RE: [load balancing] Verisign and Load Balancers

Date: Tue Feb 20 2001 - 23:37:05 EST


    Rainbow is too expensive, so is nCipher, and any of the front end devices.
    Our OS is W2k ADVServer, SP2 -with schannel.dll fix.
    Here are our finalists:
    Atalla's AXL300 Card sells on the street for $1495. We tested it and were able to manage 285cps on a 2x833 MHz, CPU was about 67%. Compaq says they scale linearly, up to 8 in a box (if you had the slots, and the bus didn't bottleneck). If you have an app that supports CRT, they claim you could double your cps.
    Broadcom's solution comes in at less than $1000. It supports up to 600cps and with the same server config as above, managed around 560cps, CPU at 85%.
    --- Original message ---
    From: Alex Samonte
    Sent: Tue 2/20/2001 7:51:19 PM
    Subject: Re: [load balancing] Verisign and Load Balancers

    On Tue, Feb 20, 2001 at 06:13:14PM -0600, KJ & JC Salchow wrote:
    > > If Eric cares to speak up even F5 admitted to us this was a problem. One
    > > they hoped would be taken care of by SMP (or just putting bigger procs in
    > > there)
    > >
    > Of course the issue here with your testing is that I bet you a box of
    > doughnuts that every vendor you tested used the Rainbow chipset. So, what
    > kind of choices can we make? Like I told Eric, I'm not doubting you, I was
    > just having trouble swallowing the stats based on my experience, so, given
    > you obviously can do a lot more testing than I can, I'll go with your
    > numbers. Which brings us back to, what choices do we have?

    Well, for the short term you don't have a lot of choices.
    Rainbow is by far the most popular and widely used. There is also
    Atalla that Compaq OEMs and, nCipher, and Phobos (they make the load balancer
    of the joke...)

    Right now most people are using off the shelf Rainbow cards. There are some
    network gear vendors out there doing it with Broadcom chipsets (which I believe
    were BlueSteel before they were acquired), many people are starting to utilize
    general VPN accelerators with SSL (for doing DES stuff).

    There are also several stealth startups which are doing some pretty cool
    stuff with SSL accelerators in excess of what is available today.

    I would venture to say that the people making their own SSL chipsets I can
    count on two hands, but it's still a lot better than just 1. Even with
    what's existing today you have choices, but the best one so far isn't all
    that great. Be patient, there's more stuff coming!

    > For your white paper, you might want to mention the above mention of the
    > Rainbow chipset. If, and I suspect you are correct, the Internet goes
    > entirely crypto - whatever the means (SSL/TLS being the obvious choice) -
    > which will require everyone to use SSL accelerators, what are the
    > consequences of one company having so much control over that aspect of
    > commerce, information dissemination, and secrecy? Then, once you're done
    > turning Rainbow over to the Feds - can you work on Verisign?? :-0

    An interesting thought. I'm not saying that the entire internet will become
    crypto. But that it will be so easy to do so (at least with commercial
    hardware) the big sites would just do it by default.

    But from what I have seen there are so many implementations of SSL (both in
    hardware and software) no one is going to have a controlling stake in it
    in the same way people were paranoid about the skipjack stuff.

    In all reality, we know that SSL doesn't really buy us much. People will
    break into the database if they want all the info, not sniff the traffic
    (at least on the server side). It can be broken, and sometimes with not much
    computing effort. But it makes people feel better. And if a wide
    acceptance of SSL happens it will definitely benefit the client side so you
    don't have some disgruntled network admin sniffing corp traffic and stealing
    all the execs' logins to their online brokerage and bank accounts.

    Let me leave you with this interesting thought on SSL accelerators. From our
    testing we can get 100 conn/s out of a PIII-800 running mod_ssl. Obviously
    it maxes out the CPU at that point. Let's just say for example I wanted
    200 conn/s of SSL. That PIII-800 box costs me about 1.5-3K each. How much does
    1 CryptoSwift 200 cost? How much does it cost when F5 sells it to you? Or
    Intel, or Alteon? (plus I still need to buy the server).


    This archive was generated by hypermail 2b30 : Tue Feb 20 2001 - 23:50:05 EST