Dedicated crypto accelerator cards? Please, that’s so last decade

February 15, 2012 Technical, General

Today I’ve been looking over the legacy architecture for a new customer we have coming on board. I think it’s fair to say that they’re of a substantial size.

One of the things that stands out to me is that they have five load-balancers (huh?) on the public-facing end, and then seven nginx frontends terminating SSL traffic and serving static content. Let’s ignore the load-balancers; I think they’re just some cloud-y appliance. The frontends are where it’s at.

These are some pretty substantial VMs (a certain provider’s 2GB instance) running SSL all day and not much else. Their app doesn’t even run on the frontends!

SSL crypto is very much the lifeblood of internet commerce; it’d come to a screeching halt without it these days. It’s just an unfortunate fact that it’s computationally very expensive.

SSLShader – A GPU-accelerated SSL Proxy

Now we’re talking. Unlike using your GPU for swap space, this actually sounds kind of sensible.

The benefit of using a GPU comes from the heavy parallelisation inherent in the architecture, which is great when you want to serve many requests in parallel. Like on a web server. Assuming you can fit them in the chassis (powerful GPUs tend to be two slots wide, which doesn’t fit well in a 2RU rackmount chassis), GPUs should be quite cost effective, too.

“What about modern CPUs with AES-NI instructions?”, you might ask. AES-NI is good, but it speeds up the bulk symmetric crypto, not the handshake.

Every SSL transaction starts with a key-exchange handshake, which uses RSA. RSA is extremely computationally expensive, which is why we use it only to bootstrap a symmetric cipher like AES. You can go for your life with optimised AES-NI once the key exchange is done, but the RSA is still a big start-up overhead, and SSLShader shows promising results here.
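The RSA cost above is paid once per full handshake, so before reaching for GPUs a practitioner running nginx frontends like these makes sure returning clients resume their existing session instead of repeating the RSA exchange, and that one handshake serves many requests over a kept-alive connection. The following is an added example configuration, not taken from the post or the customer’s setup; the server name and certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                            # placeholder

    ssl_certificate     /etc/nginx/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;    # placeholder path

    # A shared cache is visible to every worker process, so a client
    # resuming a session can be served by any worker without a new
    # RSA handshake. nginx documents about 4000 sessions per megabyte.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Keep the connection open so that one handshake covers many
    # requests instead of one handshake per static asset.
    keepalive_timeout   65;
    keepalive_requests  100;

    root /var/www/static;                               # placeholder path
}
```

With this in place, only clients arriving for the first time (or after the session has expired) incur the full RSA handshake, which is the part SSLShader is aiming to accelerate.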

SSLShader doesn’t look ready for primetime just yet (code not readily available), but it’s a very exciting piece of research. Whether it’s something we really need in the datacentre is an unanswered question, but it looks like a decent solution to a real problem that some websites will face.

(and just think, you can mine bitcoins when the website’s not busy…)