Forum Discussion

boneyard
Nov 14, 2013

SSL limit 2x00 / 4x00 platforms

I'm looking at the SSL limits of the new 2x00 and 4x00 platforms and not totally getting it. It seems the 2000 and 4000 are limited in SSL TPS, but that limit is not based on actual SSL TPS but on TCP SYNs per second to HTTPS virtual servers.


Is that correct? How exactly is that done?


In this SOL I do see a difference mentioned between 1k and 2k keys for the 4000 platform, so does the above method (counting SYNs per second) also look at key size?


http://support.f5.com/kb/en-us/solutions/public/13000/000/sol13067.html


  • Kevin_K_51432 (Historic F5 Account)

    Hi, my take on this would be there are two, perhaps fine points to consider:


    1) What the CPU can handle (impacted by key size). SOL13067.


    2) What the BIG-IP is licensed to handle based on SYN. SOL6475.


    So a device can be licensed for only 500 TPS, but be capable of processing 5000 TPS should a max TPS license be applied.


  • The two important concepts to understand when discussing SSL performance are "TPS", or Transactions per Second, and bulk encryption. SSL TPS is the initial SSL handshake and key negotiation (and to some degree re-negotiations). The size of the keys is important here because they are used in the initial session seed key encryption and digital signing. After the handshake, both peers have a (generally smaller) session encryption key that they use for bulk encryption. The bulk encryption number is therefore always larger because it's using smaller keys. The difference in SSL TPS and bulk encryption numbers across platforms is based on the SSL ASIC (SSL offload chip) processing ability, and to some degree system processing. Anything less than the "max" number would be a licensing thing.


    Further, the difference between 1K and 2K key sizes and TPS has to do with the cryptographic intensity of each, where 2K keys are more complex than 1K keys by a factor of about 5.


  • Thanks Kevin, that is pretty clear.


    Still, I'm looking for how F5 implements these TPS restrictions on their newer platforms. When the datasheet says 4500 TPS with 2k keys, can I then assume the box will allow / handle 4500 full handshakes with 2k keys? Or is there another system in place that is going to count 4500 TCP SYNs to HTTPS-enabled virtual servers and cut off at 4500?


  • "When the datasheet says 4500 TPS with 2k keys, can I then assume the box will allow / handle 4500 full handshakes with 2k keys?"


    This number is specifically about the platform's ability to handle SSL/TLS handshake key negotiations with 2k keys (client and/or server). There are other performance numbers for layer 4 and layer 7 connections/transactions.


  • So there are no other "tricks" used to limit the number of TPS? You get what you see, and the old system (see SOL6475, http://support.f5.com/kb/en-us/solutions/public/6000/400/sol6475.html) isn't used on the 2000 / 2200 / 4000 / 4200 / ... anymore?


  • I see what you mean. So yes, a system will have a licensed limitation for TPS, which is more of an OS thing than a platform thing. Take a look at the hardware datasheet:


    http://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf


    A base system will have a "comes with" TPS license, and can be upgraded/licensed for its max TPS capability. Back in the day, F5 sliced up SSL TPS licensing into odd-sized incremental blocks. Now it's just base and max, and max is based on platform hardware capability.
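The thread contrasts two ways of measuring "SSL TPS": the SOL6475-style licensing check that counts TCP SYNs per second arriving at HTTPS virtual servers, and the datasheet figure, which is about TLS handshakes the platform can actually complete. The script below is an added example (not from the thread, F5, or any BIG-IP internals) that runs both measurements over a constructed event log so the difference is visible: a second with many SYNs that never progress to a handshake exceeds a SYN-based limit while the handshake count stays within it. The log format, the event names `syn` and `hs`, and the licensed limit of 3 TPS are all assumptions made for the example.

```python
"""Compare a SYN-rate view of SSL load with a completed-handshake view.

Added example, not code from the forum thread or from F5. It models the
two measurements discussed above: TCP SYNs per second to HTTPS virtual
servers (the SOL6475-style licensing check) versus TLS handshakes per
second that actually complete (what a datasheet TPS figure describes).
The log format, event names and licensed limit are constructed here.
"""
from collections import defaultdict

# Constructed sample records: (second, virtual-server port, event).
# "syn" = a TCP SYN reached the virtual server, "hs" = a TLS handshake
# completed on it. Only port 443 traffic counts toward SSL TPS.
SAMPLE_EVENTS = [
    # second 0: three SYNs, three handshakes completed
    (0, 443, "syn"), (0, 443, "syn"), (0, 443, "syn"),
    (0, 443, "hs"), (0, 443, "hs"), (0, 443, "hs"),
    # second 1: five SYNs but only two handshakes (three SYNs never reach TLS,
    # e.g. half-open connections or retransmits)
    (1, 443, "syn"), (1, 443, "syn"), (1, 443, "syn"), (1, 443, "syn"), (1, 443, "syn"),
    (1, 443, "hs"), (1, 443, "hs"),
    # second 2: mostly HTTP virtual server traffic, which is not SSL load
    (2, 80, "syn"), (2, 80, "syn"), (2, 80, "syn"), (2, 80, "syn"),
    (2, 443, "syn"), (2, 443, "hs"),
    # second 3: four SYNs, four handshakes: over the limit by either measure
    (3, 443, "syn"), (3, 443, "syn"), (3, 443, "syn"), (3, 443, "syn"),
    (3, 443, "hs"), (3, 443, "hs"), (3, 443, "hs"), (3, 443, "hs"),
]

LICENSED_TPS = 3  # hypothetical licensed SSL TPS, chosen small for the example


def count_per_second(events, port=443):
    """Return (syn_counts, handshake_counts) keyed by second for one port."""
    syn = defaultdict(int)
    hs = defaultdict(int)
    for second, vs_port, event in events:
        if vs_port != port:
            continue  # traffic to non-HTTPS virtual servers is ignored
        if event == "syn":
            syn[second] += 1
        elif event == "hs":
            hs[second] += 1
    return dict(syn), dict(hs)


def seconds_over_limit(counts, limit):
    """Seconds in which the measured rate exceeded the licensed limit."""
    return sorted(second for second, n in counts.items() if n > limit)


def compare(events, limit, port=443):
    """Show which seconds each measurement would flag as over the limit."""
    syn, hs = count_per_second(events, port)
    return {
        "syn_over": seconds_over_limit(syn, limit),
        "hs_over": seconds_over_limit(hs, limit),
        "peak_syn": max(syn.values(), default=0),
        "peak_hs": max(hs.values(), default=0),
    }


if __name__ == "__main__":
    result = compare(SAMPLE_EVENTS, LICENSED_TPS)
    print(f"licensed TPS: {LICENSED_TPS}")
    print(f"seconds over limit by SYN count:       {result['syn_over']}")
    print(f"seconds over limit by handshake count: {result['hs_over']}")
    print(f"peak SYN/s: {result['peak_syn']}, peak handshakes/s: {result['peak_hs']}")
```

Second 1 is the interesting case: a SYN-based check would flag it even though only two handshakes completed, while second 3 is over the limit either way. When sizing a platform from a datasheet TPS number, the handshake count is the figure to compare against; when auditing whether a SYN-based license limit could be hit, the SYN count to HTTPS virtual servers is what matters, and connections that never complete a handshake still count.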


  • And looking at the new 2000/2200/4000/4200, they are all on max by default already, right?