undefined | Better HN

0 pointsdoubleplusgood9y ago0 comments

TLS offload is usually extra on F5 BigIP

0 comments

7 comments · 1 top-level

Karunamon9y ago· 6 in thread

Does F5 do any special secret sauce that can't be replicated with an equally powerful set of hardware and a good HAProxy config? I know one of our network admins is continually complaining about how shitty their UI is...

mdekkers9y ago

Does F5 do any special secret sauce that can't be replicated with an equally powerful set of hardware and a good HAProxy config?

Not unless you think "extract a lot of money from clueless execs" is secret sauce. That, and support contracts - you know, throats to choke when it all goes wrong.

otterley9y ago

BigIP's iRules (Tcl) are pretty nice. (https://devcentral.f5.com/irules). I hear HAproxy has Lua support now, but I don't know how comprehensive it is compared to iRules.

Also, F5 load balancers have real hardware failover capability, and can even synchronize TCP session state across instances. That's a pretty nice feature.

1 more reply

corrigible9y ago

Not an expert, but the last BIG-IP LTM I saw a couple of months ago didn't support TLS acceleration without a dedicated hardware module (and the accompanying license); this would usually mean upgrading to a more expensive model.

Plain old TLS termination isn't license-limited as far as I know.

EDIT: to answer your question, yes, you could probably do it with haproxy, but the added value in these appliances is iRules (TCL hooks for all network events, you could augment request processing etc) and vendor support.

xorcist9y ago

F5 has some secret sauce to it but it's mostly performance related. They have a good chunk of hardware offloading, all the way up to the TLS layer.

I seem to remember even the entry license includes full TLS offloading so I doubt the poster above is correct that it is a cost issue.

As to if HAProxy can do the job, well, that depends. F5s are complex beasts and they can load balance application specific protocols that can be hard to find elsewhere, with the support contract that goes with it.

mdekkers9y ago

crypto offloading isn't hard, and can be done on the NIC if you want/need: https://www.nextplatform.com/2016/10/03/server-encryption-fp...

1 more reply

corrigible9y ago

SSL offloading is license-limited (TPS-wise) on physical F5 appliances, E.G., `10250v` vs `10200v-SSL`.

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

Karunamon9y ago· 6 in thread

mdekkers9y ago

Does F5 do any special secret sauce that can't be replicated with an equally powerful set of hardware and a good HAProxy config?

Not unless you think "extract a lot of money from clueless execs" is secret sauce. That, and support contracts - you know, throats to choke when it all goes wrong.

otterley9y ago

BigIP's iRules (Tcl) are pretty nice. (https://devcentral.f5.com/irules). I hear HAproxy has Lua support now, but I don't know how comprehensive it is compared to iRules.

Also, F5 load balancers have real hardware failover capability, and can even synchronize TCP session state across instances. That's a pretty nice feature.

1 more reply

corrigible9y ago

Plain old TLS termination isn't license-limited as far as I know.

xorcist9y ago

F5 has some secret sauce to it but it's mostly performance related. They have a good chunk of hardware offloading, all the way up to the TLS layer.

I seem to remember even the entry license includes full TLS offloading so I doubt the poster above is correct that it is a cost issue.

mdekkers9y ago

crypto offloading isn't hard, and can be done on the NIC if you want/need: https://www.nextplatform.com/2016/10/03/server-encryption-fp...

1 more reply

corrigible9y ago

SSL offloading is license-limited (TPS-wise) on physical F5 appliances, E.G., `10250v` vs `10200v-SSL`.

j / k navigate · click thread line to collapse