IPv6 and HTTPS

Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
networks:

Does anyone know how much IPv4 space is allocated *specifically* to cater
to the fact that HTTPS requires a dedicated IP per DNS name?

Is that a statistically significant percentage of all the IPs in use?

Wasn't there something going on to make HTTPS IP muxable? How's that coming?

How fast could it be deployed?

Cheers,
-- jra

[1] Ok, five questions.

Once upon a time, Jay Ashworth <jra@baylink.com> said:
> Does anyone know how much IPv4 space is allocated *specifically* to cater
> to the fact that HTTPS requires a dedicated IP per DNS name?
>
> Is that a statistically significant percentage of all the IPs in use?

I have no numbers, but my gut feeling is that there are a lot more
eyeballs than web servers with lots of IPs.

> Wasn't there something going on to make HTTPS IP muxable? How's that coming?

SNI; RFC 3546

> How fast could it be deployed?

The RFC is just shy of 10 years old, so that's like a baby compared to
IPv6.

It is mostly deployed, but there's still a fair number of old clients
that don't support it. WinXP+IE is probably the biggest fail, followed
by Android < 3.0 and BlackBerry.

We're a host catering to just ecommerce sites and consume an
IPv4 address for each site specifically because of SSL certs.
SNI (Server Name Indication) is what you're thinking of to let
SSL send the hostname as the handshake process begins and
does indeed eliminate the need for an exclusive IP (although
there will always be a high rate of people who avoid shared
IPs for SEO reasons since the search engines are doing nothing
to eliminate that concern). The problem with SNI is many
older, but still commonly used, browsers don't support it,
such as IE on Windows XP, which certainly won't disappear long
before address run-out is a distant memory.

My guess is amongst hosting providers, SSL is the cause for
much of the usage; I have no feel for how many IP addresses
are allocated towards hosts versus anything else though.

David

From: "Chris Adams" <cmadams@hiwaay.net>

> Once upon a time, Jay Ashworth <jra@baylink.com> said:
>> Does anyone know how much IPv4 space is allocated *specifically* to cater
>> to the fact that HTTPS requires a dedicated IP per DNS name?
>>
>> Is that a statistically significant percentage of all the IPs in use?
>
> I have no numbers, but my gut feeling is that there are a lot more
> eyeballs than web servers with lots of IPs.

Fair point. Though those are choked behind carriers who may well CGN
them whether the eyeballs like it or not.

>> Wasn't there something going on to make HTTPS IP muxable? How's that
>> coming?
>
> SNI; RFC 3546
>
>> How fast could it be deployed?
>
> The RFC is just shy of 10 years old, so that's like a baby compared to
> IPv6.
>
> It is mostly deployed, but there's still a fair number of old clients
> that don't support it. WinXP+IE is probably the biggest fail, followed
> by Android < 3.0 and BlackBerry.

When you say "it is mostly deployed", what exactly do you mean? Is it
layer 7 or 4? Does it live in libraries that can be upgraded behind
users' backs? Or is it actually in the browser proper? Or are you just
talking about the server-side of the equation?

Cheers,
-- jra

Sent: Thursday, April 25, 2013 9:47 PM
To: NANOG
Subject: Re: IPv6 and HTTPS

> When you say "it is mostly deployed", what exactly do you mean? Is it
> layer 7 or 4? Does it live in libraries that can be upgraded behind
> users' backs? Or is it actually in the browser proper? Or are you just
> talking about the server-side of the equation?

I'm guessing the browser may depend on some OS goodies based
on the fact that supposedly MS has said XP will never support
SNI.

The web server has to support it too, which means compiling
apache with SNI support and there are of course plenty of
hosts running old apache.

David

> From: "Chris Adams" <cmadams@hiwaay.net>
>
>> Once upon a time, Jay Ashworth <jra@baylink.com> said:
>>> Does anyone know how much IPv4 space is allocated *specifically* to cater
>>> to the fact that HTTPS requires a dedicated IP per DNS name?
>>>
>>> Is that a statistically significant percentage of all the IPs in use?
>>
>> I have no numbers, but my gut feeling is that there are a lot more
>> eyeballs than web servers with lots of IPs.
>
> Fair point. Though those are choked behind carriers who may well CGN
> them whether the eyeballs like it or not.

That won't reduce the number of IPs they are consuming, it will just increase
the number of customers using them.

>>> Wasn't there something going on to make HTTPS IP muxable? How's that
>>> coming?
>>
>> SNI; RFC 3546
>>
>>> How fast could it be deployed?
>>
>> The RFC is just shy of 10 years old, so that's like a baby compared to
>> IPv6.
>>
>> It is mostly deployed, but there's still a fair number of old clients
>> that don't support it. WinXP+IE is probably the biggest fail, followed
>> by Android < 3.0 and BlackBerry.
>
> When you say "it is mostly deployed", what exactly do you mean? Is it
> layer 7 or 4? Does it live in libraries that can be upgraded behind
> users' backs? Or is it actually in the browser proper? Or are you just
> talking about the server-side of the equation?

Browsers are the long-tail here. There are also some privacy concerns.

The good news is that most things which fully support IPv6 also support SNI.
The bad news is that most things that don't support IPv6 don't support SNI.

Guess what that means. :wink:

Owen

Well, sure, but for the hoster, it's a direct benefit, not an externality;
they have motive to fix it.

Cheers,
-- jra

From: "David Hubbard" <dhubbard@dino.hostasaurus.com>

>> The web server has to support it too, which means compiling
>> apache with SNI support and there are of course plenty of
>> hosts running old apache.
>
> Well, sure, but for the hoster, it's a direct benefit, not an externality;
> they have motive to fix it.

Sort of. Consider though that any clients of an SNI configured website
which don't support SNI will likely experience cert name mismatch
warnings, which is usually construed as a Bad Thing.

So in practice, there's not a lot of benefit/motive to support SNI
server side...

Cheers,
-- jra


>> Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
>> networks:
>>
>> Does anyone know how much IPv4 space is allocated *specifically* to cater
>> to the fact that HTTPS requires a dedicated IP per DNS name?
>
> It doesn't, or doesn't if your clients are not stuck in the past.
>
> TLS SNI has existed for a rather long time.
>
>> Is that a statistically significant percentage of all the IPs in use?
>>
>> Wasn't there something going on to make HTTPS IP muxable? How's that coming?
>
> there are stubborn legacy hosts.
>
>> How fast could it be deployed?
>
> you can use it now.

Sure, you "can".

But no one will. No one (especially someone doing SSL content) wants 99% connectivity. And there's a lot more than 1% XP out there. (Hrm, that explanation works to explain why to a couple decimal places 0% of the Internet is on v6 only today.)

Well, there are certainly people who no longer support IE6, e.g. Google, Facebook and so on. IE doesn't support it unless you run Vista or later, and it will work on XP if you use Firefox.

We use it with APIs and non-browser-based HTML5 applications with essentially no issues.

The market-share of some of the more problematic devices is in fact getting to the point where it is possible.

Just to give a numbers, in case anyone is interested - we have been passively
monitoring SSL traffic of ~300k users for more than a year (project description at
http://notary.icsi.berkeley.edu).

All in all, we see about 71% of the connections on port 443 using SNI.

And the only site I am aware of that uses SNI quite extensively is google - their servers
give different certificates to clients that do not support SNI and clients that support it.

Bernhard
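David's description earlier in the thread (SNI lets the client send the hostname as the handshake begins) and Bernhard's passive measurement of how many port-443 connections carry it both come down to one check: whether the ClientHello contains a server_name extension. The Python below is an added example, not code from this list or from the ICSI notary project. It builds constructed ClientHello records (labelled as such; nothing here is captured traffic), extracts the SNI host name with bounds-checked parsing of the record, handshake and extension layers as laid out in RFC 3546, and computes the share of hellos carrying SNI the way a passive monitor would. All function names and the sample hostnames are my own.

```python
# Added example: parse TLS SNI from ClientHello records and measure its prevalence.
# Not code from the thread or from the notary project; sample records are constructed here.
import struct
from typing import List, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (constructed sample, not a capture).

    With server_name=None the hello has no extensions block at all, which is what an
    SNI-less legacy client such as IE on Windows XP sends.
    """
    body = b"\x03\x01"                            # client_version = TLS 1.0
    body += b"\x00" * 32                          # random (zeros in this constructed sample)
    body += b"\x00"                               # session_id length = 0
    body += struct.pack("!H", 2) + b"\x00\x2f"    # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                           # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0), len, name
        name_list = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list # extension_type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext                    # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    None covers: not a handshake record, not a ClientHello, no extensions block
    (pre-SNI client), no server_name extension, or a truncated/malformed message.
    Every length field is bounds-checked so hostile input returns None instead of raising.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    ch = hs[4:4 + hs_len]
    if len(ch) < hs_len:
        return None                                   # truncated handshake body
    pos = 2 + 32                                      # skip client_version and random
    if len(ch) < pos + 1:
        return None
    pos += 1 + ch[pos]                                # session_id
    if len(ch) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    if len(ch) < pos + 1:
        return None
    pos += 1 + ch[pos]                                # compression_methods
    if len(ch) < pos + 2:
        return None                                   # no extensions block: legacy client
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    if end > len(ch):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        data = ch[pos:pos + ext_len]
        if len(data) < ext_len:
            return None
        pos += ext_len
        if ext_type != 0x0000:
            continue                                  # some other extension
        if len(data) < 2:
            return None
        names = data[2:2 + struct.unpack("!H", data[:2])[0]]
        p = 0
        while p + 3 <= len(names):                    # entries: name_type(1) length(2) name
            name_type = names[p]
            name_len = struct.unpack("!H", names[p + 1:p + 3])[0]
            name = names[p + 3:p + 3 + name_len]
            if len(name) < name_len:
                return None
            p += 3 + name_len
            if name_type == 0:
                try:
                    return name.decode("ascii")       # host_name is IDNA-encoded ASCII
                except UnicodeDecodeError:
                    return None
    return None


def sni_share(hellos: List[bytes]) -> float:
    """Fraction of the given ClientHello records carrying SNI (what a passive monitor reports)."""
    if not hellos:
        return 0.0
    return sum(1 for r in hellos if extract_sni(r) is not None) / len(hellos)


# Constructed sample: seven SNI-capable clients and three legacy clients (hypothetical names).
SAMPLE_HELLOS = [build_client_hello(f"shop{i}.example.net") for i in range(7)] \
    + [build_client_hello(None) for _ in range(3)]

if __name__ == "__main__":
    print(extract_sni(SAMPLE_HELLOS[0]), extract_sni(SAMPLE_HELLOS[-1]))
    print(f"{sni_share(SAMPLE_HELLOS):.0%} of sampled ClientHellos carry SNI")
```

A client that omits the extension entirely, as the XP/IE and pre-3.0 Android clients discussed in this thread do, drops out of the parser at the point where the extensions block should begin and is counted as non-SNI. The same extraction is what a server performs to pick which certificate to present (and why a non-SNI client gets the default one), and what a monitoring sensor can run to log the requested name without terminating TLS.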

>>> Ok, here's a stupid question[1], which I'd know the answer to if I ran
>>> bigger networks:
>>>
>>> Does anyone know how much IPv4 space is allocated *specifically* to
>>> cater to the fact that HTTPS requires a dedicated IP per DNS name?
>>
>> It doesn't, or doesn't if your clients are not stuck in the past.
>>
>> TLS SNI has existed for a rather long time.
>>
>>> Is that a statistically significant percentage of all the IPs in use?
>>>
>>> Wasn't there something going on to make HTTPS IP muxable? How's that
>>> coming?
>>
>> there are stubborn legacy hosts.
>>
>>> How fast could it be deployed?
>>
>> you can use it now.
>
> Sure, you "can".
>
> But no one will. No one (especially someone doing SSL content) wants 99%
> connectivity. And there's a lot more than 1% XP out there. (Hrm, that
> explanation works to explain why to a couple decimal places 0% of the
> Internet is on v6 only today.)

You like fuzzy math. OK.

http://tndh.net/~tony/ietf/ARIN-runout-projection.pdf

Hi Jay,

The DTC hosting control panel team had a chat about this issue earlier in the year.

http://gplhost.sg/lists/dtcdev/msg03482.html - Interesting reading.

I followed a little, but decided that SNI just isn't worth our time.

In my personal view, an hour spent on SNI is an hour wasted that I should be spending on IPv6.

There's still more than enough IPv4 space about, it's just going to get more and more expensive.

http://www.geekzone.co.nz/forums.asp?forumid=49&topicid=116328

I'm happy to put IP space costs on my customers to help fund my IPv6 progress where I can.

I agree with others that there is still way too much XP and other non-supporting platforms, and I suspect that by the time we get those out of the system we'll be most of the way there for IPv6 access.

I feel a bit like it's a case of "am I committed to IPv6 or not?".

D

If the hosting provider can still charge for IPv4 addresses, why would
they support SNI or IPv6 SSL :wink:

I have seen a CDN using certificates with tons of domain names in
subject alternative name. Old Symbian phones don't support SAN......

And heck, you don't even need to get rid of XP for IPv6 -- just enable the stack. (It's not the greatest implementation, but `ipv6 install` is still an easier sell than "replace your computer.")

      Jima

There's ways around it for most software but old jetdirect stuff, switches,
routers, ip control systems. Things are going to be 6to4 for a while. In
fact I won't be surprised to see little hardware boxes that do it for $30
or so (probably late with this idea but have no need to know).

I hope you mean NAT64; 6to4 is, at best, iffy to support. I do like the $30 hardware device idea, though -- I haven't seen anything like that yet.

  The majority of what I think of when you say "control systems" shouldn't be directly connected to the internet anyway, even with ACLs -- or so I gleaned from the nice folks from DHS. :wink:

      Jima

> There's ways around it for most software but old jetdirect stuff,
> switches, routers, ip control systems. Things are going to be 6to4 for a
> while. In fact I won't be surprised to see little hardware boxes that do
> it for $30 or so (probably late with this idea but have no need to know).

  I hope you mean NAT64; 6to4 is, at best, iffy to support. I do like
the $30 hardware device idea, though -- I haven't seen anything like
that yet.

I saw ads for such a device a couple of years ago.

This will work until you no longer have an IPv4 resolver available for DNS. After that, XP fails miserably.

Owen