Home page logo
/

nanog logo nanog mailing list archives

Re: IPv6 and HTTPS
From: Bernhard Amann <bernhard () ICSI Berkeley EDU>
Date: Thu, 25 Apr 2013 22:30:57 -0700


On Apr 25, 2013, at 9:27 PM, Patrick W. Gilmore <patrick () ianai net> wrote:

On Apr 26, 2013, at 00:19 , joel jaeggli <joelja () bogus com> wrote:
On 4/25/13 6:24 PM, Jay Ashworth wrote:

Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
networks:

Does anyone know how much IPv4 space is allocated *specifically* to cater
to the fact that HTTPS requires a dedicated IP per DNS name?
It doesn't, or doesn't if if your clients are not stuck in the past.

TLS SNI has existed for a rather long time.
Is that a statistically significant percentage of all the IPs in use?

Wasn't there something going on to make HTTPS IP muxable?  How's that coming?
there are stuborn legacy hosts.
How fast could it be deployed?
you can use it now.

Sure, you "can".

But no one will. No one (especially someone doing SSL content) wants 99% connectivity. And there's a lot more than 1% 
XP out there. (Hrm, that explanation works to explain why to a couple decimal places 0% of the Internet is on v6 only 
today.)

Just to give a numbers, in case anyone is interested - we have been passively
monitoring SSL traffic of ~300k users for more than a year (project description at 
http://notary.icsi.berkeley.edu).

All in all, we see about 71% of the connections on port 443 using SNI.

And the only site I am aware of that uses SNI quite extensively is google - their servers
give different certificates to clients that do not support SNI and clients that support it.

Bernhard



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]