You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Richard Esmond <ri...@hotmail.com> on 2000/05/31 10:30:24 UTC
Opinion on Acceleration effort
Forgive my ingorance on most everything discussed here, but I wanted to get
some feed back on the possible relivance of work that I am currently doing
that might fit with Apachee, etc.
I am currently working to finish a VxWorks\NT hybrid that runs IIS across
multiple processors. VxWorks is a real time os with very good I/O
performance. The VxWorks layer handles almost all Lan and Disk tasks
including encryption and authentication, which is handled through a hardware
acceleration chip. Multiple VxWorks cards can be configured, each with
dedicated processing resources, crypto chips and customized support FPGA's.
I am using the FPGA's for real-time HTTP header/XML/HTML parsing and
expansion\compression.
All static HTTP distribution is handled without NT involvement after inital
user identification, which in fact is mostly handled by the crypto chip. I
am also playing with the option to switch out the JRE that is being used
with one that has source available and move the I/O critial areas of it to
VxWorks.
For raw processing VxWorks doesn't offer much advantage, but for I/O you
can't touch it with NT or Unix.
[offtopic] Re: Opinion on Acceleration effort
Posted by Jon Stevens <jo...@latchkey.com>.
on 5/31/2000 6:33 AM, Serge Knystautas at sergek@lokitech.com wrote:
> Just because I thought this was interesting... I read the latest
> Netscape (iPlanet) web server (enterprise 4.0?) supports using a
> hardware accelerator to handle the encryption. I've noticed that
> encryption takes the biggest of CPU of anything I ever run on a web
> server. I figure other web servers will support this sooner or later if
> it's really useful.
according to a couple people i have talked to, those cards that are sold for
ssl encryption don't really do squat.
moving that amount of data back and forth over the pci bus just isn't fast
enough. if it was, they would probably make hard disks that plugged into the
pci bus. :-)
having been to etrade's NOC before...i know that their solution was to
simply have around 400 sparc's and a bunch of load balancing. :-) i love it
when people throw more hardware at the problem. the head guy there had a few
of the encryption cards laying around, but wasn't really using them...
-jon (not a hardware expert by any means)
Re: Opinion on Acceleration effort
Posted by Serge Knystautas <se...@lokitech.com>.
"Preston L. Bannister" wrote:
> 5. Encryption might be a *huge* win. As more secure sites come online the
> CPU required to encrypt the data going out on the network may well
> greatly exceed all other processing. Outside of IBM mainframes I'm not
> familiar with any high performance encryption hardware.
>
> Looking over the above, I wonder if perhaps the primary role in which you
> could make a dramatic difference is as a front-end processor that performs
> encryption/decryption and then distributes traffic by URL to back-end boxes.
Just because I thought this was interesting... I read the latest
Netscape (iPlanet) web server (enterprise 4.0?) supports using a
hardware accelerator to handle the encryption. I've noticed that
encryption takes the biggest of CPU of anything I ever run on a web
server. I figure other web servers will support this sooner or later if
it's really useful.
Serge Knystautas
Loki Technologies
http://www.lokitech.com/
RE: Opinion on Acceleration effort
Posted by "Preston L. Bannister" <pr...@home.com>.
From: Richard Esmond [mailto:richard_esmond@hotmail.com]
> I am currently working to finish a VxWorks\NT hybrid that runs IIS across
> multiple processors. VxWorks is a real time os with very good I/O
> performance. The VxWorks layer handles almost all Lan and Disk tasks
> including encryption and authentication, which is handled through a hardware
> acceleration chip. Multiple VxWorks cards can be configured, each with
> dedicated processing resources, crypto chips and customized support FPGA's.
> I am using the FPGA's for real-time HTTP header/XML/HTML parsing and
> expansion\compression.
>
> All static HTTP distribution is handled without NT involvement after inital
> user identification, which in fact is mostly handled by the crypto chip.
[snip]
> Also, with
> network performance being the biggest bottleneck right now, I don't have a
> good idea if people are feeling the squees on server I/O performance.
>
> PERF EST: A single 2Pent server with 2 I/O support engines should be able to
> completely saturate 2x100mb Enet lan connections without much trouble. If
> the data was static HTML\GIF, then the CPU would be almost completely
> available for ASP\JSP\SQL\LDAP... Unreal performance delta's can be seen on
> test configs that SSL all trafic, or when te parsing needs are high enough
> to make the custom silicon felt, but mostly we have targeted this at
> commercial and hosting sites.
Pretty radical hardware... :)
Can't say I've seen performance data from a *large* site, but I'd expect
that things break down as follows:
1. Network I/O is not a big win. Between 1Ghz single CPUs and intelligent
network cards my guess is that you will bottleneck on the network long
before you run out of processor. Really *really* big sites can run a
front end box to split out traffic by URL prefix, and cut down the
network I/O burden on back-end boxes to minor significance.
2. Serving static content is not a big win. My guess is that you are more
likely to saturate the network connection before you run out of processor
on fairly ordinary boxes.
3. Disk I/O is not a big win. Heavy disk traffic requires lots of spindles
driven by intelligent disk controllers. This is the critical bottleneck
on heavily loaded sites, but it is not clear that you will offer much or
any improvement here.
4. Processing for dynamic content is uneffected. Application specific code
to generate dynamic content (using Perl/ASP/Java or whatever) might well
be a bottleneck at some big sites, but it sounds like you won't change
this much.
5. Encryption might be a *huge* win. As more secure sites come online the
CPU required to encrypt the data going out on the network may well
greatly exceed all other processing. Outside of IBM mainframes I'm not
familiar with any high performance encryption hardware.
Looking over the above, I wonder if perhaps the primary role in which you
could make a dramatic difference is as a front-end processor that performs
encryption/decryption and then distributes traffic by URL to back-end boxes.
Another role might be as an add-in accellerator for encrypted traffic at
sites that are not so large as to need a front-end box.
Concerns:
1. Cost - will the custom hardware and software cost more than just buying
another box? Will I see better performance for the same dollars?
2. Obsolesence - will future changes in HTTP/IIS/NT render the hardware
solution no longer usable?
... my 2 cents worth :).
--
Preston L. Bannister
preston@home.com
http://members.home.com/preston
pbannister via Yahoo! Messenger