 
PORKINet: Proxy Network Integrator

Jim Hong, Kaisen Lin, Taurin Tan-atichat

Abstract

We present PORKINet, a scalable peer-to-peer network of web proxy servers integrated to allow transparent access to websites that restrict access based on source domain. This allows security policies to be structured around content rather than domains. A client can connect to any PORKINet web proxy and access all content that is available to the network. It maintains acceptable performance and high availability by caching routes to eligible web proxy servers while falling back to a distributed hash table in the event of server failures. Periodic heartbeat messages and timeouts are used to ensure that nodes with proper access capabilities can be found when needed. Our initial experimental results show that PORKINet can scale with 10MB/sec per node and provide reasonable latency.

1. INTRODUCTION

This recent decade has seen a monumental growth in Internet media ranging from magazine articles, journals, music, television programs, and movies. However, as the amount of Internet media increases, so does the management overhead of restricting content to only authorized audiences. One solution is domain-based content restriction. That is, only users from a specific domain or class of domains are allowed to access the content. Online television networks use this technique to restrict their audience to a specific geographic region. Scientific journals also use this technique to give university students access to their online archives.

In order to allow students to access restricted content from off campus, universities often employ proxy servers that forward requests on behalf of the client. While this is a usable solution, it is fundamentally restricted to the domain of that particular university. This is problematic, for example, if a researcher affiliated with multiple universities would like to access the aggregate of all the university resources. Currently, the researcher would have to explicitly change proxy servers for each access. It would be much more convenient to only have to specify one proxy server and have requests for any content be automatically forwarded to the appropriate proxy server in such a way that would allow access. PORKINet is a network of web proxy servers that aims to achieve this goal.

We organize the remainder of the paper in the following way. Section 2 provides background and motivation for PORKINet. Section 3 discusses various web proxy servers and how they relate to PORKINet. Sections 4 and 5 describe and evaluate the PORKINet architecture and PORKI protocol in more detail including its numerous design decisions. Then we discuss future work and conclude in Sections 6 and 7, respectively.

2. BACKGROUND

Proxy servers are a popular method for serving content to a client. They provide a variety of functions depending on how they are used. Examples include content caching, load balancing, and access rights management. This paper deals primarily with access rights management.

Web proxy servers are often used to allow users that are outside of a domain to access content restricted to the domain by forwarding requests on behalf of the user. For example, a web proxy server is often used by universities to allow students to access restricted content while off-campus. However, a student affiliated with two universities would have to change proxy servers explicitly if one campus had access to content that the other did not.

Another example is when a consortium of organizations combine together to work on a common project. We give a concrete example. Suppose organizations Bread, Peanut Butter, and Jelly want to design a new kind of sandwich designated Project SNACK. SNACK is comprised of members from each organization. The SNACK team would like that each project member be able to access resources on snack.bread.org, snack.pb.org, and snack.jelly.org.

A simple solution is to have each company set up a proxy server that allows access to each individual subdomain. However, this is rather inconvenient because anytime a team member wants to access content from a different organization's web server, it must switch its proxy server. A better solution would be to have a single proxy server that has access to all three servers, but only on the snack.XX.org subdomain. Thus access should be on the nature of the content, not on the domain itself.

Our solution, PORKINet, creates the illusion of a single web proxy server that exactly solves this problem. PORKINet allows users to connect to a single PORKINet node and requests to restricted content are automatically directed to the correct node. Routing of requests is transparent to the user, and all the user must do is configure to use one of the PORKINet nodes in the network. Although there are many web proxies available, none of the other systems serves the need that PORKINet fulfills.

3. RELATED WORK

There are numerous web proxy servers, such as CoDeeN [7] and Coral [2], but most of them focus on content caching and local routing for high performance. PORKINet, in contrast, focuses on content access. Although the goals are different, PORKINet borrows several ideas from other web proxy servers. The first is the use of a periodic heartbeat message to determine when nodes fail, which is done by CoDeeN. Another is its use of a distributed hash table (DHT) for locating nodes to route to.

DHTs provide a scalable and decentralized way of storing key/value pairs. They provide a put and get interface. There are numerous DHT implementations such as Chord [6], Pastry [5], and Bamboo [4]. We use the Bamboo DHT in PORKINet.

Summary Cache [1] is a protocol used to help reduce overhead of communication between cooperating proxy servers. It is also directed for use with proxy servers that cache content. We explore how to use similar techniques for PORKINet in Section 6.1.

4. PORKI

PORKINet uses the PORKI protocol to route requests to the correct nodes. When a user requests content through a PORKINet client proxy, PORKI determines the manager in charge of that content and contacts the manager. The manager responds with the proper content proxy that should handle the request, possibly even itself. The client proxy then forwards the request to the content proxy and the request is fulfilled. To deal with churn throughout the network, PORKI uses a periodic heartbeat message to deter-

main that it can access. Requests to a certain domain in that network are routed to PORKINet nodes with that capability.

The PORKI protocol has three different roles, one of which only occurs in certain situations. The roles are:

1. Client Proxy: As a client proxy, PORKI must service client requests and forward the request to a proxy which actually has access rights.

2. Content Proxy: As a content proxy, PORKI must fetch from the original content web server and return results back to the client proxy that requested from it.

3. Manager Proxy: The manager proxy role is to enable client proxies to determine what content proxies are available. A client proxy finds a manager by querying the DHT with a get on the desired capability which should return the manager's IP address. The manager is responsible for keeping the DHT entry up to date.

Thus a client proxy can determine a PORKI node with the right capabilities via the DHT. Figure 1 gives an overview of how a request is handled in PORKINet. In the following sections, we describe in more detail how we handle node discovery, node failures, and content requests.

Figure 1: System Overview of PORKINet - (1) User requests content from snack.pb.org. (2) Client Proxy consults DHT to find Manager Proxy. (3) Manager Proxy returns a Content Proxy for Client Proxy to use. (4) Client Proxy forwards request to Content Proxy. (5) Content Proxy requests content from Web Server. (6) Web Server returns requested content. (7) Content Proxy forwards requested content. (8) Client Proxy forwards requested content.

4.1 Node Discovery and Groups

When a new PORKINet node starts, it needs to contact a node in the DHT that is holding capability/IP data. This can be obtained through a fixed directory. Once it knows about the DHT, it queries for a PORKINet node with the same capability as itself. If none is found, the new node will put itself into the DHT as manager for that capability. If a manager is instead found, PORKI adds the manager to its peer list and sends a heartbeat message.

Heartbeat messages are short UDP packets designed to notify other PORKINet nodes that a node is alive. When PORKI receives a heartbeat message from an unknown address, it immediately adds the new address to its peer list and sends the peer list via TCP to the new node. The peer list is a set of PORKINet nodes that have the same capabilities. TCP is used instead of UDP because it is important to get the peer list as soon as possible in order to begin participation. Notice that each PORKINet node need not know about every other PORKINet node, only the ones that have common capabilities.

Each PORKINet node in a peer list is designated as either a peer or a manager. This designation is important later when PORKINet nodes fail. The PORKINet nodes in a peer list form a view of the current participants for a given capability. However, each node's peer list is not required to be consistent with the peer list of others in the group. We take the anti-entropy approach presented in Bayou [3] because PORKINet servers may come and go and we do not want the service to stop in times of churn.
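
The following sketch is an added example, not code from the paper or from the PORKINet implementation: it models the Section 4.1 join procedure and the manager lookup of Figure 1 in memory. The class and function names, the 192.0.2.x addresses, and the rule for choosing a content proxy are assumptions; heartbeats and peer-list transfers are modelled as plain method calls.

```python
# Added illustration, not the authors' code; network messages are method calls.
class DHT(dict):
    """Stand-in for the put/get interface; the paper uses Bamboo."""
    def put(self, capability, manager_addr):
        self[capability] = manager_addr

class Node:
    def __init__(self, addr, capability, dht, net):
        self.addr, self.capability, self.dht, self.net = addr, capability, dht, net
        self.peers = {}                      # addr -> "manager" or "peer"
        net[addr] = self

    def join(self):
        manager = self.dht.get(self.capability)
        if manager is None:                  # nobody serves this capability yet
            self.dht.put(self.capability, self.addr)
            return "manager"
        self.peers[manager] = "manager"
        self.net[manager].on_heartbeat(self.addr)   # stands in for the UDP heartbeat
        return "peer"

    def on_heartbeat(self, sender):
        if sender in self.peers:
            return                           # known node: no peer list is sent
        self.peers[sender] = "peer"
        is_mgr = self.dht.get(self.capability) == self.addr
        view = {**self.peers, self.addr: "manager" if is_mgr else "peer"}
        self.net[sender].on_peer_list(view)  # stands in for the TCP transfer

    def on_peer_list(self, view):
        for addr, role in view.items():
            if addr != self.addr:
                self.peers.setdefault(addr, role)

    def pick_content_proxy(self):
        # Assumed policy; the paper only says "possibly even itself".
        return max([self.addr, *self.peers])

def route(client, capability):
    """Client-proxy side of Figure 1, steps 2-3: DHT get, then ask the manager."""
    manager = client.dht.get(capability)
    return client.net[manager].pick_content_proxy() if manager else None

def demo():
    dht, net = DHT(), {}
    a, b, c = (Node(f"192.0.2.{i}", "snack.pb.org", dht, net) for i in (1, 2, 3))
    client = Node("192.0.2.9", "snack.bread.org", dht, net)
    roles = [n.join() for n in (a, b, c, client)]
    return roles, b.peers, c.peers, route(client, "snack.pb.org")
```

In the demo, node 192.0.2.2 does not learn about 192.0.2.3 during the join, which is the kind of inconsistent peer-list view the text says is allowed within a group.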
