Dear Slashdot: You get what you pay for

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

Dear Slashdot: You get what you pay for

posted on Friday, April 17, 2009 4:56 AM

Open Source SSL Accelerator solution not as cost effective or well-performing as you think

o3 Magazine has a write up on building an SSL accelerator out of Open Source components. It’s a compelling piece, to be sure, that was picked up by Slashdot and discussed extensively.

If o3 had stuck to its original goal – building an SSL accelerator on the cheap – it might have had better luck making its arguments. But it wanted to compare an Open Source solution to a commercial solution. That makes sense, the author was trying to show value in Open Source and that you don’t need to shell out big bucks to achieve similar functionality. The problem is that there are very few – if any – commercial SSL accelerators on the market today. SSL acceleration has long been subsumed by load balancers/application delivery controllers and therefore a direct comparison between o3’s Open Source solution and any commercially available solution would have been irrelevant; comparing apples to chicken is a pretty useless thing to do.

To the author’s credit, he recognized this and therefore offered a complete Open Source solution that would more fairly be compared to existing commercial load balancers/application delivery controllers, specifically he chose BIG-IP 6900. The hardware platform was chosen, I assume, based on the SSL TPS rates to ensure a more fair comparison. Here’s the author’s description of the “full” Open Source solution:

The Open Source SSL Accelerator requires a dedicated server running Linux. Which Linux distribution does not matter, Ubuntu Server works just as well as CentOS or Fedora Core. A multi-core or multi-processor system is highly recommended, with an emphasis on processing power and to a lesser degree RAM. This would be a good opportunity to leverage new hardware options such as Solid State Drives for added performance. The only software requirement is Nginx (Engine-X) which is an Open Source web server project. Nginx is designed to handle a large number of transactions per second, and has very well designed I/O subsystem code, which is what gives it a serious advantage over other options such as Lighttpd and Apache. The solution can be extended by combining a balancer such as HAproxy and a cache solution such as Varnish. These could be placed on the Accelerator in the path between the Nginx and the back-end web servers.

o3 specs out this solution as running around $5000, which is less than 10% of the listed cost of a BIG-IP 6900. On the surface, this seems to be quite the deal. Why would you ever purchase a BIG-IP, or any other commercial load balancer/application delivery controller based on the features/price comparison offered?

Turns out there are quite a few reasons; reasons that were completely ignored by the author.

CHAINING PROXIES vs INTEGRATED SOLUTIONS

While all of the moving parts cited by the author (Nginx, Apache, HAproxy, Varnish) are all individually fine solutions, he suggests combining them to assemble a more complete application delivery solution that provides caching, Layer 7 inspection and transformation, and other advanced functionality. Indeed, combining these solutions does provide a deployment that is closer to the features offered by a commercial application delivery controller such as BIG-IP.

Unfortunately, none of these Open Source components are integrated. This necessitates an architecture based on chaining of proxies, regardless of their deployment on the same hardware (as suggested by the author) or on separate devices; in path, of course, but physically separated.

Chaining proxies incurs latency at every point in the process. If you chain proxies, you are going to incur latency in the form of:

TCP connection setup and teardown processing
Inspection of application data (layer 7 inspection is rarely computationally inexpensive)
Execution of functionality (caching, security, acceleration, etc…)
Transfer of data between proxies (when deployed on the same device this is minimized)
Multiple log files

This network sprawl degrades response time by adding latency at every hop and actually defeats the purposes for which they were deployed. The gains in performance achieved by offloading SSL to Nginx is almost immediately lost when multiple proxies are chained in order to provide the functionality required to match a commercial application delivery controller.

A chained proxy solution adds complexity, obscures visibility (impacts ability to troubleshoot) and makes audit paths more difficult to follow. Aggregated logging never mentioned, but this is a serious consideration, especially where regulatory compliance enters the picture. The issue of multiple log files is one that has long plagued IT departments everywhere, as they often require manual aggregation and correlation – which incurs time and costs. A third party solution is often required to support troubleshooting and transactional monitoring, which incurs additional costs in the form of acquisition, maintenance, and management not considered by the author.

