F5 Fires Back On Open Source SSL Accelerator

Random Feature writes "In response to Build an Open Source SSL Accelerator, in which o3 magazine detailed how to build a solution comparable to an F5 BIG-IP 6900 on the cheap, F5 Fires Back claiming it's not as cheap as it appears and pointing out the potential performance implications of a 'cobbled together set of components designed to mimic similar functionality.' The discussion on the performance of the Open Source solution based on Opteron RSA operation processing capabilities brings into question the validity of the 'more SSL TPS for cheaper' argument presented by o3."

How is that different from F5?

[Anonymous Coward]

The F5 load balancers we have (admittedly not the newest) are just standard ATX & PCI off the shelf products and BSD.

Shill

[LordKazan]

Shilling much?

Common response

[Lord Grey]

At the risk of being flamed as a troll and getting modded to hell, I'd like to point out that F5's response is exactly the same kind of thing one hears when comparing special-purpose (or custom-written) software to the integration of COTS applications, libraries or frameworks. Sure, with the latter option you get something that works, eventually, but at what cost to maintainability and performance?

I say this after coming out of a meeting where a large Rube Goldberg system of Java tools was presented as the best solution to a high-volume ETL problem that has particular performance and distribution requirements. The resemblance is uncanny.

I'm all for not reinventing the wheel, but if that's what is required, then just do it.

Re:Win

[hackus]

It is even worse than that I am afraid.

Most commercial products do not even have a dividing line between "cobbled" and "polished" now days.

How many different commercial off the shelf Wireless AP's now days come with "cobbled" open source software?

I do not mind paying for software, I do. I just do not like companies that rip off the open source community, then whine and complain when their proprietary code is leaked to the net and it is a crime along with prison and fines, if you touch our code. Apparently you can do anything you like with GNU software.

I want to see Cisco execs in jail like the Pirate Bay people. Unlike the Pirate Bay people though they are actively making a direct profit from breaking the law.

5 years in the pen along with 50 Million put in a trust to start and fund more open source projects. Preferably building open wireless drivers for more cards.

http://www.guardian.co.uk/technology/blog/2008/dec/12/cisco-fsf-opensource [guardian.co.uk]

-Hack

Re:Common response

[222]

Again, with all due respect load balancing is something that the Apache crowd figured out a long time ago. My particular setup might not be ripe for the big leagues, but reproduced on an industrial scale Apache is quite capable. I also wasn't "bragging", I was simply sharing my personal experience with this sort of thing. I often appreciate it when other slashdotters do the same.

If you'd like more info on Apache HA, I'd start here:

http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html [apache.org]

You also might want to look at this discussion; its not directly related but has some good commentary:

http://ask.slashdot.org/article.pl?sid=02/06/26/2026217 [slashdot.org]

Re:Justifying the Price Tag, nothing more...

[Fulcrum of Evil]

But what might well make a lot more sense is to find a way to use graphics processor cards as SSL accelerators.

Stick a GTX250 in your server and use a CUDA enabled RSA codec and you're set.

Re:F5 is pretty useless too...

[Anonymous Coward]

Posting anonymously...'cause I work at F5, 3rd tier support.

I'd have to say your former boss' experience and opinion are atypical. Our customer sats are *awesome*, and the problems we address are the most complex. Turnaround time for serious bugs is *incredibly* fast. Open Source fast. Enhancements and minor tweaks, maybe never, and yeah, you can't add them yourself. Unless the behavior you want is in packet processing, in which case you can use TCL based iRules to do unimaginably brutal things to your packets. So most of the flexibility argument is moot.

Without knowing your former boss's case, I can't address it directly. In my own experience, cases drag on when it is difficult to gather the data necessary to show the problem. Often the customer is the bottleneck, and this tracks with customer attitude. The less cooperative and helpful tend to be the least patient as well. "I can't get you tcpdumps! Fix it!" It is also often the case that F5 gets blamed because we're more responsive than the other vendors in the equation and the customers can at least talk to someone.

Your snark is well constructed, but logically inert. F5 stuff handles the biggest loads going. Name a vendor that can compete on pps, thruput or other performance stat. Then show evidence from a repeatable, reasonable test rather than benchmarketing.

If what you need is simple load balancing, you don't need F5. Many situations require more. And yes, the F5 solution is more integrated in a meaningful way than a chain of separate proxies.

Re:Of course I could produce something similar

[Jah-Wren Ryel]

I'm honestly surprised that F5 responded at all as there's really no comparison between the solutions for real world work loads and support.

Me too. If anything, making a defensive response like that is going to lend credence to the other side of the argument. People who know what F5 does don't need to be convinced, but those don't know are now thinking "hey, F5 is afraid of this." Seems like bad marketing to me.