Slashdot Mirror

← Back to Stories (view on slashdot.org)

F5 Fires Back On Open Source SSL Accelerator

Posted by timothy on from the first-name-basis dept.

Random Feature writes "In response to Build an Open Source SSL Accelerator, in which o3 magazine detailed how to build a solution comparable to an F5 BIG-IP 6900 on the cheap, F5 Fires Back claiming it's not as cheap as it appears and pointing out the potential performance implications of a 'cobbled together set of components designed to mimic similar functionality.' The discussion on the performance of the Open Source solution based on Opteron RSA operation processing capabilities brings into question the validity of the 'more SSL TPS for cheaper' argument presented by o3."

24 of 120 comments (clear)

  1. How is that different from F5? by Anonymous Coward · · Score: 2, Interesting

    The F5 load balancers we have (admittedly not the newest) are just standard ATX & PCI off the shelf products and BSD.

    1. Re:How is that different from F5? by Anonymous Coward · · Score: 2, Insightful

      And custom software and encryption accelerator cards.

    2. Re:How is that different from F5? by Script+Cat · · Score: 5, Funny

      I once worked on binary load lifters which are very similar to your F5 load balances in many respects.

  2. Common response by Lord+Grey · · Score: 3, Interesting

    At the risk of being flamed as a troll and getting modded to hell, I'd like to point out that F5's response is exactly the same kind of thing one hears when comparing special-purpose (or custom-written) software to the integration of COTS applications, libraries or frameworks. Sure, with the latter option you get something that works, eventually, but at what cost to maintainability and performance?

    I say this after coming out of a meeting where a large Rube Goldberg system of Java tools was presented as the best solution to a high-volume ETL problem that has particular performance and distribution requirements. The resemblance is uncanny.

    I'm all for not reinventing the wheel, but if that's what is required, then just do it.

    --
    // Beyond Here Lie Dragons
    1. Re:Common response by spinkham · · Score: 2, Insightful

      If you have the experience with Linux based fail over solutions and apache or nginx to pull this off, more power to you. Go ahead and save some bucks, but make sure you test the heck out of it first, and have a plan for updates and failures.
      If not, the money you would save is probably not worth the potential downtime you could experience.

      Big iron boxes have big iron price tags, and you can almost always hack together something cheaper. The question is how much more reliable, easy to configure, and easy to upgrade is the big iron? In most organizations, buying equipment is cheaper in the long run then buying experience and maintenance for a home grown solution.

      --
      Blessed are the pessimists, for they have made backups.
    2. Re:Common response by 222 · · Score: 2, Informative

      With all due respect, load balancing SSL isn't exactly rocket science. It serves a fairly straight-forward purpose. Hell, I did something like this with an Apache box serving as a reverse proxy to an internal web server; my setup isn't designed to accommodate the load discussed in this article, but it does just that. Connections from the outside are secure between my Apache box and the outside world, and my internal web server doesn't worry about a thing.

      The Apache reverse proxy was more of a security measure, but SSL offload is just an added benefit.

    3. Re:Common response by 222 · · Score: 2, Interesting

      Again, with all due respect load balancing is something that the Apache crowd figured out a long time ago. My particular setup might not be ripe for the big leagues, but reproduced on an industrial scale Apache is quite capable. I also wasn't "bragging", I was simply sharing my personal experience with this sort of thing. I often appreciate it when other slashdotters do the same.

      If you'd like more info on Apache HA, I'd start here:

      http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

      You also might want to look at this discussion; its not directly related but has some good commentary:

      http://ask.slashdot.org/article.pl?sid=02/06/26/2026217

  3. Re:Nothing wrong with cobbled together by lawaetf1 · · Score: 2

    Yes, usually $30k or more in difference.

    --
    CommentBot 0.7a running with args "-module irritate,disagree -target random"
  4. Justifying the Price Tag, nothing more... by geekmux · · Score: 5, Insightful

    Finally, someone who isn't a raisin sack aptly describes all of FOSS: 'cobbled together set of components designed to mimic similar functionality.'

    Ah, FOSS may be cobbled together at times, and it also may be as polished and clean as many commercial apps, but it still does not erase the bottom line that F5 is still charging an asinine amount of money for their hardware. And in this economy, the financial bottom line tends to speak volumes over F5 coming out and trying to justify their price tag with a weak "yeah, but yours sucks" argument.

    This reminds me of my first time opening up the lid on a $30,000 Nokia Firewall-1 rack-mount firewall "appliance". They wanted to sell me a $2000 "upgrade". When I slid the mobo out of the fancy chassis, I found I was staring at a generic Intel mobo with a slot-1 celeron proc and 64MB of SDRAM. I then found out that the $2000 "upgrade" was merely a Pentium Proc and 256MB SDRAM stick. Needless to say, I've been rather tainted with justification for commercial hardware.

