Monday, December 17, 2007

OpenSSH over high speed networks

We run gigabit Ethernet in the network at work. I noticed that my actual throughput on scp transfers was in the 200Mbit/s range. Iperf wirespeed tests indicated over 900Mbit/s. Now, obviously encryption will bring about some cost, but that seemed a bit much to me, so I set out to try tuning things a bit. As a result, I think I can confidently make the following recommendations to those running OpenSSH over high speed networks:

1) Upgrade your SSH server. OpenSSH 4.3 was about 1/3 faster than various 3.6 or 3.9.
2) Turn off compression. This just slows you down over a high speed network. This should be done on the server side.
3) Use blowfish. In /etc/ssh/ssh_config (the client configuration file), set:

    Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Blowfish was a bit faster than AES on the systems I tested.

The net effect was a boost to ~350Mbit/s, which is a significant improvement.
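
To repeat the comparison on your own hardware, the following added example (not from the original post) times a fixed-size transfer through ssh once per cipher in the list above, with compression off. `BENCH_HOST` and `BENCH_MB` are assumed variable names and GNU `date` and `dd` are assumed; ciphers the local client does not support are skipped, which matters because OpenSSH 7.6 and later removed blowfish-cbc, cast128-cbc and arcfour.

```bash
#!/usr/bin/env bash
# Added example: per-cipher ssh throughput check. BENCH_HOST and
# BENCH_MB are assumed environment variables, not part of OpenSSH.

# The client-side cipher preference line quoted in the post.
CIPHER_LINE='Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc'

# Convert bytes moved and elapsed seconds to whole Mbit/s.
mbits() {  # usage: mbits BYTES SECONDS
    awk -v b="$1" -v s="$2" \
        'BEGIN { if (s <= 0) s = 0.001; printf "%d\n", b * 8 / s / 1000000 }'
}

# Split a "Ciphers a,b,c" line into one cipher name per line.
cipher_list() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*Ciphers[[:space:]]*//' | tr ',' '\n'
}

# Pass through only ciphers this client supports (ssh -Q: OpenSSH 6.3+).
supported() {
    avail=$(ssh -Q cipher 2>/dev/null)
    while read -r c; do
        printf '%s\n' "$avail" | grep -qx -- "$c" && printf '%s\n' "$c"
    done
    return 0
}

# Push MB mebibytes through one ssh session and print Mbit/s.
bench() {  # usage: bench HOST MB CIPHER
    start=$(date +%s.%N)   # sub-second timestamps need GNU date
    dd if=/dev/zero bs=1M count="$2" 2>/dev/null |
        ssh -o Compression=no -c "$3" "$1" 'cat > /dev/null' || return 1
    end=$(date +%s.%N)
    mbits $(( $2 * 1048576 )) \
        "$(awk -v a="$start" -v b="$end" 'BEGIN { print b - a }')"
}

# Runs only when a target host is named, e.g. BENCH_HOST=fileserver.
if [ -n "${BENCH_HOST:-}" ]; then
    for c in $(cipher_list "$CIPHER_LINE" | supported); do
        if r=$(bench "$BENCH_HOST" "${BENCH_MB:-512}" "$c"); then
            printf '%-14s %s Mbit/s\n' "$c" "$r"
        else
            printf '%-14s failed\n' "$c"
        fi
    done
fi
```

Key-based login to the target host keeps password prompts out of the timing.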
