IPv6 could change things - Was: DMCA takedowns of networks
Not sure how much I believe of the article and its lack of detail and chopped quotes...but did HE really disconnect an entire downstream network over a DMCA notice, or did they null route a /32 that was used by a customer to host hundreds of virtual web sites?
Since the tools at a network operator's disposal are ACLs which make it easy to block traffic to a /32 without the need for deep packet inspection, one would expect that this regularly causes collateral damage if that /32 is a web server hosting hundreds of virtual websites. But, when IPv6 is a bit more common, there is no need for virtual hosters to share a single IP address between several sites. They may as well use a unique IPv6 address for every single site, even if they are all on the same server. The side effect of this is that it makes the network operator's tool sharper, and able to knock down single sites with a /32 ACL. For a hosting provider, I would think that this strengthens the business case for IPv6. --Michael Dillon
Michael Dillon wrote: [..]
[..] The side effect of this is that it makes the network operator's tool sharper, and able to knock down single sites with a /32 ACL.
You actually mean a /128 in the case of IPv6, the /32 would be the complete ISP...
For a hosting provider, I would think that this strengthens the business case for IPv6.
and they can just use a single /64 for a single 'virtual webhost', then assign a 32 bit customer-id and have every customer have 2^32 sites, bingo. Greets, Jeroen
On Tue, Oct 27, 2009 at 9:05 AM, Michael Dillon <wavetossed@googlemail.com> wrote:
But, when IPv6 is a bit more common, there is no need for virtual hosters to share a single IP address between several sites. They may as well use a unique IPv6 address for every single site, even if they are all on the same server. The side effect of this is that it makes the network operator's tool sharper, and able to knock down single sites with a /32 ACL.
For a hosting provider, I would think that this strengthens the business case for IPv6.
But do the commonly-used operating systems support adding hundreds or thousands of addresses to an interface, and what would the performance implications be? -- Jeff Ollie
Jeffrey Ollie wrote: [..]
But do the commonly-used operating systems support adding hundreds or thousands of addresses to an interface, and what would the performance implications be?
Remember that IP addresses are 128bits, while hostnames (the ones for the "Host:" header in the HTTP query) are well, quite a bit longer than that on average. If thus something like this would become common-place, there definitely will be quite some people who will be paying some attention on optimizing Apache. But yes, the network stack itself is a different question, then again, you can just route a /64 into the loopback device and let your apache listen there... (which also allows you to do easy-failover as you can move that complete /64 to a different box ;) Greets, Jeroen
On Tue, Oct 27, 2009, Jeroen Massar wrote:
But yes, the network stack itself is a different question, then again, you can just route a /64 into the loopback device and let your apache listen there... (which also allows you to do easy-failover as you can move that complete /64 to a different box ;)
Funny you should mention that. A couple of tricks I've seen: * instead of a linked list and O(n) searching of interface aliases, use some kind of tree to map local IP -> interface. * hacks to do a "bind to all damned IP addresses and let userspace sort it out". I've done the former for a few thousand aliases with no degredation in performance. The hacks available for freebsd-4.x for the Web Polygraph software did something similar. 2c, Adrian
Jeroen Massar wrote:
But yes, the network stack itself is a different question, then again, you can just route a /64 into the loopback device and let your apache listen there... (which also allows you to do easy-failover as you can move that complete /64 to a different box ;)
You are still comparing an application level decision to a stack level decision. Thousands of addresses on a stack could definitely pose an issue depending on the OS. Jack
On Tue, 27 Oct 2009 10:41:46 -0500 Jack Bates <jbates@brightok.net> wrote:
Jeroen Massar wrote:
But yes, the network stack itself is a different question, then again, you can just route a /64 into the loopback device and let your apache listen there... (which also allows you to do easy-failover as you can move that complete /64 to a different box ;)
You are still comparing an application level decision to a stack level decision. Thousands of addresses on a stack could definitely pose an issue depending on the OS.
Depends a bit on how the OS handles interface address assignments. Linux creates host routes in a separate 'local' route table, which you can see via ip route show table local or for IPv6 ip -6 route show table local which I think would suggest that Linux's interface address assignment scalability is as scalable as it's route table scalability. Performing concurrent IPv6 Duplicate Address Detection on that many addresses when the interface/host comes up might be an issue. Regards, Mark.
