Joe St Sauver, Ph.D.
joe@oregon.uoregon.edu
The eight 7180 e-Commerce Director boxes that Intel recently donated to the
university can perform a number of vital networking tasks. Below we've described
two of the most important: SSL acceleration and load balancing.
When you connect to a secure website like DuckWeb, or to one of the UO's secure
web email servers, or to an online shopping website such as amazon.com, the
connection between that site and your web browser is encrypted using the SSL
protocol (symbolized by the little "lock" you'll see at the bottom
corner of your browser).
Using SSL provides three big advantages: "privacy," "integrity,"
and "authenticity." SSL encryption ensures your privacy by preventing
someone from "eavesdropping" on your network traffic. SSL encryption
also provides traffic "integrity" by ensuring your transmissions cannot
be altered en route. If you trust the ID verification procedures of the party
who issued the SSL certificate for a given server, you also have assurance that
you're connecting to the party you believe you're connecting to. This is usually
referred to as providing "authenticity."
Given the benefits of SSL security, you may wonder why all websites don't use
SSL for all traffic. The answer is simple: there is substantial computational
overhead associated with encrypting traffic using SSL (or SSH, or any other
nontrivial encryption scheme), so encryption is usually used only when particularly
sensitive information is being transmitted, such as a credit card number, a
password, a student's grade information, etc.
SSL accelerators were created to "offload" computationally demanding
encryption calculations from the web server, using specially tailored hardware
encryption chips in a separate box that sits in front of the server. (For example,
the Intel 7180 boxes we received can handle over 600 SSL connections per second--or
over 2,000,000 an hour.) Because the SSL accelerator handles all the encryption-related
overhead for those connections, the main web server can focus on doing its primary
job, delivering web pages. That usually translates to better performance (less
latency) or higher web server throughput.
The other task an Intel 7180 can perform is what's normally referred to as
"load direction" or "intelligent load balancing." To understand
how this balancing function works, you need to know that there are two fundamental
approaches to scaling a system up to handle a large number of users. You can
either build a single large monolithic system, typically with lots of memory
and many processors--or you can run a bunch of smaller systems, making them
act as if they were all one system and somehow dividing up the traffic load
between those boxes. The Google search engine is a good example of this. Google
is actually a cluster of over 10,000 PCs running Linux (see http://www.google.com/press/highlights.html),
all of which appear to the user to be a single unified system.
Making numerous systems act as if they were all one system and dividing the
load between them are the tasks usually handled by a load director. In its simplest
form, a load director sits in front of two or more identical back-end web servers
and hands connections off to one or the other in round-robin fashion. This is
very similar to what can be easily done via DNS round-robin aliases. However,
unlike DNS round-robin aliasing, load directors can also employ other rules,
such as sending a connection to whichever server is least busy, or ignoring
a server which is temporarily down, thereby improving performance and effectively
eliminating site downtime.
Load directors can also be used to intelligently route object requests based
on the type of content being requested. For example, a 7180 can reroute requests
for HTML pages to one server, requests for images to another web server, and
requests for cgi-bin pages to a third server. Load directors can also be used
to do a variety of network address translation tricks. For instance, by default,
when a load balancer is interposed between users and a back-end farm of multiple
web servers, all the traffic will appear to "come from" the load balancer,
both in terms of what Internet users see and in terms of what each of the multiple
web servers sitting behind the load director responds to--the 7180 mediates
all content delivery in that scenario.
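To make the two load-director behaviours described above concrete (round-robin versus least-busy distribution that skips a server which is down, and routing HTML, image and cgi-bin requests to separate server pools), here is a small simulation written for this overview. It is an added example, not Intel 7180 software; the server names, request paths and connection counts are constructed for illustration.

```python
# Toy load director modelled on the behaviour described in the article.
# Added example, not Intel 7180 software.  Server names, paths and load
# figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    active: int = 0   # connections currently open on this server
    up: bool = True   # last health-check result; False = temporarily down


class LoadDirector:
    """Sits in front of pools of back-end servers and hands connections off."""

    def __init__(self, pools):
        self.pools = pools                   # pool name -> list of Server
        self._next = {p: 0 for p in pools}   # round-robin cursor per pool

    @staticmethod
    def pool_for(path):
        """Content-based routing: cgi-bin, images and HTML go to separate pools."""
        if path.startswith("/cgi-bin/"):
            return "cgi"
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext in ("gif", "jpg", "jpeg", "png"):
            return "images"
        return "html"

    def round_robin(self, pool):
        """Next server in turn, skipping any server marked down."""
        servers = self.pools[pool]
        for _ in range(len(servers)):
            s = servers[self._next[pool] % len(servers)]
            self._next[pool] += 1
            if s.up:
                return s
        raise RuntimeError(f"no healthy server in pool {pool!r}")

    def least_busy(self, pool):
        """Server with the fewest open connections, again ignoring down servers."""
        healthy = [s for s in self.pools[pool] if s.up]
        if not healthy:
            raise RuntimeError(f"no healthy server in pool {pool!r}")
        return min(healthy, key=lambda s: s.active)

    def direct(self, path, policy="least_busy"):
        """Pick a pool from the request, then a server from that pool."""
        pool = self.pool_for(path)
        pick = self.least_busy if policy == "least_busy" else self.round_robin
        server = pick(pool)
        server.active += 1       # the connection is now open on that server
        return server.name

    def release(self, name):
        """Called when a connection to the named server closes."""
        for servers in self.pools.values():
            for s in servers:
                if s.name == name:
                    s.active -= 1
                    return
        raise KeyError(name)


def build_demo_director():
    """Constructed three-pool farm: two HTML servers, two image servers, one cgi server."""
    return LoadDirector({
        "html": [Server("www1"), Server("www2")],
        "images": [Server("img1"), Server("img2")],
        "cgi": [Server("cgi1")],
    })


if __name__ == "__main__":
    ld = build_demo_director()
    for path in ("/index.html", "/logo.gif", "/cgi-bin/search", "/about.html"):
        print(path, "->", ld.direct(path, policy="round_robin"))
    ld.pools["html"][1].up = False   # simulate www2 failing its health check
    print("/news.html ->", ld.direct("/news.html", policy="round_robin"))
```

Running it as a script shows HTML requests alternating between www1 and www2 until www2 is marked down, after which every HTML request lands on www1 while image and cgi-bin requests keep going to their own pools. The `up` flag stands in for whatever health check a real director performs; note that taking a failed server out of rotation only hides the failure of that one server, so the director itself is the component whose availability then matters most.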
The 7180 does, however, support a feature called "Source Address
Preservation," which allows the farm of web servers to see the
true address of the user requesting a web page, rather than seeing all
requests (apparently) coming only from the 7180's address. This is convenient
if you want to do log analysis on the individual web servers (rather than on
the load director), for example, or if you want to do "out of path return,"
allowing the back-end web servers to bypass the 7180 and talk directly to the
user when sending traffic back to that user's web browser.
This overview provides just a glimpse of the many functions these e-Commerce Director boxes can perform. You'll find more information about the role of e-Commerce Directors in network management at http://www.intel.com/network/idc/products/director_7180.htm