Posted to dev@tomcat.apache.org by Richard Esmond <ri...@hotmail.com> on 2000/05/31 10:30:24 UTC

Opinion on Acceleration effort

Forgive my ignorance on most everything discussed here, but I wanted to get 
some feedback on the possible relevance of work that I am currently doing 
that might fit with Apache, etc.

I am currently working to finish a VxWorks\NT hybrid that runs IIS across 
multiple processors.  VxWorks is a real-time OS with very good I/O 
performance.  The VxWorks layer handles almost all LAN and disk tasks 
including encryption and authentication, which is handled through a hardware 
acceleration chip.  Multiple VxWorks cards can be configured, each with 
dedicated processing resources, crypto chips and customized support FPGAs.  
I am using the FPGAs for real-time HTTP header/XML/HTML parsing and 
expansion\compression.

All static HTTP distribution is handled without NT involvement after initial 
user identification, which in fact is mostly handled by the crypto chip.  I 
am also playing with the option to switch out the JRE that is being used 
with one that has source available and move the I/O critical areas of it to 
VxWorks.

For raw processing VxWorks doesn't offer much advantage, but for I/O you 
can't touch it with NT or Unix.

[offtopic] Re: Opinion on Acceleration effort

Posted by Jon Stevens <jo...@latchkey.com>.
on 5/31/2000 6:33 AM, Serge Knystautas at sergek@lokitech.com wrote:

> Just because I thought this was interesting... I read the latest
> Netscape (iPlanet) web server (enterprise 4.0?) supports using a
> hardware accelerator to handle the encryption.  I've noticed that
> encryption takes the biggest share of CPU of anything I ever run on a web
> server.  I figure other web servers will support this sooner or later if
> it's really useful.

according to a couple people i have talked to, those cards that are sold for
ssl encryption don't really do squat.

moving that amount of data back and forth over the pci bus just isn't fast
enough. if it was, they would probably make hard disks that plugged into the
pci bus. :-)

having been to etrade's NOC before...i know that their solution was to
simply have around 400 sparc's and a bunch of load balancing. :-) i love it
when people throw more hardware at the problem. the head guy there had a few
of the encryption cards laying around, but wasn't really using them...

-jon (not a hardware expert by any means)


Re: Opinion on Acceleration effort

Posted by Serge Knystautas <se...@lokitech.com>.
"Preston L. Bannister" wrote:
> 5.  Encryption might be a *huge* win.  As more secure sites come online the
>     CPU required to encrypt the data going out on the network may well
>     greatly exceed all other processing.  Outside of IBM mainframes I'm not
>     familiar with any high performance encryption hardware.
> 
> Looking over the above, I wonder if perhaps the primary role in which you
> could make a dramatic difference is as a front-end processor that performs
> encryption/decryption and then distributes traffic by URL to back-end boxes.

Just because I thought this was interesting... I read the latest
Netscape (iPlanet) web server (enterprise 4.0?) supports using a
hardware accelerator to handle the encryption.  I've noticed that
encryption takes the biggest share of CPU of anything I ever run on a web
server.  I figure other web servers will support this sooner or later if
it's really useful.

Serge Knystautas
Loki Technologies
http://www.lokitech.com/

RE: Opinion on Acceleration effort

Posted by "Preston L. Bannister" <pr...@home.com>.
From: Richard Esmond [mailto:richard_esmond@hotmail.com]

> I am currently working to finish a VxWorks\NT hybrid that runs IIS across 
> multiple processors.  VxWorks is a real-time OS with very good I/O 
> performance.  The VxWorks layer handles almost all LAN and disk tasks 
> including encryption and authentication, which is handled through a hardware 
> acceleration chip.  Multiple VxWorks cards can be configured, each with 
> dedicated processing resources, crypto chips and customized support FPGAs.  
> I am using the FPGAs for real-time HTTP header/XML/HTML parsing and 
> expansion\compression.
> 
> All static HTTP distribution is handled without NT involvement after initial 
> user identification, which in fact is mostly handled by the crypto chip.
[snip]
> Also, with 
> network performance being the biggest bottleneck right now, I don't have a 
> good idea if people are feeling the squeeze on server I/O performance.
> 
> PERF EST: A single 2Pent server with 2 I/O support engines should be able to 
> completely saturate 2x100mb Enet LAN connections without much trouble.  If 
> the data was static HTML\GIF, then the CPU would be almost completely 
> available for ASP\JSP\SQL\LDAP...  Unreal performance deltas can be seen on 
> test configs that SSL all traffic, or when the parsing needs are high enough 
> to make the custom silicon felt, but mostly we have targeted this at 
> commercial and hosting sites.

Pretty radical hardware... :)

Can't say I've seen performance data from a *large* site, but I'd expect
that things break down as follows:

1.  Network I/O is not a big win.  Between 1Ghz single CPUs and intelligent
    network cards my guess is that you will bottleneck on the network long 
    before you run out of processor.  Really *really* big sites can run a
    front end box to split out traffic by URL prefix, and cut down the 
    network I/O burden on back-end boxes to minor significance.

2.  Serving static content is not a big win.  My guess is that you are more 
    likely to saturate the network connection before you run out of processor 
    on fairly ordinary boxes.

3.  Disk I/O is not a big win.  Heavy disk traffic requires lots of spindles
    driven by intelligent disk controllers.  This is the critical bottleneck 
    on heavily loaded sites, but it is not clear that you will offer much or 
    any improvement here.

4.  Processing for dynamic content is unaffected.  Application specific code
    to generate dynamic content (using Perl/ASP/Java or whatever) might well
    be a bottleneck at some big sites, but it sounds like you won't change 
    this much.

5.  Encryption might be a *huge* win.  As more secure sites come online the
    CPU required to encrypt the data going out on the network may well 
    greatly exceed all other processing.  Outside of IBM mainframes I'm not
    familiar with any high performance encryption hardware.

Looking over the above, I wonder if perhaps the primary role in which you 
could make a dramatic difference is as a front-end processor that performs
encryption/decryption and then distributes traffic by URL to back-end boxes.

Another role might be as an add-in accelerator for encrypted traffic at
sites that are not so large as to need a front-end box.

Concerns:

1.  Cost - will the custom hardware and software cost more than just buying
    another box?  Will I see better performance for the same dollars?

2.  Obsolescence - will future changes in HTTP/IIS/NT render the hardware
    solution no longer usable?

... my 2 cents worth :).

--
Preston L. Bannister
preston@home.com
http://members.home.com/preston
pbannister via Yahoo! Messenger