ARIN: No More IP's For IP-Based Virtual Hosts

Mike writes: "ARIN (the guys who hand out IP addresses) has a policy change where they will no longer allocate IP addresses for IP-based virtual hosting. They are expecting everyone to move to name-based hosting now. ARIN is solicting comments to their public policy mailing list: ppml@arin.net. What do you guys think? Is name based virtual hosting ready for prime time?"

host header is fine.. unless....

[posilipo]

APNIC (Asia Pacific NIC) has had a "move to host header" policy for awhile now, and when we ask for more addresses (we presently have a request for a large block in with them), they want to see your network address plan, and they want to see how many host header boxes versus how many IP'd webservers you have.

Host header, as dirty a word as it is, seems to work fine (we use Micro$oft IIS, ugh) - oh. there's one sticking point. You cant use bundle per-virtual-server anonymous FTP access on the domain name to clients. This minor problem aside, I think it's a good thing. The number of borign web sites we have wasting IP addresses haunts me every time I open that address database...

Re:host header is fine.. unless....

[Jason+Straight]

Unless you also use the IP# to limit bandwidth. Granted now for email aliases I'll have to go to normal pop3 and my customers will have to login as user@domain.com, I can deal with that, but how am I supposed to measure or shape bandwidth reliably with name based hosting?

Re:host header is fine.. unless....

[Alex+Pennace]

You cant use bundle per-virtual-server anonymous FTP access on the domain name to clients.

Just use HTTP for what you were using anonymous FTP for. Current HTTP implementations are a little slower than current FTP implementations, but HTTP is much easier to cache and proxy. Go with HTTP.

Re:host header is fine.. unless....

[Cramer]

Umm, in a word, NO .

((HTTP != FTP) && (HTTP !~ FTP))

HTTP is good for moving visually rendered media -- "magazine pages". FTP is designed for moving files -- any file of any size to anywhere. More and more people are using HTTP to do what FTP used to do. I hate that. No web browser on the face of the planet has the file transfer smarts that even the stupidest ftp program has.

Re:host header is fine.. unless....

[Alex+Pennace]

No. HTTP supports caching. FTP doesn't (at least not easily). If several LAN users are using a local cache, multiple requests to the same HTTP URL will be retrieved once over the Internet. Plug that local cache into a distributed cache mesh and popular content is mirrored automatically and transparently to the user.

If you have a problem with current HTTP clients, man wget, or post your problems in detail so the community can see what it has to offer.

In the larger picture, FTP is inferior to HTTP for anonymous file transfers of any size.

Re:host header is fine.. unless....

[ahknight]

In the larger picture, FTP is inferior to HTTP for anonymous file transfers of any size.

Never downloaded a few hundred tarballs before, have you? =)

ftp>get XFree*
vs.
click .. click .. click .. click .. click .. click

I'm sure you see the idea. =)
Besides, the only time I like HTTP file transfers is when all the RedHat install FTP servers are busy... [g]
--

Re:host header is fine.. unless....

[Alex+Pennace]

ftp>get XFree* vs. click .. click .. click .. click .. click .. click

Definitely one disadvtange, though a good HTTP client will make things better. Someday that will be a reality.

Re:host header is fine.. unless....

[obada]

This is not a protocol issue but a client issue.
wget -r -np http:// is much more convinient than most wildcard posibilities of ftp mget.

IPv4 is the reason for this, I'll wager

[Matt+Ownby]

they wouldn't have any problem with ip-based virtual hosting if there were more IPs than people know what to do with floating around.
I predict IPv6 sees a return to ip-based virtual hosting.

Name based hosting isn't a bad idea though, since most people use a browser that supports it nowadays.

Re:IPv4 is the reason for this, I'll wager

[posilipo]

Yep, address shortages are the reason; due to the numbers of hoarded addresses, many NICs have nothign to do but hoarde more addresses. That's not to say that there's not alot of un-allocated CIDR blocks sitting out there, however...

Re:IPv4 is the reason for this, I'll wager

[Lxy]

Personally, I've been using host headers for a long time on my apache box. I get one IP from my DSL provider (saves me $10/mo) and I can string as many domains as I want off it. Works VERY nicely. I think it's kind of silly to be dishing out IPs as generously as they have been. Even before I heard of the 2010 prediction (the anticipated date that IPv4 will run out of IPs) I could see from the design of IP that there wouldn't be enough addresses. Especially when you start networking devices in your home. Masquerade and use port forwarding, use host headers, whatever you must to make it all work. You can do a LOT with a single IP address, so this article makes perfect sense to me.

"You'll die up there son, just like I did!" - Abe Simpson

Re:IPv4 is the reason for this, I'll wager

[rtscts]

is there any reason (other than giving the power mongers a reason to get up in the morning) for flat address space?

eg. instead of every host having a world unique address, eg. 64.28.67.48 why not segment it, like 1.2.3.4:209.207.165.16? ie. 209.207.165.16 is the world unique address, any packet directed to ?.?.?.?:209.207.165.16 is sent to 209.207.165.16, once there, 209.207.165.16 decides where internally to route the packet.

like a user@hostname kinda thing, except with IPs.

Re:IPv4 is the reason for this, I'll wager

[robertchin]

No, the IPv6 architecture is so designed that IPs will be dynamically allocated. All references to any system should be by hostname only. Besides, who wants to type 3fae:b01:c54:f1f1:da3c:af5c anyway?

Re:IPv4 is the reason for this, I'll wager

[David+Jericho]

I know Matt Ownby didn't say this in his comment, but I'm sick and tired of hearing people saying we're running out of ipv4 address space. We're so far away from actually using the entire address space it isn't funny. The real issues are things like routing, block hording and manageability. Routing is a fairly obvious one, restrict the amount of CIDR blocks we have to advertise, both on private networks and out to the rest of the world and we've sped up routing decisions. Obviously having a slightly bigger address space allows for geographical routing, and hopefully less rules at each router. I know in Australia while ago, block hording was a fairly common practice. Joe Blow would have a /23 to route over a modem, and he'd have 2 machines on it. And less address space to track, less chance of mistakes and other problems at the registries end. Having applied for many blocks from APNIC, to say they are retentive is an understatement. Unless I was lying outright, I'd have no chance of having bucket loads of address space to abuse and horde.

Re:IPv4 is the reason for this, I'll wager

[copito]

It's sort of like that already.

Any IP request has an IP address (32 bits) which uniquely identifies a network device and a port number (16 bits) Which uniquely identifies a service. So there are 4 billion x 65 thousand = a lot of possiblilities.

You can use the port number to route to different servers as you suggest but since certain port numbers are associated with certain services HTTP=80, FTP=21, Telnet=23 etc, you only get granularity on the order of services at the IP level. Some protocols, such as HTTP, have the client send the DNS name of the host it requests which then allows you to virtualize based on the (effectively infinite) DNS namespace. To do more than this requires client cooperation such as requesting an HTTP session on an alternate port. But this is impossible in the world of firewalls where it is quite common for only port 80 connections to be allowed.

There are other problems with the current form of IP addresses such as the difficulty of making a routing table since adjacent IP addresses may be in completely different geographical locations.

IPv6 is the solution and it contains the concept of global and local portions of the IP address similar to what you proposed as well as a mindbogglingly big address space (128 bits) and other features. Search Google for more info.
--

Re:IPv4 is the reason for this, I'll wager

[rtscts]

what I hope for is that everyone gets their own complete network, no more single IP/subnet nonsense... by segmenting it, only the world unique portion is assigned by your provider, the rest you assign yourself...

Re:what does this mean?

[posilipo]

http://www.stu d.ifi.uio.no/~lmariusg/download/artikler/HTTP_tut. html read that, it explains the HTTP protocol. Basically, host header webservers host multiple sites (different domain names, e.g. "http://www.example.com" and "http://www.fred.com") on the same IP address. They distinguish between which site to send to the client based on the HTTP request itself, rather than purely the DNS lookup.

Yes and no.

[Skorpion]

For normal (http) virtual web sites, hostname based virtuality is OK. But it isn't OK for https (SSL secured) web servers. A web server certificate is issued for name and IP and you can't have two of those on one IP.

I think moving to name-based virtual servers is a good idea in general, but the https problem needs to be resolved first.

Alex

Re:Yes and no.

[Emil+S+Hansen]

AFAIK certificates are issued for hostnames, not IPs, so there really isn't a problem here.

Re:Yes and no.

[homb]

I just came upon that problem today, as I was debugging an issue with 2 of our co-branded services on our website. Everytime I'd enter the secure area I'd get the default certificate, and therefore the dreaded "certificate error" box popping up.

I traced it to the fact that we are using name-based virtual hosting: In our Intel 7110 SSL accelerators (nice hardware, but one nasty lingering bug) one cannot assign 2 SSL certificates to one IP address in the mapping table. I expect the same to happen when using software SSL under Apache/mod_ssl or anything else.

So now I'll have to somehow pull those 2 cobranded sites out of name-based hosting and into IP-based, add to the DNS tables, modify the Cisco LocalDirector tables, and fix the Intel 7110 mappings. That's going to be ugly.

IMHO for large ISPs that use a lot of SSL, name-based hosting is not an option. Also consider the fact that Verisign has finally simplified somewhat the process by which one can request massive numbers of SSL certificates, and with the new SSL hardware accelerators that came onto the market it becomes rather easy to aggregate all those certificates and manage them from one central point.
They should reconsider their expectations that everyone move to name-based hosting. For some it's not an option.

Re:Yes and no.

[mariab]

they may be issued on a name basis, but the problem here is that SSL is a transport, you have to negotiate the SSL link complete with the certificate before you get to talk to the actual web server ... at this point the server doesn't know which web site you are looking for, and therefor has no way to know which certificate it should send.

Where I work right now, SSL is one of the biggest problems, we have 5 servers here running host-header based virtual hosting, but we have had to set aside relatively large chunks of our IP space to cater for the customers who want SSL.

To top this off, the SSL-hosting IPs can only do one thing each, and cannot be accelerated by our caching system ... a single SSL site on one server generates 3 times as much traffic as the whole of the other sites on that server, because the normal sites can be accelerated, SSL can't.

So ... how do we fix the SSL https issue?

I would love to do name based SSL hosting .. but I can't see how

Re:Yes and no.

[keli]

... except because SSL has to know which hostname the client is connecting to, so it can fetch the right host key - and because the only way it has to do that is to do a reverse lookup on the IP-address. All this happens befor the client sends any data, so there's no host: header to look at.

By the way is this really a problem? Wouldn't you want a dedicated server anyway to host your site if it has to hanlde confidencial data? I don't like the idea of a Web-shop running on a 100+ site web-hotel, storing my credit card number - SSL or no SSL

Re:Yes and no.

[grahamm]

In that case should the certificate not be issued to the hosting site rather than be for the virtual hosted site?

Re:Yes and no.

[mariab]

> By the way is this really a problem? Wouldn't
> you want a dedicated server anyway to host your
> site if it has to hanlde confidencial data? I
> don't like the idea of a Web-shop running on a
> 100+ site web-hotel, storing my credit card
> number - SSL or no SSL

well, you can either secure the system hosting this "web-hotel" completely and partition all the users, or you can arrange to store the confidential details on a specially designed and secured repository outside of that server .. both of these and just theories of course ..

or, you can pay us a lot of money and we (and most of the other ISPs in the world) will build, install and host a dedicated server for you

This is a good point, but you have to choose to do something that is feasible, sensible and cost effective. You have to make a decision about which trade-off's to accept. (just like anything else really)

Re:Yes and no.

[AussiePenguin]

No, that isn't really a good idea. It is unprofessional and tells your client's customers that the hosting company is who they say they are but not the retailer.

AussiePenguin
Melbourne, Australia
ICQ 19255837

Re:Yes and no.

[AussiePenguin]

Oh yeah, I forgot to mention, the only otherway to work it would be to use different ports for different sites. It works, but still has an unprofessional look.

We really do need a standard to hack into SSL to say what hostname it wants.

AussiePenguin
Melbourne, Australia
ICQ 19255837

Re:Yes and no.

[grahamm]

How many people accessing SSL sites actually care about the contents of the certificate? I suspect that many use SSL because the link is encrypted rather than because of the X.509 certificate.

Re:Yes and no.

[Omnifarious]

Don't most sites switch to SSL after an initial login screen? Why would people care if the site went to some strange subdirectory after they first access the site?

As for the caching problem...
Design your web pages so most of the heavy content is pulled from the http server. Most of that content doesn't need to be protected by the encryption of an SSL connection. Of course, you then have the problem of 'sideband' data. An attacker may be able to determine something about a persons movements on the website from observing the unecrypted traffic stream, but I think that issue is minor.

Re:Yes and no.

[uhlmann]

Design your web pages so most of the heavy content is pulled from the http server.

Not a good idea. First because the browser will pop up a box saying that there is insecure data within the secure webpage which always will "scare" some customers and looks unprofessional. Second because for example Netscape under Linux crashes just after showing that box. IE won't load that page at all with certain settings.

Re:Yes and no.

[Skorpion]

There is no way to hack SSL to do this. What we need is a complete reintergration of http/https/tls(ssl). Without this a see no way of doint it. http is an application-level protocol and tls is connection level (i'm simplyfying).

Alex

Re:Yes and no.

[uhlmann]

So hoping that you're not a troll, would you care to share your knowledge with us?

Re:Yes and no.

[The+Cisco+Kid]

1. HTTPS is a placebo designed to make people 'think' that anything is secure.

2. Regardless of #1, I think ARIN will understand if you use IP-Virtual for HTTPS sites..

3. If you are providing entire (virtual or real) servers to customers, as opposed to just simple webhosting, this doesn't apply either.

All this effects is sites providing plain virtual webhosting service, that still havent migrated to name virtual hosting - listing that use of IP addresses will no longer carry as much weight as if you had assigned those IP's to dynamic dialup ports, or assigned small blocks of them to many customers.

As far as IPv6, its a neat idea, but there are lots of things to stumble over before it can be implemented.. It also seems that IPv6 is suffering from 'death by committee' - too many people have added too many overcomplications..

Re:Yes and no.

[fm6]

You're assuming that there are a significant number of sites that (a) need secure connections (b) can't put the services that use those connections on a separate server. I don't see that.