    1. Re:Justifying the Price Tag, nothing more... by Fulcrum+of+Evil · · Score: 3, Interesting

      But what might well make a lot more sense is to find a way to use graphics processor cards as SSL accelerators.

      Stick a GTX250 in your server and use a CUDA enabled RSA codec and you're set.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  5. You must be smart when buying these things by C_Kode · · Score: 4, Insightful

    You must be smart when buying stuff like this.

    First off, if I'm handling 25k+ SSL TPS, point blank, I pay the money for an F5. A home built solution will only get you fired when something goes seriously wrong.

    Secondly, if an F5 is out of your budge and you aren't handling 10s of thousands of SSL TPS, look elsewhere. Kemp Technologies makes a solution that support up to 10k SSL TPS for less than half the price and even cheaper if you handle even less. If you're not even handling a thousand of TPS, let your Apache servers handle SSL and be done with it.

  6. Re:Win by sqlrob · · Score: 4, Insightful

    'Cobbled Together' describes most proprietary development as well.

  7. Re:Win by janeuner · · Score: 2, Insightful

    'cobbled together set of components designed to mimic similar functionality.'

    http://en.wikipedia.org/wiki/Object-oriented_programming

  8. CHAINING PROXIES vs INTEGRATED SOLUTIONS by RiotingPacifist · · Score: 3, Insightful

    I'm a huge fan of chaining proxies, one program doing one thing then passing it on to the next, for the security, compatibility & debugging (contrary to what TFA say's you can check the pieces of a chain, but with an integrated solution you can't) benefits. The article does however raise a good point, the integrated solutions will have better performance:

    # TCP connection setup and teardown processing
    # Inspection of application data (layer 7 inspection is rarely computationally inexpensive)

    Which means you'd have to consider the options carefully when looking for an accelerator

    --
    IranAir Flight 655 never forget!
  9. Re:Win by fuzzyfuzzyfungus · · Score: 4, Insightful

    Ah, but it is harder to see the cobblers, so it must be better.

  10. Proving a (price) Point... by geekmux · · Score: 2, Insightful

    You must be smart when buying stuff like this. First off, if I'm handling 25k+ SSL TPS, point blank, I pay the money for an F5. A home built solution will only get you fired when something goes seriously wrong.

    I agree you must be wise with your purchases. At times, commercial hardware is justified. That being said, the entire point of the original article was to prove that there's NOT THAT much magic behind F5 hardware to justify the price tag. Accelerating SSL isn't rocket science, nor is it some uber-secret. The main point here was an attempt to prove the FOSS can and will do exactly what commercial software and hardware does at a micro-fraction of the cost. As I've said before, in this economy and shrinking IT budgets, I'm finding it harder and harder to justify uber-elite solutions with obscene price tags.

  11. Re:Win by hackus · · Score: 4, Interesting

    It is even worse than that I am afraid.

    Most commercial products do not even have a dividing line between "cobbled" and "polished" now days.

    How many different commercial off the shelf Wireless AP's now days come with "cobbled" open source software?

    I do not mind paying for software, I do. I just do not like companies that rip off the open source community, then whine and complain when their proprietary code is leaked to the net and it is a crime along with prison and fines, if you touch our code. Apparently you can do anything you like with GNU software.

    I want to see Cisco execs in jail like the Pirate Bay people. Unlike the Pirate Bay people though they are actively making a direct profit from breaking the law.

    5 years in the pen along with 50 Million put in a trust to start and fund more open source projects. Preferably building open wireless drivers for more cards.

    http://www.guardian.co.uk/technology/blog/2008/dec/12/cisco-fsf-opensource

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
  12. Of course I could produce something similar by russg · · Score: 5, Informative

    Let me first state that I over see a large deployment of F5 systems and I have compared commercial offerings in this space many times over the years. I have a deep understanding of the tools available and see the work product every day.

    Both articles are great for debate. Showing that FOSS and tools available could produce a solution that resembles a commercial product is wonderful in promoting the power and breadth of FOSS. F5's response is good but also a bit disappointing as I find they have much more than is covered in their response.

    I'm honestly surprised that F5 responded at all as there's really no comparison between the solutions for real world work loads and support. First and foremost is the thought that these are only load-balancers. The term used most appropriately today is "ADC" (Application Delivery Controller). The reason is that they not only perform load-balancing but reverse proxy cache, compression, acceleration, tuning, and in-stream logic decisions.

    F5's products allow you to create profiles for services that are reusable and easy to maintain. You can deliver new configurations in minutes. They also work with the major application vendors to produce proper configurations that you can use out of the box. iRules (TCL) is an awesome tool directly integrated into the product that as F5's tag line says, "With iRules you can". Even with all of the this power and robust tools you will see little or no impact on high performance applications.

    F5 also offers the community DevCentral which, in my opinion, gives back to the community in a proper FOSS style.