But do the commonly-used operating systems support adding hundreds or thousands of addresses to an interface, and what would the performance implications be?
Jeff Ollie
Last time I checked, and this may have changed, the limit in Linux was around 4096. In practice though, you also have to consider the physical limitations of the server itself. The biggest bang for the buck in dense hosting environments seems to be running about 1000 sites per box, with a few boxes dedicated to your heavy hitters with 100 or less ea. Until we start seeing IPv6-only hosting though, I suspect that we will see IPv6 address mirror the configuration of the IP assignments. Sites with dedicated IPs will have dedicated IPv6, sites with shared IP will have shared IPv6, if only to maintain sanity. If you're trying to make the case for IPv6 to hosting companies, you're barking up the wrong tree. IP address just became a scarce commodity, instead of providing you with a free IP address, the can now charge $100 a mo for one. They know darn well that it will take a while for every user to have IPv6 from their SP and that if you want to run a site you'll need access to the "legacy" IP Internet to reach your customers. On the bright side, this will encourage the market to adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a policy of decommissioning IP space as they reclaim it to prevent people from receiving new allocations as people begin to go IPv6-only, otherwise we'll be stuck with two Internets for a very long time. -- Ray Soucy Communications Specialist +1 (207) 561-3526 Communications and Network Services University of Maine System http://www.maine.edu/
-----Original Message----- From: Ray Soucy [mailto:rps@maine.edu] Sent: Tuesday, October 27, 2009 9:45 AM To: Jeffrey Ollie Cc: North American Network Operators Group Subject: Re: IPv6 could change things - Was: DMCA takedowns of networks
But do the commonly-used operating systems support adding hundreds or thousands of addresses to an interface, and what would the performance implications be?
Jeff Ollie
Last time I checked, and this may have changed, the limit in Linux was around 4096.
So in this circumstance you could route a /116 to the server. COOL!
In practice though, you also have to consider the physical limitations of the server itself. The biggest bang for the buck in dense hosting environments seems to be running about 1000 sites per box, with a few boxes dedicated to your heavy hitters with 100 or less ea.
So in this circumstance you could route a /118 to the server serving 1000 sites and a /125 to the server serving 100 sites. Also COOL!
Until we start seeing IPv6-only hosting though, I suspect that we will see IPv6 address mirror the configuration of the IP assignments. Sites with dedicated IPs will have dedicated IPv6, sites with shared IP will have shared IPv6, if only to maintain sanity.
This passes my smell and duh tests. :)
If you're trying to make the case for IPv6 to hosting companies, you're barking up the wrong tree. IP address just became a scarce commodity, instead of providing you with a free IP address, the can now charge $100 a mo for one. They know darn well that it will take a while for every user to have IPv6 from their SP and that if you want to run a site you'll need access to the "legacy" IP Internet to reach your customers. On the bright side, this will encourage the market to adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a policy of decommissioning IP space as they reclaim it to prevent people from receiving new allocations as people begin to go IPv6-only, otherwise we'll be stuck with two Internets for a very long time.
Agreed, except for one thing. ARIN shouldn't "decommission" IP space. The Internet will dictate that IPv4 will go away all on its own once IPv6 becomes the protocol of choice for enough of the net. At some point, the people who depend on IPv4 will not be able to pay for their providers supporting the IPv4 infrastructure as new devices become available that either only support IPv6, or don't implement a full suite of IPv4 to keep costs down. Also remember that at some point, there will be no IPv4 left. When this happens new entrants will suffer greatly at the hands of this circumstance. But we will get through it and there will be new sites that will be IPv6 only, then there will be demand for these sites, then there will be people who vote with their wallets for the new sites... Was I rambling there? :) In the end it will be economics that dictate a single protocol Internet. I am one who wishes we put a date in stone now to establish the "cut date" of IPv4 to IPv6, but that is unreasonable. This will take care of itself. _____________________________________ Brian Johnson Converged Network Engineer (CCNP, ENA) Dickey Rural Networks
Brian Johnson wrote:
Last time I checked, and this may have changed, the limit in Linux was around 4096.
So in this circumstance you could route a /116 to the server. COOL!