Correct me if I'm wrong, but I think we're basically talking about ecommerce. Most ecommerce sites think nothing of having their customers click through to a secure server when they make an actual purchase. I'm not a security expert, but I gather there are many good reasons to keep all your sensitive information on a separate, secure site.

Also, most small-time shopping sites seem to prefer to outsource their money transactions.

If you're serious about handling your own transactions, I don't think it too much to expect you to shell out $200/month for a dedicated transaction node.

Re:Yes and no.

[Skorpion]

I doubt it. There is no way to make SSL tell the remote server which hostname he wants to connect to. The http-over-ssl negotiation starts much later.

A.

A few problems

[Emil+S+Hansen]

Name based virtual hosts won't work for FTP and anything that relies on the Reverse DNS name of the host eg. IRC. But for HTTP sites it is great. Actully IP based virtual hosts for pure HTTP sites should be banned. (But I guess that is what they are doing ;))

Re:A few problems

[michellem]

Name based virtual hosts won't work for FTP and anything that relies on the Reverse DNS name of the host eg IRC

Well, I can't speak about IRC, as I've never implemented it. But we've got a very small virtual host setup for our clients (about 20) on one server - all name based. We use easyDNS right now, but we certaily could move to doing DNS ourselves. FTP, Telnet, etc., work just fine.

Re:A few problems

[Emil+S+Hansen]

I guess you aren't authenticating users by thier hostname then. Right?

Re:A few problems

[avdp]

I can vouch that name based vhosting works just fine for FTP and telnet. Don't ask me how and why, but it does - I use it daily, and the ISP I use is superb.net.

Re:A few problems

[johnnyb]

They don't do virtual IP. What usually happens is they link your username/password to a directory on the system. If you find another address with the same IP as yours, ftp in with your username and password, you will still find your site. The host name is never transferred in the FTP protocol.

Re:A few problems

[alhaz]

That's not possible. The FTP protocol doesn't include any name information. The FTP server doesn't know what host you think you're connecting to, it just knows it recieved a connection to a particular IP.

Name-based virtual hosts work because an HTTP 1.1 request includes the hostname. FTP requests don't. It's as simple as that.

Chances are your isp is doing something like I used to have to do, with the ftp server CNAME'd to the web server, and the web server ip based. The reverse works just as well but looks silly.

Most people running a web site don't actually need an ftp server for the public tho, and just use ftp to upload their web page. In that case, they should definately be using name-based virtual hosting, and the isp should be up front and honest and not even bother to tell them they can ftp to their "web server" and just tell them to ftp to web-farm.isp.com or whatever.

The business model this is going to kill is the one wherein the service gives the customer a whole virtual machine. That *Definately* requires an ip per customer.

Re:A few problems

[avdp]

right. and that works fine :)

I guess it's only a problem for anonymous ftp servers.

Re:A few problems

[avdp]

exactly. only a problem for anonymous FTP servers where the ISP can't use the username/password to determine which customer is being accessed.

It's only after posting my message that I realized this single issue with name based v-hosts and FTP. I can't say that I feel this is a big deal. Anonymous FTP is typically read only, in which case, why do you absolutely have to use FTP in the first place?

As far as the ISP telling you to use web-farm-isp.com instead of your own domain name - it's simply a convienience thing. I can (hopefully) remember my own domain name. I have no interest in remember the often obscure name they have for the server that actually host my domain name.

Re:A few problems

[rodgerd]

Like that's a secure approach.

--
My name is Sue,
How do you do?
Now you gonna die!

Secure websites need IP's however....

[listuser]

My letter to Arin:

Sure you can do web hosting with named virtual hosts, several hundred sites per IP, and it works fine. But what happens when sites start hosting more and more SSL secured websites (i.e. https://store.example.org/)? SSL works at the transport layer, you cannot host multiple domains off of one IP address. Will an exemption be made for this (i.e. I need a CIDR because I want to host a lot of secure websites?). Making it harder for people to implement SSL secured websites will only hurt the Internet, making it a much less secure place to do business, and ultimately stifle growth (well a little bit anyways). Thank you for your consideration.

Kurt Seifried, Senior Analyst
SecurityPortal, your focal point for security on the net
http://www.securityportal.com/

Re:Secure websites need IP's however....

[Nexx]

Assuming that you're misinformed rather than being a troll, SSL needs the signature to prevent a man-in-the-middle attacks, or any hosts masquerading as another host. Think about it. You're going to amazon.com to buy books. I poisoned your DNS so that www.amazon.com points to my domain, and I act as a proxy for the real amazon.com until you're ready to make a purchase. When you do, through my SSL server, without the certificate, and I log your credit card information for my future use.

With certificates, you can be reasonably sure that the www.amazon.com is the real amazon.com and not my little false fpos thing. Without it, well, it opens things up for all sorts of interesting attacks.

--

IP-based virtual hosting still needed

[Markonen]

Plain name-based virtual hosting is acceptable for "bulk" or low-end hosting, but there's still plenty of situations where you run into trouble without using separate IPs.

For example, the hosting provider I work for sets up dedicated Apache installations for each customer -- and this policy gets hailed as heavenlike by our customers, since they're free to install any extensions they could possibly need (or even completely switch servers). With current technology, it's tricky at best to implement something like this with name-based virtual hosts. We would need to run our private address space internally and then have a HTTP-level metaserver to distribute the HTTP/1.1 name-based queries to the right servers.

Also gone are access lists on the router level. Dedicated ftp/smtp servers listening on the same IP as the site. I could go on forever.

To the credit of both ARIN and RIPE (ARIN's equivalent in Europe), they seem to be on top of this. If a company DOES use a single Apache for a thousand sites, I think it's justified to ask them to use less than a thousand IP numbers. However, this is a grey issue, and the organizations have been understanding in situations where there really is a need for IP-based virtual hosting.

IP numbers are not assigned for administrative ease, and that's ok. But the issue of name-based or IP-based virtual hosting isn't about convenience yet. It's still about functionality.

Re:IP-based virtual hosting still needed

[xtremex]

We've always been monitored concerning our netblock usage...If we want a new netblock, ARIN wants to know why....since we mostly do dedicated servers, we issue only one IP address to each box.
Some want more than one and WE have to question them...since many of our customers get a linux box to do virtual hosting, we have to show them how to do name-based..because when you have 200 something dedicateds, it's not easy to issue each box 6 IP addresses!

Re:IP-based virtual hosting still needed

[xlogan]

For example, the hosting provider I work for sets up dedicated Apache installations for each customer -- and this policy gets hailed as heavenlike by our customers, since they're free to install any extensions they could possibly need (or even completely switch servers).
This is OT a little, but instead of having dedicated Apache installations, can't you just use seperate entries for each site. One apache, one httpd.conf, but each site can have only the things they want/need.

Re:IP-based virtual hosting still needed

[Markonen]

All in all, dedicated Apache installations seem to be the smallest compromise. Memory is cheap, at least when compared to administration hassles.

Also, reconfiguring and restarting an Apache with one site is a few orders of magnitude less critical an operation than doing the same with an Apache that handles 1000 sites.

On a sidenote, security is always a compromise in shared-server solutions. But a shared HTTP server is, IMHO, one step worse.

Re:IP-based virtual hosting still needed

[Cramer]

Having done both (one mega server and one server per client) I can say both has it's merits and problems.

The mega-server is administratively simplistic as everything is in one file. Having only one main process, it tends to use system resources more efficiently reducing the constraints on server hardware. And it only needs one IP address. However, it's hard to police what any individual vhost can do -- including server capability, bandwidth, connections, and system resources. And, the larger the configuration, the longer it takes to startup making altering the configuration (add or delete a vhost) more costly and dangerous.

The one-off model is rather administratively costly. Each site is run by it's own apache server complete and standalone. This gives the admin complete control over what that client is allowed to do -- system resources, bandwidth, and even individualized server functionality. Alterations to the client's setup only effects that one site. Moving a client to a different physical server is quite simple and again, only effects that customer. However, this mode is much more demanding on server hardware as you've got far more processes running. And it needs IP-based hosting.

SSL?

[kris]

As far as I understand SSL, you must use virtual interfaces to host SSL web servers. How does the policy change affect these servers?

Also, TLS is supposed to fix that. Which browsers implement TLS correctly?


© Copyright 2000 Kristian Köhntopp

Re:SSL?

[uhlmann]

As far as I understand SSL, you must use virtual interfaces to host SSL web servers. How does the policy change affect these servers?

Yes, but every virtual interface has a different IP address. And ARIN sells IP's not NIC's ;-)
The reason is explained in many articles above, but the vhost part in the mod_ssl FAQ is also very good.

Also, TLS is supposed to fix that. Which browsers implement TLS correctly?

It's not whether TLS or not, it's whether the browser can make use of the upgrade mechanism in TLS.
And equally important is the question which webservers implement this? Last time I checked mod_ssl did not.

Does this work with old clients?

[ghoti]

I have to say that I don't quite understand how this works, because AFAIK when you make a GET, you just request a file, but don't tell the server the whole URL (or the hostname, for that matter). So how does it know which of the virtual hosts you refer to? Is this a feature of HTTP 1.1? And even if not, could this be a problem with old browsers that assume that there is just one website per IP address and port?

Re:Does this work with old clients?

[Ed+Random]

In the HTTP/1.0 spec, sending a "Host:" header with your GET request was optional. In HTTP/1.1, it became mandatory.

This means that all requests from your browser to websites will look something like this:

GET /index.html HTTP/1.1
Host: mydomain.dom
<nl>

This is kind of similar to using a proxy; you need to tell your browser to use a proxy. The browser will then send 'absolute URLs' instead of 'relative URLs' as in my example above. That way, the proxy knows which server you are really trying to reach.

I think that name-based virtual hosting is a great thing (I run 3 domains off my single IP).

Unfortunately, I can only run 1 SSL-capable secure website on that same IP address since the SSL handshake needs to complete before the request is interpreted at the HTTP level.

And I have another issue: I want to run a "reverse proxy" (multiple physical webservers, possibly running different OS's) with name-based virtual hosting. I haven't found a way of doing that [with Apache] yet.

--
Greetings,
Ed.

Re:Does this work with old clients?

[c0mawhite]

I have to say that I don't quite understand how this works, because AFAIK when you make a GET, you just request a file, but don't tell the server the whole URL (or the hostname, for that matter).

It's fairly simple - the browser request makes a GET, then follows by passing a series of headers:

GET / HTTP/1.0
Host: hostname.domain.tld
User-agent: Mozilla
<blank line to terminate request>

Then expects the return from the server.

So, when you run off to http://slashdot.org/comments.pl, it's performing:

GET /comments.pl HTTP/1.0
Host: slashdot.org
User-agent: Mozilla
<blank line to terminate request>

Both HTTP 1.0 and 1.1 implement this, if you want to read the RFC 1945 and RFC 2068 for information on HTTP 1.0 and 1.1 respectively.

Re:Does this work with old clients?

[tjansen]

The client must add a host-line to the request header to get the right virtual-host, a simple GET is not enough. And yes, it is a problem if your browser is VERY old (for example a Netscape 1.0). I also remember having trouble with a Python HTTP library that did not support virtual-host one or two years ago...

Re:Does this work with old clients?

[raarts]

And I have another issue: I want to run a "reverse proxy" (multiple physical webservers, possibly running different OS's) with name-based virtual hosting. I haven't found a way of doing that [with Apache] yet.



NameVirtualHost your_external_ip_address:80
<VirtualHost your_external_ip_address>
ServerName www.yourdomain.com
ProxyRequests on
ProxyPass / http://internal_ip_address/
ProxyPassReverse / http://internal_ip_address/
</VirtualHost>
<VirtualHost your_external_ip_address>
ServerName www.otherdomain.com
ProxyRequests on
ProxyPass / http://other_internal_ip_address/
ProxyPassReverse / http://other_internal_ip_address/
</VirtualHost>


Works for me.

Re:Does this work with old clients?

[cmj]

Apache as a reverse proxy is easy - look at mod_rewrite and mod_proxy. Reverse proxy'ing just winds up being a set of proxy directives and rewrites add some flexibility. Look specifically at the ProxyRemote directive for additional info.

Re:Does this work with old clients?

[arivanov]

And I have another issue: I want to run a "reverse proxy" (multiple physical webservers, possibly running different OS's) with name-based virtual hosting. I haven't found a way of doing that [with Apache] yet.

Squid in accelerator mode should do this. You will have to tell it to use the host header though.

Re:Does this work with old clients?

[Ravagin]

At one of the places I interned with this summer, we had to set up a second domain name, but link it to a subdirectory on our local NT server. I don't know if this is what virtual hosting is or not, but I do recall that it was only supported by HTTP 1.1 (not 1.0). This meant that any browser before 4.0, methinks, would not be have the right line in the request header and therefore not get the right site. (Our sysadmin was pretty confident that hardly anyone uses anything older than 4.x, but I wasn't so sure.) So the browser doesn't have to be that old...
-J

Re:Does this work with old clients?

[Ed+Random]

Squid in accelerator mode should do this. You will have to tell it to use the host header though.

Ah. I was looking at it purely from a webserver (Apache) perspective. Thanks, I'll go and read up on Squid... I've been using that as a forward proxy for a while, but never thought of using that as a reverse proxy.

--
Greetings,
Ed.

Re:Does this work with old clients?

[xlcus]

it is a problem if your browser is VERY old (for example a Netscape 1.0)

I just checked my web stats for this year to see what sort of percentage of visitors were using older browsers. Not very many by the looks of it...

Internet Explorer 5.0 = 39.9%
Netscape 4.0 = 23.0%
Internet Explorer 4.0= 9.9%
Netscape 3.0= 2.7%
Netscape = 1.3%
Netscape 1.0= 0.5%

--
Jonathan Hunt

Re:Does this work with old clients?

[orabidoo]

reverse proxy can be done with Apache and mod_proxy, see the documentation for mod_proxy at http://www.apache.org/docs/mod/mod_pr oxy.html. To do name-based vhosting with it, you have two options: either have the <Virtualhost> directives on the rev-proxy and forward to different URL paths on the backend (i.e www.bletch.com/urf becomes backend.serverfarm.com/bletch/urf), or you pass the Host: field as Original-Host to the backend, and then setup a fixuphandler to put it back as the Host: header. There is an example module that does something similar (passes the original request's IP as X-Forwarded-For" at http://www.cpan.org/auth ors/id/ABH/mod_proxy_add_forward.c; it's originally meant for use with mod_perl, but there's no reason why it wouldnt work with anything else on the backend, with a tiny bit of C hacking.