Soft costs, too, are ignored by the author. The configuration of the multiple Open Source intermediaries required to match a commercial solution often require manual editing of configuration files; and must be configured individually. Commercial solutions – and specifically BIG-IP – reduce the time and effort required to configure such solutions by offering myriad options for management – standards-based API, scripting, command line, GUI, application templates and wizards, central management system, and integration as part of other standard data center management systems.

COMPRESSION SHOULD NEVER BE A BINARY CONFIGURATION

The author correctly identifies that offloading compression duties from back-end servers to an intermediary can result in improved performance of the application and greater efficiencies of the servers. NGinx supports industry-standard gzip compression.

The problem with this – and there is a problem – is that it is not always beneficial to apply compression. Years of extensive experience and testing prove that the use of compression can actually degrade performance. Factors such as size of application payload, type of content, and the speed of the network on which the application data will be transferred should all be considered when making the decision to compress or not compress.

This intelligence, this context-awareness, is not offered by this Open Source solution. o3’s solution is on or off, with nothing in between. In situations where images are being delivered over a LAN, for example, this will not provide any significant performance benefit and in fact will likely degrade performance. Certainly NGinx could be configured to ignore images, but this does not solve the problem of the inherent uselessness of trying to compress content traversing a LAN and/or under a specific length.

SECURITY

Another overlooked item is security. Not just application security, but full TCP/IP stack security. The Open Source solution could easily add mod_security to the list to achieve parity with the application security features available in commercial solutions. That does not address the underlying stack security. The author suggests running on any standard Linux platform. To be sure, anyone building such a solution for deployment in a production environment will harden the base OS; potentially using SELinux to further lock down the system. No need to argue about this; it’s assumed good administrators will harden such solutions.

But what will not be done – and can’t be done – is securing the system against network and application attacks. Simple DoS, ARP poisoning, SYN floods, cookie tampering. The potential attacks against a system designed to sit in front of web and application servers are far more lengthy than this, but even these commonly seen attacks will not be addressed by o3’s Open Source solution. By comparison, these types of attacks are part and parcel of BIG-IP; no additional modules or functionality necessary.

Furthermore, the performance numbers provided by o3 for their solution seem to indicate that testing was accomplished using 512-bit key certificates. A single Opteron core can only process around 1500 1024-bit RSA operations per second. This means an 8-core CPU could only perform approximately 12,000 1024-bit RSA ops per second – assuming that’s all they were doing. 512-bit keys run around five times faster than 1024-bit. The author states: “The system had no problems handling over 26,590 TPS” which seems to indicate it was not using the industry standard 1024-bit key based on the core capabilities of the processors to process RSA operations. In fact, 512-bit key certificates are no longer supported by most CAs due to their weak key strength.

Needless to say, if the testing used to determine the SSL TPS for BIG-IP were to use 512-bit keys, you’d see a marked increase in the number of SSL TPS in the data sheet.

YOU GET WHAT YOU PAY FOR

Look, o3 has a put together a fairly cool and cheap solution that accomplishes many of the same tasks as a commercial application delivery controller. That’s not the point. The point is trying to compare a robust, integrated application delivery solution with a cobbled together set of components designed to mimic similar functionality is silly.

Not only that, the logic that claims it is more cost efficient is flawed.

Is the o3 solution cheaper? Sure- as long as we look only at acquisition. If we look at cost to application performance, to maintain the solution, to troubleshoot, and to manage it then no, no it isn’t. You’re trading in immediate CAPEX cost savings for long-term OPEX cost outlays.

And as is always the case, in every market, you get what you pay for. A $5000 car isn’t going to last as long or perform as well as the $50,000 car, and it isn’t going to come with warranties and support, either. It will do what you want, at least for a while, but you’re on your own when you take the cheap route.

That said, you are welcome to do so. It is your data center, after all. Just be aware of what you’re sacrificing and the potential issues with choosing the road less expensive.

