From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail.mainstreetsoftworks.com (mail.mainstreetsoftworks.com [216.155.126.6]) by mail.saout.de (Postfix) with SMTP for ; Mon, 27 Jun 2011 17:47:56 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by mail.mainstreetsoftworks.com (Postfix) with ESMTP id 5B51319C007E for ; Mon, 27 Jun 2011 11:38:45 -0400 (EDT)
Received: from mail.mainstreetsoftworks.com ([127.0.0.1]) by localhost (mail.mainstreetsoftworks.com [127.0.0.1]) (amavisd-new, port 10026) with SMTP id mMIZyqSP97A3 for ; Mon, 27 Jun 2011 11:38:45 -0400 (EDT)
Received: from [192.168.11.138] (shop.monetra.com [216.155.101.90]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.mainstreetsoftworks.com (Postfix) with ESMTPSA id 3DC4219C007C for ; Mon, 27 Jun 2011 11:38:45 -0400 (EDT)
Message-ID: <4E08A404.4010009@monetra.com>
Date: Mon, 27 Jun 2011 11:38:44 -0400
From: Brad House
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [dm-crypt] Recommended modes for performance (SMP+AES-NI)
To: dm-crypt@saout.de

We're in the process of building a new fileserver which will be using dm-crypt, and are trying to get a game plan together on what mode of operation will be best for a good ratio of performance and security. Initially the machine will be a 6-core Xeon which supports the AES-NI instruction set, but a second identical CPU may be dropped-in, in the future. It will be connected to the network by at least one 10Gbps NIC.

Obviously, we'll be making sure to use 2.6.38 or higher in order to utilize the multi-cpu scaling enhancements to dm-crypt:
http://kernelnewbies.org/Linux_2_6_38#head-49f5f735853f8cc7c4d89e5c266fe07316b49f4c

I think we've settled on AES-256, but may entertain AES-128 if there is a huge performance difference as I think AES-128 is still considered sufficiently safe for our purposes.

So, the question is mainly what mode of operation would be best?
 - cbc-essiv
 - ctr-{plain64|essiv}
 - xts-{plain64|essiv}
 - are there any others I should be considering?

NOTE: I'm not sure if essiv is even an option for CTR or XTS modes, I'd like feedback on that, as well as what the security implications are...

At this point, I'm leaning towards CTR mode, mainly because it was designed explicitly to be parallelizable:
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29

And it appears Intel has explicitly submitted a patch to optimize dm-crypt for AES-NI with this mode of operation:
http://lwn.net/Articles/376562/

I know "test it" is going to be the obvious answer, and we will, but I don't want to make any decisions that could severely impact security for a little extra speed. Well, that, and our hardware is on order and probably won't be in for 3 weeks ;)

Any suggestions/feedback would be greatly appreciated.

Thanks!
-Brad