Re:Does this work with old clients?

[AintTooProudToBeg]

IE3,4,5 support this, but IE2 does not. Ever try to visit your [virtual hosted] website after a nice fresh install of NT4? You'll be suprised at what you see! :)

No, because of SSL

[kinkie]

Secure sites can't move to name-based virtual hosting, as site and key selection takes place before a single HTTP header line is sent.
In other words, a secure site requires an unique IP address.
So as a general policy it's pretty dumb, unless exceptions are made for secure sites, and from the announcement it doesn't seem so.

Re: No, because of SSL

[JoostFaassen]

You could run virtual hosts on different ports to allow multiple hosts with multiple certificates to serve on 1 IP address... It's 'a-pache' trick I know, but you could do some tricks in hidding urls like https://1.2.3.4:1234/securedstyff.html in a page on a non-ssl virtual host...

Re: No, because of SSL

[kinkie]

Been there, done that.
Would you trust such a site? It's possible that some user seeing a ":portnum" part in the URL would consider (or at least fear, which is more than enough) the site to be a forgery and leave for safer harbours.

Re: No, because of SSL

[searlea]

Plus, you instantly lose a whole bunch of potential customers to the firewalls.

Can you imagine asking your network admin to open up ports for individual ecommerce sites?

I don't think so.

Re: No, because of SSL

[billcopc]

If such a user were dumb enough to be "alarmed" by a simple port number, then I'd much rather see them go elsewhere. Anyone who's ever worked on phone tech support will remember the long joke that ends like this :

- "Sir you'll need to return your computer to the store for a refund"

- "Oh really ? it's that bad ? what's wrong ?"

- "Just tell the salesman you're too @!#$ing stupid to use a computer."

Ha. Ha. Ha.

Re: No, because of SSL

[sporty]

Don't run it off of a different port. A lot of companies firewall outgoing traffic or even proxy it only to port 80. :1234 might be bocked...

---

Re:No, because of SSL

[Kozz]

I was under the impression that certs are NOT tied to a specific IP address, but a domain or host name instead, according to this FAQ. But I don't know alot about hosting and such, and considering the high moderation of this comment, kinkie must be correct and I'm confusing this with a different issue. Can someone explain the difference to me?


Quidquid latine dictum sit, altum viditur.

Re: No, because of SSL

[the_tsi]

That's just a joke?

-Chris

Re: No, because of SSL

[HiThere]

It is unwarranted to assume that just because a particular user is not interested in the particular details that you are interested in, and knowledgeable where you are knowledgeable, the the user is also unintelligent. Actually, if they even noticed the port number then they would be more aware of technical issues than the majority. And if one is selling products then one does not wish to chase away customers. Should one not be allowed to purchase CDs because one doesn't hack OS kernels? That would severly limit one's customer base.

Re: No, because of SSL

[fishbowl]

No customer is going to pay the same price
for https://your.domain.com:65220/
as they would for :443. Further,
the number of ports available doesn't
provide the kind of scale needed (hundreds
of thousands or millions of sites for large
ISP's); and client firewall issues make port-based
solutions unacceptable.

Re:No, because of SSL

[Kitanin]

So as a general policy it's pretty dumb, unless exceptions are made for secure sites, and from the announcement it doesn't seem so.

Obviously we're reading the announcement differently then. My take is that ``I want to do IP virtual hosting'' is no longer sufficient justification for getting a block. ``I am running x secure servers, and therefore need x IP addresses'' is still a valid justification (assuming you can demonstrate that you do need x servers, have saturated a possibly non-contiguous /21 in an effective manner, yadda yadda yadda). That seems reasonable to me.

Re: No, because of SSL

[Stormin]

Yeah that had occured to me. But then you run into corporate firewalls that do not allow outgoing traffic on any randomly selected port. I went through this with a custom app we were runing at my last job that required us to create 20 diffrent rules on our firewall. It was not fun.

Re: No, because of SSL

[billcopc]

Well no it's a true story. Still I laugh because I feel that way every damned day.

Re: No, because of SSL

[billcopc]

True, but note the exact wording of the sentence :

"... you're too stupid to use a computer"

The person might be a genius novel writer, but if they don't know a thing about computers other than "these machines are cool" (which is litterally false since my PC was complaining of excess heat this morning - anyways!).. well maybe they should stick to book writing instead of trying to tell me what I already know is wrong. We all know the classic situation where a total ignoramus tries to tell you how to do your job (i.e. they call tech sup't but don't pause long enough between complaints to allow you to help them). There are some people out there who simply lack the mental tools required to grok computers adequately, or maybe they're just synaptically lazy.

Really?

[posilipo]

As far as I can tell, it's only due to the limitation of A/PTR resource record mismatches that SSL doesn't work on host-header. The SSL key is actually registered under a domain name, not an IP address.

RIPE has done this for years

[sparks]

RIPE (The European allocation authority) has had this policy for a few years now. You *can* get space assigned for IP virtual hosts, but there's a "special application procedure" in place meaning you have to justfy each assignment and get approval from RIPE staff.

The fact is that the Host: header has been a part of HTTP for a very long time now, and the number of HTTP clients which don't support it is trivially small - certainly not enough to justify the vast acrages of IP space it eats up. IP virtual hosting is an idea who's time has gone.

Re:RIPE has done this for years

[abdulwahid]

It is correct that RIPE has effectively done this for years. We have to justify the use of every IP on our networks and RIPE won't except seperate IPs for every web site on our servers. This hasn't been a problem though. I have some web servers that are for the masses that have hundreds of sites on one IP. Then I have some servers with an IP address for just one site. I even have some sites with multiple IPs that are doing load balancing. RIPE don't have a problem with this, as long as I can justify the use of the IPs. I am sure ARIN will take a similar line. Heck, they should understand the technical implications.

I haven't had any problems with relying on Named Virtual Hosts. Anyway, if someone is still using IE1 or Netscape 2 then they aren't going to see the features on my customers sites anyway. It really isn't an issue worth hasseling yourself about.

Re:RIPE has done this for years

[arivanov]

Actual statistics show a huge number of strange hosts like MSIE-2.x and 3.0 and other similar abnormalities. It is strange but true. There are lots of people with NT4.0 with no service packs applied and IE not installed out there. There is a lot of software like junkbuster that reports an IE when asked for browser as well. The actual percentage depends on the target site but it can go as high as 20% of apparently non-host compliant browsers.

Also, you are mixing RIPE general policy with host policy. RIPE is assuming this stance on all addresses. You have to justify anything above /31 by default with them. If you are a big ISP they may raise this so called assignment window but not by much. This is quite different compared to the US.

And yes you can get IPs for virtual hosts from them. You just need to know how to write your requests.

Re:RIPE has done this for years

[sparks]

> Also, you are mixing RIPE general policy with
> host policy. RIPE is assuming this stance on
> all addresses. You have to justify anything
> above /31 by default with them. If you are a
> big ISP they may raise this so called
> assignment window but not by much. This is
> quite different compared to the US.

This isn't true. Most RIPE local registries have
assignment windows of at least /24, and mine was
/23. You don't need any explicit approval for
these, but you still need the documentation
because they randomly audit your decision making.

Andrew

Re:RIPE has done this for years

[jbailey999]

I remember last year when I installed an NT 4.0 system from an Old CD. It installed with IE 2 and I couldn't get to Microsofts site it install it. I wound up downloading netscape so I could download IE.

Are you sure?...

[mkachan]

It does not really seem that they are not giving anymore IP addresses for IP-based virtual hosting. At ARIN, just like at RIPE, they are just _strongly_ discouraging IP-based virtual hosting, in favour of name-based VH. You can see her e for a discussion about IP-based VH at RIPE.

IPv4 adresses running out

[Ford+Fulkerson]

The problem is that the IPv4 adresses are running out, in other parts of the world we have had this policy for years since IP adresses are even harder to get here than in the US. I guess it's about time to start using IPv6...

Not as bad as it seems...

[schnurble]

Personally, I think ARIN needs to go, and NetworkSolutions with it. They've become monstrosities that don't belong on the Internet. They're plagued with bureaucratic crap, slowness, and idiocy that all harm the public Internet of today.

Anyway. This policy isn't near as bad as it seems. True, SSL websites require their own IP address, since SSL certificates are bound to both name and IP, and the SSL handshake verifies the certificate before it exchanges hostname data. But, the majority of websites out there are name-based. I host 5 websites on my one machine. My roommate hosts 7 on his. I know of companies with -thousands- of sites on one machine, one IP. HTTPS gets moved to a separate box (which it would be anyway, for security reasons), with IP aliases. So this doesn't affect daily operations near as much as people think it does.

Of course, FTP is also affected. But it isn't something that can't be overcome by coders. I mean hell, it should be as simple as it was to introduce name based virtual hosting for webservers. Or, just move your ftp files into HTTP, since most people just click links inside IE/Netscape/etc.

As someone who has a request for a /19 in *pray* *hope*, I can understand this policy. Now, if I can just make sure my announcements wont get filtered.....

Re:Not as bad as it seems...

[schnurble]

It is not simply a matter of coding to support name based virtual ftp hosts, a change to the ftp protocol is needed. The http protocol contains a slot for the server name, the ftp protocol does not. An upgrade of the ftp protocol, with the associated upgrade of the client base is a _major_ undertaking.?

HTTP 1.0 didnt have a slot for it. How many servers run HTTP 1.1 compliant code? And how many are still running HTTP 1.0?

Yes, it's a semi-major undertaking. But it's not much different than adding Host: header to the HTTP protocol. It just has to be pushed.

Sorry but...

[CynTHESis]

While some organizations use IP-based webhosting to, in part, justify their requests for IP space, ARIN will no longer accept IP-based hosting as justification for an allocation unless an exception is warranted

Virtual hosting maybe ok for general public web-pages, a.k.a. a step-up from geocities. But for people who provide web servicing to many different entities which all wish to have either SSH/FTP access to the web servers and SSL services this provides a problem. I currently provide services to only a few people but I plan to get a larger subnet within a year, the people I provide services for wish to have these services and in most cases the ability to do reverse lookup for security reasons. Being denied additional IP-space because of a reason such as web-hosting methods, seems to be slightly ludicrous.

Re:Sorry but...

[NevDull]

If you're serving many entities who need SSL from one box, and allowing them shell access, then you're doing a disservice by letting any of them think their information is safe.

-Nev

Re:Sorry but...

[mrfiddlehead]

I agree that allowing ftp in this situation would be a cause for concern but a well managed ssh setup with appropriate filesystem permissions would be feasible. Although he would be better off hosting a separate secure server for SSL.

Re:Sorry but...

[zentec]

It's not safe unless it's encrypted before it is put on the machine. Period. Doesn't matter what access level people have to the machine, if it's coming in SSL, it needs to be laid to disk encrypted if there people unaffiliated to that SSL site on the same machine.

Re:Sorry but...

[NevDull]

I'd think that the second biggest mistake made in security is pride (the first being laziness). If you think your machine is secure, you're just not paranoid enough. If you've got a user on your system, you've offered it up to be abused. "appropriate filesystem permissions" is a nice concept. Even if initially done well, how does one know that they will stay correctly? -Nev

we've been doing it for years now

[otmar]

What do you guys think? Is name based virtual hosting ready for prime time?"

Sure. We're running almost all of our webhostings off name-based virtual servers now.

The only thing where you don't have a clean solution are secure servers, as the SSL authentication comes before the server is told which virtual host the client wanted to reach.

It's really time that ARIN catches up with RIPE on its IP address preservation policy.

/ol

Re:we've been doing it for years now

[genej]

I am all for switching to host headers. My old company was doing it for years also. Most of the people who object to this are people that need to better understand the proper way to host sites. I was suprised at the ARIN meeting. The larger hosts (who understand the issues) had almost no gripes, the smaller people (the mom's and pop's)didn't really seem to understand how it all works. I think some education is in order!

You are correct

[Cappy]

I meant to include they will assign for IP-based on exceptions (which I would assume would include SSL). You can do FTP, POP, IMAP, etc... on a virtual host bases (even telnet) but it starts getting tricker (and more limiting).

The link to the article explains the policy changes in better detail.

-Mike

Re:You are correct

[tzanger]

I meant to include they will assign for IP-based on exceptions (which I would assume would include SSL). You can do FTP, POP, IMAP, etc... on a virtual host bases (even telnet) but it starts getting tricker (and more limiting).

We run a single IP / multiple host type scenario here... about a dozen and a half websites with individual FTP and email.

• qmail and vpopmail work wonderfully supporting tons of domains under one IP
• Naturally, Apache is what the web server is
• (check freshmeat) ProFTPd seems to use the same interface that Apache uses to give you multiple domains under one IP which remain seperate from each other

I'm not saying all problems can be solved, but the biggest ones (aside from SSL) are gone with some software.

vpopmail in particular is nice... combined with qmailadmin (also on inter7's site) you can give each domain owner the ability to control their email system from a web interface without any hassle on your end. Courier IMAP knows how to handle vpopmail authentication so POP3 and IMAP are done. The only change on the client end is that they must authenticate as "user@domain" instead of just "user". I usually inform people to use user%domain since Netscape tries to be smart and strip off everything after the @.

Re:You are correct

[spudnic]

(check freshmeat) ProFTPd seems to use the same interface that Apache uses to give you multiple domains under one IP which remain seperate from each other

Sorry, this doesn't work. FTP doesn't follow the concept of a host header. If you read the documentation for ProFTPd it states that while it can do hosting for many domains on the same box, each domain must have its own IP address.

No Problem

[scon31]

We migrated to name based hosting about 6 months ago - although it's true to say that you still need the IP's for SSL, we still saved around 400 IP addresses, and we're only a small ISP. IPV6 is still far enough away to make the effort to conserve as many IP's as possible and name based hosting helps a great deal. We haven't had any problems or complaints, anyone still using a non HTTP 1.1 compliant browser probably writes with a big slab of rock and a chisel.

ftp

[bero-rh]

For www, it's ok by now - all the important browsers (including "telnet server 80" ;) ) support it. (https just requires a policy change in the organizations issuing certificates).

However, the command for name-based virtual hosting in FTP is not even in an RFC yet (it is included in the latest drafts for a new RFC though, along with MLST).