Related blogs and articles:

Technorati Tags: MacVittie,F5,SSL,SSL acceleration,open source,Slashdot,o3,opteron,anandtech,security,performance,cost,opex,capex,proxies,latency,web,internet,blog

Feedback

4/17/2009 7:28 AM
		The tone of your response is rather snarky which makes your otherwise very valid points just seem like you are a little bitter somebody "cobbled" together something which is essentially as good as your product (even if its OPEX is greater)
Morgan

4/17/2009 7:37 AM
		Just so many sour grapes. There's nothing to see here. Move along.
Rex

4/17/2009 7:44 AM
		Running scared eh ? Yes, text based configuration files are harder. Yes the chain of proxies slows things down. But guess what ? I can throw dual Xenon 5500's octacores at the problem today and upgrade 18 months later just by swapping out the motherboard and double my throughput every 18 months. Lets see a BigIP box which could do that. for $50,000 I could buy an entire cluster of 10 nehalem based dual processor octa core boxes. Lets see your BigIP box beat that. Warranties and support ? I can buy 10 boxes for every one of your big ip boxes. I can pay a net admin to sit and watch the thing every single day and still come out ahead. BigIP is too expensive and you know it. Open source will eventually eat your lunch. Your business model is obsolete. Deal with it.
Zound

4/17/2009 8:01 AM
		The car analogy is a bad one. It is possible to get a decent $5,000 used car with an extended warranty, and one that may outlast the $50,000 car. Now, the $5,000 car may have higher annual cost and maintenance. While the $50,000 car will likely have a bumper to bumper warranty for several years/miles, a warranty where you any annual maintenance costs will have been included in the $50,000 price tag. Maintenance costs aside, that $50,000 price tag is inflated because of brand-name recognition. Also, that $50,000 car is a status symbol which the buyer is willing to pay a premium. The price tag often has little to do with the functionality, performance, or manufacturing costs of a product. A good example of this is a $25 Timex and a $10,000 Rolex. The $25 Timex may actually keep better time, and last longer than the Rolex. The $10,000 Rolex costs roughly $200 to manufacture, but the reason people will pay that inflated premium for the Rolex is "status" and "brand-name recognition". I am not rejecting the notion that the F5 Big-IP products have added value that a home-brewed solution cannot provide. But using a $5,000 car vs a $50,000 car is a ridiculous analogy. Otherwise, you bring up some great points about how the home-brewed solution could use some improvement.
Eric Wolfe

4/17/2009 8:12 AM
		This is the time where a car analogy does not work with relation to computing systems. If you were to examine Consumer Report's car reviews (get the Consumer Report's annual big book) and look at the long term value and longevity, for example, a Mercedes sedan which has a MSRP of about $50k and a Honda Accord or even a Hyundai Sedan priced, you will notice that PRICE does NOT compare with long term longevity and upkeep. The lower purchase price of the Hondas and Hyundais does not correlate to the higher price and worse quality and upkeep cost of the Mercedes in any way. Your car analogy does not work. ...looks like someone else does not agree with the car analogy as well...
Eugene

4/17/2009 8:24 AM
		Ever heard of appliance VMs? VMs and syslog obviate about half the argument about integration. Yeah, it's hard to do this integration but it only needs to be done once. Then it's done. Since the VMs and the "network" are all running on the same box the "network" performance of the chained proxies can happen accross the backplane. That's likely to be pretty damn good. That pretty good is likely to drive somebody to set up some sort of integrated web based gui for this collections of VMs. That probably comes close to doing %80 of what a BigIP does. This won't come anywhere close to killing BigIP much less compete with it feature-wisethis year but it's days of market dominance like most pay software are numbered. Special purpose hardware has been regularly obsoleted in the history of computing by advances in the capabilities of general purpose CPUs. The multi-core systems like nehalem are game changing and it's likely that it won't just be load-balancers that shift back to general purpose architectures. The server software world will one day belong to pre-packaged assemblages of VMs configured via XML.
John

4/17/2009 8:37 AM
		"The point is trying to compare a robust, integrated application delivery solution with a cobbled together set of components designed to mimic similar functionality is silly." Try to explain that to Google and their commodity hardware server: http://news.cnet.com/8301-1001_3-10209580-92.html
Thiago

4/17/2009 9:26 AM
		Appliance VM's and virtual switching aren't necessarily going to help performance here, at least not much. The issue isn't with moving traffic across a network so much as simply with the number of TCP connections needed to move that traffic between a half dozen components in the OSS model. Opening those connections takes time virtual or not. VM's and virtual networks could speed up transfer of a significant payload, sure, but that's not the type of performance being discussed. In the integrated model F5 offers there is a significant performance gain simply because the traffic is accepted and processed using a single (ingress) tcp connection. There is no need to "loop" the traffic in circles each time one piece of logic has been applied. I believe O3 presented a "quick and dirty" solution that could work well in lab environments or for organizations with very limited budgets (like most of us these days I assume). However, it's not a scalable or supportable solution in a mid-size or large production environment. Regardless, the original article and the F5 response have been entertaining to read!
John

