Position Paper for NLANR Cache Workshop ’97

 

Novell BorderManager – Proxy Cache

 

Gary Tomlinson

Novell Advanced Development

garyt@novell.com

 

 

Introduction

This paper introduces an innovative implementation of the ICPv2 Proxy Cache service in Novell’s BorderManager suite of Internet services. This service is interoperable with Harvest/Squid proxy caches and standard CERN proxies. This paper outlines several operating system issues we believe are fundamental to the successful implementation of a commercial proxy cache cluster. We also mention some performance results and experiences under production workload conditions that validate our beliefs. Finally, we describe Novell’s goals and support of NLANR and the research community in developing an architected cache infrastructure for the Internet.

 

Operating System Issues

The unique character of the IntranetWare communication engine enables it to dramatically improve on the performance and scalability of proxy caching. IntranetWare is an integrated set of kernel services. This real-time OS is a finite state machine built of automata for handling sophisticated collections of services such as file, network, proxy, and so on. IntranetWare spawns transactions to service states in the finite state machine, where work-to-do threads are bound to transactions during state processing with dramatically less overhead than in process-based context switching. To play to these strengths, the IntranetWare proxy cache is implemented as a multi-threaded, non-blocking service (as opposed to a process). The distinction between process and service is fundamental because a process is a relatively heavyweight entity with built-in overhead (context-switch time and memory footprint). The consequence is that proxy services integrated into this thin OS are at least an order of magnitude more efficient in using threads than application-server based implementations.

 

Performance comparisons demonstrate the ability of proxy cache services built on this foundation to provide three to ten times more throughput than those built on application server process models. Current performance results are in the 3000 to 4000 pages per second range with content throughput at 300 to 400 Mbps. This is consistent with Novell’s heritage of combining high performance with industry-leading access controls and industry-standard interoperability.

 

Further, IntranetWare contains Novell Directory Services (NDS), an object-oriented, global, replicated administrative repository. NDS is the natural place to store and manage meta-content associated with the proxy cache and Web objects stored in the cache. With the proxy service configuration and access control lists distributed via NDS in a single system image, a single point of administration and a uniform security model are rendered across all participating caches.

 

Deployment Experiences

Novell has deployed its proxy cache service at www.novell.com, at the border between the corporate intranet and the Internet, and is planning to front-end Novell’s technical support forum at support.novell.com. These experiences validate the performance and scalability of our proxy cache under production workloads and confirm our hypothesis that proxy cache accelerators do, in fact, greatly complement web servers by offloading a significant portion of the hit rate.

 

The HTTPD accelerator at www.novell.com runs on a Compaq Proliant 5000 Pentium Pro 200 with 128MB of memory and 8GB of cache space. The system is located at the Novell corporate headquarters in Provo, Utah, and is connected between the dual T3 Internet access provider links and the 100Mb Ethernet DMZ backbone. As an HTTPD accelerator running in front of www.novell.com, the cache front-ends multiple web servers on a round-robin basis. These consist of four web servers to publish www.novell.com and two web servers to publish support.novell.com.

 

The accelerator deployed at www.novell.com services 25% of the 1,100,000 hits per day of HTTP traffic with system utilization hovering around 5%. Based on this efficiency, we plan to increase www.novell.com acceleration to 50% of the total workload, with eventual 100% service as soon as possible. The accelerator service at support.novell.com will initially offload the significant bandwidth requirements of binary downloads and eventually handle all static content. When the proxy caches are fully deployed, we plan to reduce the www.novell.com web servers to two and the support.novell.com web servers to one. A second accelerator is planned for redundancy.

 

We are also in the process of deploying ICP proxy cache clusters in our intranet. We have completed the hierarchy design of the global intranet, which encompasses many regional sites and WAN links. The first intranet root cache has been deployed in the DMZ. Numerous departmental caches that link into the evolving corporate mesh are in production today.
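
The query/reply exchange that caches in such an ICP cluster use to locate objects can be sketched as follows. This is an added example, not BorderManager code: the field layout follows the ICPv2 specification (RFC 2186), the function names are hypothetical, and the parser rejects malformed datagrams because ICP arrives over unauthenticated UDP.

```python
import struct

# ICPv2 header (RFC 2186): opcode, version, length, request number,
# options, option data, sender host address = 20 bytes, network order.
HEADER = struct.Struct("!BBHIII4s")
ICP_VERSION, MAX_LEN = 2, 16384
OP_QUERY, OP_HIT, OP_MISS = 1, 2, 3
NO_ADDR = b"\x00" * 4


def build_icp(opcode, reqnum, url, requester=NO_ADDR):
    """Encode one ICPv2 message; a QUERY payload starts with the requester address."""
    payload = url.encode("ascii") + b"\x00"
    if opcode == OP_QUERY:
        payload = requester + payload
    length = HEADER.size + len(payload)
    if length > MAX_LEN:
        raise ValueError("ICP message too long")
    return HEADER.pack(opcode, ICP_VERSION, length, reqnum, 0, 0, NO_ADDR) + payload


def parse_icp(datagram):
    """Strictly decode one datagram; raise ValueError on anything malformed."""
    if not HEADER.size < len(datagram) <= MAX_LEN:
        raise ValueError("bad datagram size")
    opcode, version, length, reqnum, _, _, _ = HEADER.unpack_from(datagram)
    if version != ICP_VERSION:
        raise ValueError("unsupported ICP version")
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    payload = datagram[HEADER.size:]
    if opcode == OP_QUERY:
        payload = payload[4:]  # skip requester host address
    if len(payload) < 2 or payload[-1:] != b"\x00" or b"\x00" in payload[:-1]:
        raise ValueError("URL must be one non-empty null-terminated string")
    return opcode, reqnum, payload[:-1].decode("ascii")


def answer_query(datagram, cached_urls):
    """Sibling/parent side: reply HIT or MISS, echoing the request number and URL."""
    opcode, reqnum, url = parse_icp(datagram)
    if opcode != OP_QUERY:
        raise ValueError("not an ICP query")
    reply_op = OP_HIT if url in cached_urls else OP_MISS
    return build_icp(reply_op, reqnum, url)
```

The querying cache should accept a reply only if its request number and URL match an outstanding query.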

 

 

Long Term Objective

Novell is preparing to work with NLANR to introduce BorderManager proxy caches into the Global Mesh. We look forward to participating with NLANR and the greater research community in developing an architected cache infrastructure for the Internet. We would like to see the ICP evolve towards a more generic object location service, which supports multiple name spaces and their associated policy expressions.

 

We are continuing to integrate directory capabilities into the proxy caching service. We see this as necessary to improve the security and manageability of the distributed system of caches. An interesting discovery was that with a single system image of access controls, restricted objects can be securely cached and serviced at all nodes of the proxy cluster hierarchy.
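
The property described above holds only if every node evaluates the shared access controls on each request, cache hits included. The following added example (not Novell code) shows that check; the Directory class is a hypothetical stand-in for a directory-backed ACL shared by all nodes, and the cache is assumed to fetch from the origin under its own credentials.

```python
class Directory:
    """Hypothetical shared ACL store: every cache node consults the same instance."""

    def __init__(self):
        self._acl = {}  # restricted URL prefix -> set of users allowed to read it

    def restrict(self, prefix, users):
        self._acl[prefix] = set(users)

    def allowed(self, user, url):
        # Longest matching restricted prefix wins; unmatched URLs are public.
        matches = [p for p in self._acl if url.startswith(p)]
        if not matches:
            return True
        return user in self._acl[max(matches, key=len)]


class CacheNode:
    def __init__(self, directory, fetch_origin):
        self.directory = directory
        self.fetch_origin = fetch_origin  # callable(url) -> body bytes
        self.store = {}

    def get(self, user, url):
        """Return (status, body, from_cache).

        Authorization runs before the cache lookup, so a stored copy is never
        served on the strength of an earlier requester's rights.
        """
        if not self.directory.allowed(user, url):
            return 403, None, False
        if url in self.store:
            return 200, self.store[url], True
        body = self.fetch_origin(url)
        self.store[url] = body
        return 200, body, False
```

Because the decision is taken per request against the shared directory, revoking a user takes effect on every node without purging any cache.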

 

We are exploring the use of directory services to provide automated configuration of proxy server clusters and browser configurations, similar to those provided in the auto-config (PAC) files, but generated dynamically. This service looks promising as an enabler of transparent proxying.

 

Our ultimate goal is to provide commercially available technologies that provide uniform security, single point of administration, stellar performance, reliability and scalability through distributed caching of both the Internet and intranet object spaces.

 

 
