Re: [load balancing] Verisign and Load Balancers

From: Alex Samonte
Date: Wed Feb 21 2001 - 14:04:59 EST


    On Tue, Feb 20, 2001 at 11:32:35PM -0500, Simon Lvov wrote:
    > The differentiator and advantage of Alteon's isd-ssl box is that, aside from cryptoswifts,
    > it has a dedicated CPU just for bulk encryption. This CPU doesn't do any additional
    > functions, like healthchecks, routing (the box has a much simplified IP forwarding
    > mechanism), or processing complex L4/7 rules. It is off the unencrypted data-path,
    > and doesn't impose any additional bottlenecks. You can scale it by adding more
    > boxes (all active) in parallel - load-sharing mode.

    Well, F5 has this as well. You don't HAVE to put the cryptoswift in the
    LB that you have doing your normal front end load balancing.

    Most of the SSL accelerators I've been seeing are (in my opinion correctly)
    moving toward the 1 arm mode. It allows the same kind of horizontal scalability
    we love that we have in the web servers.

    But I would not make this a big differentiator from Alteon. Plus, with what you
    are actually getting both from F5 and Alteon, they both sure charge a heck
    of a lot for an SSL accelerator card and an Intel box!

    On the other hand, there are some other up and coming boxes which do SSL
    acceleration inline with the box. From what I had said before it would
    seem that I shouldn't like these boxes. But they are doing all sorts of
    other inpath data processing as well and it does make sense to combine
    this functionality. It could also be argued that they are doing this
    traffic separation inline. But then again these are the types of devices which
    could in theory enable whole sites to be SSL accelerated with little impact.

    > On a more general note - when you compare the cost of a server-based solution to hardware
    > SSL accelerators, don't forget to factor in the cost and pains of maintenance of each
    > individual server, software compatibility, upgrades, cert management, ability to have
    > application-based persistency (cookies) for load balancing, and more...

    Oh definitely. Management is a bitch. But is it 10x the bitch? That's about
    what SSL accelerators are running right now. I think that's a way overinflated
    number, and it should drop way down.