4/17/2009 9:41 AM
		"But what will not be done – and can’t be done – is securing the system against network and application attacks. Simple DoS, ARP poisoning, SYN floods, cookie tampering." All of the above can be addressed in the solution. Just as you mentioned, any good sysadmin will have locked the system down, and that includes configuring the O/S IP stack and firewall(netfilter). And modsecurity does an excellent layer7 job, better than many commercial devices I've worked with. We've used a very similar solution (Linux/Apache/MosSecurity/HAproxy) for many years, and it has proven stable, reliable and easy to support. And it has also proven to be a very scalable solution. A couple of years ago we demo'd a BigIP box, and we still went with an open source solution. Flexibility was a big factor in the decision and a "closed" device, like the BigIPs, just can't compete in that area.
Todd

4/17/2009 10:10 AM
		The author of the original o3 article works for Nortel and used to work for Alteon, of course he hates any LTM. No matter how many cores you throw at a bucket brigade of proxies, the incremental latency of such solution will always bite you due to context switching and data passing. While solutions like the one mentioned in the article are clever and cheap, they are unacceptable for any site of reasonable size. As websites scale up, solutions like that simply fall on their face. LTMs work well in the high end and provide a flexibility that these limited solutions can not. That is why they exist. There is room in the world for the clever little unsupportable solutions but given the business cost of losing a big site the ROI on commercial solutions is easy to justify. Thiago - Google's hardware is tied to their use of distributed databases and content serving. Their setup is specifically designed to solve that problem, the solution is inappropriate to the places a solution like the one in the article mentions. Where I put that "commodity hardware" is in nodes behind a LTM/ASM not up front. Up front they have very nice and expensive hardware (http://gigaom.com/2007/11/18/google-making-its-own-10gig-switches/).
Asted Hamaki

4/17/2009 10:26 AM
		Information Security more than just "locking down the server and service". A good solution will continue with ongoing, proactive vulnerability detection, intrusion detection, change management, backups, and sound audit policies. By leveraging the lower cost open source solution, I can install a suite of readily available COTS, and Open Source tools, such as Tripwire, Splunk, PowerBroker, NetBackup, TeamQuest, and so on, directly on the system in question to provide a more complete security posture than I can with a closed proprietary appliance. That said, a general purpose system would probably have more places the bad guys could install stuff too. How would I know though?
rotten

4/17/2009 10:31 AM
		Zounds comments crack me up. I think this article, while straight forward, misses the larger point. The 6900 isn't designed to just be an SSL offloader. That's just a bonus side feature built into a larger feature set of application delivery functionality through perimiter packet content defence and load balancing applications. Like previous people, sure I could throw mad processors at the problem but by that point, you've defeated the SSL offload requirement. Your web server for the same price would be large enough to handle SSL transactions. The 6900 is designed to handle millions of requests across hundreds of computers, and as an ADDED BONUS, SSL offloading is provided. This allows you to then use a Google model of inexpensive low end computers for your data center. I'm sorry but throwing 10 Opensource servers isn't going to cut it because those servers are not designed to handle that much traffic. Remember those 6900 series have MAD bandwidth. That and custom built boards with custom hardware ASIC functionality designed just for Layer 4 to 7 functionality, your open source solution suddenly just turned into a rack of servers.... and yet, you still have to build a team of developers to figure out the low level logic. On it's own, you would be silly to get a 6900 (higher end model) for just OpenSSL offloading, but that's not why people buy them.
Chaser

4/17/2009 10:40 AM
		Excellent well though out blog you bring up alot of good points about adopting opens source. Only thing is I know for a fact that the F5 has a linux OS under the hood. I also tried to find the source code on www.f5.com and couldn't. Can you please tell me where I can download modified source that F5 uses on its F5's?
Rob

