Re: IPv6 and HTTPS

[Bernhard Amann <bernhard () ICSI Berkeley EDU>]

On Apr 25, 2013, at 9:27 PM, Patrick W. Gilmore <patrick () ianai net> wrote:

> On Apr 26, 2013, at 00:19 , joel jaeggli <joelja () bogus com> wrote:
> > On 4/25/13 6:24 PM, Jay Ashworth wrote:
>
> > > Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
> > > networks:
> > >
> > > Does anyone know how much IPv4 space is allocated *specifically* to cater
> > > to the fact that HTTPS requires a dedicated IP per DNS name?
> > It doesn't, or doesn't if if your clients are not stuck in the past.
> >
> > TLS SNI has existed for a rather long time.
> > > Is that a statistically significant percentage of all the IPs in use?
> > >
> > > Wasn't there something going on to make HTTPS IP muxable?  How's that coming?
> > there are stuborn legacy hosts.
> > > How fast could it be deployed?
> > you can use it now.
>
> Sure, you "can".
>
> But no one will. No one (especially someone doing SSL content) wants 99% connectivity. And there's a lot more than 1% 
> XP out there. (Hrm, that explanation works to explain why to a couple decimal places 0% of the Internet is on v6 only 
> today.)

Just to give a numbers, in case anyone is interested - we have been passively
monitoring SSL traffic of ~300k users for more than a year (project description at 
http://notary.icsi.berkeley.edu).

All in all, we see about 71% of the connections on port 443 using SNI.

And the only site I am aware of that uses SNI quite extensively is google - their servers
give different certificates to clients that do not support SNI and clients that support it.

Bernhard