IPv6 could change things - Was: DMCA takedowns of networks

Michael_Dillon4 · October 27, 2009, 2:05pm

Not sure how much I believe of the article and its lack of detail and
chopped quotes...but did HE really disconnect an entire downstream network
over a DMCA notice, or did they null route a /32 that was used by a customer
to host hundreds of virtual web sites?

Since the tools at a network operator's disposal are ACLs which make it easy to
block traffic to a /32 without the need for deep packet inspection,
one would expect
that this regularly causes collateral damage if that /32 is a web server hosting
hundreds of virtual websites.

But, when IPv6 is a bit more common, there is no need for virtual
hosters to share
a single IP address between several sites. They may as well use a
unique IPv6 address
for every single site, even if they are all on the same server. The
side effect of this is
that it makes the network operator's tool sharper, and able to knock
down single sites
with a /32 ACL.

For a hosting provider, I would think that this strengthens the
business case for IPv6.

--Michael Dillon

Jeroen_Massar1 · October 27, 2009, 2:13pm

Michael Dillon wrote:
[..]

[..] The
side effect of this is
that it makes the network operator's tool sharper, and able to knock
down single sites
with a /32 ACL.

You actually mean a /128 in the case of IPv6, the /32 would be the
complete ISP...

For a hosting provider, I would think that this strengthens the
business case for IPv6.

and they can just use a single /64 for a single 'virtual webhost', then
assign a 32 bit customer-id and have every customer have 2^32 sites, bingo.

Greets,
Jeroen

Jeffrey_Ollie · October 27, 2009, 2:20pm

But do the commonly-used operating systems support adding hundreds or
thousands of addresses to an interface, and what would the performance
implications be?

Jeroen_Massar1 · October 27, 2009, 2:32pm

Jeffrey Ollie wrote:
[..]

But do the commonly-used operating systems support adding hundreds or
thousands of addresses to an interface, and what would the performance
implications be?

Remember that IP addresses are 128bits, while hostnames (the ones for
the "Host:" header in the HTTP query) are well, quite a bit longer than
that on average.

If thus something like this would become common-place, there definitely
will be quite some people who will be paying some attention on
optimizing Apache.

But yes, the network stack itself is a different question, then again,
you can just route a /64 into the loopback device and let your apache
listen there... (which also allows you to do easy-failover as you can
move that complete /64 to a different box

Greets,
Jeroen

Adrian_Chadd · October 27, 2009, 2:39pm

Funny you should mention that.

A couple of tricks I've seen:

* instead of a linked list and O(n) searching of interface aliases, use
some kind of tree to map local IP -> interface.
* hacks to do a "bind to all damned IP addresses and let userspace sort
it out".

I've done the former for a few thousand aliases with no degredation
in performance. The hacks available for freebsd-4.x for the Web Polygraph
software did something similar.

2c,

Adrian

Ray_Soucy · October 27, 2009, 2:45pm

But do the commonly-used operating systems support adding hundreds or
thousands of addresses to an interface, and what would the performance
implications be?

Jeff Ollie

Last time I checked, and this may have changed, the limit in Linux was
around 4096.

In practice though, you also have to consider the physical limitations
of the server itself. The biggest bang for the buck in dense hosting
environments seems to be running about 1000 sites per box, with a few
boxes dedicated to your heavy hitters with 100 or less ea.

Until we start seeing IPv6-only hosting though, I suspect that we will
see IPv6 address mirror the configuration of the IP assignments.
Sites with dedicated IPs will have dedicated IPv6, sites with shared
IP will have shared IPv6, if only to maintain sanity.

If you're trying to make the case for IPv6 to hosting companies,
you're barking up the wrong tree. IP address just became a scarce
commodity, instead of providing you with a free IP address, the can
now charge $100 a mo for one. They know darn well that it will take a
while for every user to have IPv6 from their SP and that if you want
to run a site you'll need access to the "legacy" IP Internet to reach
your customers. On the bright side, this will encourage the market to
adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a
policy of decommissioning IP space as they reclaim it to prevent
people from receiving new allocations as people begin to go IPv6-only,
otherwise we'll be stuck with two Internets for a very long time.

Chris_Adams3 · October 27, 2009, 2:57pm

Once upon a time, Jeffrey Ollie <jeff@ocjtech.us> said:

But do the commonly-used operating systems support adding hundreds or
thousands of addresses to an interface, and what would the performance
implications be?

I've got Linux (and even Windows) boxes with several hundred IPs bound
today; I don't see why IPv6 addresses would be any different.

Jack_Bates · October 27, 2009, 3:41pm

Jeroen Massar wrote:

But yes, the network stack itself is a different question, then again,
you can just route a /64 into the loopback device and let your apache
listen there... (which also allows you to do easy-failover as you can
move that complete /64 to a different box

You are still comparing an application level decision to a stack level decision. Thousands of addresses on a stack could definitely pose an issue depending on the OS.

