
|
This is the default state. The HPN buffer size will grow to a maximum of
|
|
64MB as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB
|
|
is geared towards 10GigE transcontinental connections.
|
|
|
|
Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
|
|
Result: HPN Buffer Size = TCP receive buffer value.
|
|
Users on non-autotuning systesm should disable TCPRcvBufPoll in the
|
|
ssh_cofig and sshd_config
|
|
|
|
Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
|
|
Result: HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
|
|
This would be the system defined TCP receive buffer (RWIN).
|
|
|
|
Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
|
|
Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
|
|
Generally there is no need to set both.
|
|
|
|
Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
|
|
Result: HPN Buffer Size = grows to HPNBufferSize
|
|
The buffer will grow up to the maximum size specified here.
|
|
|
|
Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
|
|
Result: HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
|
|
Generally there is no need to set both of these, especially on autotuning
|
|
systems. However, if the users wishes to override the autotuning this would
|
|
be one way to do it.
|
|
|
|
Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
|
|
Result: HPN Buffer Size = TCPRcvBuf.
|
|
This will override autotuning and set the TCP recieve buffer to the user
|
|
defined value.
|
|
|
|
|
|
HPN SPECIFIC CONFIGURATION OPTIONS:
|
|
|
|
- HPNDisabled=[yes/no] client/server
|
|
In some situations, such as transfers on a local area network, the impact
|
|
of the HPN code produces a net decrease in performance. In these cases it is
|
|
helpful to disable the HPN functionality. By default HPNDisabled is set to no.
|
|
|
|
- HPNBufferSize=[int]KB client/server
|
|
This is the default buffer size the HPN functionality uses when interacting
|
|
with non-HPN SSH installations. Conceptually this is similar to the TcpRcvBuf
|
|
option as applied to the internal SSH flow control. This value can range from
|
|
1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause
|
|
performance problems depending on the roud trip time of the network path.
|
|
The default size of this buffer is 2MB.
|
|
|
|
- TcpRcvBufPoll=[yes/no] client/server
|
|
Enable or disable the polling of the TCP receive buffer through the life
|
|
of the connection. You would want to make sure that this option is enabled
|
|
for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista,
|
|
FreeBSD 7.x and later). Default is yes.
|
|
|
|
- TcpRcvBuf=[int]KB client
|
|
Set the TCP socket receive buffer to n Kilobytes. It can be set up to the
|
|
maximum socket size allowed by the system. This is useful in situations where
|
|
the TCP receive window is set low but the maximum buffer size is set higher
|
|
(as is typical). This works on a per TCP connection basis. You can also use
|
|
this to artifically limit the transfer rate of the connection. In these cases
|
|
the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
|
|
Default is the current system wide TCP receive buffer size.
|
|
|
|
- NoneEnabled=[yes/no] client/server
|
|
Enable or disable the use of the None cipher. Care must always be used when
|
|
enabling this as it will allow users to send data in the clear. However, it
|
|
is important to note that authentication information remains encrypted even
|
|
if this option is enabled. Set to no by default.
|
|
|
|
- NoneSwitch=[yes/no] client
|
|
Switch the encryption cipher being used to the None cipher after
|
|
authentication takes place. NoneEnabled must be enabled on both the client
|
|
and server side of the connection. When the connection switches to the NONE
|
|
cipher a warning is sent to STDERR. The connection attempt will fail with an
|
|
error if a client requests a NoneSwitch from the server that does not
|
|
explicitly have NoneEnabled set to yes.
|
|
Note: The NONE cipher cannot be used in interactive (shell) sessions and it
|
|
will fail silently. Set to no by default.
|
|
|
|
|
|
CREDITS:
|
|
|
|
This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
|
|
The majority of the actual coding for versions up to HPN12v1 was performed
|
|
by Michael Stevens (mstevens@andrew.cmu.edu).
|
|
The MT-AES-CTR cipher was implemented by Ben Bennet (ben@psc.edu).
|
|
This work was financed, in part, by Cisco System, Inc., the National Library
|
|
of Medicine, and the National Science Foundation.
|