However, even when that RFC is passed, it will take a while until it is implemented in servers and clients (and a change IS required on both sides).

Patches for wu-ftp and the netkit ftp client exist (sample implementations...) - but I can't see a certain large company that refuses to open-source any of their products implementing something just because it's an RFC or because it would make sense... And while that company controls one of the most commonly used ftp clients... :(

Re:ftp

[titus-g]

And while that company controls one of the most commonly used ftp clients... :(

Wot? GlobalScape? :P

I'd have thought anyone with the knowledge to be able to use DOS FTP would know how to get a decent client and use that instead.

Re:ftp

[BJH]

I think he's talking about IE...

Re:ftp

[g_mcbay]

IE supports the correct behavior for hostname transmission in HTTP 1.1 with IE, why wouldn't it do it for ftp? Particularly when doing so is such an amazingly minor change, NOT doing so would be ammunition against them from the "net standards" purists AND they have nothing to lose from supporting it?

Please at least THINK before you bash Microsoft for something they might or might not do in the future.

Re:ftp

[titus-g]

Ummm yeah now that would make a lot more sense...

I guess the main thing we can look forward to if things get switched over to name based v.hosts are some pretty huge error logs...

Err... not the nature of the problem...

[NevDull]

The actual nature of the problem is not "what SSL certificates are for," -- it's that the SSL is done at a lower level than the HTTP headers.

Verisign certificates are assigned to what they refer to as a Common Name. A Common Name is pretty much just an FQDN. (www.foo.bar)

The SSL session is begun before the hostname is known. The problem then becomes that the webserver has to know what certificate to present before it ascertains the hostname request from the client. If the Common Name in the certificate presented differs from the portion of the URL between the // and /, the user's browser pops up an error, as it should.

It can be done through either IP based virtual SSL hosts or name-based virtual SSL hosts on differing ports.

-Nev

They're only talking about WEB hosting...

[thomasd]

...which I've always taken to mean HTTP. If you need to have multiple FTP (or whatever) servers, I don't see that this is going to be a problem.

Certainly not.

[xonix7]

What you have to realize is that while virtual based IP adresses are useful in some cases, they are in fact, not secure. The cases that spring to mind where IP-based virtual hosts would be useful would be for DNS server(s). Say Company X can only afford a single rackmount unit. They could configure their box, with virtual interfaces (eth0:1 etc under Linux, or equivalents under NT or other operating systems), and use one box for running 2 name daemons, each bound to different "virtual" IP adresses. But for webhosting?

For Webhosting, it actually makes sense to make use of Site proxying such as Apache provides. Typically, how this would be set up is this:

You'd have a Firewall/proxy box sitting on a single legal (routable) IP adress. You'd run Linux, BSD, or (insert any other operating system), and use that box to "NAT" (Network Address Translation) to seperate boxes behind that box - or even virtual interfaces on the same box - which would, undoubtedly, use non-routable addresses (illegal IPs). This way, you could have Apache proxying your site from 197.x.x.y (your legal IP), to the illegal IP running on your "internal" box.

So when a user types in "www.foo.com", it hits 197.x.x.y, where Apache is running, and Apache, with the VirtualHost directive (VirtualHost 197.x.x.y), uses the "ProxyPass" Function to redirect the request to the site in question, running possibly on your internal box. So you could go to www.foo.com:80(default), which would really go to 192.168.2.10:8080, running a Zope Server, and www.foo2.com:80, would, possibly go to another box running Apache on 192.168.2.11:80 - whatever you want, literally.

I think this is where Arin wants administrators to start going, and I've been doing it for ages. It works well, and for that - the authors of Apache, Linux, and the many open source utilities that support those Applications must be commended. If you aren't doing this, try it. It's quite brilliant. The way it all fits together, is an echo of the very thoughts that inhabit the minds of the thousands of individuals using - and not using, (but perhaps, subconciously using, or wanting to use) these systems. For the code itself is like a Christmas present. Yes, a year - two years. 10,000 years. In the blink of an eye, the coding time. Think about the implications of 10,000 years of coding tiem in one blink of an eye! Indeed, we live in strange times.

Re:Certainly not.

[msouth]

What you have to realize is that while virtual based IP adresses are useful in some cases, they are in fact, not secure.

Perhaps I didn't understand--it looked to me like you claimed that this was not secure, then sung its praises for the rest of the post. Did I miss something? Maybe you could rephrase or summarize for those of us who are just getting the hang of this? (I'm really not flaming, I just got confused because I was expecting you to say why it's not secure, but what I got was just gushing about how cool it is.)

thanks
--

Re:Certainly not.

[jallen02]

Hmmn.. I read your post, im not sure whether to laugh, cry, or run as fast as I can and never read /. again...

*sigh*

*clicks back on the /. logo*

Re:Certainly not.

[spudnic]

We've been looking into implementing a setup like this.

The only thing that keeps us from doing it is that our virtual hosting clients need FTP access to their sites.

Maybe I'm missing something, but I don't see a simple solution for this. HTTP file transfers are not an option for security reasons.

I'd really like to do this. Sit something like an OpenBSD box on the dirty side and run Linux behind it. You could even use something like a Mac or Netware server in that place that are fairly secure.

Any ideas or comments?

Re:Certainly not.

[xonix7]

I'm sure it's possible. I haven't tried with the BSD's, but what you need to do is add a static route on your OpenBSD firewall and redirect FTP requests to your internal server. (Forward packets hitting port 21 of your Firewall to port 21 of your internal host running FTP, and obviously the reverse path wouldn't be a problem since all traffic would be allowed on the Output chain).

Re:Certainly not.

[spudnic]

True. Using this solution you would need an IP on the dirty box for each machine on the internal network, right?

Re:Certainly not.

[glitch_]

I've been toying with the pro's and con's of doing this exact thing. Why would somebody really NEED to have 50 computers on a network all with routable IP's? With good proxy support and NAT, I don't see a need in my network. I know this is off topic, but I really could use the advice. Better than AskSlashdot.

Re:Certainly not.

[don.g]

Having done something similar for a while, I can tell you the one (ok, ok, so there are several) major problem with this: logs.

Apache with ProxyPass is not doing NAT, it is proxying. Therefore all HTTP requests to the rackmounted servers with their RFC1918 IP addresses appear to come from your proxy. I suspect your customers wouldn't be pleased. That, and running Zeus behind Apache seems kind of pointless.

Now if you could patch thttpd to do that sort of proxying, and fix the log problem [which really needs real NAT], you'd be fine. Unfortunately SOMETHING has to accept the TCP connection before you can read the host: header, so NAT is not going to cut it.

tree, n: lump of wood with green things

Finally this madness ends.

[arcade]

Ah. On time. Its no use handing out hundreds of IPs to nothing. You don't need hundreds of different ip's just to do some hosting. You need one for each SSL-host, and one for the rest. So, if every provider that needs ip's get something like a /28 or a /27 - that should be more than enough. And, you don't need one IP for every workstation at your company neither. Use NAT. Then you've got some sort of a "firewall" at the same time.

I can't understand why they've used this long to implement this. No "small" company should need more than a /27 or a /28. Have a DMZ for the servers, and place the rest behind NAT.


--

Re:Finally this madness ends.

[Detritus]

And, you don't need one IP for every workstation at your company neither. Use NAT. Then you've got some sort of a "firewall" at the same time.

NAT is evil. Kill it before it multiplies.

NAT breaks end-to-end transparency and IPSEC. If you want a firewall, buy or build a real firewall.

Re:Finally this madness ends.

[Cardinal+Biggles]

Use NAT. Then you've got some sort of a "firewall" at the same time.

NOOOOOOOOOOOOOO!!!!! NO! NO! Please don't use NAT. It sucks! It sucks! Aaaaaarggggggh.

Sorry about that. Seriously, though: NAT is not a security measure. It can imply some firewall functionality because there are many things a NAT-box just can't do, but that doesn't make it any less "security by obscurity".

NAT has been causing me so many problems this last year. It's nothing more than a clever but nasty hack to keep IPv4 up and running. So is name-based virtual hosting, really.

We really need to move to IPv6 and be done with all this nonsense.

Re:Finally this madness ends.

[johnnyb]

It is _not_ security by obscurity. As you said, there are things that the NAT boxes _can't_ do. That _is_ security - limitting the possibilities. It prevents any requests from being routed to your internal boxes.

Re:Finally this madness ends.

[xlogan]

NAT is OK, especially if you are using it on a Cisco box and all people want to do is basic HTTP, FTP and email stuff. Cisco lets you use one IP to NAT off of, so you just set your Dialer 1 interface to be 'ip address negotiated' and then your NAT statement to be 'ip nat inside source access-list number interface Dialer1 overload'. It works real nice, and saves IPs.

It does have limitations like you say, but for a lot of small businesses it works fine.

Re:Finally this madness ends.

[Cardinal+Biggles]

It is _not_ security by obscurity. As you said, there are things that the NAT boxes _can't_ do. That _is_ security - limitting the possibilities. It prevents any requests from being routed to your internal boxes.

That's not NAT, that's a firewall you're talking about. NAT is Network Address Translation - it substitutes IP-adresses n:m.

Doing that breaks a lot of stuff in previously unknown ways. That's not security.

NAT-boxen may well have some firewall functionality (like, in your example, allowing the admin to say that translation will only be one-way), but you can get that from a firewall, too.

You may also use NAT in a situation where external IP addresses aren't routable on your internal network - but again, that's not a property of NAT, you can do this in other ways.

There is no security NAT gives you that cannot be achieved in other, better, ways. Relying on your NAT software to break stuff is not very secure at all.

But, aside from all that, one thing that you keep hearing in the "NAT adds security"-talk is that it hides details of your network from the outside world because no-one will know your IP addresses. Now that *is* security by obscurity.

Re:Finally this madness ends.

[Cardinal+Biggles]

It does have limitations like you say, but for a lot of small businesses it works fine.

Well, I have to use it at home too, because dialup-ISPs only give you 1 address.

Faced with that, it is a clever hack, and it works OK even if you don't use Cisco (I can't afford that, I just use Linux on an old '486 :-), but it still sucks if you want to do anything 'unexpected'.

I just think that using NAT as an argument for saying that IPv4 is still OK, and, by the way, it gives you security, is wrong. It doesn't fly. NAT shouldn't be necessary, it's overhead and it breaks lots of stuff.

Re:Finally this madness ends.

[johnnyb]

I think the main idea is not that "they will know my IP address", but rather "they can route my IP address". This makes attacks _very_ difficult. How do you break into a machine that you can't route to? Not only do you have to break our firewall, you have to break into every router between you and them and make that IP address routable. Most of NAT's features are in the "firewall-like" category. However, NAT makes the setup much more foolproof. You don't have to remember to block syn packets in certain directions. And, on top of everything else, the address you are coming from is non-routable. On top of that, there is a layer of obscurity (yes, obscurity has its purposes, but it shouldn't be confused with security). So, the advantages of NAT are:

* More foolproof firewalling (security benefit)

* Non-routable internal addresses (security benefit)

* Makes the internal network harder to view (obscurity benefit)

I've implemented a NAT solution for about 300 machines, and it worked quite well.

Re:Finally this madness ends.

[orabidoo]

NAT is conceptually ugly because it breaks IP's basic rule "only the endpoints should know or care about established connections". but hey, it works, and it works pretty well. Of course, NAT alone doesn't make a firewall... but it sure gives you a convenient place to put your firewalling rules, and *then* it can be one.

Hard to account

[OpperNerd]

We do accounting based on Cisco ip-accounting. With name-based virtual hosting we have to do this based on the webserver logs, giving a difference of about 20 to 40% less, as the IP overhead is not counted.

Re:Hard to account

[driehuis]

That's probable not so much the IP overhead, but rather HTTP protocol overhead. Fortunately, I don't have to do chargeback, but for bandwidth planning purpuses I just add 1K to each hit.

And seeing that it's pretty hard to explain to customers what the difference is anyway between bandwidth and bytes of content, I don't care much...

How to do it with Apache...

[enneff]

http://www.apache.org/docs/vhosts /name-based.html

I just set it up for all my hosted pages, and it works beautifully. It took less than 10 minutes.

Re:How to do it with Apache...

[dudle]

Did you check mod_vhost_alias?

dudle

In Belgium and EU in general, we have no choice.

[Ma�djeurtam]

That's funny I see this thread today, since I had a discussion a few days ago with some important ISP here...

When I started publishing web page here (I live in Belgium, EU), every vHost had his own IP.

In the meantime, I moved my web pages to web hostings to Jumpline, who give an excellent service and an IP per domain name. It was a lot cheaper service thant EU's one at the time.

A few days ago, I had the discussion with 3 of the most important ISP in Belgium: for some reason, I wanted to vhost my pages in Belgium again (the price is now roughly the same than in the US). My idea didn't last: name-based hosting is the rule here, and they looked at me as if I was a martian when I told them I wanted my own IP by vHost.

In a more general context, I'd really like to see an quick adoption of IPv6: more and more ISP's here rely on NAT (whith all the problems it can give) and host hundreds of sites by IP.

That's definitely not a Good Thing.

Just my thoughts

Stefano
--

clarify please

[el_guapo]

Is the relatively limited amount of current address space the reason for this? And if so, won't the move to IPv6 eliminate this little choke point, thus removing the need for this "fix"?

Re:clarify please

[Punto]

Ok. let's switch all web servers, web browsers, DNS servers and tcp/ip drivers to ipv6, by 6pm tomorrow. OK? OK.

--

Re:clarify please

[el_guapo]

I guess that means "yes". I *knew* it'd take a while (years?), I was just wondering if we are seeing a symptom of running out of address space...

X.509 certificate cis ritical for link security...

[EyesOfNostradamus]

Without the certificate, it would be trivial for any (compromised) router on the path between client and server to mount a "man in the middle attack". Basically, the compromised router would "catch" traffic intended for the server (using ipchains -j REDIRECT for example), negotiate a key with the client (pretending to be the server), then open a second connection to the real server, negotiate a key with the server (pretending to be the client), and plug both of them together, and log the traffic.

The only thing preventing this is the certificate: that way, a compromised host on the path cannot pretend to be the server, as it wouldn't have the necessary certificate to do pretend to be the server.

Next down the road...

