nanog mailing list archives

Re: IPv6 and HTTPS
From: Owen DeLong <owen () delong com>
Date: Thu, 25 Apr 2013 22:32:10 -0400

On Apr 25, 2013, at 9:47 PM, Jay Ashworth <jra () baylink com> wrote:

----- Original Message -----
From: "Chris Adams" <cmadams () hiwaay net>

Once upon a time, Jay Ashworth <jra () baylink com> said:
Does anyone know how much IPv4 space is allocated *specifically* to cater
to the fact that HTTPS requires a dedicated IP per DNS name?

Is that a statistically significant percentage of all the IPs in use?

I have no numbers, but my gut feeling is that there are a lot more
eyeballs than web servers with lots of IPs.

Fair point.  Though those are choked behind carriers who may well CGN
them whether the eyeballs like it or not.

That won't reduce the number of IPs they are consuming, it will just increase
the number of customers using them.

Wasn't there something going on to make HTTPS IP muxable? How's that

SNI; RFC 3546

How fast could it be deployed?

The RFC is just shy of 10 years old, so that's like a baby compared to

It is mostly deployed, but there's still a fair number of old clients
that don't support it. WinXP+IE is probably the biggest fail, followed
by Android < 3.0 and BlackBerry.

When you say "it is mostly deployed", what exactly do you mean?  Is it 
layer 7 or 4?  Does it live in libraries that can be upgraded behind
users' backs?  Or is it actually in the browser proper?  Or are you just 
talking about the server-side of the equation?

Browsers are the long-tail here. There are also some privacy concerns.

The good news is that most things which fully support IPv6 also support SNI.
The bad news is that most things that don't support IPv6 don't support SNI.

Guess what that means. ;-)
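
What the SNI extension (RFC 3546) discussed in this thread looks like on the wire, as an added example that is not part of the original messages: the client names the host it wants in a cleartext ClientHello extension, so one IP can serve many certificates, and a client that sends no extension can only be given a default certificate. The ClientHello bytes are constructed sample input, and `build_client_hello`, `parse_sni`, `select_cert` and the certificate labels are hypothetical names.

```python
import struct

def build_client_hello(hostname=None):
    """Constructed sample input: a minimal ClientHello record, with or without SNI."""
    body = b"\x03\x01" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"     # one cipher suite, null compression
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry            # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake: client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record: handshake

def parse_sni(record):
    """Return the cleartext host_name in a ClientHello, or None if no SNI was sent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    data = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    pos = 4 + 2 + 32                               # handshake header, version, random

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated ClientHello")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                               # session_id
    take(struct.unpack("!H", take(2))[0])          # cipher_suites
    take(take(1)[0])                               # compression_methods
    if pos == len(data):
        return None                                # no extensions at all: pre-SNI client
    ext_total = struct.unpack("!H", take(2))[0]
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", take(4))
        ext = take(ext_len)
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:
            return ext[5:5 + struct.unpack("!H", ext[3:5])[0]].decode("ascii")
    return None

def select_cert(record, certs, default):
    """Name-based virtual hosting on one IP; clients without SNI get the default cert."""
    return certs.get(parse_sni(record), default)
```

The hostname is read before any key exchange has happened, which is why it is visible to anyone on the path.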

