AIX

 View Only
  • 1.  AIX SSH performance, POWER hardware acceleration?

    Posted Fri June 21, 2024 11:39 AM
    Edited by Russell Adams Fri June 21, 2024 11:39 AM

    Has anyone been able to use the POWER9 compression and encryption hardware acceleration with SSH?

    Unfortunately scp seems to always have poor performance, I was hoping it could be faster with the hardware acceleration. I understand that may have to be setup on both client and server, so let's assume they are both AIX with access to HW acceleration.

    The only reference I have found is an undocumented sshd_config "EnableHWCompression" parameter buried in the release notes of OpenSSH 9 on the MRS site.

    https://www.ibm.com/resources/mrs/assets/DirectDownload?source=aixbp&lang=en_US#lang=en_US

    (fixed link)

    This version includes other fixes part of previous fileset release:
    -------------------------------------------------------------------------------------------------------
    Fix for APAR Draft 17902: sshd may corrupt SYSENVIRON and affect at jobs
    Fix for APAR IJ40247: sshd memory leak and core when multiplexing/connection sharing
    Fix for Apar Draft 17855 : ssh public key authentication fails if no password defined
    Fix for APAR IJ38179 : sshd won't work in Trusted Aix environment.
    Fix for CVE-2021-41617 : privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured
    Fix for APAR IJ32806 : A PIPED COMMAND TO SSH COULD RETURN EAGAIN.
    Fix for APAR IJ33264 : OPENSSH 8.X DOES NOT SET PAG VALUE
    Introducing new configuration option fipsforopenssh which enforces the following configuration:
      - PubkeyAcceptedKeyTypes rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384
      - Ciphers aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com
      - MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
      - KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
      - DRBG uses aes256-ctr as the default
    Addition of a new configuration option EnableHwCompression to make use of Hardware compression feature in Power9 and above

    It makes no mention of encryption. Given the single threaded nature of scp, I think both encryption and compression acceleration would be helpful.



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------



  • 2.  RE: AIX SSH performance, POWER hardware acceleration?

    Posted Sun June 23, 2024 07:22 PM
    Edited by Chris Gibson Sun June 23, 2024 07:26 PM

    There's a little more information in these blog posts:

    Performance improvement in openssh with on-chip data compression accelerator in power9 
    https://community.ibm.com/community/user/power/blogs/swetha-narayana/2021/07/27/performance-improvement-in-openssh-with-on-chip-da

    GZIP Acceleration with AIX on Power Systems 
    https://community.ibm.com/community/user/power/blogs/brian-veale1/2022/03/14/gzip-acceleration-with-aix-on-power-systems




  • 3.  RE: AIX SSH performance, POWER hardware acceleration?

    IBM Champion
    Posted Mon June 24, 2024 02:28 AM
    Edited by Joerg Kauke Mon June 24, 2024 02:29 AM

    Hello Russel,

    we have tested a lot with ssh / scp and compression.
    Result in short was the following:
    on a fast connection between the lpars you want to transfer file, the transfer rate with scp drops to 80 MB/s. Without compression and using the option "Ciphers aes256-gcm@openssh.com" in the ssh_config we have a transferrate of 300 MB/s.
    Our hardware is a Power1080 with a 100GB adapter.
    With a slower network connections compression could increase the transferrate, but it depends on the file.

    kind regards,
    Joerg



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------



  • 4.  RE: AIX SSH performance, POWER hardware acceleration?

    Posted Wed June 26, 2024 08:52 AM
    Edited by Sandeep Umesh Wed June 26, 2024 09:00 AM

    Hello

    Can you try with the latest OpenSSH 9.2.112.2400 version provided in web download pack: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssh

    It has a prereq for OpenSSL 1.1.2.2400 version available at : https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl

    In 9.2 openssh version, community has changed the default cipher to chacha20-poly1305 algorithm. This algorithm does not use the Power in-core accelerator. So, from 9.2.112.2400 version, the default Cipher is changed to aes128-ctr which should improve the performance for scp transfer.

    Thanks

    Regards

    Sandeep Umesh

    AIX Opensource Security



    ------------------------------
    Sandeep Umesh
    ------------------------------



  • 5.  RE: AIX SSH performance, POWER hardware acceleration?

    Posted Wed June 26, 2024 09:21 AM
    On Wed, Jun 26, 2024 at 12:52:07PM +0000, Sandeep Umesh via IBM TechXchange Community wrote:
    > Can you try with the latest OpenSSH 9.2.112.2400 version provided in web download pack:
    >
    >
    > https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssh
    >
    >
    > It has a prereq for OpenSSL 1.1.2.2400 version available at : https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl
    >
    > This version of openssh has a change in default Cipher to aes128-ctr which should improve the performance for scp transfer.

    That sounds great, except now AIX is using OpenSSL v3!

    I've also already got a ticket open with IBM about the security of
    files on the MRS site, as I have no way to authenticate those downloads.


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 6.  RE: AIX SSH performance, POWER hardware acceleration?

    Posted Wed June 26, 2024 09:35 AM

    ok, then it is not required to update openssl fileset, however we recommend to update to latest openssl 3 available in web pack: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl

    We have now introduced multiple methods to check the integrity of packages provided through MRS site.

    You can refer to the Readme file provided along with package which gives details about checking the integrity.

    Thanks

    Regards

    Sandeep Umesh

    AIX Opensource Security



    ------------------------------
    Sandeep Umesh
    ------------------------------



  • 7.  RE: AIX SSH performance, POWER hardware acceleration?

    Posted Wed June 26, 2024 10:06 AM
    On Wed, Jun 26, 2024 at 01:35:24PM +0000, Sandeep Umesh via IBM TechXchange Community wrote:
    > ok, then it is not required to update openssl fileset, however we
    > recommend to update to latest openssl 3 available in web pack:
    > https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=openssl

    > We have now introduced multiple methods to check the integrity of packages provided through MRS site.
    > You can refer to the Readme file provided along with package which gives details about checking the integrity.

    Indeed! I see the new signature file and readme.

    You published the checksum, and a method for signature validation
    inside AIX using the certificate already distributed with the
    OS. That's huge progress!

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 8.  RE: AIX SSH performance, POWER hardware acceleration?

    IBM Champion
    Posted Mon July 01, 2024 09:07 AM

    Hello Sandeep,

    just tested the new versions of openssl and openssh...

    Now scp with compression is faster then with the old version, but still not that fast as without compression:

    #:~:scp -C /tmp/test.large.file svrsinst1-0:/tmp/test.large.file-1
    test.large.file                                                                                                            100% 2048MB 179.4MB/s   00:11
    #:~:scp /tmp/test.large.file svrsinst1-0:/tmp/test.large.file-1
    test.large.file                                                                                                            100% 2048MB 342.4MB/s   00:05



    ------------------------------
    Joerg Kauke
    Unix Administrator
    COOP Switzerland
    ------------------------------