[CBoy]

What is keeping ARIN from next saying that you can no longer hand out greater than /30 's as an ISP because "Everyone should be able to use NAT" ?
Nat with virtual hosting would be you can forward a single IP TO a single webserver inside the IP range.

I think it's long past time for IPv6.

What about the loss of IP's from people who give EVERY end user their own IP addres ? For normal surfing/webbrowsing user, it's not necessary. Even FTP works through it.

Just something to think about.

Likewise, if you can't justify all the IP's because ARIN forces you to use VH, do you have to return them ? or can you then "un-nat" all your normal user/client machines and use them in that case ? I have a feeling that you are NOT going to see any IP blocks returned. I hope that wasn't ARIN's point in this whole debacle.

CBoy

Re:Next down the road...

[wesmills]

or, who give every user their own /28 (well, not really ... I pay extra for the extra 8. my ISP usually gives a /29)? Also, why do Hewlett Packard, DEC (defunct), Public Data Network, Apple, MIT, Ford Motor Company??, CSC and a company/group called Royal Signals and Radar Establishment (might be government, so its understandable) get their very own Class A block of addresses? How about asking *them* to return some to the available pool?

It's time for the Internet community at large to make a decision: are we going to keep applying these little fixes at the bottom end of the totem pole, such as requiring Name Based virtual hosts, or are we actually going to fix the problem? We can fix it short-term by reallocating some of these huge grants made long before the Internet became popular (which is politically sensitive to do), or we can fix it for a good long while by migrating to IPv6.

My box talks IPv6, how about yours?

---

Re:Next down the road...

[genej]

or you could also start relcaiming some legacy address space -- there are so many companies out there have B addresses that are not using them --

Re:Next down the road...

[grahamm]

Or even old Class 'C'. A company I worked for in the past went out of business about 7 years ago but I am sure that they (or rather the liquidator) did not hand back their class C ip range.

Re:X.509 certificate cis ritical for link security

[grahamm]

That is why a certificate is needed, but does it really matter in whose name the certificate is issued? As long as the certificate matches the server, does it matter if the certificate is in the name of "John Doe Retailer inc." or "A Web Hosting Corp"?

IPV6 FTP

[jjr]

Name based hosting will work for most cases. There is about less than 2 percent (if that many) of people that would have a problem viewing name based hosted sites. Ftp that would cause a problem. Quite a few people like the fact they could have an anonymous ftp server. This a why they should start impletementing IPV6 now so everyone could start making the long transion. It might take six years for IPV6 to be fully acceptable after it is implemted. Just my thoughts

These stories are sad

[xeer0]

With depressing regularity, I see stories related to various virtual "shortages".

Why is this sad?

It's sad because there shouldn't be any virtual shortages.

Whether this is a bureaucratic, technological, societal or other failure is debatable.

In this particular case name-based hosting may be a perfectly valid workaround, but that's not the point.

The point is that if we allow these shortages to continue, then the internet and related technologies will miss alot of their potential. It will simply be another case where only a few can afford access to scarce (virtual) resources.

And that really will be sad.

Re:These stories are sad

[Harik]

Quite true. There is no "IP" shortage, there is however a CPU shortage at core routers. IPv4 only fuels the problem because the minute amount of free IPs left causes ARIN to assign multiple seperate networks. That and the braindead configuration of 95% of the OSs out there makes renumbering extremely difficult.... so you end up, like me, with a /19 worth of IPs in 6 seperate allocations. (Down to a stupid /25!)

All of these have to be announced, leading to a multiplication of routing entries. Whee.

Of course, all the big guys are dragging their feet at IPv6. Stupid stupid stupid.

In fact, I can't really find much non-experimental deployment info. Perhaps if CISCO would implement IPv6 in a released platform we would see it.

--Dan

Re:These stories are sad

[Frank+T.+Lofaro+Jr.]

Maybe the people in charge want it this way.

Here is what they want:

Make it so only the rich and powerful can get resources (such as IP addresses). Make it so residential customers aren't allowed to host content, even if their ISP doesn't mind, since their ISP will have beeen ordered to use NAT and hence the customers lack an Internet routable address to host off. No more pesky speech from the masses. Shift information transfer totally from bottom-up to top-down.

Along those lines, eventually, make it so the shortage is so bad the government comes in and requires mandatory FCC licenses at thousands/millions of dollars each and strict regulations on who can use them and how. The justification would be "scarce resources". Does that sound totally unbelievable? Well, if it does, you need to look at the early history of radio. Used to be free, now it is extremely regulated and restricted.

Re:These stories are sad

[bitMonster]

Wow. Well said and sobering.

The change in the nature of the internet over the past 1/2 decade is already staggering.

We're already charged for routable addresses (most of us). Just wait 'til we're charged per *upstream* bit.

Re:These stories are sad

[swb]

We've been hearing about the CPU shortage in core routers for a long time. The question I have is, where's the CPU gain we've all been experiencing on the desktop?

When I first started hearing about the sky falling because routers couldn't host and process the tables, a Pentium 166 was $400 and 32MB of RAM not much cheaper.

Now I can buy 10x the performance and 5x the RAM for the same money and we're still hearing about how the core's going to collapse. Why is that? I can't imagine that routing table growth is that rapid, especially with the advent of CIDR.

It also strikes me as odd that we're hearing about this considering the number of big-time backbone ISPs that are selling their IP backbones as end-end communications solutions -- latency, loss, uptime guarantees. I don't think they're running seperate networks for this traffic, I think they've so overbuilt their backbones that there's literally no traffic that they can't handle. All the interior stuff is probably easy to route and its only the edges where BGP crunching gets dicey, but there they can throw tons of hardware at the problem.

Surely the problems earlier on were due to low-budget outfits running lame hardware and trying to pull off too many peering sessions in some overheated public NAP.

Dosn't affect me.

[Harik]

Although name-based hosting works fine for webserving, my virtual services include a number of protocols that have no way of stating the hostname. This includes: FTP, pop/imap, true virtual email (no internal relaying), virtualized telnet... the list goes on.

To conserve IP space I use a l4 switch to shunt port traffic to different virtual servers, so all a domain's services may be on the same IP, but split over different boxes. So hosting virtual www IPbased is simply a side effect.

--Dan

Re:Dosn't affect me.

[michellem]

Am I missing something here? We've got virtual hosts set up on one server, all name based. We use easyDNS to point all of the variety of domain names to one server. All of the domains are listed in the hosts table, and we've got sendmail set up right using the virtusertable feature. Folks can ftp and telnet to their own domain, and check pop mail using their own domain. We could do DNS ourselves, but haven't gotten there yet. There are two snags. One, as mentioned several times, is SSL. The second is true POP aliasing. Since all of the accounts are on one server, each account name obviously has to be unique, and we've not yet found a way to alias pop accounts. (So we have yet to find a way to give two clients info@domain.com)

Yes, we are only doing this for about 20 domains, and I imagine it would get very unwieldy and problematic in a variety of ways for 1000. But that's not the business we're in.

Re:Dosn't affect me.

[avdp]

I don't know what you use, but I have hostname based v-host (with an ISP called superb.net) and ALL of the services you have listed (FTP, pop/imap, email, telnet) works just fine AND they are definetely all on the same sun box. I verified it several times.

Don't ask me how they do it, all I am telling you is that your post is innacurate.

Re:Dosn't affect me.

[avdp]

that's why telnet always has a username/password.

What about high-traffic Web sites?

[satch89450]

Just a small point: if you have a Web site that will be handling tons of traffic, and need multiple IP addresses just to handle the large number of TCP connections, how is the new rule going to affect that? I'm in particular thinking about sites that use multiple servers with traffic distributors.

Or is this supposed to fall in the ill-defined "list of exceptions"?

37% of browsers use HTTP/1.1, the rest use 1.0

[Swordfish]

Try this:

[akenning@dog]$ fgrep " HTTP/1.0" access_log | wc
252233 2522331 24313937
[akenning@dog]$ fgrep " HTTP/1.1" access_log | wc
151023 1510233 14952893
[akenning@dog]$ fgrep -v " HTTP/1.1" access_log | fgrep -v " HTTP/1.0" | wc
188 1521 12028

I think that means that about 63% of browsers are still using HTTP/1.0 (contradicting the opposite opinion expressed in the O'Reilly Apache book).

And I think that this means that the net is not ready to abandon IP-based hosting.

Re:37% of browsers use HTTP/1.1, the rest use 1.0

[johnnyb]

Most browsers only support parts of the HTTP/1.1 spec, so they broadcast themselves as HTTP/1.0, even though they are sending the host header. A better metric would be to search for Netscape 1 and IE 1/2 UserAgents. I don't think you'll find any.

Re:37% of browsers use HTTP/1.1, the rest use 1.0

[bradsjm]

Sorry, not even close. IE when used via a proxy will default to using HTTP 1.0 but still sends a Host header and older versions of Netscape (um, maybe even new versions since last time I looked Netscape is still using HTTP 1.0) also send Host: headers. Not sure how far back that goes tho.

Re:37% of browsers use HTTP/1.1, the rest use 1.0

[KnightStalker]

Sure you will. In July, I had 14 hits from Netscape 1 and a good 867 from IE 2 (one hit from IE 1... did that ever really exist? I also got one hit from Explorer 54x) out of just over a million total :-)

Re:37% of browsers use HTTP/1.1, the rest use 1.0

[tshak]

We run thousands of sites off of one IP and tested Netscape 2.0 (1% of our users) and have had no problems. SSL is no problem because we setup a central secure site for everyone. For example: https://secure.[hostingcompany].com/[customer] Now you've just used 2 IPs to run your entire web service. Then you've got your PIX, your 3600's, mail servers etc. and you don't even need a full class C!

Re:37% of browsers use HTTP/1.1, the rest use 1.0

[spudnic]

I find it absolutely pathetic that the browser microsoft ships with NT 4 makes it impossible to get to their website to download the newest version.

Is this because it's not sending host headers? I know that's why we can't access any of the sites we do vhosting for, but is ms using virtual hosted sites?

Virtual hosting, a wider definition

[DrumHacksaw]

Consider that virtual hosting could be defined much more widely. I wouldn't be surprised if some folks out there are offering a sort of vitual machine for their users, using virtual hosting, and chroot to provide locked down areas for users to work in, plus virtual web hosting and mail.

I used the virtual hosting capabilities of Sendmail, as well as web virtual hosts.

It's not clear to me that sendmail would scale up to having many many virtual hosts. It needs to be tested.

I could never get apache to do the right thing, which I suspect was because of the funny setup I have (my dsl router does NAT). A speculation. Roxen worked for me.

Re:X.509 certificate cis ritical for link security

[mariab]

It doesn't really matter to us, or anyone else .. it would work the same and still give an encrypted connection ..

but, people would notice, customers _always_ somehow manage to notice the least little thing, all they see is the box that comes up, they wouldn't look at the little padlock that says the connection is encrypted .. and of course as someone else posted, without the certificate checking you can mount a "man-in-the-middle" attack.

also, the thought occurs that when you generate the CSR (certificate signing request) it uses the server key, the server key has the servers name in it doesn't it? so the servers _name_ will always be in the certificate, and fail to match with the address that someone typed in to access one of these virtually hosted SSL sites.
surely a browser would alert someone to this discrepency?
This will probably immediately send J. Random Bloggs into a fit of panic that it isn't a secure connection, regardless of whether it really is or not.

This would make you and your company look _bad_

I can't actually test whether this happens or not, not tending to have a spare SSL certificate lying around to play with .. can anyone confirm/disprove this?

Re:X.509 certificate is critical for link security

[EyesOfNostradamus]

> That is why a certificate is needed, but does it really matter in whose name the certificate is issued?

Server certificates contain the host name of the Web server, and the browser automatically warns the user if the "server" tries to present a certificate whose hostname doesn't match. So, in addition to cracking a backbone router, our would-be man-in-the-middle hacker would need to explain to his favorite certification authority why he needs a certificate for www.etrade.com even though he doesn't own that domain.

Thank God

[NinjaPaul]

It's about time.. I see so many customers requesting an entire /24 for their "web servers" and when we actually pay a visit to the company site they have *TWO* of them! It's rediculous. It's long overdue to put a stop to the bratty little companies with 2 or 3 servers from wasting away IP addresses.

Your toaster doesn't need a routable IP.
Your doorbell doesn't need a routable IP.
Your random internet appliance doesn't need a routable ip.
Your 200 employees don't each need a routable IP
And your 300 websites don't each need their own IP. With technologies like NAT and name-based virtual hosting we can ride on IPv4 for a *LONG* time. IPv6 is going to take ages to implement so people please please stop whining about "why won't we switch to IPv6? come on!!! it'll solve all our problems!!" well considering the amount of stuff out on the net right now a switchover to IPv6 will take at least 10 years.

Re:Thank God

[Eric+Smith]

Your random internet appliance doesn't need a routable IP.

It does need to be a routable address, or it won't be of much bloody use. If I can't query it from work or on the road, it's not really an internet appliance.

Re:Certainly hot.

[tsx]

Yeah, could you explain that last paragraph? That kinda threw me.

Great explanation of the issue, however, I am more of a programmer and had no idea what this was about, gut this clears it up considerably. Thanks for the info!

One question for you though, is there any way to distribute the risk of that one machine running the vHost redirection? It seems like if that machine was ever subjected to a dDos or went down for some reason, you'd be up the creek. The way it seems now is if a particular DNS server goes down, there is a backup, and sometimes the name to ip is sometimes cached anyway. How frustrating would it be to have your web server sitting totally idle because nobody can get to it due to a crashed vHost redirect!!!

Will someone please think of the shell providers!!

[grahamsz]

No longer will I be able to get a shell with it's own IP for £54 a year ($80 US) - bummer.. how will i ever irc from i.graha.ms now :(

Also this will probably come down hard on ISPs like Demon Internet who give static ips to dialup users. This was a bugger originally since they used to use smtp for mail delivery which wasn't easy on Macs and Windows, but still a very nice feature.

Conspiracy Theory

[Andrew+Dvorak]

Roll out the IPV6, baby!! Maybe this will aid in the forced adoption of IPV6!! ..one can dream ..

Re:what does this mean?

