SSL Acceleration

SSL Offload Presentation


Contents:

  • SSL Monitoring vs. SSL Termination
  • SSL Monitoring models: “Enterprise In” and “Enterprise Out”
  • SSL Acceleration, connection, & bulk crypto
  • Inline vs. Parallel SSL Hardware Acceleration
  • Inline solutions & features for SSL monitoring solutions

Termination – Standard Web Server Deployment


Web Server Deployment with Reverse Proxy


SSL Monitoring Models: “Enterprise In”

The SSL decoder function could optionally be integrated into the NPB (Network Packet Broker) or the analytical tool units.


SSL Monitoring Models: “Enterprise Out”


SSL Acceleration: connection & bulk crypto

Hardware acceleration solutions may accelerate connection setup, bulk crypto, or both.

Many hardware solutions let software process the connections while the hardware accelerates the bulk crypto.


Parallel or Co-processor Hardware Acceleration Model

Typical Hardware SSL Acceleration in use Today


Inline Hardware Acceleration Model

The inline solution offers advantages for some applications.


Inline vs. Parallel SSL Offload: Parallel PCIe-Attached Coprocessors


Receive:

  1. Load balance to a CPU
  2. TCP stack
  3. OpenSSL
    1. To crypto engine
    2. Back from crypto engine
  4. Application delivery and processing

Transmit:

  1. App to OpenSSL
  2. OpenSSL
    1. To crypto engine
    2. Back to OpenSSL
  3. TCP stack
  4. Out to NIC

For each direction:

  • Data crosses PCIe twice for the crypto engine (to and from it) and once for the NIC.
    • Significant bus and memory overhead from the extra I/O operations.
  • Significant software/CPU overhead remains for processing connections and interacting with the crypto engine.

Inline vs. Parallel SSL Offload: Inline Solution


Receive:

  1. Load balance to a CPU
  2. TCP stack
  3. Application delivery and processing

Transmit:

  1. App to TCP stack
  2. TCP stack
  3. Out to NIC

The extra bus transfers are removed, and all SSL software/CPU overhead is offloaded to the NIC.


Parallel vs. Inline Scalability

Coprocessors are a global (host-wide) resource.

Multiple coprocessors can be installed, but this requires a software load-balancing implementation.

Inline crypto acceleration is per NIC.

Multiple inline NICs can be installed, with load balancing across interfaces.


Inline Solutions & Features for SSL Monitoring Solutions

Desired features for a monitoring solution:

  1. Option to “cut through” non-SSL traffic, either:
    1. Out the BIW port, or
    2. To the host for normal analytics.
  2. Two-way NPB (Network Packet Broker) interface, so the host can decide whether to forward or drop a packet (as opposed to a simple Tap interface).
  3. Option for SSL traffic to be delivered as “payload-only” or as “generated TCP streams”.
  4. Support for multiple Tap ports to prevent oversubscription.

Additional MPS Inline SSL Monitoring Features:

  1. Traffic can be delivered with zero-copy, kernel-bypass drivers directly to user-space applications.
  2. The host application interface can be customized to meet customer requirements.
  3. “Cut-through” options are configurable.

The MPS Inline SSL Monitoring Solution can provide these features to meet customer requirements.