These days what we might at one point have refered to as a host or server may actually be a hardware container with N > 1 or so virtual systems... which may variously be: attached to the network via dedicated interface individual vlans a virtual bridge a layer-3 topology
In practice though, you also have to consider the physical limitations of the server itself. The biggest bang for the buck in dense hosting environments seems to be running about 1000 sites per box, with a few boxes dedicated to your heavy hitters with 100 or less ea.
So in this circumstance you could route a /118 to the server serving 1000 sites and a /125 to the server serving 100 sites. Also COOL!
How many ips you can park on a particular hardware container is probably bounded only by the over-subscription rate of what you intend to serve. Most of the superficial limits (macs on a bridge table, ips on an interface etc can be worked around in fairly simple fashion but the number of connections per second or pps rate a given hardware container can pass though whatever abstraction is applied is less fungible.
Until we start seeing IPv6-only hosting though, I suspect that we will see IPv6 address mirror the configuration of the IP assignments. Sites with dedicated IPs will have dedicated IPv6, sites with shared IP will have shared IPv6, if only to maintain sanity.
This passes my smell and duh tests. :)
If you're trying to make the case for IPv6 to hosting companies, you're barking up the wrong tree. IP address just became a scarce commodity, instead of providing you with a free IP address, the can now charge $100 a mo for one. They know darn well that it will take a while for every user to have IPv6 from their SP and that if you want to run a site you'll need access to the "legacy" IP Internet to reach your customers. On the bright side, this will encourage the market to adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a policy of decommissioning IP space as they reclaim it to prevent people from receiving new allocations as people begin to go IPv6-only, otherwise we'll be stuck with two Internets for a very long time.
Agreed, except for one thing. ARIN shouldn't "decommission" IP space. The Internet will dictate that IPv4 will go away all on its own once IPv6 becomes the protocol of choice for enough of the net. At some point, the people who depend on IPv4 will not be able to pay for their providers supporting the IPv4 infrastructure as new devices become available that either only support IPv6, or don't implement a full suite of IPv4 to keep costs down.
Also remember that at some point, there will be no IPv4 left. When this happens new entrants will suffer greatly at the hands of this circumstance. But we will get through it and there will be new sites that will be IPv6 only, then there will be demand for these sites, then there will be people who vote with their wallets for the new sites...
Was I rambling there? :) In the end it will be economics that dictate a single protocol Internet. I am one who wishes we put a date in stone now to establish the "cut date" of IPv4 to IPv6, but that is unreasonable. This will take care of itself.
_____________________________________ Brian Johnson Converged Network Engineer (CCNP, ENA) Dickey Rural Networks
Once upon a time, Jeffrey Ollie <jeff@ocjtech.us> said:
But do the commonly-used operating systems support adding hundreds or thousands of addresses to an interface, and what would the performance implications be?
I've got Linux (and even Windows) boxes with several hundred IPs bound today; I don't see why IPv6 addresses would be any different. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On Tue, Oct 27, 2009 at 02:05:36PM +0000, Michael Dillon wrote:
But, when IPv6 is a bit more common, there is no need for virtual hosters to share a single IP address between several sites. They may as well use a unique IPv6 address for every single site, even if they are all on the same server. The side effect of this is that it makes the network operator's tool sharper, and able to knock down single sites with a /32 ACL.
A /128 you mean. If you look in Apache's httpd/server/vhost.c, you may notice that the server locates addressed virtual hosts using a simple 32->8 bit integer reduction hash, which produces a well balanced hash table in typical virtual server applications (generally these servers get addresses in contiguous blocks). Named virtuals are relegated to an extra hash bucket, essentially placing them all on a single unsorted linear list, which is searched if a by-address match is not found. Probably in the modern day, the additional processing (and system calls) necessary to render a web object into a reply is significantly higher than the overhead to locate a virtual server even at these orders of magnitude, but it's interesting that the software works differently. -- David W. Hankins "If you don't do it right the first time, Software Engineer you'll just have to do it again." Internet Systems Consortium, Inc. -- Jack T. Hankins
participants (11)
-
Adrian Chadd
-
Brian Johnson
-
Chris Adams
-
David W. Hankins
-
Jack Bates
-
Jeffrey Ollie
-
Jeroen Massar
-
Joel Jaeggli
-
Mark Smith
-
Michael Dillon
-
Ray Soucy