[125510] in North American Network Operators' Group


Re: Rate of growth on IPv6 not fast enough?

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Apr 19 06:54:49 2010

From: Florian Weimer <fw@deneb.enyo.de>
To: "Patrick W. Gilmore" <patrick@ianai.net>
Date: Mon, 19 Apr 2010 12:54:24 +0200
In-Reply-To: <2ECD9372-1E81-40D1-9D2C-7CFF6EA83F08@ianai.net> (Patrick
	W. Gilmore's message of "Sun, 18 Apr 2010 21:36:18 -0400")
Cc: North American Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

* Patrick W. Gilmore:

>> Reality is that as soon as SSL web servers and SSL-capable web
>> browsers have support for name-based virtual hosts, the number of
>> IPv4 addresses required will drop.  Right now, you need 1 IP
>> address for 1 SSL site; SNI spec of SSL gets rid of that.
>
> Agreed.
>
> When do you expect Windows XP & earlier versions to be a small enough
> segment of the userbase that businesses will consider DoS'ing those
> customers?   My guess is when the cost of additional v4 addresses is
> higher than the profit generated by those customers.
>
> Put another way: Not until it is too late.

I'm not so sure.  Name-based virtual hosting for plain HTTP was
introduced when Windows NT 4.0 was still in wide use.  It originally
came with Internet Explorer 2.0, which did not send the Host: header
in HTTP requests.

Anyway, I think the TLS thing is a bit of a red herring.  It might be
a popular justification for IP space at the formal level, but
real-world requirements are a bit more nuanced.  FTP and SSH/SFTP do
not support name-based virtual hosting, so if you're a web hoster and
structured things around "one IPv4 address per customer", then there
might be another obstacle to collapsing everything on a single IPv4
address.  It's also difficult to attribute DoS attackers at sub-HTTP
layers to a customer if everything is on a single IPv4 address, making
mitigation a bit harder.

