For migrating enterprise Web services from IPv4 to IPv6, simply making a Web server IPv6-ready is a weak solution that raises serious problems. For example, users experience errors when they request services that do not yet support IPv6. In addition, this approach requires that the organization network be protected from malicious IPv6 access, although no total security solution for IPv6, such as a firewall, exists. To address these issues, we have developed a high-performance IPv6-enabled reverse proxy server that provides a practical strategy for migrating enterprise Web services to IPv6. Its key techniques include an efficient memory-based cache algorithm designed specifically for reverse proxies and a flexible service filter that allows administrators to manage services intensively for both IPv4 and IPv6. Our reverse proxy server also conforms well to the current IPv4 security framework.
IPv6, migration to IPv6, Web caching, reverse proxy server, enterprise service
IPv6 will be vital in the near future for connecting every kind of electronic device to the Internet. Such devices include, for example, PDAs, cellular phones, automobiles, air conditioners, microwave ovens, refrigerators and various kinds of home appliances. Consequently, supporting IPv6 is an urgent task for services on the Internet, especially for Web services. Today, the Web is the common interface to all services on the Internet.
The simplest but weak solution for making a Web service IPv6-ready is a Web server that supports both IPv4 and IPv6, e.g., Apache with an IPv6/IPv4 dual stack. Because the essence of a Web service is to connect various services to each other, making a single server IPv6-ready causes various errors in the services that do not yet support IPv6.
Another solution is to duplicate the system, with one copy for IPv4 and the other for IPv6. With this solution, we can remove the errors by modifying links to the services that are not ready for IPv6. However, this solution raises the content management cost because the administrator has to keep two sets of Web content consistent.
We also have to consider IPv6 support for enterprise services. Unfortunately, there are no IPv6 server load balancing solutions such as Layer 4/7 switches. In addition, we cannot ignore security issues. In fact, there are almost no total security solutions for IPv6. If an IPv6-enabled host is connected to an organization network without much attention to security, the host can undermine the IPv4 organization network, which is likely protected by some security system such as a firewall.
We obviously need a practical strategy for migration to IPv6, i.e., the introduction of IPv6 services should not exert any influence on the current IPv4 services, including their performance and security framework. Consequently, the solution for the migration should meet the following two requirements: 1) isolation from the current IPv4 Web service, and 2) high performance and low cost for the IPv6 service. The goal of this study is to develop a realistic and incremental solution that meets these requirements.
The IPv6 service should be isolated not only logically but also physically from the current IPv4 services. IPv6 has in fact been designed with much regard to peaceful coexistence with IPv4 [1, 2, 3]. However, IPv6 is still at an early stage of deployment and its implementations can still contain bugs. We need to protect the IPv4 services from IPv6 service failures.
Because a huge number of requests arrive at enterprise Web servers, the solution should provide high performance to handle them. On the other hand, the operation cost of the IPv6 service, e.g., content management cost, network cost, and security cost, should be low enough. Of course, no extra cost is allowed for the current IPv4 Web services to support IPv6.
Based on the considerations described in the previous section, we have developed a high-performance reverse proxy server that enables enterprise Web services to migrate gradually from IPv4 to IPv6. It is highly portable and runs on various Unix platforms. Here, we describe three key technologies implemented in our proxy server, i.e., IPv6 support on a reverse proxy server, an efficient memory cache, and a flexible service filter.
To minimize the influence on the current IPv4 Web services, a reverse proxy server is currently the best solution for several reasons. First, a reverse proxy server does not require any modification to the running IPv4 services. Second, cache technologies can be applied on the proxy server to keep the number of requests forwarded to the Web servers extremely low. Because the total volume of content the reverse proxy server handles is relatively small (usually under several gigabytes), the reverse proxy server can achieve a high hit ratio. Lastly, we can preserve the security of the IPv4 world by setting up the proxy server outside the firewall of the IPv4 organization network. This prevents the IPv6 proxy server from becoming a backdoor host that breaks the security of the network.
Enterprise services demand considerably high performance. For example, such a server may receive over 1,000 requests per second. To handle such a high arrival rate of requests, a memory-based cache technology is a good candidate. However, the total amount of memory available on a server host is highly limited. In addition, the memory is shared among the kernel, network and file system buffers, other processes, and the proxy server. To optimize the memory usage for the object cache, we have designed a new memory cache algorithm specifically for a reverse proxy server. It is a hybrid algorithm based on LFU, LRU, and an object aging technique that uses the access count of each object in the cache to keep up with changes in the content working set. Its high performance, the ability to handle over 1,000 requests per second with a single 450MHz Pentium II and only 200MB of memory for the object cache area, was proved through benchmark tests with Web Polygraph [4] at the 4th Cache-Off [5]. It was also operated to provide Web services for the National High School Baseball Tournament in Japan [6].
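To make the interplay of LFU, LRU and aging concrete, here is an added sketch; it is not the authors' algorithm, whose details the text does not give. The halve-on-interval aging rule, the `age_every` parameter and the request trace are assumptions constructed for illustration.

```python
import itertools

class HybridCache:
    """Byte-bounded cache: evict the lowest access count (LFU), break ties by
    least recent use (LRU), and halve every count periodically (aging)."""

    def __init__(self, capacity_bytes, age_every):
        self.capacity, self.used = capacity_bytes, 0
        self.age_every = age_every        # assumed: aging interval in requests
        self.requests = 0
        self.clock = itertools.count()    # logical time for recency
        self.store = {}                   # url -> [body, count, last_used]

    def get(self, url):
        self.requests += 1
        if self.requests % self.age_every == 0:
            for entry in self.store.values():
                entry[1] //= 2            # old popularity decays
        entry = self.store.get(url)
        if entry is None:
            return None                   # miss: caller fetches from origin
        entry[1] += 1
        entry[2] = next(self.clock)
        return entry[0]

    def put(self, url, body):
        if len(body) > self.capacity:
            return False                  # would never fit; do not cache
        if url in self.store:
            self.used -= len(self.store.pop(url)[0])
        while self.used + len(body) > self.capacity:
            victim = min(self.store, key=lambda u: self.store[u][1:])
            self.used -= len(self.store.pop(victim)[0])
        self.store[url] = [body, 1, next(self.clock)]
        self.used += len(body)
        return True

def replay(age_every):
    """Constructed trace: /old is hot first, then the working set moves to /new."""
    cache = HybridCache(capacity_bytes=20, age_every=age_every)
    cache.put("/old", b"o" * 10)
    for _ in range(12):
        cache.get("/old")
    cache.put("/new", b"n" * 10)
    for _ in range(8):
        cache.get("/new")
    cache.put("/x", b"x" * 10)            # forces one eviction
    return sorted(cache.store)

if __name__ == "__main__":
    print(replay(4), replay(10**9))
```

With aging every 4 requests the stale `/old` object is evicted; with aging effectively disabled, pure LFU keeps `/old` and evicts the currently popular `/new`.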
As mentioned earlier, supporting IPv6 on the Web requires careful consideration of link errors. Link errors are embarrassing for any Web site, especially for commercial ones, because they are evidence of poor administration. However, modifying such links one by one across all the content on the server is a difficult and expensive task. In our solution, we can use a URL map that describes the relationship between the links that cause errors and the links to corresponding messages that notify users that the service they request is currently not available on IPv6. Our proxy server navigates the user to the messages automatically with 301 Moved Temporarily responses. With this technique, the Web pages for IPv6 are managed intensively and their management cost is reduced.
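The URL-map filter described above can be sketched as follows. This is an added example, not the proxy's own code: the map entries, notice-page paths and function names are constructed, and treating IPv4-mapped addresses as IPv4 and normalizing the path before lookup are assumptions about how a careful implementation would behave.

```python
import ipaddress
from urllib.parse import unquote

# Constructed URL map: path prefix of a service that is not IPv6-ready -> notice page.
URL_MAP = {
    "/shop/": "/v6/notice/shop.html",
    "/shop/checkout/": "/v6/notice/checkout.html",
    "/stream/": "/v6/notice/stream.html",
}

def is_ipv6_client(addr):
    """Native IPv6 peers only; IPv4-mapped addresses (::ffff:a.b.c.d) count as IPv4."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip.ipv4_mapped is None

def normalize(path):
    """Decode once and resolve '.', '..' and '//' so equivalent spellings of a
    path hit the same map entry."""
    parts = []
    for seg in unquote(path.split("?", 1)[0]).split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def route(client_addr, path, url_map=URL_MAP, status=301):
    """Return ('forward', path) or ('redirect', status, location).
    status defaults to the 301 the text names; it is a parameter here."""
    if not is_ipv6_client(client_addr):
        return ("forward", path)          # IPv4 traffic is never touched
    clean = normalize(path) + "/"
    matches = [p for p in url_map if clean.startswith(p)]
    if not matches:
        return ("forward", path)
    # Longest matching prefix wins, so a sub-service can have its own notice.
    return ("redirect", status, url_map[max(matches, key=len)])
```

Because the decision is made at the proxy from one map, no page on the origin server has to be edited when a service becomes IPv6-ready; its entry is simply removed.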
As an experiment on IPv6, our reverse proxy server was demonstrated at the IPv6 exhibition of Net.Liferium 2001 [7]. It served the Web site of Mainichi Broadcasting System, Inc. (MBS) to IPv6 users on the IPv6 Net.Liferium network. The origin server is hosted by NTT Smart Connect Corporation (SMC). Fig. 1 depicts the experimental networks for the exhibition. There, it was proved that the basic functions of our reverse proxy server, such as IPv6-IPv4 translation and service filtering, work well. As future work, we will test our proxy server under a higher and longer load in cooperation with the Cyber Kansai Project [8].
Today, several popular operating systems such as Linux, BSD variants, Solaris, and Windows 2000/XP already support IPv6, and simply making a piece of software IPv6-ready is an easy task. However, in the case of Web services, we must consider the service architecture in order to provide IPv6 service, because there are many potential problems. As a solution to these problems, we have developed a new reverse proxy server that enables enterprise Web services to migrate gradually from IPv4 to IPv6. Our reverse proxy server provides performance high enough for enterprise services, good conformity to the current IPv4 security framework, and an easy content management scheme that avoids IPv6-related errors.