4/17/2009 10:57 AM
		Overall, some good points on the value of Big-IP over the o3 contraption! Like most technical arguments, we could argue on a variety of those points such as whether or not GNU/Linux can be configured to defend against DoS, ARP poisoning, etc. What strikes me, though, is the attitude. This article looks like a challenge that includes some great pointers on building an Open Source solution that fully integrates these capabilities and puts F5 out of the load-balancer business. Also I want to note that from my ~20 years of experience in IT, you don't always get what you pay for. There is a lot of expensive crap out there. From model to model of every hardware vendor, for example, one can never be sure of the reliability or weird BIOS issues one will run into. For a monumental example of expensive crap from a name-brand vendor, look at Microsoft Sharepoint. Overly complex for the simplest features, caveats at every corner requiring you to start again from installation on up... mismatched interface styles and idiosyncrasies galore.
Matthew C. Tedder

4/17/2009 11:11 AM
		@morgan, @Matthew My apologies if I came across as "too snarky". I tend to always write with an edge, that's just my particular "voice". Given that this is a blog and not an "official" response, I did not see a need to modify that voice. However, perhaps I should. I will definitely consider that if the situation arises again. Lori
Lori MacVittie

4/17/2009 11:24 AM
		The design of LTM makes the changes off the base Centos distro very minimal. F5 support can give you a tarball of the packages if you are a customer but you will find it to be only a few minor tweaks. All the good stuff is isolated into the non-GPL portion of the box. The Linux side is just so that F5 can use Apache and OpenSSH for the UI but none of the fun stuff is in there.
Support Monkey

4/17/2009 11:46 AM
		@Support Monkey "The Linux side is just so that F5 can use Apache and OpenSSH for the UI but none of the fun stuff is in there." OK, but even in this case, where can we get the source code for the linux kernel and distro used on F5 products?
Hander

4/17/2009 11:53 AM
		The author makes some good points, and most of the comments seem a little off base. The author's main point is that the value is in their software. A $5K commodity server packs the same punch as one of their boxes, there is little doubt about that. The counter argument is that current FOSS stacks. 1: Are lacking some features 2: Are more difficult to administer 3: Do not yet have the performance 4: The default security tends to be lesser than BigIP, with the exception of SELinux enabled distros. He also points out that this was not an apples to apples comparison since the keys were of different sizes, which closes the performance gap. From the FOSS side, there are a couple good counter arguments. A number of FOSS distributions are geared to be a network appliance, and are direct competitors to F5. These distros perform much better in network management roles than vanilla UES or RHEL . It is these distros that we should use for comparison, and not retartedly insecure server operating systems like UES. Personally, I wrote off o3's article the second that they indicated that SSDs would boost network performance (with the exception of caching/proxy performance). F
Frank

4/17/2009 12:02 PM
		I'm a big fan of BigIP mainly for the flexibility & manageability of the platform in general although I think the criticism of an open source approach is a little over zealous. In my opinion It is as you intimate horses for courses, something the o3 article also failed to mention, if you work for a large corporation the cost of an F5 implementation can be easily absorbed by the benefits of having an easy to manage solution. I'm also a Big fan of open source solutions but where I'd happily deploy a potentially difficult to manage & support solution for testing, in production I much prefer to use technology with extensive vendor support and a well known interface (GUI.....gasp). In conclusion, I'd liked to have see a more balanced (no pun intended) argument for both sides, possibly along the lines of.... Testing / Proof of concept / very tight budget / unlimited time for deployment & support? = Open Source. High availability, mission critical in a five nines enterprise environment ? = F5. Just my 2c. ;-)
Not Very Anon..

4/17/2009 12:18 PM
		>Furthermore, the performance numbers provided by o3 for their solution >seem to indicate that testing was accomplished using 512-bit key >certificates. A single Opteron core can only process around 1500 >1024-bit RSA operations per second. Not as sure about that as you are. You appear to be taking the output of the Opteron 880 output and dividing by eight to get your 1500 figure. These benchmarks are done on a part from 2006. The hardware cited in the o3 article was dual processor AMD Opteron 2380 2.5GHz a 2008 part. It doesn't seem all that far fetched to say that, for CPU intensive tasks like Signs/s that the 2380 is say 2-3x faster. Which makes it at least plausible that it's doing 1024bit keys.
The Guy