[bsorensen]

Just thinking out loud to see if I've got this right...
1. I request a page from www.myco.com.
2. Make a DNS resolution, get back an address of 2.2.2.2, which is the same address as several other domains' web pages.
3. Send http request to 2.2.2.2, which happens to be a webserver hosting several pages, or a load balancer, or whatever.
4. 2.2.2.2 looks at the domain in the http request, sends back the page if it's a server, or does it's thing and redirects to another server if it's a load balancer...

Which brings up another question, does this issue with virtual hosting bother load balancers, which use several IPS for each domain? OTOH, anyone loadbalancing their servers probably has enough influence (money) to get as many IPs as they want. I guess you could load balance several domains, all of which are using the same set of IPs and servers.

Instead of

[LondonFish]

restricting themselves when handing out new addresses, these people should concentrate their efforts on reclaiming IP's from companies and individuals who are just WASTING them

I know companies who blagged 256 or 512 addresses a few years ago to every PC they own has an Internet IP (no NAT) and they are refusing to hand them back (as they regard them now as a monetary asset...)

If an effort was made to reclaim addresses from greedy companies, and defunct sites then they can be reissued to people who need them!

Oh, and I think a move to name based virtual hosting is a good thing, and should be applied retrospectively as well!

Re:Instead of

[marnerd]

Okay, but they had better yank the addresses from the guys who got the Class A's and B's before coming after me!

By the time the legal dust from that settles, we should be using IPv6, negating the problem.

Re:Instead of

[johnnyb]

Where I work, we have a whole class B. We only use about 100 of them for routable machines.

weve been doing it for years!

[bones20]

I work for an ISP which has been doing name base hosting for...YEARS! Besides the occasional odd problem here and there (nothing getting rid of internet exploder cant fix) its been a beautiful thing. I thought everyone used virtual hosting...

How would I go about setting this up

[LiquidIce]

Before reading this I thought each website needed an ip. I'm one on the millions of people wasting ip's, unknowingly. Can someone point me in the right direction on where I can find information on how to set up virtual sites that use one ip in NT 4 using Microsoft IIS? Thanks!

Re:How would I go about setting this up

[oldave]

See this knowledgebase article: http://support.microsoft.com/support/kb/articles/Q 190/0/08.ASP

How to take what you need

[edp]

It's no problem. When I need an IP address, I'll start doing business as 123.45.67.89, trademark it, and sue the current holder of the address for trademark violation and petition the court to order the holder to turn the address over to me.

For crying out loud, there is an infinite supply of integers; we shouldn't be squabbling over them. Bring on bigger address fields already.

By the way, do corporations report their IP address allocations as assets? E.g., the early network participants got big chunks of space. Digital Equipment Corporation (since purchased by Compaq) had all IP addresses 16.*.*.*. That has some economic value now. Maybe the tax assessors would like to take a look.

Name-based hosting

[IGnatius+T+Foobar]

I started doing name-based virtual hosting on my home system in 1996. I only have one IP address, so it was a forced decision. At the time, I had some friends check out the various host names to see what they got. The only ones who had problems were using Mosaic or ancient (1.x) Netscape browsers. Four years later, it's probably safe to assume that almost everyone has Netscape >=3.0 or aIEeee >=4.0 (or else is already having problems much bigger than hitting the wrong NameVirtualHost!).

If you're setting up a NameVirtualHost setup, and you're truly worried about people hitting the wrong site with an older browser, then you set up a bogus "primary" site on your system (primary meaning, the one that you get if the client browser doesn't indicate the name of the host it's looking for) that contains nothing but links to the names of NameVirtualHosts that exist there. For an example of this, you could look at this site which I've linked here by its IP address instead of its name.
--

Double standard?

[matt1318]

Does this policy apply to l33t shell providers who provide virtual hosts like "my.eggdrop.flashed.its.nuts.cuz.it.is.supal33t.ne t"?
I mean, obviously people like that NEED the IPs, whereas major web providers can think of other ways to serve up some net.

Things this fucks up (jails, monitoring, etc.)

Right now we assign an IP to every website. We have some address space luckilly.. what this will fuck up however is:

* jails. For some customers, we provide a virtual OS "jail" using FreeBSD. This basically assigns a new copy of FreeBSD to an IP, with it's own /etc and such.

This very nicely keeps sites with "suspicious" cgi's and such from effecting other sites on the same server, as well as lets them maintain accounts. Takes some disk space however.

* traffic monitoring. Nothing like just watching trafshow to see who is eating up what

* Intrusion Detection. With snort, your only going to see that "Yes, they tried to sploit my webserver", not which of the 100,000 virtuals on it. This actually isn't too bad, you can always read the tcpdumps.

* Virtual ftp sites. Luckilly, theres a new RFC which allows you to do "host based" ftp serving. I haven't seen anything support it yet.

* DoS attacks. If you host some "contreversial" sites such as www.godhatesfags.com, it's good to know why when someone tries to force an OC3 worth of UDP packets down your T1... If your weak, you can just remove the IP and hope it stops :)

* SSL stuff. What we did to get around this for now is a secure.ourdomain site, with subdirectories for ordering pages. This of course, doesn't sit well with bigger customers however.

Just some observations.. helixblue

Non-web.

[Hallow]

There are a lot of non-www based services that don't use name based virtual hosting. Name based ftp? Name based finger? Virtualizing is good, but we can't switch to just that for everything, at least not yet. Yes there actually are a few people who continue to run services other than http!

What?!?!

[SUWAIN]

This is outrageous. I have been looking at hosting my own domain, and learned a lot about hosting in the process of trying to find a place to host. One of the first things I learned - with the new HTTP protocol, I could host multiple websites on a single IP. HOWEVER, if someone who had an older browser were to go to www.something.com, which was hosted in this way, they might end up at www.somethingelse.com, which was the first entry in the list of domains for that IP.

Yes, I know... People can just upgrade their browser. But I think Microsoft should sue them for infringing on one of their most popular business policies - destroying backward-compatibility so people will have to upgrade. Sure, an HTTP standard is different from a version of Microsoft Word, but...

What really gets to me, though, is that they're dicating what we can and cannot use our IPs for. This is like the recent (okay, rather old...) announcement that Network Solutions owns your domain name, and can take it back if they think it's appropriate. What's next? Just suppose for a minute that UUNet, one of the major Internet backbones, releases a new policy - you are not allowed to do your own webhosting. Okay, so, most likely, UUNet would go out of business very quickly. But you get the idea - more and more companies are dicating what you can do on your Internet connection. Suddenly, it's illegal for me to use profanity, post something to more than one newsgroup, or, here's the scary part... Run a "server" on my cable modem. They go on to list some types of servers we can't run, including a telnet server. They're very indirectly telling me what OS I can and can't use.

Unfortunately, places like this seem to have a monopoly. If they stop giving out IPs, we're screwed. (I might be wrong on this...)

BTW, I have another idea... By placing new limits on what can and can't have an IP, they seem to be hinting at the fact that they're anticipating running out of IPs. Here's my idea - add one more "ocet." So, instead of having "255.255.255.255" as a maximum, you would have "255.255.255.255.255" as a maximum. This will multiply your IPs by 256 - and there are already billions. Ensure that 4-ocet (is "ocet" the right word?) IPs will still work with the new standard, and bingo... Maybe then they'll be more lenient with assigning IPs.

...............
SUWAIN: Slashdot User Without An Interesting Name

Re:What?!?!

[johnnyb]

I think your missing the point - everyone _has_ upgraded their browser. Are you using Netscape 1.0? IE 2.0? Netscape 1.0 only got usage from people who were in the early days of the net, and they were savvy enough to upgrade. If you're using IE 2.0, then it crashes every other page you visit. I can't think of a browser that I've even _heard_ of people using that doesn't give a host header.

Also, simply adding one more octet (not ocet) is not as easy as it sounds. There are thousands of applications/operating systems/etc built around the current IP addressing scheme. Simply adding
an extra octet will mean that every router/client program/server/kernel will have to be rewritten. It seems strange that you are willing to have users upgrade their browsers for one change and not another. Anyway, IPV6 is essentially this (except that it has a lot of other features, too). However, it is expected to take about 10 years to implement because of the problems I've noted above.

Re:What?!?! a correction

[Jeld]

OK, first, the browser is not making DNS ( name resolution calls by itself ). It generally uses some API that in turn makes DNS calls. Under *NIX the API is called gethostbyname() I am not sure about other OSs. SO the difference is not really in how old your browser is, but how bad is your TCP/IP implementation. Oh, well if you use MS DOS 3.3 with LAN manager client you might have a problem... but I don't know any web browsers for this platform except of the lynx port. Anyways, the other thing is that there is already a so called standard so called IPv6 which is a version of IP protocol that uses 6 byte addresses. It is though REALLY difficult to make a change like this transparent especially if your users are not under your direct control. I mean if you have two different addressing schemes, you either have to make translating gateways or force people to use new one over old one. There is no way to force the Internet community to do anything, and someone has to build the gateways without any hope to get paid for it. I hope you see the problem now.

this problem has already been solved.

[Karmageddon]

man, everybody's jawing away in here: a lot of good info, reasonable suggestions, and stuff I didn't know.

But this problem has already been solved: private property and free markets. Just auction IP addresses through a central exchange, all IP addresses, including the sacrosanct class As. You want an IP, or a block of IPs, you pay for them. How much? Who knows, who cares, we'll find out when they go up for sale.

Some regulations are required: don't allow monopolies or cartels; declare IPs fungible to allow central administrators to reallocate or consolidate blocks for routing purposes.

Problem solved.

Re:this problem has already been solved.

[valmont]

now THAT would be a rather dumb way to go: no way in hell this could be regulated: before you know it, all IP's WILL be owned by one or two telco giants and sold for prime $$$. This would essentially give a bigger share of the internet pie to people with more money than to people who actually wanna do something useful with them. I think they're right to scrutinize your plans before allocating you blocks of IP's.

IP addresses deal with the essential functionment of the internet, this CANNOT be taken lightly and certainly not put in the dirty hands of capitalism. It would like handing the internet over to a couple of corporations, which would, essentially, rule the world. It is absolutely vital that IP addresses allocations remain in the hands of an INDEPENDENT non-profit organization.

Domain names do not affect the way the internet works. There can always be a near infinite amount of domain names available. You can't compare auctioning domains and auctioning IP blocks, that's just crazy!@

Re:this problem has already been solved.

[Karmageddon]

You can't compare auctioning domains and auctioning IP blocks, that's just crazy!

I didn't compare it to domains: you did. I was comparing to real estate, sorghum futures, petroleum, pollution rights, etc. They all get bought and sold routinely. With real estate (and domain names) location, location, location matters, but ip addresses and other commodities are fungible.

IP addresses deal with the essential functionment of the internet, this CANNOT be taken lightly and certainly not put in the dirty hands of capitalism.

... why, it would be as bad as putting our food supply in private capitalist hands. Why, giant companies would come along and own it all and charge exorbitantly... oh wait, private companies do control our food and it's dirt cheap. Your "theory" is gasping for breath.

all IP's WILL be owned by one or two telco giants

I love it the way you ignore all the parts where I addressed your sole legitimate concern. I said, NO MONOPOLIES. if you want reviews, fine, we can add in NO IDIOTS.

Re:this problem has already been solved.

[sillysally]

in my original post I noted this problem. "fungible" is a legal term meaning "one is just as good as another." So, for an example, paperback books are pretty fungible. If you lend me any old copy of The Valley of The Dolls and I lose it, I can give you back another copy and you can't sue me claiming you've been harmed.

So, what I meant by "buying" an IP address was that you are entitled to one in the place where you bought it, but the actual address would be subject to change for routing purposes. Should you be allowed to move your IP? It doesn't matter; prices in a rational market would reflect the value/cost of that choice.

Re:this problem has already been solved.

[pabl0]

Just auction IP addresses through a central exchange, all IP addresses, including the sacrosanct class As.

To some degree, this is already occurring. ARIN charges for block allocations. In turn, Tier 1 service/access providers routinely toss their clients smaller chunks of IP's, with the option to purchase larger chunks. In this manner, IP's are already controlled by a central repository, and you can purchase as much as you want. ARIN simply adds the conditional that you must justify the necessity of those allocations. This to me seems a much better solution than the same (or a similar) entity deciding that it doesn't care WHY you want the IP addresses, so long as the check doesn't bounce.

Some regulations are required: don't allow monopolies or cartels; declare IPs fungible to allow central administrators to reallocate or consolidate blocks for routing purposes.

This raises the usual array of annoying questions: - Who creates the regulations and under what authority? - Who decides what defines an IP monopoly or cartel? If I'm there first and with VC funding I purchase 50% of the available address space and other companies then chew up the remaining space over time, am I now a monopoly if I choose to resell that IP address space at severely inflated prices? Or is that just capitalism at work?

Re:this problem has already been solved.

[sillysally]

your objections are easily resolved: resolving such problems is exactly what pricing systems do. some rights can be grandfathered, you can pay for unreassignability, blah blah. The point is, if you understand why auctions and market prices are better than communist/fascist/religious secretive/nepotistic central planning committees, you can understand how property rights are bought and sold.

Re:What?!?! a correction

[MRK]

No.

The problem is that when you have one, eg, webserver, listening on a given IP it has no way of knowing that you want one site or another. That is why you need the host header. Think about it. Any dns implementation which fails to return an A record for a given name when it exists isn't just going to have problems with virtual hosting on single ip ... Its busted!

Re:Will someone please think of the shell provider

[mariab]

Demon still use SMTP mail delivery as the main method ...
and don't forget that Demon Internet (now part of Thus) also has a static IP for each dialup customer that has a homepage .. ie, not only is there an IP for luser.demon.co.uk but if they upload web pages, an IP is assigned by demon to www.luser.demon.co.uk !

I wonder if demon will change all their dialup users homepages to name based virtual hosting and give back however many thousands of IPs this will free up

I don't know about anywhere else, but at the ISP I work at, we only give a user a static IP if they can justify it, then we can justify it to RIPE
fair's fair, right?

Too many problems with this to even count them all

There are too many problems with this policy to even begin counting them.

Virtual hosting isn't just about HTTP. It's also about FTP, POP3, IMAP, SSL, and whatever other protocols a host chooses to support. Some hosts even virtualize Telnet, SMTP relay, or finger. There are problems with bandwidth shapers, traffic analysis, partitioned "virtual servers" or other unique technologies, etc.

