As the original person who specced out an SSL offloading appliance (and who sadly has still not been able to purchase an LB, although F5 is a front runner), I thought I might comment on why I originally listed the requirement. <div>
<br></div><div>Some of the sites we host deal with secured data, like credit card transactions, financial records, etc. Indeed, PCI DSS would be well and truly broken if we unencrypted the transaction at any point between server and client, no matter how much we trusted our own network or the people running it. We would never use SSL offloading for this type of site. </div>
<div><br></div><div>Many of the applications we host use SSL only for member authentication, such a sites that allow members to log in before posting on message boards and so on. That transaction doesn't strictly need to be secure inside our network (users who can sniff that would find it much easier to just go straight to the server/db). But the thing we get most out of SSL offloading is that we can achieve seamless failover between servers. If a server handling 1000 SSL connections dies, then those encrypted streams are dead and the user experience interrupted. If they're handled by the LB, however, then they can be passed off to another server (hopefully) without interruption. </div>
<div><br></div><div>Performance gains by SSL offloading were never really a factor. If I hosted sites so popular that I couldn't get enough processor cycles for cryptography, well, I'd already have a load balancer :)<br>
<br><div class="gmail_quote">On Mon, Feb 22, 2010 at 6:35 PM, Dobbins, Roland <span dir="ltr"><<a href="mailto:rdobbins@arbor.net">rdobbins@arbor.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><br>
On Feb 22, 2010, at 2:05 PM, Ian Henderson wrote:<br>
<br>
> if you can't trust your own network between the accelerator/load balancer and the content<br>
> hosts, what can you trust?<br>
<br>
</div>I trust any network infrastructure elements under my direct span of control just fine, it's *people* I don't trust - nor should you, nor your customers.<br>
<div class="im"><br>
> Do any of these work in an ESX or similar virtualised environment?<br>
<br>
</div>It's my understanding they do, though I've no hands-on experience using them in such an environment.<br>
<div class="im"><br>
-----------------------------------------------------------------------<br>
Roland Dobbins <<a href="mailto:rdobbins@arbor.net">rdobbins@arbor.net</a>> // <<a href="http://www.arbornetworks.com" target="_blank">http://www.arbornetworks.com</a>><br>
<br>
Injustice is relatively easy to bear; what stings is justice.<br>
<br>
-- H.L. Mencken<br>
<br>
<br>
<br>
_______________________________________________<br>
</div><div><div></div><div class="h5">AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br></div>