1. Field of the Invention
This invention relates to Secure Socket Layer (SSL) information transfers, and more specifically to clustered SSL accelerators for information transfers.
2. Background Information
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the dominant approaches to web security. Both protocols provide a secure channel over which ordinary web traffic (Hypertext Transfer Protocol (HTTP)) can be transmitted. HTTP over SSL (HTTPS) is widely used to protect confidential information in transit between a client and server.
However, SSL is dramatically more CPU intensive than ordinary TCP communication and the addition of SSL to unsecure web servers can create unacceptable performance consequences on the web server. The dominant performance cost is for the public key encryption algorithm (e.g., RSA) operation in the SSL handshake. One common approach to reducing this cost is to offload the RSA operations into a cryptographic co-processor that is installed on the server machine.
The co-processor approach has a number of disadvantages: (1) the server software must be co-processor aware; (2) the case must be opened to insert the co-processor; and (3) it can be difficult to match the co-processor to the CPU such that neither is idle much of the time. Scaling problems may also arise because the speed at which the co-processor can handle the traffic may not match the speed at which the host CPU can handle it.
One response to the failings of the co-processor approach has been to create standalone cryptographic accelerators. These accelerators are network devices that reside between the client and server. They accept HTTPS connections from a client, decrypt them, and make HTTP connections to the web server. Examples of such devices include iPIVOT/Intel's Netstructure accelerators, F5's BigIP accelerator, and Andes Network's Nonstop SSL products. One key advantage of standalone accelerators is that scaling is relatively simple, i.e., more than one box can be purchased, allowing the traffic to be load balanced across the accelerators.
In conventional configurations, having multiple standalone accelerators may provide improved performance since if a given accelerator fails, other accelerators may be available to handle the load. However, these configurations only offer high availability in a bulk sense. All SSL connections terminated on a failing box are simply lost. A customer perceives this as an input/output (I/O) error of some kind. Although the remaining boxes are still available to handle future connections and the accelerators as a group remain available, there is no high availability at the connection level.