Re: [load balancing] Verisign and Load Balancers

From: KJ & JC Salchow (salchowIZZATfrontiernet.net)
Date: Tue Feb 20 2001 - 18:43:57 EST

  • Next message: KJ & JC Salchow: "Re: [load balancing] Verisign and Load Balancers"

    ----- Original Message -----
    From: "Eric Gray" <egrayIZZATsitesmith.com>
    To: <lb-lIZZATvegan.net>
    Sent: Tuesday, February 20, 2001 12:05 PM
    Subject: Re: [load balancing] Verisign and Load Balancers

    > I spoke to Rainbow recently and they indicated that bulk encryption was
    > not available in their products. But that might have changed. I am
    > aware of efforts to produce hardware bulk encryption by other vendors.
    >

    I guess I did mispeak here - I've been told that they were working on it,
    and it sounded like they were almost ready for production - I must have been
    speaking to a sales guy, huh?

    >
    > Recently, I did this very thing in our lab. I was able to get about 210
    > conn/sec, at which point the CPU is saturated.

    I wasn't trying to knock on Alex about this - I said I'd never seen it.
    What interests me about this is that my understanding - at least of the F5 -
    was that the card was rated at 200 tps, and even F5 admits that you'll never
    see that. But additionally, I understood that anything over that tps, the
    F5 would simply drop the requests. What your numbers almost say is that
    once the Rainbow card has been saturated, the F5 doesn't drop the packets,
    but attempts to handle the DH exchange all by itself. That would definetly
    kill the CPU. I could understand if that was what was happening - as I
    never liked the "drop the packet" answer myself, so maybe they changed it to
    handle "flash" traffic?

    >
    > The load client I used was http_load compiled with OpenSSL. It does not
    > cache or reuse sessions, so each request is a new one. The file
    > requested was less than 1k.

    Whew! Good thing you weren't testing throughput :-)

    >
    > I am a fan of the BIG-IP, but the SSL solution is not appropriate for
    > every site. A separate dedicated group of SSL boxes is much more
    > scalable. Of course F5 makes those too.
    >
    Agreed.

    > Eric
    Ken



    This archive was generated by hypermail 2b30 : Tue Feb 20 2001 - 18:46:11 EST