Build an Open Source SSL Accelerator

Amin Zelfani writes "SSL accelerators like Big-IP 6900 from F5 Networks typically carry a $50k or more price tag. An article over at o3magazine.com shows you how to build an SSL accelerator that's on par with the commercial solutions, using Open Source projects. SSL Accelerators offload the encryption / decryption process from web servers, reducing load and reducing the number of certificates needed."
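The summary describes the accelerator's job as taking the TLS handshake and record encryption off the web servers. The configuration below is an added example, not taken from the o3magazine article or from any of the comments: a single nginx front end that terminates TLS and forwards plain HTTP to a pool of backends, so only the proxy holds the certificate and key and the backends never touch crypto. The hostname, backend addresses and certificate paths are assumed placeholders.

```nginx
# Added example, not from the article: nginx as a TLS-terminating reverse proxy.
# Hostname, backend addresses and certificate paths are assumed placeholders.

upstream web_backend {
    # Assumed backends on a private network; they speak plain HTTP and hold no keys.
    server 10.0.0.11:80;
    server 10.0.0.12:80;
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.key;   # assumed path

    # A shared session cache lets returning clients resume a session instead of
    # running a full handshake; that is where most of the CPU saving comes from.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://web_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Tell the backends who the client was and that the hop to us was encrypted.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain-HTTP listener that only redirects, so nothing is ever served unencrypted.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

The session cache is the setting to watch: without it every request from a new connection pays a full handshake, and the box stops being an accelerator. Because the backends only ever see plain HTTP from the proxy, they must sit on a network segment that clients cannot reach directly, otherwise the redirect on port 80 protects nothing.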
  • Huh? (Score:2, Interesting)

    by TheRaven64 ( 641858 ) on Wednesday April 15, 2009 @04:27PM (#27590425) Journal
    A miniPCI card with an OpenSSL-supported crypto engine that can saturate the bus costs around $50. What do you get by spending three orders of magnitude more? Something that can handle multiple 10GigE connections?
  • Ideally... (Score:5, Interesting)

    by jd ( 1658 ) <imipak@ y a hoo.com> on Wednesday April 15, 2009 @04:40PM (#27590647) Homepage Journal

    ...you'd offload the entire TCP/IP stack (Linux' networking isn't the fastest) as well as the SSL. Preferably get the IPSEC in there as well. It shouldn't be too hard to build a card that does the lot. You could then use VCHAN or some other kernel bypass method to forward the data as though Linux had just processed the packets within its own networking stack. The software doesn't need to know where the operation is taking place, so long as the API is the same.

    However, just getting the SSL onto a card is a definite advantage, as SSL is a heavy processor consumer and is used frequently enough that it's a drag on systems.

    There are many encryption chips out there (Freescale's S1, for example) and there are projects on OpenCores that you can download right into a low-cost FPGA, so you can get pretty much whatever speed you want at whatever budget you're prepared to set aside.

  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday April 15, 2009 @05:00PM (#27590975) Journal
    Y'know who else thinks that it would be nice to see SSL used on all web sites?

    Verisign.
  • by jd ( 1658 ) <imipak@ y a hoo.com> on Wednesday April 15, 2009 @05:03PM (#27591031) Homepage Journal

    Better yet, it'd be nice to see SSL used on all pages on all web sites. One of the first rules of security is that context can tell you a lot about what is being encrypted and can potentially weaken that encryption. It also allows attackers to distinguish packets of interest from context.

    Using SSL for only critical stuff is like using encryption for only shell passwords. It's better than nothing, but exposes far far too much.

    (One might argue that there's so much valuable data placed on computers in corporate DMZs that further security is pointless until that is fixed. That's true, but one reason corporations don't bother with security is that customers don't demand it. One reason customers don't demand it is that SSL is slow, so sites that don't have good security give a better response, which is what the customer thinks they want. If the response was fixed, customers might start considering sites with competent security preferable to those that effectively hand out bank details to any cracker that asks.)

  • Re:Huh? (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 15, 2009 @05:13PM (#27591175)
    you combine nginx, haproxy, varnish-cache and you've got 80% of what Big-IP does!
  • by owlstead ( 636356 ) on Wednesday April 15, 2009 @05:17PM (#27591221)

    It doesn't cost 50K to buy a T2 based server from Sun (more like 15K at entry-level prices). This would give you 8 crypto-accelerated cores with 2x 10GBit ports straight into the processor. They are also not that power hungry. You could use this to accelerate both your web server and your SSL. Wouldn't this be a better solution than building two servers?

    Just thinking out loud, maybe I've overlooked something as I'm not a network engineer or anything.

  • Re:uh (Score:2, Interesting)

    by Puzzleer ( 309198 ) on Wednesday April 15, 2009 @05:22PM (#27591289)

    50k? Are you insane? I worked at a company that built similar products, and we had six developers working on it for five years.

    Don't trivialize how hard it can be to build a piece of high performance equipment (especially where you are doing crypto in hardware).
