[125515] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Apr 19 09:00:52 2010
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <87hbn7k90f.fsf@mid.deneb.enyo.de>
Date: Mon, 19 Apr 2010 09:00:10 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 19, 2010, at 6:54 AM, Florian Weimer wrote:
> * Patrick W. Gilmore:
>
>>> Reality is that as soon as SSL web servers and SSL-capable web
>>> browsers have support for name-based virtual hosts, the number of
>>> IPv4 addresses required will drop. Right now, you need 1 IP
>>> address for 1 SSL site; SNI spec of SSL gets rid of that.
>>
>> Agreed.
>>
>> When do you expect Windows XP & earlier versions to be a small enough
>> segment of the userbase that businesses will consider DoS'ing those
>> customers? My guess is when the cost of additional v4 addresses is
>> higher than the profit generated by those customers.
>>
>> Put another way: Not until it is too late.
>
> I'm not so sure. Name-based virtual hosting for plain HTTP was
> introduced when Windows NT 4.0 was still in wide use. It originally
> came with Internet Explorer 2.0, which did not send the Host: header
> in HTTP requests.
NT4 was never heavily adopted by users. Also, not nearly as many
billions were being sold on e-commerce sites.
> Anyway, I think the TLS thing is a bit of a red herring. It might be
> a popular justification for IP space at the formal level, but
> real-world requirements are a bit more nuanced. FTP and SSH/SFTP do
> not support name-based virtual hosting, so if you're a web hoster and
> structured things around "one IPv4 address per customer", then there
> might be another obstacle to collapsing everything on a single IPv4
> address. It's also difficult to attribute DoS attackers at sub-HTTP
> layers to a customer if everything is on a single IPv4 address, making
> mitigation a bit harder.
Since the vast majority of non-SSL HTTP is served off shared IP
addresses, I would have to disagree. Also, it is trivial to dump
FTP/SSH sessions into the correct directory on a shared backend system.
So SSL does seem to me to be the big problem with the hosting side of
the house.
But end of day, we do agree. I do not see the growth in certs being the
limiting factor here. There are far more users than websites, so even
if we could wave a magic wand and get back all HTTP/SSL IP addresses, we
would still have a large problem.
--
TTFN,
patrick