I don't think anyone has mentioned the impact of filtering systems or Spam filters such as ORBS. If you have three hundred customers on one IP, and that address gets filtered by such a service because of one rogue customer, you're screwed.

We're not talking about giving IP addresses to toasters. We're not talking about giving Class C's to T-1 customers. We're talking about using IP addresses for hosting customers who need and pay for a package of virtualized services. Services which hosts have provided for years, and will need to continue to provide in order to remain competitive. Services provisioned in a fashion which ARIN has supported.

Lastly, what about enforcement, reclamation, and competitive advantages? Will Host A run out of allocated space before Host B? Will Host C decide to circumvent the policy through any of a dozen methods that come to mind? Will ARIN go to Host A and say "give us back that /18 you've been using for three years"? Will they do the same to Host B? Will the big hosts end up in court?

I'm running for one of the seats on the Advisory Council, myself. It seems that the policy was created without input from those actually using the technology. Again, it's not just about HTTP.

Kevin Martin
sigma@pair.com
www.pair.com

Re:In Belgium and EU in general, we have no choice

[Gothmolly]

Of coursey you don't, you live in a socialist country.

proftpd can work with virtual hosts

[SaberTaylor]

I don't know why every is saying that ftp can't work with virtual host names when there is a proftpd config for it.

Re:proftpd can work with virtual hosts

[Ledge+Kindred]

That's for doing IP-based vhosting.

Read the FAQ.

-=-=-=-=-

Re:proftpd can work with virtual hosts

[ebunga]

Each virtual host for ProFTPd requires its own IP address. Please take a look at the config file, read documentation, and enjoy.

Problems and prejudices

[thesparkle]

I know a few people who serve in some capacity with ARIN and there is a distinct bias against webhosting and the hypertext protocol in general. Too many of the ARIN and Internic directors are they type who lament what they see as the "death" of the Internet at the hands of commercial and individual entities and therefore blame the popularity of this protocol for changing the face of the Internet.

I wonder how much of their opinion came into play here.

Furthermore, the real problem is not the webhosting allocations, but the host allocations to large, workstation-based networks. I know of more than a few companies who have /19, /18 and larger allocated blocks who were assigned these networks many years ago. Rather, they should be actively using non-routable IP space, proxies, and DHCP rather than static IP configurations.

It does not make sense to choose a website, ftp site or any other Internet service host over a workstation.

Much to their credit, though, ARIN has actively sought out unused IP space from companies, universities and other organizations assigned A and B space in the past.

Bad idea

[Ledge+Kindred]

There are lots of reasons why name-based virtual hosting won't work, namly many protocols that are NOT http.

Why do people seem to insist that "The Internet == The World Wide Web" anymore?

It reminds me of The Corinthians website issue. Just because a guy doesn't have a web page on a domain, or that page hasn't been updated for a while, The Powers That Be consider the domain unused. (May not be the exact case with this example, but in general that seems to be the opinion anymore.)

Seems like nowadays, if you're NOT running a high-profile website on your domain, you just aren't officially "using it."

EMail? What's that? FTP? CVS? Telnet? SSH? Huh?

-=-=-=-=-

NAT is not a solution, it's a problem.

[DJ+Wipeout]

NAT is not a technology, it's an abomination. It breaks one of the most fundamental rules of the Internet, which is end-to-end connectivity. NAT is also a weak curtain for people who are unwilling to secure their machines.

Microsoft has been "riding" on top of DOS for the past 15 years or so, how has that been good?

People need to learn when technologies need to be taken out of service and replaced.

What about non-anonymous FTP?

[yerricde]

Users need to be able to upload to their web space, and HTTP can't upload without potentially compromising the system.
<O
( \
XGNOME vs. KDE: the game!

Re:What about non-anonymous FTP?

[korr]

Non-anonymous FTP will run without any problems...as long as there aren't any duplicate usernames on the system (which there should not be). Run a normal ftp server, and each client gets put in their home directory when they log in.

Protection from DDOS? Not likely.

[yerricde]

It seems like if that machine was ever subjected to a dDos or went down for some reason

A well-designed Distributed Denial Of Service is impossible to distinguish from normal heavy site traffic <cough>Slashdot effect</cough>.

<O
( \
XGNOME vs. KDE: the game!

Re:Protection from DDOS? Not likely.

[rodgerd]

From my experience of being slashdotted, there are plenty of script kiddies who turn up with DOSes around the same time legit visitors do.

--
My name is Sue,
How do you do?
Now you gonna die!

Failsafe Requirements...

[buffy]

I don't think that encouraging the use of name-based virtual servers is a bad idea per se, as long as they're flexible and accept the limitations when they're presented in a requirements request document.

In addition to the SSL restriction, if you're running a site, or sites, that use some form failsafe mechanisms for redundancy, you'll have some difficulties trying to do it with only a name-based VIP.

Again, as long as the policy is flexible, and defaults to allowing someone the address space if they justify it's need, then ok.

Unfortunately, I think we're all aware of the history involved, and I don't think the flexibility will be as available as necessary to make us happy.

No kidding, all shortages are artificial.

[TheDullBlade]

There are a lot more IP addresses than there are people connected to the internet.

--------

Re:No kidding, all shortages are artificial.

[NathanDay]

Or ever will be (v6).

"I always try to avoid the term 'language', but it is certainly a complex communication system."

Re:No kidding, all shortages are artificial.

[spudnic]

Ah, but what happens when we start to route packets to the infinite number of other planets out there that need (want) access to our hosts?

Is there possibly an RFC or provisions in the current IPV6 out there for some kind of gateway protocol (translation) for this?

Look how long it's taking IPV6 to be implemented. I think we need to address this NOW.

Re:No kidding, all shortages are artificial.

[Karmageddon]

as you said, but did not say strongly enough, all ip address shortages are artificial. It is precisely because they are regulated and hoarded that folks with connections grab all they can and hang on. if they were auctioned there'd be a huge glut.

Re:No kidding, all shortages are artificial.

[Dr.+Sp0ng]

Ah, but what happens when we start to route packets to the infinite number of other planets out there that need (want) access to our hosts?

By that point they're going to have to find a different transport method rather than electricity or light anyway (who wants ping times of 2 years, anyway? hurry up with the quantum physics research.) and if they can do that, implemention IPv12 shouldn't be too much of a problem at that point :-)
--

Re:Will someone please think of the shell provider

[Soruk]

(Static IPs to dialup users)

I'm a Demon customer, and a happy one at that. They allow both POP3 and SMTP mail delivery, both of which I use depending on whether I'm just checking it or actually downloading to my primary box.
Anyway, Demon (currently) use a single IP per customer's homepages website, but they plan to change to some name-based virtual hosting. And once they've done that they can recycle those IPs for dial-up customers.

Also, why do you need a shell account with its own IP address? UNIX boxes have been allowing multiple shell accounts off the one IP since year dot.

RIPE and APNIC do it, ARIN are behind the times.

[Zwack]

I know RIPE have been doing this for about a year (or so)... Whether this is a good thing depends on your point of view. It helps conserve IPv4 addresses. It means people need to think about what they are doing...

But if you offer anonymous ftp server and web server for a single fee then you still need to use IP addresses. FTP is not capable of working on a HOST header basis.

The ISP in the UK that I used to work for bundled anonymous FTP with web servers before this policy came out. I don't know how many people use their FTP space, but it is there. It was a cheap and easy way of adding value to our offerings.

My personal belief is that some people will switch to name based virtual servers, others will start to bundle more services for the same price such as FTP and HTTPS that can't be run on the same basis.

Anyone want an IP based shell account with a web server, ftp server, https server and nntp server of their very own, all for the low price of...

Re:Just change the port for each SSl Key

[FalseConsciousness]

That would unfortunately prevent access by any users who are behind firewalls that are configured to allow only port 80 and port 443. Depending upon your audience, lots of people who do their shopping from work would get blocked.

Re:Just change the port for each SSl Key

[Doomdark]

But doesn't that cause problems for people behind nazi firewalls? (some companies seem to think anything going ports other than 80 and perhaps 8080 is inherently dangerous and ought to be blocked).
... and yes, this happens... :-(

Re:Will someone please think of the shell provider

[grahamsz]

Well the main use is if you want to IRC from a certain hostname. IRCd checks when u connect that your forward and reverse dns match so that means if you want a custom hostname - you need your own ip.

Also as a demon customer (although i use blueyonder hi-speed at my flat, BT at my parents and Lineone on my mobile) actually we just keep demon for email :) i'd like to see them improve the webmail service since it's been in testing for about 3 years now and should be nearing maturity.

Re:Will someone please think of the shell provider

[grahamm]

When Demon introduced the ip based virtual hosting for the homepages service, they announced the intention of moving to named based virtual hosting - but as yet this has not happened.

Which cert does it send out?

[yerricde]

At the time the server sends a certificate, it doesn't yet have any HTTP headers; all it has is the IP address. Without the Host: header, how will it know which certificate to send?
<O
( \
XGNOME vs. KDE: the game!

It depends how its implemented

[Quetza]

I've seen many companies that grossly misuse their IP address allocation. They allocate a static IP per dial-up user; they allocate a static IP in apache for thousands of virtual web-hosting clients.
The point is that where an IP address is needed, like for _public_ ftp servers and for SSL servers, they should be allocated.
It's the people that waste because they can that are in the wrong.
The problem is policing it, of course. Everyone wants contiguous blocks so they'll ask for more than they'll ever need.

SSL can use renegotiation

[drig]

It's easy enough to set up a site that changes key/cert upon receipt of the request URI (or Host: header). Simply choose a primary key and cert, do the initial connection with that one. Then, when the client specifies the URI (or Host:), request renegotiation and choose a new key/cert pair. All major browsers support renegotiation.

web servers may be ready, but is reporting?

[PerfectCircle]

Earlier this year we installed Accrue (a high-end, high-cost web reporting package), and discovered that their sniffs-the-wire to monitor web-usage technology had a pre-configured limit of distinct sites per IP Address (we were at 40 sites when we installed, and have 80+ sites now). After jumping through far-too-many hoops with the installer person and customer service, they realized that yes, indeed, our many virutal hosts per IP Address had blown out an array of 32. Once the problem was identified Accrue quickly supplied a patch to increase the array to 128, but were reluctant to make it larger, 'for performance reasons'. We expect to surpass the 128 limit by the end of the year.

I know that not every reporting package is written with the same limitations, but if they didn't write it to deal with large numbers of virtual hosts, will it efficiently deal with them? or deal with them at all ?

Re:X.509 certificate cis ritical for link security

[Sensor]

More to the point if you are hosting several virtual SSL servers on a single box then its likely that your DNS is setup with an alias for the real site to point to the CNAME of the hosting box....

This suggests to me that the client could allow authentication against a certificate from the real host name... eg

website = www.somecompany.com
website = www.anothercompany.com
host = host.hostingcompany.com

with DNS config of:

host.hostingcompany.com IN A 10.0.0.1

and

www.somecompany.com CNAME host.hostingcompany.com
www.anothercompany.com CNAME host.hostingcompany.com

then both webservers could use a certificate for host.hostingcompany.com.

The problem with this of course is that if someone can hack your DNS (which of course would never happen *grin*) then they can fake the SSL component of another site which isn't a vulnerability under the current mechanism.

Really it comes down to a question of is SSL intended to provide security for traffic in transit or authentication of the web site? Consumers are currently more paranoid about the first but I'd have thought the second was actually more important.

I suppose that there could be a two stage authentication process where the real name of the box is used to encrypt the link (and authenticate that host) but then an additional certificate (X509 with an extension) could be provided to prove that a particular name can be hosted on that machine...

just thoughts

Tom

Dangerous precedent

[Frank+T.+Lofaro+Jr.]

I am worried about a precedent this can set.

Like companies being required to use NAT, even if they don't want to and want each machine to have an Internet routable IP. Like ISPs that serve residential customors via DSL or cable modem being required to tell their customers they can not be on the net more that 8 hours a day average. Why would they do that? Because even if you have dynamic IPs you don't get any savings of IPs if everyone is holding on to them 24/7. Or even just telling ISPs they have to put all residential customers on NAT. Each ISP would get IPs for themselves, but home customers would only get "private" 10.x.y.z IPs (of course they can't serve content then, but it is likely that neither the ISPs nor ARIN would be at all upset about that.)

Re:Will someone please think of the shell provider

[Soruk]

IRC: I would say 'fair enough' - but why do you need your own hostname to use IRC? I'm not an IRC user myself (I'm a MUSHer) I may be missing something somewhere...

I use Demon for my box at home on a caller-id ringback system (so I've got static IP to ssh into). I also use Demon on my cellphone (ED50 on Orange) in the evenings on their 0121 number, but for daytime cellphone use I use OneTel who charge 1p/min (and on a cellphone 1p/min ain't bad especially at peak rates!) through a freephone number.

The switchover to IPv6

[tuxrules]

But if it can be progressively done, and backwards compatibility can be maintained, there won't be any problems.

I've used VHOST's for years...

[r0ach]

I'm on the internet through a cable connection, and I have about 20 different domains hosted on a server in my house, all using the same IP, apache's directive and some creative CNAME's in my DNS records... It's been working great for like two years now, and it's definately a viable solution to the IP shortage...

Arin doesn't hand anything out

[bumbaclaat]

I must object to the characterization that ARIN 'hands out' IP addresses. They don't. At least in my case they made people from my company work for months to justify our initial allocation of a /19. And then they fully gouged us for several thousand dollars to get the IP's, and are going to keep gouging us every year.

No way they just 'hand them out', it's as if they don't want you to have them, so they can save them all for Worldcom or something.

Understood.

[Kozz]

Thanks for the clarification.


Quidquid latine dictum sit, altum viditur.

FTP is no big deal (Re:ftp)

[Punto]

FTP is not a big deal either.

I admin a couple of servers with about 100 sites each, on 1 IP. The FTP access is not 'name based' but 'user based'. Each user can FTP into the server using any of the names (and any of the IPs), but it will only have access to its own site. That way, it doesn't matter what domain name is using, the access is defined by the username.

--

Why not?

[icezip]

I don't know about any one else, but I have been using name based Virtual Hosting for quite some time, and so have quite a number of large ISPs in my area. I personally don't foresee a problem meaning that I have yet to receive a complaint about not being able to use my site. Any one using an old browser shouldn't be surfing newer sites anyhow.

