Re: [load balancing] Verisign and Load Balancers

From: Michael Batchelder (binkyIZZATcertaintysolutions.com)
Date: Wed Feb 21 2001 - 20:25:18 EST

  • Next message: Alex Samonte: "Re: [load balancing] Verisign and Load Balancers"

    I believe someone's implemented SSL in WebStone, but the web site
    (www.mindcraft.com) doesn't mention it, so it hasn't been included in
    the official development source.

    Michael

    Tim Nelson wrote:
    >
    > We use an app called ACT (ApplicationCenterTest) which is part of
    > Application Center 2000 from Microsoft.
    >
    >
    > -----Original Message-----
    > From: Titus, Tim
    > Sent: Wed 2/21/2001 9:01 AM
    > To: lb-lIZZATvegan.net
    > Cc:
    > Subject: RE: [load balancing] Verisign and Load Balancers
    >
    > All of this talk about SSL connections and it makes me wonder:
    >
    > What kind of SSL load testing software is there out there?
    >
    >
    > -Tim Titus------------------------------
    > Director, Internet Operations, NCS Learn
    > -----<www.NCSlearn.com>-----------------
    >
    >
    >
    > -----Original Message-----
    > From: timnIZZATmicrosoft.com [mailto:timnIZZATmicrosoft.com]
    > Sent: Tuesday, February 20, 2001 8:37 PM
    > To: lb-lIZZATvegan.net
    > Subject: RE: [load balancing] Verisign and Load
    > Balancers
    >
    >
    >
    > Rainbow is too expensive, so is nCipher, and any of the
    > front end devices.
    >
    > Our OS is W2k ADVServer, SP2 -with schannel.dll fix.
    >
    > Here are our finalists:
    >
    > Atalla's AXL300 Card sells on the street for $1495. We
    > tested it and were able to manage 285cps on a 2x833Mhz, cpu was about
    > 67%. Compaq says they scale linearally, up to 8 in a box (if you had the
    > slots, and the bus didn't bottleneck). If you have an app that supports
    > CRT, they claim you could double your cps.
    >
    > Broadcom's solution comes in at less than $1000. It
    > supports up to 600cps and with the same server config as above, managed
    > around 560cps, cpu at 85%.
    >
    >
    >
    > --- Original message ---
    > From: Alex Samonte
    > Sent: Tue 2/20/2001 7:51:19 PM
    > To: lb-lIZZATvegan.net
    > Subject: Re: [load balancing] Verisign and Load
    > Balancers
    >
    >
    > On Tue, Feb 20, 2001 at 06:13:14PM -0600, KJ & JC
    > Salchow wrote:
    > >
    > > > If Eric cares to speak up even F5 admitted to us
    > this was a problem. One
    > > > they hoped would be taken care of by SMP (or just
    > putting bigger procs in
    > > > there)
    > > >
    > > Of course the issue here with your testing is that I
    > bet you a box of
    > > doughnuts that every vendor you tested used the
    > Rainbow chipset. So, what
    > > kind of choices can we make? Like I told Eric, I'm
    > not doubting you, I was
    > > just having trouble swallowing the stats based on my
    > experience, so, given
    > > you obviously can do a lot more testing than I can,
    > I'll go with your
    > > numbers. Which brings us back to, what choices do we
    > have?
    >
    > Well, for the short term you don't have a lot of
    > choices.
    > Rainbow is by far the most popular and widely used.
    > There is also
    > Attala that Compaq OEMs and, nCipher, and Phobos (they
    > make the load balancer
    > of the future....in joke...)
    >
    > Right now most people are using off the shelf rainbow
    > cards. There are some
    > network gear vendors out there doing it with broadcom
    > chipsets (which I believe
    > were BlueSteel before they were aquired), many people
    > are starting to utilize
    > geneeral VPN accelerators with SSL (for doing DeS
    > stuff).
    >
    >
    > There are also several stealth startups which are doing
    > some pretty cool
    > stuff with SSL accelerators in excess of what is
    > available today.
    >
    > I would venture to say that the people making their own
    > SSL chipsets I can
    > count on two hands, but It's still a lot better than
    > just 1. Even with
    > what's existing today you have choices, but the best one
    > so far isn't all
    > that great. Be patient there's more stuff coming!
    >
    > > For your white paper, you might want to mention the
    > above mention of the
    > > Rainbow chipset. If, and I suspect you are correct,
    > the Internet goes
    > > entirely crypto - what ever the means (SSL/TLS being
    > the obvious choice) -
    > > which will require everyone to use SSL accelerators,
    > what are the
    > > consequences of one company having so much control
    > over that aspect of
    > > commerce, information dissemination, and secrecy?
    > Then, once you're done
    > > turning Rainbow over the the Feds - can you work on
    > Verisign?? :-0
    >
    > An interesting thought. I'm not saying that the entire
    > internet will become
    > crypto. But that it will be so easy to do so (atleast
    > with commercial
    > hardware) the big sites would just do it by default.
    >
    > But from what I have seen there are so many
    > implementations of SSL (both in
    > hardware and software) no one is going to have a
    > controlling stake in it
    > in the same way people were paranoid about the skipjack
    > stuff.
    >
    > In all reality, we know that SSL doesn't really buy us
    > much. People will
    > break into the database if they want all the info, not
    > sniff the traffic
    > (atleast on the server side). It can be broken, and
    > sometimes with not much
    > computing effort. But it makes people feel better. And
    > if a wide
    > acceptance of SSL happens it will definately benefit the
    > client side so you
    > don't have some disgruntled network admin sniffing corp
    > traffic and stealing
    > all the execs logins to their online brokerage and bank
    > accounts.
    >
    > Let me leave you with this interesting thought on SSL
    > accelerators. From our
    > testing we can get 100 conn/s out of a PIII-800 running
    > mod_ssl. Obviously
    > it maxes out the CPU at that point. Let's just say for
    > example I wanted
    > 200 conn/s of SSL. That PIII-800 box costs me about
    > 1.5-3K each. How much does
    > 1 cryptoswift 200 cost? How much does it cost when F5
    > sells it to you? Or
    > Intel, or alteon? (plus I still need to buy the server).
    >
    > -Alex
    >
    >
    > ------------------------------------------------------------------------
    > Name: winmail.dat
    > winmail.dat Type: application/ms-tnef
    > Encoding: base64



    This archive was generated by hypermail 2b30 : Wed Feb 21 2001 - 20:22:41 EST