SSL 101

From LB Wiki


SSL acceleration and termination, whereby the SSL session is stopped at the load balancer, is one of the most basic functions of modern load balancers. The need for SSL accelerator functionality is well accepted in the load balancing world, but why exactly is it needed?

There are two primary reasons: Speed, and functionality.

Speed

Modern SSL works with two different types of encryption technologies: asymmetric and symmetric. Asymmetric encryption is used to set up the initial connection, and symmetric encryption (often referred to as “bulk encryption”) is used for data transfer.

It’s the asymmetric encryption that’s the main problem. Per byte of data transferred, it is about 1,000 times more CPU intensive than symmetric encryption. But without doing the asymmetric encryption first, secure communication wouldn’t be possible (for why this is the case, see here). This can bring even a powerful server to its knees if it’s handling hundreds or thousands of connections per second.

Most load balancers have what’s known as SSL ASICs (Application Specific Integrated Circuits). ASICs are highly specialized processors that are only good at a few specific tasks (and little else). The SSL ASICs built into most load balancers offload the SSL tasks from the main CPU, so an SSL connection isn’t any more burdensome to the load balancer than a regular non-SSL connection.

A modern x86 processor can probably handle a few hundred, perhaps even a thousand SSL connections per second, but that would take away resources from the actual job of the server.

An SSL ASIC, depending on the model, can handle anywhere between 5,000 and 40,000 SSL connections per second, and the server is spared all that work.

Functionality

Most modern websites rely on something called server persistence (also called stickiness or affinity), whereby subsequent requests from a client are sent to the same server in a server farm.

The mechanism that most sites employ to accomplish this persistence is cookie-based persistence, where the HTTP header information is parsed. In an SSL connection, the header information is encrypted, and unreadable by the load balancer. That is, unless the SSL session is terminated at the load balancer.
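As an added illustration (not from the original article), here are the two approaches side by side in HAProxy configuration syntax: a TCP-mode passthrough, where the balancer sees only encrypted bytes and can key persistence only on the client address, and an HTTP-mode termination, where it holds the certificate and can insert and read a persistence cookie. The certificate path, server addresses and port numbers are assumed placeholders.

```haproxy
# Added example (not from the original page). Paths, addresses and ports are
# assumed placeholders; the two frontends use different ports only so that
# both can appear in one file.

# 1) SSL passthrough: the balancer never decrypts, so HTTP headers (and
#    cookies) are invisible to it. Persistence can only use layer-4 data
#    such as the client's source address.
frontend https_passthrough
    bind *:8443
    mode tcp
    default_backend web_tcp

backend web_tcp
    mode tcp
    balance source
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check

# 2) SSL termination: the balancer holds the certificate and private key,
#    decrypts the session, and can read and insert HTTP cookies.
frontend https_terminated
    bind *:443 ssl crt /etc/haproxy/certs/example.pem
    mode http
    # Tell the backend servers the original request arrived over HTTPS.
    http-request set-header X-Forwarded-Proto https
    default_backend web_http

backend web_http
    mode http
    balance roundrobin
    # Insert a SERVERID cookie so later requests from the same browser
    # return to the server that answered the first one.
    cookie SERVERID insert indirect nocache
    server web1 10.0.0.11:80 check cookie web1
    server web2 10.0.0.12:80 check cookie web2
```

In the terminated variant the balancer-to-server leg is plain HTTP; if that leg crosses a network you do not trust, HAProxy can re-encrypt it with `server ... ssl verify required ca-file <path>` at the cost of a second handshake per connection.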

Another up-and-coming function of load balancers that requires SSL termination at the load balancer itself is application firewall capability. Some load balancers can now inspect the requests coming from clients and screen them for potential exploits.

Most value load balancers offer SSL termination, but some of the lower-cost boxes do not do hardware acceleration with an ASIC. Instead, SSL operations are handled on the general CPU. This can work for small amounts of SSL traffic, but software SSL is not suitable for moderate to high levels of SSL traffic, and a model with a hardware SSL chip is required.


Because of the need for speed and functionality, any load balancer worth its salt will be able to do SSL termination, and any load balancer that’s needed for more than a light amount of SSL traffic should also have a hardware SSL ASIC.