Jack

Brian_Johnson · October 27, 2009, 3:53pm

From: Ray Soucy [mailto:rps@maine.edu]
Sent: Tuesday, October 27, 2009 9:45 AM
To: Jeffrey Ollie
Cc: North American Network Operators Group
Subject: Re: IPv6 could change things - Was: DMCA takedowns of

networks

> But do the commonly-used operating systems support adding hundreds

or

> thousands of addresses to an interface, and what would the
performance
> implications be?
>
> Jeff Ollie

Last time I checked, and this may have changed, the limit in Linux was
around 4096.

So in this circumstance you could route a /116 to the server. COOL!

In practice though, you also have to consider the physical limitations
of the server itself. The biggest bang for the buck in dense hosting
environments seems to be running about 1000 sites per box, with a few
boxes dedicated to your heavy hitters with 100 or less ea.

So in this circumstance you could route a /118 to the server serving
1000 sites and a /125 to the server serving 100 sites. Also COOL!

Until we start seeing IPv6-only hosting though, I suspect that we will
see IPv6 address mirror the configuration of the IP assignments.
Sites with dedicated IPs will have dedicated IPv6, sites with shared
IP will have shared IPv6, if only to maintain sanity.

This passes my smell and duh tests.

If you're trying to make the case for IPv6 to hosting companies,
you're barking up the wrong tree. IP address just became a scarce
commodity, instead of providing you with a free IP address, the can
now charge $100 a mo for one. They know darn well that it will take a
while for every user to have IPv6 from their SP and that if you want
to run a site you'll need access to the "legacy" IP Internet to reach
your customers. On the bright side, this will encourage the market to
adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a
policy of decommissioning IP space as they reclaim it to prevent
people from receiving new allocations as people begin to go IPv6-only,
otherwise we'll be stuck with two Internets for a very long time.

Agreed, except for one thing. ARIN shouldn't "decommission" IP space.
The Internet will dictate that IPv4 will go away all on its own once
IPv6 becomes the protocol of choice for enough of the net. At some
point, the people who depend on IPv4 will not be able to pay for their
providers supporting the IPv4 infrastructure as new devices become
available that either only support IPv6, or don't implement a full suite
of IPv4 to keep costs down.

Also remember that at some point, there will be no IPv4 left. When this
happens new entrants will suffer greatly at the hands of this
circumstance. But we will get through it and there will be new sites
that will be IPv6 only, then there will be demand for these sites, then
there will be people who vote with their wallets for the new sites...

Was I rambling there? In the end it will be economics that dictate a
single protocol Internet. I am one who wishes we put a date in stone now
to establish the "cut date" of IPv4 to IPv6, but that is unreasonable.
This will take care of itself.

David_W_Hankins · October 27, 2009, 6:00pm

A /128 you mean.

If you look in Apache's httpd/server/vhost.c, you may notice that the
server locates addressed virtual hosts using a simple 32->8 bit
integer reduction hash, which produces a well balanced hash table in
typical virtual server applications (generally these servers get
addresses in contiguous blocks).

Named virtuals are relegated to an extra hash bucket, essentially
placing them all on a single unsorted linear list, which is searched
if a by-address match is not found.

Probably in the modern day, the additional processing (and system
calls) necessary to render a web object into a reply is significantly
higher than the overhead to locate a virtual server even at these
orders of magnitude, but it's interesting that the software works
differently.

Joel_Jaeggli · October 28, 2009, 5:23am

Brian Johnson wrote:

Last time I checked, and this may have changed, the limit in Linux was
around 4096.

So in this circumstance you could route a /116 to the server. COOL!

These days what we might at one point have refered to as a host or
server may actually be a hardware container with N > 1 or so virtual
systems... which may variously be:

attached to the network via dedicated interface
individual vlans
a virtual bridge
a layer-3 topology

In practice though, you also have to consider the physical limitations
of the server itself. The biggest bang for the buck in dense hosting
environments seems to be running about 1000 sites per box, with a few
boxes dedicated to your heavy hitters with 100 or less ea.

So in this circumstance you could route a /118 to the server serving
1000 sites and a /125 to the server serving 100 sites. Also COOL!

How many ips you can park on a particular hardware container is probably
bounded only by the over-subscription rate of what you intend to serve.
Most of the superficial limits (macs on a bridge table, ips on an
interface etc can be worked around in fairly simple fashion but the
number of connections per second or pps rate a given hardware container
can pass though whatever abstraction is applied is less fungible.

Mark_Smith1 · October 28, 2009, 5:35am

Depends a bit on how the OS handles interface address assignments.
Linux creates host routes in a separate 'local' route table, which you
can see via

ip route show table local

or for IPv6

ip -6 route show table local

which I think would suggest that Linux's interface address assignment
scalability is as scalable as it's route table scalability.

Performing concurrent IPv6 Duplicate Address Detection on that many
addresses when the interface/host comes up might be an issue.

Regards,
Mark.