    I won't even go into the underlying architecture such as the TMM kernel and separate management kernel.

    F5's article does state one thing very clear and I would want to emphasis it. Humans cost far more over time than capitol expenditures.

    I believe that F5 has taken FOSS to proper pedestal in the industry. If anyone thought for one second that FOSS was toys and not to be considered for serious work loads then F5 proves them wrong. Cisco has been trying to chase F5 for years and are still nowhere near them. F5 systems are my swiss-army knife of networking and I'm proud to purchase and use them from my FOSS background but also know they save my butt every day.

    1. Re:Of course I could produce something similar by Jah-Wren+Ryel · · Score: 2, Interesting

      I'm honestly surprised that F5 responded at all as there's really no comparison between the solutions for real world work loads and support.

      Me too. If anything, making a defensive response like that is going to lend credence to the other side of the argument. People who know what F5 does don't need to be convinced, but those don't know are now thinking "hey, F5 is afraid of this." Seems like bad marketing to me.

      --
      When information is power, privacy is freedom.
  13. F5 is pretty useless too... by SuperBanana · · Score: 4, Insightful

    First off, if I'm handling 25k+ SSL TPS, point blank, I pay the money for an F5. A home built solution will only get you fired when something goes seriously wrong.

    An old boss has spent the last FOUR WEEKS with F5 and Cisco trying to figure out why their F5 load balancer starts dropping ACKS on the floor...at connection rates well under advertised capacity of the particular model in question, which has been in production use for months/year+. How the fuck about that- a load balancer that craps out...under load. How useful. The bug is triggered daily when this particular unnamed CA major internet company hits peak usage in the day.

    At least with the open source community, you can hire someone to look at the code, or report the bug and try and get it fixed by the community. F5 has been completely useless, reportedly.

    --
    Please help metamoderate.
    1. Re:F5 is pretty useless too... by Anonymous Coward · · Score: 3, Interesting

      Posting anonymously...'cause I work at F5, 3rd tier support.

      I'd have to say your former boss' experience and opinion are atypical. Our customer sats are *awesome*, and the problems we address are the most complex. Turnaround time for serious bugs is *incredibly* fast. Open Source fast. Enhancements and minor tweaks, maybe never, and yeah, you can't add them yourself. Unless the behavior you want is in packet processing, in which case you can use TCL based iRules to do unimaginably brutal things to your packets. So most of the flexibility argument is moot.

      Without knowing your former boss's case, I can't address it directly. In my own experience, cases drag on when it is difficult to gather the data necessary to show the problem. Often the customer is the bottleneck, and this tracks with customer attitude. The less cooperative and helpful tend to be the least patient as well. "I can't get you tcpdumps! Fix it!" It is also often the case that F5 gets blamed because we're more responsive than the other vendors in the equation and the customers can at least talk to someone.

      Your snark is well constructed, but logically inert. F5 stuff handles the biggest loads going. Name a vendor that can compete on pps, thruput or other performance stat. Then show evidence from a repeatable, reasonable test rather than benchmarketing.

      If what you need is simple load balancing, you don't need F5. Many situations require more. And yes, the F5 solution is more integrated in a meaningful way than a chain of separate proxies.

  14. Got news for ya pal by Weaselmancer · · Score: 2, Insightful

    Everything made today is a "cobbled together set of components." The chips come from Taiwan or Korea or Germany, the plastic from China, the metal from the USA or pretty much anywhere else...you name it. That's why we have standards - so you can replace one part with another.

    The difference is in the quality of the cobbling.

    And the final proof is in dollars per something-or-other, engineering aside. In this case SSL throughput. Let's see some benchmarks and let's see some dollar signs. Then we'll decide what's useless and what isn't.

    --
    Weaselmancer
    rediculous.
  15. Right tool for the job^H^H^H company by neurovish · · Score: 2, Insightful

    If a site is big enough that it really needs the performance/scale of such an F5 appliance, then the price tag is not that great and likely reflects .001% of the IT budget or less. Some shops will be better served with the cheap OSS solutions, and others would blow one up fairly quickly. If you blow it up fairly quickly and the $50k price tag is also hard to justify, then your cost of doing business is severely out of whack.

  16. Marketing barrage by jlmale0 · · Score: 2, Insightful

    Simply enough, they're firing back because with the popularity of slashdot, now every time some manager goes to scope out Big-IP or their 6900 the slashdot discussion and the original project will rise to the top of the search results.

    Big IP isn't worried about this home grown solution, because in the end, businesses buy warranties, maintenance and upgrade paths. Something the FOSS solution doesn't have prepackaged.

    Enjoy o3's article; it's a great project. Have fun building it, but don't take offense at Big-IPs defense of their product; they're obligated.

    The best thing to take away from all this, if you're in the market for SSL offloading, is to print out the article and slashdot discussion, pass it to the check-writer and let her use it as leverage to get an additional 5% savings off list.