感谢支持
我们一直在努力

压榨SCP传输速度

对于千兆网来说,带宽大致为125M/s,scp的速度约为40M/s,对于需要全量恢复数据库的时候(300G 左右的量),需要2个小时左右,很不能接受这种情况;

加快SCP传输速度需要考虑以下几点:

1、ssh加密算法的改变;(加密算法越弱速度越快在IDC内网间可以考虑使用)

2、数据完整校验方式改变;(MACs Message authentication code)

3、是否启用压缩;

4、磁盘性能问题;

man scp 可调整速率的大多在算法上,(亲测-B batch mode 对传输影响不大)

-c cipher  -o 完整性校验

ssh -v 调试ssh连接

关于以上问题的测试数据可参考:http://www.linuxidc.com/Linux/2014-01/95497.htm

加密算法可以采用 scp -c  aes192-cbc

数据完整性校验采用  scp -o ‘MACs umac-64@openssh.com’  关于此哈希算法

值得一提的是压缩,只要压缩后节省的传输时间大于压缩本身的时间;

压缩往往适用于: 网速慢;数据中大量重复、空洞的; 而对于压缩比很低的数据不建议使用SSH的传输压缩方式;最好在本地进行并行压缩后再传输;

加快压缩可以参考以下命令:

scp -c aes192-cbc -o “MACs umac-64@openssh.com”

 

Network Working Group                                          D. Miller
Internet-Draft                                                P. Valchev
Intended status: Standards Track                                 OpenSSH
Expires: March 6, 2008                                 September 3, 2007


          The use of UMAC in the SSH Transport Layer Protocol
                     draft-miller-secsh-umac-01.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 6, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This memo describes the use of the UMAC Message Authentication Code
   in the SSH transport protocol.









Miller & Valchev          Expires March 6, 2008                 [Page 1]

Internet-Draft     UMAC message authentication for SSH    September 2007


Table of Contents

   1.  Requirements notation . . . . . . . . . . . . . . . . . . . . . 3
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  MAC calculation . . . . . . . . . . . . . . . . . . . . . . . . 3
   4.  New MAC methods . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  umac-32 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.2.  umac-64 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.3.  umac-96 . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.4.  umac-128  . . . . . . . . . . . . . . . . . . . . . . . . . 4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
   7.  Normative References  . . . . . . . . . . . . . . . . . . . . . 5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 5
   Intellectual Property and Copyright Statements  . . . . . . . . . . 6




































Miller & Valchev          Expires March 6, 2008                 [Page 2]

Internet-Draft     UMAC message authentication for SSH    September 2007


1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].


2.  Overview

   SSH [RFC4251] is a popular protocol for secure remote login and data
   transfer on the Internet.  Among the security properties that SSH
   offers is integrity of communication against active adversaries.
   This integrity is provided in the SSH transport protocol [RFC4253]
   through the use of a per-packet Message Authentication Code (MAC).

   This memo describes the use of the UMAC Message Authentication Code
   [RFC4418] in the SSH transport protocol.  UMAC offers improved
   performance over the current HMAC-based MACs supported by SSH.
   Furthermore, UMAC represents a different cryptographic approach to
   message authentication to that of HMAC, and its use in SSH would
   provide a diversity that may be of benefit if HMAC or one of its
   underlying hash algorithms is found to be vulnerable to a new attack.

   UMAC offers a choice of four authentication tag sizes: 32, 64, 96 and
   128 bits.  This allows users to trade between fast, compact tags and
   longer tags that are slower to generate but offer better security.
   These four tag sizes are represented in the new MAC methods
   introduced in this memo: "umac-32", "umac-64", "umac-96" and "umac-
   128".


3.  MAC calculation

   Message authentication tags in the SSH transport protocol are
   specified to be calculated over the packet sequence number followed
   by the entire unencrypted packet:

           mac = MAC(key, sequence_number || unencrypted_packet)

   However, UMAC accepts a nonce as an explicit input to MAC
   calculation.  In order for the security proofs that accompany UMAC to
   apply, this nonce must never be repeated under a given key.  In the
   context of the SSH protocol, this may be achieved by using the packet
   sequence number as the nonce.  The sequence number is guaranteed to
   be unique over the life of the MAC key by the requirement that
   implementations perform a key re-exchange before the sequence number
   wraps (section 9.3.3 of [RFC4251]).




Miller & Valchev          Expires March 6, 2008                 [Page 3]

Internet-Draft     UMAC message authentication for SSH    September 2007


   To use the sequence number as the MAC nonce, it is encoded into a SSH
   protocol uint64 (as described in section 5 of [RFC4251]) and it is
   supplied to the UMAC algorithm instead of prepending it to the packet
   to be authenticated:

           mac = UMAC(key, sequence_number, unencrypted_packet)

   Where UMAC is one of the UMAC-32, UMAC-64, UMAC-96 or UMAC-128
   algorithms specified in [RFC4418], section 4.2, using the default
   underlying block cipher of AES-128.


4.  New MAC methods

   This memo introduces four new MAC methods, one for each UMAC
   authentication tag length specified in [RFC4418]: "umac-32",
   "umac-64", "umac-96" and "umac-128".

4.1.  umac-32

   Calculate message authentication tags using the UMAC-32 algorithm
   specified in [RFC4418], section 4.2.

4.2.  umac-64

   Calculate message authentication tags using the UMAC-64 algorithm
   specified in [RFC4418], section 4.2.

4.3.  umac-96

   Calculate message authentication tags using the UMAC-96 algorithm
   specified in [RFC4418], section 4.2.

4.4.  umac-128

   Calculate message authentication tags using the UMAC-128 algorithm
   specified in [RFC4418], section 4.2.


5.  Security Considerations

   As mentioned above, it is imperative that implementations perform a
   re-keying operation before reusing a packet sequence number as a UMAC
   nonce.  Implementations conforming to [RFC4251] are already required
   to do this.






Miller & Valchev          Expires March 6, 2008                 [Page 4]

Internet-Draft     UMAC message authentication for SSH    September 2007


6.  IANA Considerations

   IANA must assign the MAC Algorithm Names "umac-32", "umac-64",
   "umac-96" and "umac-128".


7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4251]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Protocol Architecture", RFC 4251, January 2006.

   [RFC4253]  Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
              Transport Layer Protocol", RFC 4253, January 2006.

   [RFC4418]  Krovetz, T., "UMAC: Message Authentication Code using
              Universal Hashing", RFC 4418, March 2006.


Authors' Addresses

   Damien Miller
   OpenSSH

   Email: djm@openssh.com


   Peter Valchev
   OpenSSH

   Email: pvalchev@openssh.com


















Miller & Valchev          Expires March 6, 2008                 [Page 5]

Internet-Draft     UMAC message authentication for SSH    September 2007


Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Miller & Valchev          Expires March 6, 2008                 [Page 6]
赞(0) 打赏
转载请注明出处:服务器评测 » 压榨SCP传输速度
分享到: 更多 (0)

听说打赏我的人,都进福布斯排行榜啦!

支付宝扫一扫打赏

微信扫一扫打赏