4/17/2009 12:32 PM
		Excellent article Lori! I saw this out on Slashdot yesterday and was hoping that someone from F5 would do a true comparison. Lets face it folks, if you are big enough to be processing that kind of traffic you would be foolish not be using F5 products. They really are the best on the market. I have been using their products for a while now and I am a huge fan. Their stuff works outstandingly well and I don't understand why some folks are saying their pricing is to high. We literally replaced AN ENTIRE RACK of equipment when we brought our first BIG-IP onboard. We are saving $200,000 a year just because of the fact we don't have to keep service contracts on all that old equipment! Not to mention when you have a cobbled together solution it is a heck of a lot harder to troubleshoot... Just my two cents worth. -TheF5Guy www.TheF5Guy.com
TheF5Guy

4/17/2009 12:53 PM
		@Hander Support Monkey said that you can get if from support if you're a customer, and that is all well and good according to the GPL.
Rob

4/17/2009 1:02 PM
		I haven't read the article, however, I don't think it chose the right platform if he wanted to take potshots at SSL commercial accelerators. He should have chosen A Sun Niagara for a comparision. (from a an old solaris zone lying around ... 1 core ) $ openssl speed -engine pkcs11 rsa1024 engine "pkcs11" set. Doing 1024 bit private rsa's for 10s: 8203 1024 bit private RSA's in 0.38s Doing 1024 bit public rsa's for 10s: 21638 1024 bit public RSA's in 0.75s OpenSSL 0.9.7d 17 Mar 2004 (+ security patches to 2006-09-29) built on: date not available options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial) blowfish(ptr) compiler: information not available available timing options: TIMES TIMEB HZ=100 [sysconf value] timing function used: times sign verify sign/s verify/s rsa 1024 bits 0.0000s 0.0000s 21586.8 28850.7 $ uptime 3:39pm up 441 day(s), 17 min(s), 3 users, load average: 0.36, 0.23, 0.20 22k signs /second without any appreciable cpu usage (remember this is a 32 core machine .36 is _nothing_) running two openssl benches in parallel yield me 42000 signs per second. I can have not cared to try and saturate the chip ... If somebody wants to run the numbers please do .... http://www.sun.com/servers/coolthreads/t1000/ ($3000) So for anyone thinking ... oh yeah .. I need more than 1500 s/p get me an f5 ... consider hiring talent ... and buying _one_ Niagara ... I don't know what the numbers using Linux on Niagara are ... but either opensolaris or Linux have advantages over a 'black box' ... Invest in your people not in vendor magic. There is substantial value to having the knowledge in-house. This matters in emergencies. This matters for planning. OSS is tremendous here.
Garick

4/17/2009 2:44 PM
		DevCentral Top5 04/17/2009
Colin Walker

4/17/2009 2:53 PM
		Lori, I find some valid points in your response, even if you sound very much defensive. I agree with your points about integration, tuning, user interface, logging, etc... in fact all points which generally make the difference between an assembly of out-of-the box components and a finished product. However I don't agree on 3 points : - having everything tied together in one single box makes your product the bottleneck one day, whatever its performance. And sometimes it happens earlier than expected because you turn on compression or SSL. There's nothing more frustrating than saturating your load-balancer. I'm a big advocate of architectures with single-points doing almost nothing but do it fast and well (IPVS, haproxy) and CPU eaters distributed on as many boxes as required. In this case, there is nothing wrong with starting small with all components on the same box, then progressively taking the more expensive ones out to new cheap pizza boxes. IPVS can easily to 100k L4 sessions/s on a $1000 box. Haproxy can easily do 40k L7 sessions/s. At these rates, you should only have one load balancer and as many compressors/encryptors/caches as you need, and you should not be forced to create congestion between all of them on a single appliance. This is called scalability. - Concerning the number of SSL TPS, it's not interesting to only know which one of the opteron or F5 does more 1024bit RSA keys per second, as most sites will return more than one object per user in SSL and the session key will be reused for several requests. So it's interesting to know how many SSL transactions can be performed with key renegociations every 1-100 transactions. Most often you will notice that only one recent machine is enough even for very big sites. My experiences range from 1600 to 5000 SSL TPS on a single-core opteron 1.8 GHz, depending on the renegociation rates. And if it that's not enough, just apply the scalability principle above, stuff more pizza boxes at SSL. - layer 7 processing is not necessarily expensive. Haproxy can parse an average HTTP request in less than one microsecond. It is in fact faster on HTTP than on TCP because it can predict on which side the traffic is expected to come from. Layer 7 can be almost as fast as a correct L4 implementation (ie not one which does not care about TCP sequence numbers and causes trouble with sessions expiring too fast). If you need to process 100k layer 7 requests per second on a 3 GHz machine which does an average of 2 instructions per cycle, you have 60000 instructions to process every request. That's huge just for URL matching and protocol validation. Remember, processors are way faster now than they were in 1999. And you know it because the proxies you put in your Big-IPs are obviously based on the same programming models and take advantage of this raw CPU power. My recommendations would be for anyone with a small to medium site to go for the open source solutions indicated above, hire some very skilled admins or support contracts when system/network stack tuning becomes necessary, then turn to a commercial product as soon as they need to patch their kernel to get the most out of it, since that's not a viable long-term solution for many businesses.
Willy

