Slashdot Mirror


ARIN: No More IP's For IP-Based Virtual Hosts

Mike writes: "ARIN (the guys who hand out IP addresses) has a policy change where they will no longer allocate IP addresses for IP-based virtual hosting. They are expecting everyone to move to name-based hosting now. ARIN is soliciting comments to their public policy mailing list: ppml@arin.net. What do you guys think? Is name based virtual hosting ready for prime time?"

22 of 249 comments

  1. host header is fine.. unless.... by posilipo · · Score: 4
    APNIC (Asia Pacific NIC) has had a "move to host header" policy for a while now, and when we ask for more addresses (we presently have a request for a large block in with them), they want to see your network address plan, and they want to see how many host header boxes versus how many IP'd webservers you have.

    Host header, as dirty a word as it is, seems to work fine (we use Micro$oft IIS, ugh) - oh, there's one sticking point. You can't bundle per-virtual-server anonymous FTP access on the domain name to clients. This minor problem aside, I think it's a good thing. The number of boring web sites we have wasting IP addresses haunts me every time I open that address database...

  2. IPv4 is the reason for this, I'll wager by Matt+Ownby · · Score: 4

    they wouldn't have any problem with ip-based virtual hosting if there were more IPs than people know what to do with floating around.
    I predict IPv6 sees a return to ip-based virtual hosting.

    Name based hosting isn't a bad idea though, since most people use a browser that supports it nowadays.

  3. Re:what does this mean? by posilipo · · Score: 4

    http://www.stud.ifi.uio.no/~lmariusg/download/artikler/HTTP_tut.html read that, it explains the HTTP protocol. Basically, host header webservers host multiple sites (different domain names, e.g. "http://www.example.com" and "http://www.fred.com") on the same IP address. They distinguish between which site to send to the client based on the HTTP request itself, rather than purely the DNS lookup.

  4. Yes and no. by Skorpion · · Score: 5
    For normal (http) virtual web sites, hostname based virtuality is OK. But it isn't OK for https (SSL secured) web servers. A web server certificate is issued for name and IP and you can't have two of those on one IP.

    I think moving to name-based virtual servers is a good idea in general, but the https problem needs to be resolved first.

    Alex

    1. Re:Yes and no. by mariab · · Score: 3

      they may be issued on a name basis, but the problem here is that SSL is a transport, you have to negotiate the SSL link complete with the certificate before you get to talk to the actual web server ... at this point the server doesn't know which web site you are looking for, and therefore has no way to know which certificate it should send.

      Where I work right now, SSL is one of the biggest problems, we have 5 servers here running host-header based virtual hosting, but we have had to set aside relatively large chunks of our IP space to cater for the customers who want SSL.

      To top this off, the SSL-hosting IPs can only do one thing each, and cannot be accelerated by our caching system ... a single SSL site on one server generates 3 times as much traffic as the whole of the other sites on that server, because the normal sites can be accelerated, SSL can't.

      So ... how do we fix the SSL https issue?

      I would love to do name based SSL hosting .. but I can't see how

      --
      meow! Maria
  5. Secure websites need IP's however.... by listuser · · Score: 3

    My letter to Arin:

    Sure you can do web hosting with named virtual hosts, several hundred sites per IP, and it works fine. But what happens when sites start hosting more and more SSL secured websites (i.e. https://store.example.org/)? SSL works at the transport layer, you cannot host multiple domains off of one IP address. Will an exemption be made for this (i.e. I need a CIDR because I want to host a lot of secure websites?). Making it harder for people to implement SSL secured websites will only hurt the Internet, making it a much less secure place to do business, and ultimately stifle growth (well a little bit anyways). Thank you for your consideration.

    Kurt Seifried, Senior Analyst
    SecurityPortal, your focal point for security on the net
    http://www.securityportal.com/

  6. IP-based virtual hosting still needed by Markonen · · Score: 3

    Plain name-based virtual hosting is acceptable for "bulk" or low-end hosting, but there's still plenty of situations where you run into trouble without using separate IPs.

    For example, the hosting provider I work for sets up dedicated Apache installations for each customer -- and this policy gets hailed as heavenlike by our customers, since they're free to install any extensions they could possibly need (or even completely switch servers). With current technology, it's tricky at best to implement something like this with name-based virtual hosts. We would need to run our private address space internally and then have a HTTP-level metaserver to distribute the HTTP/1.1 name-based queries to the right servers.

    Also gone are access lists on the router level. Dedicated ftp/smtp servers listening on the same IP as the site. I could go on forever.

    To the credit of both ARIN and RIPE (ARIN's equivalent in Europe), they seem to be on top of this. If a company DOES use a single Apache for a thousand sites, I think it's justified to ask them to use less than a thousand IP numbers. However, this is a grey issue, and the organizations have been understanding in situations where there really is a need for IP-based virtual hosting.

    IP numbers are not assigned for administrative ease, and that's ok. But the issue of name-based or IP-based virtual hosting isn't about convenience yet. It's still about functionality.

  7. No, because of SSL by kinkie · · Score: 5

    Secure sites can't move to name-based virtual hosting, as site and key selection takes place before a single HTTP header line is sent.
    In other words, a secure site requires an unique IP address.
    So as a general policy it's pretty dumb, unless exceptions are made for secure sites, and from the announcement it doesn't seem so.

    --
    /kinkie
    1. Re: No, because of SSL by JoostFaassen · · Score: 3

      You could run virtual hosts on different ports to allow multiple hosts with multiple certificates to serve on 1 IP address... It's 'a-pache' trick I know, but you could do some tricks in hiding urls like https://1.2.3.4:1234/securedstuff.html in a page on a non-ssl virtual host...

      --
      This post is powered by caffeine
  8. RIPE has done this for years by sparks · · Score: 3
    RIPE (The European allocation authority) has had this policy for a few years now. You *can* get space assigned for IP virtual hosts, but there's a "special application procedure" in place meaning you have to justify each assignment and get approval from RIPE staff.

    The fact is that the Host: header has been a part of HTTP for a very long time now, and the number of HTTP clients which don't support it is trivially small - certainly not enough to justify the vast acreages of IP space it eats up. IP virtual hosting is an idea whose time has gone.

  9. Re:Does this work with old clients? by Ed+Random · · Score: 5

    In the HTTP/1.0 spec, sending a "Host:" header with your GET request was optional. In HTTP/1.1, it became mandatory.

    This means that all requests from your browser to websites will look something like this:

    GET /index.html HTTP/1.1
    Host: mydomain.dom
    <nl>

    This is kind of similar to using a proxy; you need to tell your browser to use a proxy. The browser will then send 'absolute URLs' instead of 'relative URLs' as in my example above. That way, the proxy knows which server you are really trying to reach.

    I think that name-based virtual hosting is a great thing (I run 3 domains off my single IP).

    Unfortunately, I can only run 1 SSL-capable secure website on that same IP address since the SSL handshake needs to complete before the request is interpreted at the HTTP level.

    And I have another issue: I want to run a "reverse proxy" (multiple physical webservers, possibly running different OS's) with name-based virtual hosting. I haven't found a way of doing that [with Apache] yet.

    --
    Greetings,
    Ed.

    --
    -- Gxis! Ed.
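The request shape Ed shows above, and the Host-based selection posilipo describes in comment 3, as an added example that is not part of any post here: a minimal name-based dispatcher that picks a virtual host from the Host: header (or from a proxy-style absolute URI, which takes precedence), falls back to a default host for HTTP/1.0 clients that send no Host:, and rejects HTTP/1.1 requests without one. The hostname table, document roots and default host are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed vhost table (assumption): hostname -> document root.
VHOSTS = {
    "www.example.com": "/srv/www/example",
    "www.fred.com": "/srv/www/fred",
    "mydomain.dom": "/srv/www/mydomain",
}
# Like Apache, an unknown or missing name lands on the first (default) vhost.
DEFAULT_VHOST = "www.example.com"

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request(raw: str):
    """Split a raw request head into (method, target, (major, minor), headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, major, minor = m.groups()
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, (int(major), int(minor)), headers


def select_vhost(raw: str):
    """Return (status, vhost_name, docroot) for one raw HTTP request."""
    _method, target, version, headers = parse_request(raw)
    host = None
    if target.startswith(("http://", "https://")):
        # Proxy-style absolute URI: RFC 2616 5.2 says it wins over Host:.
        host = urlsplit(target).hostname
    elif "host" in headers:
        # Drop an optional :port and normalise case ("Host: WWW.FRED.COM:8080").
        host = headers["host"].split(":", 1)[0].lower()
    if host is None:
        if version >= (1, 1):
            return 400, None, None  # HTTP/1.1 makes Host: mandatory
        host = DEFAULT_VHOST      # HTTP/1.0 client: serve the default site
    if host not in VHOSTS:
        host = DEFAULT_VHOST
    return 200, host, VHOSTS[host]
```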
  10. Sorry but... by CynTHESis · · Score: 3

    While some organizations use IP-based webhosting to, in part, justify their requests for IP space, ARIN will no longer accept IP-based hosting as justification for an allocation unless an exception is warranted

    Virtual hosting may be OK for general public web-pages, a.k.a. a step-up from geocities. But for people who provide web servicing to many different entities which all wish to have either SSH/FTP access to the web servers and SSL services, this provides a problem. I currently provide services to only a few people but I plan to get a larger subnet within a year; the people I provide services for wish to have these services and in most cases the ability to do reverse lookup for security reasons. Being denied additional IP-space because of a reason such as web-hosting methods seems to be slightly ludicrous.

  11. Certainly not. by xonix7 · · Score: 3

    What you have to realize is that while virtual based IP addresses are useful in some cases, they are in fact, not secure. The cases that spring to mind where IP-based virtual hosts would be useful would be for DNS server(s). Say Company X can only afford a single rackmount unit. They could configure their box, with virtual interfaces (eth0:1 etc under Linux, or equivalents under NT or other operating systems), and use one box for running 2 name daemons, each bound to different "virtual" IP addresses. But for webhosting?

    For Webhosting, it actually makes sense to make use of Site proxying such as Apache provides. Typically, how this would be set up is this:

    You'd have a Firewall/proxy box sitting on a single legal (routable) IP address. You'd run Linux, BSD, or (insert any other operating system), and use that box to "NAT" (Network Address Translation) to separate boxes behind that box - or even virtual interfaces on the same box - which would, undoubtedly, use non-routable addresses (illegal IPs). This way, you could have Apache proxying your site from 197.x.x.y (your legal IP), to the illegal IP running on your "internal" box.

    So when a user types in "www.foo.com", it hits 197.x.x.y, where Apache is running, and Apache, with the VirtualHost directive (VirtualHost 197.x.x.y), uses the "ProxyPass" Function to redirect the request to the site in question, running possibly on your internal box. So you could go to www.foo.com:80(default), which would really go to 192.168.2.10:8080, running a Zope Server, and www.foo2.com:80, would, possibly go to another box running Apache on 192.168.2.11:80 - whatever you want, literally.

    I think this is where Arin wants administrators to start going, and I've been doing it for ages. It works well, and for that - the authors of Apache, Linux, and the many open source utilities that support those Applications must be commended. If you aren't doing this, try it. It's quite brilliant. The way it all fits together, is an echo of the very thoughts that inhabit the minds of the thousands of individuals using - and not using, (but perhaps, subconsciously using, or wanting to use) these systems. For the code itself is like a Christmas present. Yes, a year - two years. 10,000 years. In the blink of an eye, the coding time. Think about the implications of 10,000 years of coding time in one blink of an eye! Indeed, we live in strange times.

    --
    Everything is but a number spoken by itself.
  12. How to do it with Apache... by enneff · · Score: 3
    http://www.apache.org/docs/vhosts/name-based.html

    I just set it up for all my hosted pages, and it works beautifully. It took less than 10 minutes.

  13. In Belgium and EU in general, we have no choice. by Ma�djeurtam · · Score: 3

    That's funny I see this thread today, since I had a discussion a few days ago with some important ISP here...

    When I started publishing web pages here (I live in Belgium, EU), every vHost had its own IP.

    In the meantime, I moved my web pages to Jumpline's web hosting, who give an excellent service and an IP per domain name. It was a lot cheaper service than the EU ones at the time.

    A few days ago, I had the discussion with 3 of the most important ISPs in Belgium: for some reason, I wanted to vhost my pages in Belgium again (the price is now roughly the same as in the US). My idea didn't last: name-based hosting is the rule here, and they looked at me as if I was a martian when I told them I wanted my own IP per vHost.

    In a more general context, I'd really like to see a quick adoption of IPv6: more and more ISPs here rely on NAT (with all the problems it can give) and host hundreds of sites per IP.

    That's definitely not a Good Thing.

    Just my thoughts

    Stefano

    --
    Instant Karma's gonna get you, Gonna knock you right on the head (John Lennon, 1970)
  14. 37% of browsers use HTTP/1.1, the rest use 1.0 by Swordfish · · Score: 3
    Try this:
    [akenning@dog]$ fgrep " HTTP/1.0" access_log | wc
    252233 2522331 24313937
    [akenning@dog]$ fgrep " HTTP/1.1" access_log | wc
    151023 1510233 14952893
    [akenning@dog]$ fgrep -v " HTTP/1.1" access_log | fgrep -v " HTTP/1.0" | wc
    188 1521 12028
    I think that means that about 63% of browsers are still using HTTP/1.0 (contradicting the opposite opinion expressed in the O'Reilly Apache book).

    And I think that this means that the net is not ready to abandon IP-based hosting.

    1. Re:37% of browsers use HTTP/1.1, the rest use 1.0 by tshak · · Score: 4

      We run thousands of sites off of one IP and tested Netscape 2.0 (1% of our users) and have had no problems. SSL is no problem because we setup a central secure site for everyone. For example: https://secure.[hostingcompany].com/[customer] Now you've just used 2 IPs to run your entire web service. Then you've got your PIX, your 3600's, mail servers etc. and you don't even need a full class C!

      --

      There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
  15. Will someone please think of the shell providers!! by grahamsz · · Score: 3

    No longer will I be able to get a shell with its own IP for £54 a year ($80 US) - bummer.. how will i ever irc from i.graha.ms now :(

    Also this will probably come down hard on ISPs like Demon Internet who give static ips to dialup users. This was a bugger originally since they used to use smtp for mail delivery which wasn't easy on Macs and Windows, but still a very nice feature.

  16. this problem has already been solved. by Karmageddon · · Score: 4
    man, everybody's jawing away in here: a lot of good info, reasonable suggestions, and stuff I didn't know.

    But this problem has already been solved: private property and free markets. Just auction IP addresses through a central exchange, all IP addresses, including the sacrosanct class As. You want an IP, or a block of IPs, you pay for them. How much? Who knows, who cares, we'll find out when they go up for sale.

    Some regulations are required: don't allow monopolies or cartels; declare IPs fungible to allow central administrators to reallocate or consolidate blocks for routing purposes.

    Problem solved.

  17. SSL can use renegotiation by drig · · Score: 3

    It's easy enough to set up a site that changes key/cert upon receipt of the request URI (or Host: header). Simply choose a primary key and cert, do the initial connection with that one. Then, when the client specifies the URI (or Host:), request renegotiation and choose a new key/cert pair. All major browsers support renegotiation.

    --
    Citizens Against Plate Tectonics
  18. Re:These stories are sad by Frank+T.+Lofaro+Jr. · · Score: 3
    Maybe the people in charge want it this way.

    Here is what they want:

    Make it so only the rich and powerful can get resources (such as IP addresses). Make it so residential customers aren't allowed to host content, even if their ISP doesn't mind, since their ISP will have been ordered to use NAT and hence the customers lack an Internet routable address to host off. No more pesky speech from the masses. Shift information transfer totally from bottom-up to top-down.

    Along those lines, eventually, make it so the shortage is so bad the government comes in and requires mandatory FCC licenses at thousands/millions of dollars each and strict regulations on who can use them and how. The justification would be "scarce resources". Does that sound totally unbelievable? Well, if it does, you need to look at the early history of radio. Used to be free, now it is extremely regulated and restricted.

    --
    Just because it CAN be done, doesn't mean it should!
  19. HTTP 1.0, 1.1 usages? by seebs · · Score: 3

    So, I'm not sure about this, but I did notice that HTTP 1.0 (doesn't support the by-name hack) is still about 40% of the hits in our web logs.

    Is that more modern browsers trying to be friendly, or is that people who actually *can't see* the NamedVirtualHost stuff?

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
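Swordfish's grep counts (comment 14) and seebs's question (comment 19) both turn on the same thing: a protocol version alone does not say whether a client would actually be lost on a name-based vhost, because many HTTP/1.0 clients send Host: anyway. The added example below (not from any post here) parses constructed Apache log lines in which the Host: request header has been appended to the LogFormat as an extra field (an assumed setup, using Apache's `%{Host}i`, which logs `-` when the header is absent), reports the share of each protocol version, and counts the requests that carried no Host: at all, which are the only ones a name-based setup could not route.

```python
import re
from collections import Counter

# Constructed sample log. Assumed LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Host}i\""
# so field 8 is the Host: header the client sent, or "-" if it sent none.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Jul/2000:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "www.example.com"
10.0.0.2 - - [12/Jul/2000:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 1234 "www.example.com"
10.0.0.3 - - [12/Jul/2000:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 1234 "-"
10.0.0.4 - - [12/Jul/2000:10:00:04 +0000] "GET /img/a.gif HTTP/1.0" 200 512 "www.fred.com"
10.0.0.5 - - [12/Jul/2000:10:00:05 +0000] "GET / HTTP/1.1" 200 99 "www.fred.com"
10.0.0.6 - - [12/Jul/2000:10:00:06 +0000] "GET /" 200 99 "-"
garbage line that does not parse
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+) "([^"]*)"')


def classify(line):
    """Return (protocol, host_sent) for one log line, or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    request, host = m.group(2), m.group(5)
    parts = request.split(" ")
    # An HTTP/0.9-style request ("GET /") carries no version token at all;
    # these are the lines Swordfish's third grep (neither 1.0 nor 1.1) finds.
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        proto = parts[2]
    else:
        proto = "HTTP/0.9"
    return proto, host not in ("", "-")


def host_header_stats(log_text):
    """Per-version shares plus the count of requests that sent no Host: header."""
    by_proto, no_host, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            unparsed += 1
            continue
        proto, host_sent = c
        by_proto[proto] += 1
        if not host_sent:
            no_host[proto] += 1
    total = sum(by_proto.values())
    return {
        "total": total,
        "unparsed": unparsed,
        "share": {p: round(100.0 * n / total, 1) for p, n in by_proto.items()},
        "cannot_reach_named_vhost": sum(no_host.values()),
        "no_host_by_proto": dict(no_host),
    }
```

On the sample, half the requests are HTTP/1.0 but only one of them lacks Host:, which is the number that matters for a name-based migration.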