On Tue, Feb 20, 2001 at 11:32:35PM -0500, Simon Lvov wrote:
> The differentiator and advantage of alteon's isd-ssl box is that, aside from cryptoswifts,
> it has a dedicated CPU just for bulk encryption. This CPU doesn't do any additional
> functions, like healthchecks, routing (the box has a much simplified IP forwarding
> mechanism), or processing complex L4/7 rules. It is off the unencrypted data-path,
> and doesn't impose any additional bottlenecks. You can scale it by adding more
> boxes (all active) in parallel - load-sharing mode.
Well, F5 has this as well. You don't HAVE to put the cryptoswift in the
LB that you have doing your normal front end load balancing.
Most of the SSL accelerators I've been seeing are (in my opinion correctly)
moving toward the 1 arm mode. It allows the same kind of horizontal scalability
we love that we have in the web servers.
But I would not make this a big differentiator from alteon. Plus, with what you
are actually getting both from F5 and alteon, they both sure charge a heck
of a lot for an ssl accelerator card and an intel box!
On the other hand, there are some other up and coming boxes which do SSL
acceleration inline with the box. From what I had said before it would
seem that I shouldn't like these boxes. But they are doing all sorts of
other inpath data processing as well and it does make sense to combine
this functionality. It could also be argued that they are doing this
traffic separation inline. But then again these are the types of devices which
could in theory enable whole sites to be SSL accelerated with little impact.
> On more general note - when you compare cost of server-based solution to hardware
> ssl accelerators, don't forget to factor in cost and pains of maintenance of each
> individual server, software compatibility, upgrades, cert management, ability to have
> application-based persistency (cookies) for loadbalancing, and more...
Oh definitely. Management is a bitch. But is it 10x the bitch? That's about
what SSL accelerators are running right now. I think that's a way overinflated
number, and it should drop way down.
-Alex