4/17/2009 5:12 PM
		I have a F5 running and I've never ever think about assembling an open source solution. But your response is very weak. The bigip and the OSS solution are two DIFFERENT products aimed at DIFFERENT markets. Seems like you are scared.....
Diego

4/17/2009 5:44 PM
		The adage that "you get what you pay for" is a misnomer. For example generic Indian pharmeceutical medications are much cheaper and of superior quality than western branded products! The basic linux setup discribed in the original article can be modified and since it has free software it can be modified as people will lke it. WHy should people spend ten times as much more money in this recession just for a brand name and then paying support if something goes wrong.
prof A. Ponniah

4/17/2009 9:41 PM
		The trouble with OS solutions is that more often than not, they end up as bespoke solutions “cobbled together” by clever engineers who may not necessarily stick around once the project is complete. It’s all about risk. Companies, whose IT infrastructure is critical to their success (or existence!), need a solution that is of least risk to them both at implementation time and after. Savvy IT decision makers know that “large” upfront costs are part and parcel of successful, supportable, stable, high performing IT deployments. They also know that these upfront costs can be tiny compared to those associated with broken SLAs etc.
Ichalis

4/18/2009 12:05 AM
		Lori, This is a nice damage control marketing piece, reading through the comments, I'm quite pleased to see that few people fall for those tactics these days. Keep in mind that the article was only intended to make the SSL accelerator technology more accessible to folks who see the cost of commercial solutions as a barrier to entry. The fact that a Technical Marketing employee at F5 went to this level of trouble is quite interesting. Might I suggest you do a little more research next time, as your counter-points had more holes in them than swiss cheese! :) I've pointed a few of them out on the blog... http://o3magazine.blogspot.com/2009/04/ssl-accelerator-strikes-nerve-with-f5.html Enjoy!
John Buswell

4/18/2009 2:38 AM
		RE: TheF5Guy said "We literally replaced AN ENTIRE RACK of equipment when we brought our first BIG-IP onboard." In the software world, I have replaced 4,000 lines of code with 14 lines. It was several orders of magnitude faster and sleeker in every way. Your anecdotal evidence is appreciated, but meaningless here! There's lots of crap out there, and that's really all you seem to be observing! You aren't really participating in the debate about what this article was about!
Donny Viszneki

4/18/2009 3:17 AM
		@Diego You're the second person to say "you sound scared". That seems to be a fairly typical response in the face of a reply to what is essentially a difference of opinion. Neither I, nor F5, is "scared" of o3's solution - or any other solution. We believe our solution is the best option and as indicated by many responses, other people believe their chosen option is the best solution. Would you prefer a bland, pedantic response? Something written by marketing that very carefully chooses all the right words? If you want to interpret my words as "scared" I can't stop you but it's an incorrect interpretation. Lori
Lori MacVittie

4/18/2009 3:23 AM
		The same old tired arguments for closed, proprietary systems. O3 wasn't saying the BigIP sucks. In fact, I'm pretty sure that anyone that's ever used one thinks very highly of the devices. They've always been good products. What they were saying is that you CAN build this type of device yourself. It's up to the company to decide, but you have the option. So, here you come puking the same old tired arguments instead of making ones. "Single Vendor" "Security" (through obscurity..) "Support" blah blah. Yea, we know all that. You should keep your mouth shut and let the product stand on its own. If you're that worried about this stuff, why don't you lower the price a bit? Geez, I didn't expect this from F5.
Joe

