[162590] in North American Network Operators' Group


Re: IPv6 and HTTPS

daemon@ATHENA.MIT.EDU (Bernhard Amann)
Fri Apr 26 02:15:55 2013

From: Bernhard Amann <bernhard@ICSI.Berkeley.EDU>
In-Reply-To: <7C8838A3-70FA-478A-97E3-3F1F09FC4E15@ianai.net>
Date: Thu, 25 Apr 2013 22:30:57 -0700
To: "Patrick W. Gilmore" <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Apr 25, 2013, at 9:27 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:

> On Apr 26, 2013, at 00:19 , joel jaeggli <joelja@bogus.com> wrote:
>> On 4/25/13 6:24 PM, Jay Ashworth wrote:
>
>>> Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
>>> networks:
>>>
>>> Does anyone know how much IPv4 space is allocated *specifically* to cater
>>> to the fact that HTTPS requires a dedicated IP per DNS name?
>> It doesn't, or doesn't if your clients are not stuck in the past.
>>
>> TLS SNI has existed for a rather long time.
>>> Is that a statistically significant percentage of all the IPs in use?
>>>
>>> Wasn't there something going on to make HTTPS IP muxable?  How's that coming?
>> there are stubborn legacy hosts.
>>> How fast could it be deployed?
>> you can use it now.
>
> Sure, you "can".
>
> But no one will. No one (especially someone doing SSL content) wants 99% connectivity. And there's a lot more than 1% XP out there. (Hrm, that explanation works to explain why to a couple decimal places 0% of the Internet is on v6 only today.)

Just to give some numbers, in case anyone is interested - we have been passively
monitoring SSL traffic of ~300k users for more than a year (project description at
http://notary.icsi.berkeley.edu).

All in all, we see about 71% of the connections on port 443 using SNI.

And the only site I am aware of that uses SNI quite extensively is Google - their servers
give different certificates to clients that do not support SNI and clients that support it.

Bernhard