--Dave
"Besides, I think Slackware sounds better than Microsoft, don't you?" --Patrick Volkerding

hi

[jmd!]

SSL... yeah... what about SSL? SSL? SSL...

jeeze, read before you post... half the freaking comments are 'BUT SSL!'

Workarounds for protocols other than HTTP are bad!

[GoRK]

Welcome back to the consumer notion that the web *IS* the Internet.

If that were the case and the only protocol running on the Internet that would require something like virtual hosting was HTTP, then we'd be all set.

For those of you who don't understand what this is all about, think of HTTP like this:

1) Your machine connects to an IP
2) Your machine then tells the IP what webserver it wants to be talking to *BY NAME*
3) Webserver fires back the appropriate content

If every single protocol on the planet had the client identify the server *BY NAME* this wouldn't be a big deal; however, they don't. Very few protocols do this.

Mail delivery does. POP3 and IMAP don't; though. Neither does FTP. Any protocol that requires reverse lookups to return a specific hostname is problematic if you are attempting to have one ip with many names (e.g. ident) Oh, and as many have mentioned SSL certs are tied to IP *AND* NAME so they have to be vhosted by IP.

The only current ways around this seem to be passing the server name with the user name. There are virtual ftp servers, virtual POP3 servers, etc. that allow for this. E.g. the user bob trying to access the mail server mail.foo.com to recieve his email would pass the username as bob:mail.foo.com. Or when logging into a virtual ftp server, the username would be bob:ftp.foo.com.

For most users this is a terrible inconvienience and anyone who works tech support at a large virtual hosting provider, I'm sure would agree. It's a tech support nightmare. For the majority of lusers out there, logging into 'mail.foo.com' as 'bob' makes life a helluva lot easier than logging into 'mail.foo.com' as 'bob:mail.foo.com' to check mail for the address 'bob@foo.com' .. "Why do I have to do that?" Bob says... Then you have to talk him through setting his Reply-To: header and that's a pain. Let's let the ARIN people do 20K tech support calls about this and see how they like it.

Perhaps providers of the world could go back on ARIN calling this move 'anti-competitive.' For most providers, it probably removes the ability to market a certain service - IP based virtual hosting - a step in between virtual hosting and dedicated server services that is ideal for midsize hosting accounts.

Grrrrr.......

~GoRK

Potential problems even with HTTP

[GoRK]

1) IP based virtual hosting is tremendously more manageable than name based hosting - Primarily because DNS takes 1 TTL (however long) to change over in the event of a problem that requires a workaround where one must move a website from one IP to another. If you can move the IP, instant change.

2) IP based virtual hosting prevents unnecessary headaches for administrators of medium size sites that must endure access problems to named hosts due to misconfigured client proxies, firewalls, DNS servers, or web browsers. Also extremely old browsers - THEY ARE OUT THERE PEOPLE - even if their numbers are very very few.

3) DNS is introduced as another point of failure in the entire system. Without proper DNS resolution there would be absolutely *NO WAY* for a website to be accessed if it were on a named host even if you knew the IP. (at least without a bunch of fiddling around) The other problem to consider is what site could potentially be brought up using the IP number of your named host? Your hosting provider's site? Someone else's site maybe? Someone else's PORN site?? -- THis poses a tremendous problem for businesses who cannot afford dedicated server solutions. Pretty much every virtual server on servint.net's network is porn. Imagine if you had a legitimate business site on one of these named virtual hosts and DNS broke, so you accessed the site by IP and got a PORN site! Bad karma!

Try it - see if your favorite website is name vhosted. nslookup the IP and use it as the URL! You'll be shocked.

~GoRK

Re:Potential problems even with HTTP

[Bastiaan]

Ad. 1. With the same logic you can argue name based virtual hosting is tremendously more manageable: try to move your 1000 sites from server A to server B. With name virtual hosting it's just a change of a single DNS entry. With IP based hosting you either have to move 1000 addresses to server B or change 1000 DNS entries.

Ad. 2. Actually it seems rather difficult to misconfigure your firewall or DNS for name virtual hosting. It seems much easier to forget one of the X IP addresses you need for IP based hosting. About the old browser support, shouldn't it be time to kill Netscape 0.91 and friends. Ah no, I bet you still support gopher too?

Ad. 3. The average user will be helpless without DNS anyway. For the non average user that knows about IP addresses, it's trivial to add an entry in the hosts file. Not really 'no way'. And about the pr0n stuff: I can only assume your 'favorite website' is a porn site too. Any normal vhosting company would put advertisement for itself on the IP address only site.

no problem.. as long as...

[NNKK]

this isn't a problem in my book so long as the policy is reversed when IPv6 enters widespread use (beyond universities and Internet2 (I2 is using IPv6 right?)) since once that happens we'll have plenty of IP addresses avalible :)

Re:X.509 certificate cis ritical for link security

[rocca]

www.somecompany.com CNAME host.hostingcompany.com
www.anothercompany.com CNAME host.hostingcompany.com
then both webservers could use a certificate for host.hostingcompany.com

Except that the browser will validate the server certificate, which embedded within is the name host.hostingcompany.com and warn the user that the site they have connected to (www.somecompany.com or www.anothercompany.com) does not match the certificate contents.

RTFA!!

[kindbud]

The policy says they will no longer accept IP-based hosting (I presume this means web hosting) as justification for allocating addresses.

It doesn't say you can't get allocations for other IP-based services.

What ARIN doesn't tell you...

[preed-man]

There's a fairly good discussion on why this new decision sucks, so we don't need to rehash that.

But, according to linux-firewall-tools.com, the following address spaces are reserved by the IANA;

# Refuse addresses defined as reserved by the IANA.
# Note: this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.* - Can't be blocked for DHCP users.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 197.*.*.*, 217-255.*.*.*

Now, obviously the IANA can't release addresses like 192.x and 217-255, but why is 49/50 reserved

What about 58-60?

There are a significant number of useable IP addresses the IANA is just sitting on, and I may be stupid, but I haven't heard of any good reasons for this; maybe someone can enlighten me.

Instead of trying to be fascists about IP addresses, the IANA/ARIN/APNIC/Big-Brother-of-the-Internet should just release the addresses it's sitting on, or get IPv6 out the door; I hate this kind of gestapo crap, where they have to make stupid decisions because of their lack of planning in the first place.

ARIN shouldn't care what I use my IP addresses for, as long as I'm using them...frankly, it's none of their god damn business.

WebDAV

[Earlybird]

Many sites actually insist on, or used to insist on, *cough* FrontPage Extensions *cough* for that.

The real solution for the future is WebDAV (and being worked on by the W3C), which fully supports named servers and authentication, and is designed to replace FTP and the various ugly "web posting" systems out there, including the uploading aspects of FrontPage Extensions.

Notably WebDAV implementations include Zope and mod_dav for Apache.

Interesting Indeed

[pivo]

Comments like this are what makes /. for me, a lucid technical description followed by a bout of babbling insanity. Can life get any more perfect?

What about the reverse zone lookup?

[coolgeek]

When say, a site sends an email to a visitor, like an order confirmation, the receiving mail server will likely do a reverse lookup in the my-ip-octets.in-addr.arpa domain, as an anti-SPAM countermeasure. Other reverse-lookup situations apply too.

If ARIN gets its way, the response to one of these lookups will return possibly up to 2500 hostnames. This is if a single server is hosting 800 sites (not uncommon) on one IP, with 3 or 4 hostnames (www, ftp, mail and plain old mydomain.com) for each domain hosted on the server.

Seems a bit short sighted, although maybe they hope to push IPv6 down everyone's throat. What they should probably focus more on is all the Class C's handed out by ISPs to their clients, who can really get by with 4 or 8 IPs and IP Masquerading.

IPv4 has 1/4 of itself free!

[Convergence]

If anything, they're being too aggressive in not letting out IP addresses.. a whole 1/4 of the IP address space was just opened up a couple of months ago (64/2). That's over a billion machine names.

Now, I will agree that some of the first allocations should be redone and forced to be returned. (MIT and some others have a class A space, or 16 million machines worth.)

There really isn't as severe shortage of IP's as everyone makes it out to be.

Where is IPv6

[ikekrull]

What the hell is wrong with these people. Instead of saying 'we won't assign any more IPV4 addresses for virtual hosting', why not say 'we will only assign IPV6 addresses for virtual hosting purposes.

Then, at the every least, some of the people on the internet might have a good reason to drive the adoption of IPV6.

Problems w/ Name Based Virtual Hosting

[BMIComp]

When you use name based virtual hosting with websites, one problem is that browsers which are not HTTP/1.1 compliant try to reverse-lookup the server's IP address, and so, instead of getting the virtual website, they will get the hosting companies website.

Expect a lot more SSL servers soon

[phr1]

The comments people are making about SSL servers needing there own IP addresses are all true.

The reason there aren't a lot more SSL servers running now are 1) US crypto export regulations have made it a pain to ship the software around; and 2) SSL servers in the US generally need to license the RSA patent to use RSA cryptography.

The export stuff has just been relaxed a lot, and the RSA patent will expire on September 20, just a few weeks from now. I expect a lot of new SSL servers to go up after that. Sites that store any personal info (not just financial stuff like credit card numbers) should use SSL a lot more than they do. There's easy-to-install free server software available, certificates are a lot cheaper than they used to be, and computers now are fast enough that the crypto computations aren't a real bottleneck any more.

I'll probably announce SSL availability on my own personal site on September 21, the day after the patent expires ;-).

Re:What?!?! a correction

[CyberChrist]

Not wanting to be a pedantic fuck, but IPv6 actually uses 16 byte addresses, from memory.

SSL and TLS upgrade issues

[madbrain]

There is in fact a big problem with doing name-based hosting for secure sites.

As pointed out before, the SSL handshake happens before any name can be transmitted, so that the server must always present the same certificate for a given IP/port combination.

The TLS upgrade draft as proposed doesn't really solve the problem. What is proposed is to start a connection insecurely, have the browser send a host header, and then have both the server and the client upgrade the connection to TLS.

The first big flaw is that this requires new clients and servers. There are no servers out there that support this, and no clients either. I work on one of the most popular commercial servers - the iPlanet web server - which, incidently, is available for Linux for free at www.iplanet.com . So I can fix the server part in our next release. And our browser folks could fix that in Mozilla/Communicator too ...

But, IMHO, we will not do that. The second flaw is that the TLS draft makes the upgrading of the connection "option" and reuses the existing http:// URL scheme. The connection is supposed to be upgraded to TLS only if the server requests it, or the browser requests it, based on the user preferences. This is very bad because a server-side application has no way of enforcing security on its content. It is forced to use conventional http:// links and relies on the browser being TLS-upgrade compliant to do the magic. If not, the connection will just proceed, insecurely.

I think making security optional is a terrible idea. You either want it or you don't, and if you do, there must be no circumstances under which the connection will be insecure.

The right thing to do would be to extend the TLS protocol to support virtual hosts. Failing that, a new URL scheme ("httpt://"?) could be devised specifically to mean "connect insecurely and immediately upgrade the connection to TLS after VS negotiation". Then the security could be enforced by the clients, servers as well as applications.

Re:X.509 certificate cis ritical for link security

[palp]

If the hostname you typed into your browser doesn't match the certificate you got, browsers warn you. See https://www.palp.org for an example.

What other options???

[Vantage]

They have a point in saying that something needs to be done.

What other options are there?? There are only so many availible IPs. More may be coming soon with the new "standard" but that isnt very widly supported yet. This is much more reasonable right now.

What else would you have them do???

Re:A few problems - DNS solution

[MadCamel]

A good solution to the FTP and http 1.0 problem would be some server-side extensions to the nameserver. Lets say ftp.bluh.com is pointed at an IP along with 200 other hostnames. When ftp.bluh.com is resolved, a token could be sent to the nameservers for bluh.com telling them what IP is resolving it. This information could be passed in turn to the FTP server, which would know that it's ftp.bluh.com from that IP's point of view, and act accordingly. The same could be done with many other services.

This isn't as hard to impliment as it sounds. We have to start conserving IP's, I don't think putting large blocks of users behind NAT is a good option, and ipv6 is still a long way off from being global.

Re:X.509 certificate cis ritical for link security

[Sensor]

I know thats how it works at present - but the browser by doing a reverse lookup could also get the real name of the server and validate against that.... this would involve a change to the authentication method but as far as I can see it would be the only way to allow virual SSL servers on a single IP.

Re:Will someone please think of the shell provider

[grahamsz]

It looks cool to appear as graha.ms@graha.ms and clearly identifies who I am to people who know me. It instills a far greater level of trust that I am who I claim to be than if i appear as ~graham@modem13813.uranium.pol.co.uk or any other freeserve like address.

Bandwidth Limiting

[gpowers]

Limiting the amount of bandwidth a web site uses also requires a separate IP address for each limited site. This applies to MS IIS AND Cobalt RaQ [Linux] servers. You can't do this with host headers.

Re:Bandwidth Limiting

[madbrain]

Actually, funny you would mention that, as I am spending the next couple of days solving that problem in our iPlanet web server.

It's completely possible to limit the bandwidth based on the host header.

HTTP 1.0, 1.1 usages?

[seebs]

So, I'm not sure about this, but I did notice that HTTP 1.0 (doesn't support the by-name hack) is still about 40% of the hits in our web logs.

Is that more modern browsers trying to be friendly, or is that people who actually *can't see* the NamedVirtualHost stuff?

Re:HTTP 1.0, 1.1 usages?

[madbrain]

Netscape Navigator/Communicator is a hybrid browser that supports the host header, and therefore will work with name-based virtual hosting for HTTP, but it still advertises itself as a 1.0 browser, because it is not compliant with many other features of HTTP/1.1, like chunked encoding, which are listed as "MUST" requirements for user-agents in RFC2616 (HTTP/1.1). The other 1.1 features are neat, and I went through careful coding to support them in our iPlanet Web Server, that I should point out is available for Linux in a free Fasttrack edition.

I wouldn't be surprised if almost all your HTTP/1.0 traffic came in fact from Netscape browsers, which are capable of navigating name-based virtual hosted sites.

Re:A few problems - DNS solution

[MadCamel]

I am fully aware of that, in fact, this is why it would require no client side modifications. Simply a token sent from their nameserver to the authoritive stating what IP is resolving what. This type of data can be packet into 20 bytes, even on a large scale, traffic would be negligable.