
Mailing List Archive: NANOG: users

IPv6 could change things - Was: DMCA takedowns of networks

 

 



wavetossed at googlemail

Oct 27, 2009, 7:05 AM

Post #1 of 13 (142 views)
IPv6 could change things - Was: DMCA takedowns of networks

> Not sure how much I believe of the article and its lack of detail and
> chopped quotes...but did HE really disconnect an entire downstream network
> over a DMCA notice, or did they null route a /32 that was used by a customer
> to host hundreds of virtual web sites?

Since the tools at a network operator's disposal are ACLs which make it easy to
block traffic to a /32 without the need for deep packet inspection, one would
expect that this regularly causes collateral damage if that /32 is a web server
hosting hundreds of virtual websites.

But, when IPv6 is a bit more common, there is no need for virtual hosters to
share a single IP address between several sites. They may as well use a unique
IPv6 address for every single site, even if they are all on the same server.
The side effect of this is that it makes the network operator's tool sharper,
and able to knock down single sites with a /32 ACL.

For a hosting provider, I would think that this strengthens the business case
for IPv6.

--Michael Dillon


jeroen at unfix

Oct 27, 2009, 7:13 AM

Post #2 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

Michael Dillon wrote:
[..]
> [..] The side effect of this is that it makes the network operator's tool
> sharper, and able to knock down single sites with a /32 ACL.

You actually mean a /128 in the case of IPv6, the /32 would be the
complete ISP...

> For a hosting provider, I would think that this strengthens the
> business case for IPv6.

and they can just use a single /64 for a single 'virtual webhost', then
assign a 32 bit customer-id and have every customer have 2^32 sites, bingo.

Greets,
Jeroen
Attachments: signature.asc (0.19 KB)
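
The /64 plus 32-bit customer-id layout from the post above, and the /32-versus-/128 ACL granularity it corrects, as an added Python example that is not part of the original thread. The documentation ranges 2001:db8::/32 and 192.0.2.0/24, the site names, and placing the site number in the low 32 bits are assumptions.

```python
import ipaddress

def site_address(prefix64, customer_id, site_id):
    """/64 + 32-bit customer-id + 32-bit site number -> one /128 per site."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("expected a /64")
    if not (0 <= customer_id < 2**32 and 0 <= site_id < 2**32):
        raise ValueError("ids must fit in 32 bits")
    return net.network_address + ((customer_id << 32) | site_id)

def customer_prefix(prefix64, customer_id):
    """All 2^32 sites of one customer fall inside a single /96."""
    return ipaddress.IPv6Network((int(site_address(prefix64, customer_id, 0)), 96))

def sites_hit(acl_entry, site_table):
    """Names of sites whose address falls inside one ACL / null-route prefix."""
    net = ipaddress.ip_network(acl_entry)
    hit = []
    for name, addr in site_table.items():
        ip = ipaddress.ip_address(addr)
        if ip.version == net.version and ip in net:
            hit.append(name)
    return sorted(hit)

# Constructed sample data (hypothetical sites and customer ids).
PREFIX = "2001:db8:0:1::/64"
V4_SITES = {name: "192.0.2.10"            # name-based vhosts on one shared IPv4
            for name in ("alpha.example", "beta.example", "gamma.example")}
V6_SITES = {
    "alpha.example": str(site_address(PREFIX, 7, 1)),
    "beta.example":  str(site_address(PREFIX, 7, 2)),
    "gamma.example": str(site_address(PREFIX, 8, 1)),
}

if __name__ == "__main__":
    print("IPv4 /32  :", sites_hit("192.0.2.10/32", V4_SITES))
    print("IPv6 /128 :", sites_hit(V6_SITES["alpha.example"] + "/128", V6_SITES))
    print("IPv6 /96  :", sites_hit(str(customer_prefix(PREFIX, 7)), V6_SITES))
```
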


jeff at ocjtech

Oct 27, 2009, 7:20 AM

Post #3 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

On Tue, Oct 27, 2009 at 9:05 AM, Michael Dillon
<wavetossed[at]googlemail.com> wrote:
>
> But, when IPv6 is a bit more common, there is no need for virtual hosters to
> share a single IP address between several sites. They may as well use a unique
> IPv6 address for every single site, even if they are all on the same server.
> The side effect of this is that it makes the network operator's tool sharper,
> and able to knock down single sites with a /32 ACL.
>
> For a hosting provider, I would think that this strengthens the business case
> for IPv6.

But do the commonly-used operating systems support adding hundreds or
thousands of addresses to an interface, and what would the performance
implications be?

--
Jeff Ollie


jeroen at unfix

Oct 27, 2009, 7:32 AM

Post #4 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

Jeffrey Ollie wrote:
[..]
> But do the commonly-used operating systems support adding hundreds or
> thousands of addresses to an interface, and what would the performance
> implications be?

Remember that IP addresses are 128bits, while hostnames (the ones for
the "Host:" header in the HTTP query) are well, quite a bit longer than
that on average.

If thus something like this would become common-place, there definitely
will be quite some people who will be paying some attention on
optimizing Apache.

But yes, the network stack itself is a different question, then again,
you can just route a /64 into the loopback device and let your apache
listen there... (which also allows you to do easy-failover as you can
move that complete /64 to a different box ;)

Greets,
Jeroen
Attachments: signature.asc (0.19 KB)


adrian at creative

Oct 27, 2009, 7:39 AM

Post #5 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

On Tue, Oct 27, 2009, Jeroen Massar wrote:

> But yes, the network stack itself is a different question, then again,
> you can just route a /64 into the loopback device and let your apache
> listen there... (which also allows you to do easy-failover as you can
> move that complete /64 to a different box ;)

Funny you should mention that.

A couple of tricks I've seen:

* instead of a linked list and O(n) searching of interface aliases, use
some kind of tree to map local IP -> interface.
* hacks to do a "bind to all damned IP addresses and let userspace sort
it out".

I've done the former for a few thousand aliases with no degradation
in performance. The hacks available for freebsd-4.x for the Web Polygraph
software did something similar.

2c,



Adrian


rps at maine

Oct 27, 2009, 7:45 AM

Post #6 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

> But do the commonly-used operating systems support adding hundreds or
> thousands of addresses to an interface, and what would the performance
> implications be?
>
> Jeff Ollie

Last time I checked, and this may have changed, the limit in Linux was
around 4096.

In practice though, you also have to consider the physical limitations
of the server itself. The biggest bang for the buck in dense hosting
environments seems to be running about 1000 sites per box, with a few
boxes dedicated to your heavy hitters with 100 or less ea.

Until we start seeing IPv6-only hosting though, I suspect that we will
see IPv6 addresses mirror the configuration of the IP assignments.
Sites with dedicated IPs will have dedicated IPv6, sites with shared
IP will have shared IPv6, if only to maintain sanity.

If you're trying to make the case for IPv6 to hosting companies,
you're barking up the wrong tree. IP address just became a scarce
commodity, instead of providing you with a free IP address, they can
now charge $100 a mo for one. They know darn well that it will take a
while for every user to have IPv6 from their SP and that if you want
to run a site you'll need access to the "legacy" IP Internet to reach
your customers. On the bright side, this will encourage the market to
adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a
policy of decommissioning IP space as they reclaim it to prevent
people from receiving new allocations as people begin to go IPv6-only,
otherwise we'll be stuck with two Internets for a very long time.

--

Ray Soucy
Communications Specialist

+1 (207) 561-3526

Communications and Network Services

University of Maine System
http://www.maine.edu/


cmadams at hiwaay

Oct 27, 2009, 7:57 AM

Post #7 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

Once upon a time, Jeffrey Ollie <jeff[at]ocjtech.us> said:
> But do the commonly-used operating systems support adding hundreds or
> thousands of addresses to an interface, and what would the performance
> implications be?

I've got Linux (and even Windows) boxes with several hundred IPs bound
today; I don't see why IPv6 addresses would be any different.
--
Chris Adams <cmadams[at]hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


jbates at brightok

Oct 27, 2009, 8:20 AM

Post #8 of 13 (140 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

Jeroen Massar wrote:
> But yes, the network stack itself is a different question, then again,
> you can just route a /64 into the loopback device and let your apache
> listen there... (which also allows you to do easy-failover as you can
> move that complete /64 to a different box ;)
>

You are still comparing an application level decision to a stack level
decision. Thousands of addresses on a stack could definitely pose an
issue depending on the OS.

Jack


bjohnson at drtel

Oct 27, 2009, 8:53 AM

Post #9 of 13 (128 views)
RE: IPv6 could change things - Was: DMCA takedowns of networks

> -----Original Message-----
> From: Ray Soucy [mailto:rps[at]maine.edu]
> Sent: Tuesday, October 27, 2009 9:45 AM
> To: Jeffrey Ollie
> Cc: North American Network Operators Group
> Subject: Re: IPv6 could change things - Was: DMCA takedowns of networks
>
> > But do the commonly-used operating systems support adding hundreds or
> > thousands of addresses to an interface, and what would the performance
> > implications be?
> >
> > Jeff Ollie
>
> Last time I checked, and this may have changed, the limit in Linux was
> around 4096.

So in this circumstance you could route a /116 to the server. COOL!

>
> In practice though, you also have to consider the physical limitations
> of the server itself. The biggest bang for the buck in dense hosting
> environments seems to be running about 1000 sites per box, with a few
> boxes dedicated to your heavy hitters with 100 or less ea.

So in this circumstance you could route a /118 to the server serving
1000 sites and a /125 to the server serving 100 sites. Also COOL!

>
> Until we start seeing IPv6-only hosting though, I suspect that we will
> see IPv6 addresses mirror the configuration of the IP assignments.
> Sites with dedicated IPs will have dedicated IPv6, sites with shared
> IP will have shared IPv6, if only to maintain sanity.

This passes my smell and duh tests. :)

>
> If you're trying to make the case for IPv6 to hosting companies,
> you're barking up the wrong tree. IP address just became a scarce
> commodity, instead of providing you with a free IP address, they can
> now charge $100 a mo for one. They know darn well that it will take a
> while for every user to have IPv6 from their SP and that if you want
> to run a site you'll need access to the "legacy" IP Internet to reach
> your customers. On the bright side, this will encourage the market to
> adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a
> policy of decommissioning IP space as they reclaim it to prevent
> people from receiving new allocations as people begin to go IPv6-only,
> otherwise we'll be stuck with two Internets for a very long time.

Agreed, except for one thing. ARIN shouldn't "decommission" IP space.
The Internet will dictate that IPv4 will go away all on its own once
IPv6 becomes the protocol of choice for enough of the net. At some
point, the people who depend on IPv4 will not be able to pay for their
providers supporting the IPv4 infrastructure as new devices become
available that either only support IPv6, or don't implement a full suite
of IPv4 to keep costs down.

Also remember that at some point, there will be no IPv4 left. When this
happens new entrants will suffer greatly at the hands of this
circumstance. But we will get through it and there will be new sites
that will be IPv6 only, then there will be demand for these sites, then
there will be people who vote with their wallets for the new sites...

Was I rambling there? :) In the end it will be economics that dictate a
single protocol Internet. I am one who wishes we put a date in stone now
to establish the "cut date" of IPv4 to IPv6, but that is unreasonable.
This will take care of itself.

_____________________________________
Brian Johnson
Converged Network Engineer (CCNP, ENA)
Dickey Rural Networks


David_Hankins at isc

Oct 27, 2009, 11:00 AM

Post #10 of 13 (121 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

On Tue, Oct 27, 2009 at 02:05:36PM +0000, Michael Dillon wrote:
> But, when IPv6 is a bit more common, there is no need for virtual hosters to
> share a single IP address between several sites. They may as well use a unique
> IPv6 address for every single site, even if they are all on the same server.
> The side effect of this is that it makes the network operator's tool sharper,
> and able to knock down single sites with a /32 ACL.

A /128 you mean.

If you look in Apache's httpd/server/vhost.c, you may notice that the
server locates addressed virtual hosts using a simple 32->8 bit
integer reduction hash, which produces a well balanced hash table in
typical virtual server applications (generally these servers get
addresses in contiguous blocks).

Named virtuals are relegated to an extra hash bucket, essentially
placing them all on a single unsorted linear list, which is searched
if a by-address match is not found.

Probably in the modern day, the additional processing (and system
calls) necessary to render a web object into a reply is significantly
higher than the overhead to locate a virtual server even at these
orders of magnitude, but it's interesting that the software works
differently.

--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.
"If you don't do it right the first time, you'll just have to do it again."
-- Jack T. Hankins


nenolod at systeminplace

Oct 27, 2009, 11:29 AM

Post #11 of 13 (121 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

To expand on this from a programmer's perspective, usually at the kernel/network stack level, a "patricia" radix-style trie is used for fast ipv6 lookups.

The benefit of the patricia trie being that if you only have a difference keylength of 8 bits (/120) then the ip lookup only takes 8 steps in a worst-case scenario.

The same concept applies to ipv4 cidr as well, but it is less obvious.

William
------Original Message------
From: Adrian Chadd
To: Jeroen Massar
Cc: North American Network Operators Group
Subject: Re: IPv6 could change things - Was: DMCA takedowns of networks
Sent: Oct 27, 2009 10:39 AM

On Tue, Oct 27, 2009, Jeroen Massar wrote:

> But yes, the network stack itself is a different question, then again,
> you can just route a /64 into the loopback device and let your apache
> listen there... (which also allows you to do easy-failover as you can
> move that complete /64 to a different box ;)

Funny you should mention that.

A couple of tricks I've seen:

* instead of a linked list and O(n) searching of interface aliases, use
some kind of tree to map local IP -> interface.
* hacks to do a "bind to all damned IP addresses and let userspace sort
it out".

I've done the former for a few thousand aliases with no degradation
in performance. The hacks available for freebsd-4.x for the Web Polygraph
software did something similar.

2c,



Adrian




--
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149
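
The path-compressed trie idea from the post above, applied to the "tree to map local IP -> interface" trick it quotes, as an added Python example that is not kernel code and not from the thread. It uses a crit-bit tree (a simplified PATRICIA variant) and counts bit tests per lookup; the `LocalAddrTrie` name, the `site-N` labels and the 2001:db8:0:1:: addresses are assumptions.

```python
import ipaddress

class Branch:
    """Internal node: tests one bit of the 128-bit key (0 = most significant)."""
    def __init__(self, bit, zero, one):
        self.bit, self.child = bit, [zero, one]

class Leaf:
    def __init__(self, key, value):
        self.key, self.value = key, value

def bit_at(key, i):
    return (key >> (127 - i)) & 1

class LocalAddrTrie:
    """Crit-bit tree: only bit positions where stored keys differ get a node."""
    def __init__(self):
        self.root = None

    def _descend(self, key):
        node, steps = self.root, 0
        while isinstance(node, Branch):
            node = node.child[bit_at(key, node.bit)]
            steps += 1
        return node, steps

    def insert(self, addr, value):
        key = int(ipaddress.IPv6Address(addr))
        if self.root is None:
            self.root = Leaf(key, value)
            return
        nearest, _ = self._descend(key)
        diff = nearest.key ^ key
        if diff == 0:                       # address already present
            nearest.value = value
            return
        crit = 128 - diff.bit_length()      # first bit where the keys differ
        parent, side, node = None, 0, self.root
        while isinstance(node, Branch) and node.bit < crit:
            parent, side = node, bit_at(key, node.bit)
            node = node.child[side]
        leaf = Leaf(key, value)
        branch = Branch(crit, node, leaf) if bit_at(key, crit) else Branch(crit, leaf, node)
        if parent is None:
            self.root = branch
        else:
            parent.child[side] = branch

    def lookup(self, addr):
        """Return (value or None, number of bit tests performed)."""
        key = int(ipaddress.IPv6Address(addr))
        if self.root is None:
            return None, 0
        leaf, steps = self._descend(key)
        return (leaf.value if leaf.key == key else None), steps

def worst_case_steps(count, base="2001:db8:0:1::"):
    """Bind `count` consecutive addresses (constructed sample) and measure."""
    start = ipaddress.IPv6Address(base)
    trie = LocalAddrTrie()
    for i in range(count):
        trie.insert(start + i, f"site-{i}")
    return max(trie.lookup(start + i)[1] for i in range(count))
```

`worst_case_steps(256)` fills a /120 and returns 8; the 1000-site and 4096-address figures mentioned elsewhere in the thread give 10 and 12.
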


joelja at bogus

Oct 27, 2009, 10:23 PM

Post #12 of 13 (104 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

Brian Johnson wrote:

>> Last time I checked, and this may have changed, the limit in Linux was
>> around 4096.
>
> So in this circumstance you could route a /116 to the server. COOL!

These days what we might at one point have referred to as a host or
server may actually be a hardware container with N > 1 or so virtual
systems... which may variously be:

attached to the network via dedicated interface
individual vlans
a virtual bridge
a layer-3 topology

>> In practice though, you also have to consider the physical limitations
>> of the server itself. The biggest bang for the buck in dense hosting
>> environments seems to be running about 1000 sites per box, with a few
>> boxes dedicated to your heavy hitters with 100 or less ea.
>
> So in this circumstance you could route a /118 to the server serving
> 1000 sites and a /125 to the server serving 100 sites. Also COOL!

How many ips you can park on a particular hardware container is probably
bounded only by the over-subscription rate of what you intend to serve.
Most of the superficial limits (macs on a bridge table, ips on an
interface, etc.) can be worked around in fairly simple fashion, but the
number of connections per second or pps rate a given hardware container
can pass through whatever abstraction is applied is less fungible.

>> Until we start seeing IPv6-only hosting though, I suspect that we will
>> see IPv6 addresses mirror the configuration of the IP assignments.
>> Sites with dedicated IPs will have dedicated IPv6, sites with shared
>> IP will have shared IPv6, if only to maintain sanity.
>
> This passes my smell and duh tests. :)
>
>> If you're trying to make the case for IPv6 to hosting companies,
>> you're barking up the wrong tree. IP address just became a scarce
>> commodity, instead of providing you with a free IP address, they can
>> now charge $100 a mo for one. They know darn well that it will take a
>> while for every user to have IPv6 from their SP and that if you want
>> to run a site you'll need access to the "legacy" IP Internet to reach
>> your customers. On the bright side, this will encourage the market to
>> adopt IPv6 because they can't afford IP. Hopefully ARIN adopts a
>> policy of decommissioning IP space as they reclaim it to prevent
>> people from receiving new allocations as people begin to go IPv6-only,
>> otherwise we'll be stuck with two Internets for a very long time.
>
> Agreed, except for one thing. ARIN shouldn't "decommission" IP space.
> The Internet will dictate that IPv4 will go away all on its own once
> IPv6 becomes the protocol of choice for enough of the net. At some
> point, the people who depend on IPv4 will not be able to pay for their
> providers supporting the IPv4 infrastructure as new devices become
> available that either only support IPv6, or don't implement a full suite
> of IPv4 to keep costs down.
>
> Also remember that at some point, there will be no IPv4 left. When this
> happens new entrants will suffer greatly at the hands of this
> circumstance. But we will get through it and there will be new sites
> that will be IPv6 only, then there will be demand for these sites, then
> there will be people who vote with their wallets for the new sites...
>
> Was I rambling there? :) In the end it will be economics that dictate a
> single protocol Internet. I am one who wishes we put a date in stone now
> to establish the "cut date" of IPv4 to IPv6, but that is unreasonable.
> This will take care of itself.
>
> _____________________________________
> Brian Johnson
> Converged Network Engineer (CCNP, ENA)
> Dickey Rural Networks
>
>


nanog at 85d5b20a518b8f6864949bd940457dc124746ddc

Oct 27, 2009, 10:35 PM

Post #13 of 13 (104 views)
Re: IPv6 could change things - Was: DMCA takedowns of networks

On Tue, 27 Oct 2009 10:41:46 -0500
Jack Bates <jbates[at]brightok.net> wrote:

> Jeroen Massar wrote:
> > But yes, the network stack itself is a different question, then again,
> > you can just route a /64 into the loopback device and let your apache
> > listen there... (which also allows you to do easy-failover as you can
> > move that complete /64 to a different box ;)
> >
>
> You are still comparing an application level decision to a stack level
> decision. Thousands of addresses on a stack could definitely pose an
> issue depending on the OS.
>

Depends a bit on how the OS handles interface address assignments.
Linux creates host routes in a separate 'local' route table, which you
can see via

ip route show table local

or for IPv6

ip -6 route show table local

which I think would suggest that Linux's interface address assignment
scalability is as scalable as its route table scalability.

Performing concurrent IPv6 Duplicate Address Detection on that many
addresses when the interface/host comes up might be an issue.

Regards,
Mark.