4/18/2009 3:26 AM
		@o3 magazine, I've read your posted response - very nice. I've also left you a comment correcting your misconceptions regarding both me and the BIG-IP. Thanks!
Lori MacVittie

4/18/2009 7:50 AM
		Lori, Thanks for the quick response! I replied back to your comments on my blog, it would be great if you could clarify with answers to some of the questions I posed to you there. In particular to the use of Linux on the F5 platform and how Fast Cache actually works. Thanks
John Buswell

4/18/2009 8:49 AM
		Thanks for the most enjoyable debate/argument or whatever you would call it, it is fantastic to get everyone spirited to talk about something and perhaps someone will make a more informed choice because of it.
Chetan Bhatt

4/19/2009 2:55 PM
		>It’s all about risk. Companies, whose IT infrastructure is critical >to their success (or existence!), need a solution that is of least >risk to them both at implementation time and after. Savvy IT decision >makers know that “large” upfront costs are part and parcel of >successful, supportable, stable, high performing IT deployments. They >also know that these upfront costs can be tiny compared to those >associated with broken SLAs etc. See I work in one of those businesses to be honest- who doesn't. I mean how many medium sized businesses these days could operate if their core switches all died? If they can't I'd call their IT infrastructure as critical. If they could get away with no network for some period of time it would seem an incredibly small number of them would use SSL accelerators. That said...and actually being a decision maker - I don't see buying at the network or network application layer as one-sided as you do. Although buying something from a company (as opposed to engineering one) can be posed as risk distribution but it can just as easily posed the other way. The crucial difference I see is based on having software development skills in house - including those contained in your admins. The risk and overall cost of an OSS solution in an environment where you have a reasonable development staff could easily be lower than that of F5. Especially if as, F5 people here tend to argue here that F5 is bringing more to the table. Clearly a solution that does less would have a lower maintenance cost. Not to mention that the actual benefit of those features to your business might simply be not worth the money. Also some of the claims of Lori are a little weird. Her benchmark comparison as I pointed out is dubious and as others have pointed out irrelevant. Multiple log files? Uh ever heard of using an aggregation tool? Compression - sure it's not always beneficial but it's interesting how that doesn't matter. What actually matters is the question: Does applying it in all cases (or perhaps to everything but images) degrade performance to a statistically (and after you demonstrate that to an operationally) significant degree. Which is an interesting question I often pose when I'm in the middle of a build/buy discussion. One other thing, although we own a few network devices of this sort we don't own anything by Big-IP and most people here seem to be focusing on the purchase price. Generally given a 5yr lifespan the support charges of these devices tend to overshadow the purchase price...or does F5 provide that service for free? On a personal note Ichalis and well lots of the other folk here should look up the logical flaw of "prejudicial language"
That Guy

4/20/2009 2:28 PM
		Hey John from OC3, You claim to be an expert on all things layer 2 - 7, but, you admit in your on blog that you "forgot" about iRules? How do you miss one of the most import features in the market leading product? On the positive side, you did help engineer the alteon/nortel/radware product...How has that worked out?
That other guy

4/22/2009 11:48 PM
		@That other guy I don't think my expertise on the topic was ever called into question. I'm not going to be as familiar with the F5 offering as an F5 employee or customer. To be perfectly honest with you there are issues with the iRules concept and as an engineer I would have to question the sanity and the potential performance / security impact of such a feature. That worked out very well for me thanks, I've made a ton of money of L2-L7 :) Actually, I'm currently working on a solution that does ADC functionality on the hypervisor, eliminating the need for ADCs like F5's product line.
John Buswell

8/15/2009 10:12 AM
		Matthew +1
will

8/16/2009 2:54 PM
		Invest in your people not in vendor magic
uspeh

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 2 and 7 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		617		Comments		1136
Stories		0		Trackbacks		328

	Tag Cloud
	acceleration application delivery application security architecture BIG-IP blog cloud cloud computing dynamic infrastructure F5 HTTP infrastructure INfrastructure 2.0 integration internet load balancing MacVittie optimization performance scalability security SOA virtualization web web 2.0 more tags...

Post Categories

		WILS
		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization

Archives

		February, 2010 (7)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Survivability

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use