IPv6 and HTTPS
On Apr 25, 2013, at 9:27 PM, Patrick W. Gilmore <patrick at ianai.net> wrote:
> On Apr 26, 2013, at 00:19 , joel jaeggli <joelja at bogus.com> wrote:
>> On 4/25/13 6:24 PM, Jay Ashworth wrote:
>
>>> Ok, here's a stupid question[1], which I'd know the answer to if I ran bigger
>>> networks:
>>>
>>> Does anyone know how much IPv4 space is allocated *specifically* to cater
>>> to the fact that HTTPS requires a dedicated IP per DNS name?
>> It doesn't, or doesn't if your clients are not stuck in the past.
>>
>> TLS SNI has existed for a rather long time.
>>> Is that a statistically significant percentage of all the IPs in use?
>>>
>>> Wasn't there something going on to make HTTPS IP muxable? How's that coming?
>> there are stubborn legacy hosts.
>>> How fast could it be deployed?
>> you can use it now.
>
> Sure, you "can".
>
> But no one will. No one (especially someone doing SSL content) wants 99% connectivity. And there's a lot more than 1% XP out there. (Hrm, that explanation works to explain why to a couple decimal places 0% of the Internet is on v6 only today.)
Just to give some numbers, in case anyone is interested - we have been passively
monitoring SSL traffic of ~300k users for more than a year (project description at
http://notary.icsi.berkeley.edu).
All in all, we see about 71% of the connections on port 443 using SNI.
And the only site I am aware of that uses SNI quite extensively is Google - their servers
give different certificates to clients that do not support SNI and clients that support it.
Bernhard