[30738] in North American Network Operators' Group
Re: ARIN Policy on IP-based Web Hosting
daemon@ATHENA.MIT.EDU (Roland Dobbins)
Tue Aug 29 19:29:45 2000
Message-ID: <39ABE3F3.3759D88B@netmore.net>
Date: Tue, 29 Aug 2000 09:25:23 -0700
From: Roland Dobbins <rdobbins@netmore.net>
Reply-To: rdobbins@netmore.net
To: Bill Fumerola <billf@chimesnet.com>
Cc: nanog@merit.edu

It's a far-*left* policy - "We're ARIN, and we know how best everyone's
resources should be allocated."

A far-right policy would be "Here are these IPs you've requested; use
them as you will, but don't come whining back to us for more because you
underestimated your initial request." This would be far preferable.

The SSL issue is a real one, and I don't know how to get around it. One
would assume that this would qualify as an 'exception'; however, how are
they going to verify what you're using them for? Are they going to nmap
your networks to see if you're really running SSL on the IPs you've
requested?

--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice

Bill Fumerola wrote:
>
> On Tue, Aug 29, 2000 at 06:43:30PM -0400, jlewis@lewis.org wrote:
>
> > Unless something's changed recently, SSL still requires IP based virtual
> > hosting. Here's a clipping from the c2.net Stronghold FAQ:
> >
> > Should I use name-based or IP-based virtual hosts?
> >
> > Name-based virtual hosts do not work with SSL because certificates are
> > sent before server names are established. Secure virtual hosts must be
> > either IP-based or port-based. IP-based virtual hosts are more
> > convenient, as users would have to remember the port numbers for
> > port-based virtual hosts.
>
> Nothing has changed. There still is a chicken/egg relationship with trying
> to do name-based virtual hosts with SSL.
>
> You have to know which certificate to present based on the name...
> and
> ... you don't know the name until the certificate exchange is complete.
>
> Speaking as an application provider who _has_ to have independent sites
> running SSL per customer, I still need a 1:1 relationship with IP and
> hosts.
>
> ARIN need to take a hit off the clue-pipe before coming down with
> such a far-right policy.
>
> --
> Bill Fumerola - Network Architect, BOFH / Chimes, Inc.
> billf@chimesnet.com / billf@FreeBSD.org
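
The ordering problem described in the quoted Stronghold FAQ, as an added example that is not part of either message: it parses a constructed TLS 1.0 ClientHello, the only client message a server has received when it must send its certificate, and shows that nothing in it names a site. The addresses, site names and the helper `pick_certificate` are hypothetical.

```python
import struct

def build_client_hello(cipher_suites=(0x000A, 0x0005)):
    """Constructed sample: a TLS 1.0 ClientHello record as a year-2000 browser would send."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x01"                              # client_version 3.1
            + bytes(32)                              # random (zeroed for the sample)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return every field the server has seen before it must send its certificate."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 34                                         # skip version + random
    pos += 1 + body[pos]                             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # compression methods
    return {"version": tuple(body[:2]), "cipher_suites": suites,
            "unparsed_bytes": body_len - pos}

def pick_certificate(certs, local_socket, hello):
    """Only the local (IP, port) distinguishes sites; hello holds nothing site-specific."""
    return certs[local_socket]

# Hypothetical hosting setup: documentation addresses and made-up site names.
NAME_BASED = {("192.0.2.10", 443): "cert for shop-a.example"}   # shop-b shares this IP
IP_BASED = {("192.0.2.10", 443): "cert for shop-a.example",
            ("192.0.2.11", 443): "cert for shop-b.example"}

if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello())
    print(hello)
    print("shop-b, shared IP:", pick_certificate(NAME_BASED, ("192.0.2.10", 443), hello))
    print("shop-b, own IP:   ", pick_certificate(IP_BASED, ("192.0.2.11", 443), hello))
```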