Ahti Kitsik
Building tools with Python, Java, Go, JS. For enquiries email inbox@ahtik.com


IPv4 exhaustion and WinXP extinction

23 Apr 2014 by @ahtik

Windows XP is extremely relevant to IPv4 address space consumption because its native TLS implementation does not support the SNI extension. Extremely relevant in the sense that the sooner it goes extinct, the better.

SNI is what removes the requirement that HTTPS websites dedicate one IP per domain. It works by sending the hostname as part of the initial handshake, so the server knows which certificate to present before anything is encrypted. Many websites, or at least most (hopefully all) web apps these days, serve over HTTPS, at least the ones that take user input such as a login. Without SNI, that means at least one public IP per site.

With SNI these sites could all be served from the same IP. Datacenter and IP routing restrictions still apply, of course.

Now think about CDN services like AWS CloudFront: to support sites with SSL certificates you need one IP per certificate in EACH region, or whatever the distribution granularity is.

Now this, my friends, is why AWS CloudFront asks $600/mo for each custom SSL certificate domain, while custom SSL with SNI costs $0/mo.

As soon as 99.9% of browsers and clients support SNI we'll be living in a better place, with at least a few more IPs to spare. Even more important: we can finally distribute static content from a CDN over custom SSL without the $600/mo price tag!

It's naive to think everyone would move to SNI-based hosting with IPs shared with strangers, but at least within the same datacenter, for the same company, IPs can be conserved more easily.

Please note that Chrome and Firefox do not use the Windows XP SSL implementation (both use the NSS library), so reasonably recent versions support SNI even on XP. The issue remains for all IE versions on Windows XP and for any other application that uses the native Windows XP SSL implementation.
