On Wed, Mar 30, 2005 at 05:19:50PM -0500, Waters, G Scott RDECOM(THE LOG.SEC TEAM) wrote:
Does anyone have any experience with SMB signing??
We recently applied a DEBUG version of DoT 6.5.3 to our F760 in order to take advantage of SMB signing - a feature that won't be available until a later release of DoT 7.x - which won't be available for the F760's.
With the SMB signing turned on we are seeing a much higher load on the filer's CPUs. NetApp analyzed some Performance Data and say that the SMB signing module is adding a 30% load to our FILER CPUs.
What would you think?
<snip>
SMB signing also has a large impact on windows servers, I have heard at least one story from the trenches about clients enabling smb signing with windows patches and the poor bewildered windows server operator wondering why his servers are suddenly so overloaded. So, I would imagine adding encryption would have a significant overhead. You might feel lucky that you know the cause and how to prevent it. I would say it all depends on what the other 70% of your cpu is doing. Also, assuming traffic does not increase alot with a faster filer, the percentage would most likely decrease.
Instead of balking about it in entirety, I would inquire about the applicability of using a hardware crypto card in the netapp to offload this extra load. I'm not an expert on these cards, but if they would provide a benefit, then netapp would just have to code for that too and sell an appropriate card.