guideline for name-based web hosting justification

[Haralds Jass]

This doesn't seem to have went through yesterday, so I'll try to send
it through again...


------- Forwarded Message Follows -------
From:          Self <hjass>
To:            arin-discuss at arin.net
Subject:       Re: guideline for name-based web hosting justification
Cc:            ppml at arin.net 
Reply-to:      HJass at SUPERB.NET 
Date:         Wed, 13 Sep 2000 20:47:02 -0700

I have been following this thread quite closely and I'd like to throw
in my comments, first arising from this thread specifically, and
secondly about the bigger issue at stake here.

It's been no surprise that those who don't really know web hosting
agree with the policy completely and talk of trivial solutions to real
problems and issues. Of course, it's always easier to talk than to
actually do something (and isn't it those who talk and can't do that
come up with hopelessly vague policies in the first place?). There
have been a number of valid issues brought up to show the many needs
for which there is no practical alternative to using unique IPs for
virtual sites. I feel that this side has been discussed fairly and
there have been no unbased needs put forth.

Now then, going to the specifics, there's a number of things
fundamentally wrong with the policy. It seems to be arising from the
fact that no one at ARIN really knows web hosting. Before this policy
was in effect, ARIN effectively had no notion of the existence of such
a thing as web hosting. At least, that's the impression I got, as
every person at ARIN would come up with totally different,
inconsistent, requirements for address usage proof to allocate IPs -
the rules were trivially made up on the spot. I know it's not just me,
as even before the policy was created, I was asked by the organizers
of the Web Host Expo (I'm on its board of advisors), regarding this
issue and I was told that most other hosting companies feel the same
way - that ARIN *should* develop some sort of clear policy for this,
effectively "recognizing" web hosting as a valid need of IPs. Well,
ARIN did indeed come up with a policy, however, one that shows total
lack of understanding of what web hosting is and what IPs are needed
for.

Now, I'm a firm believer in effective IP address usage on a per-need
basis, only. We have always, since we started back in the summer of
1996, required our dedicated service customers to provide full
justification for IPs, including why can't what they need to do be
done using name based hosting instead, and closely following up on IP
usage and revoking allocated IPs where they are not used, or used with
no true justification. Also, we were one of the first (to the best of
my knowledge, the first) IPPs to provide full service name-based
hosting, compatible with *all* browsers (yes, HTTP/1.0 too). That was
back in late 1996 or early 1997 if I recall correctly. Now most of our
virtual hosting, as well as that of our hosting company customers, is
done using name-based sites. The split is about 8:1 -eight name based
virtual sites for every one IP-based one.

The thing to keep in mind here is that HTTP/1.0 browsers can still get
to name based sites no problem. All it takes is a simple shell script
that'll grab the HTTP_REFERRER and based on that (simple if...then)
redirect customer to the proper URL (say: namesite.com/namesite/) that
has been setup as a link specifically for the old browsers. (Funny how
ARIN's "instructions for using name-based virtual hosting" are utterly
useless and only provide links to some generic URLs giving no
solutions to the real problems, such as backward browser
compatibility, among many others.) So this is one issue that should be
of no concern, basic site functionality in stone-age browsers. (99.8%+
of web traffic now is fully name-based compliant anyhow from our
observations)

Before I outline the practical situations where name based hosting is
the best and is justified, let me first list clearly all the
limitations of it - all the reasons why IP based hosting is required
for some sites (why our name:IP ratio is 8:1 and not 80:1).

- SSL

- virtual FTP

- virtual POP

- a number of issues for large/complex sites, such as database
connectivity, proprietary application implementation, clustering,
accounting for bandwidth and not traffic, QoS, etc.

Now, these are service-related issues. There are other usability
related issues which are present for all name-based sites:

- search engine indexing - a real problem for some spiders, still, to
index name-based sites (way to overcome it: use
http://www.namesite.com/namesite/ URL, where the /namesite/ is a
symlink to the actual site public_html and works via HTTP/1.0. Of
course, not a favoured solution in customers' eyes as the URL doesn't
look as "respectable," but, it works.)

- IP blocking - a valid issue which there is no way to overcome (for
sure, no one can do any porn site hosting on a name-based basis, as if
one IP is blocked from spamming search engines, or from AOL, then all
customers are in trouble; solution: hosting 'controversial' and
'high-risk' sites must be an exception until blocking mechanisms at
the powers that be are setup using names and not IPs, specifically for
HTTP and not all-out per IP)

Also, Virtual DNS (to the best of my knowledge we were the first
company offering this service back in late 1996). A separate issue,
but one to kept in mind - a very valid use of IPs, as every nameserver
must have a unique IP, so if a customer has ns1 & ns2.theirdomain.com
setup on the nameserver, two unique IPs must be used. 

All in all, this creates quite a few exceptions to the ARIN rules. A
lot of protocols used to provide services other than plain web hosting
are solely based on IPs, with no possible way - for now - to go on to
name-based basis instead. Knowing the web hosting industry by being an
active and innovative (we like to think so) part of it for the last 5
years, I am sure that there are going to be more exceptions - many,
many more - than compliance to the rules. ARIN needs to do its
homework and come up with rules that actually take into account the
needs of the web hosting industry, clearly outlined, and define what
it means by "web hosting," too. The way the policy stand now, it's not
any better than before when there were no rules, it'll just make it
even harder to get IPs for perfectly legitimate uses (such as
SSL-based sites, as we have already seen in this thread - ARIN
refusing IPs despite the very valid e'xceptionary' justification being
that sites are using SSL).

I don't think it's that complicated and hard to come up with a more
workable and clearly defined policy. Some key points to consider, what
I would put in there --

- Essentially, a simple "use name-based hosting unless IP-based
hosting is required" policy. Some hosting companies, such as us, have
been following that on their own initiative. Others will need to
change. No other choice here, though. Better sooner than later, it may
be painful, but it'll hurt less now than later (a policy on web
hosting IP allocation is some 3-4 years overdue already, where were
the ARIN policy makers for the last few years?).

- More specifically, define and differentiate "mid to high-range
hosting" and "low-end" hosting, whereby low-end is small, simple web
sites with no SSL, virtual FTP, or any custom applications, nor need
for real-time bandwidth measuring, QoS, and other high end services.
Require (or request) all mass-market web hosts to offer such a low-end
solution, so that users who do not need IPs are not automatically
given hosting that is IP-based (i.e. a offering an IP and services a
customer doesn't need 'forcibly' by there being no alternative does
not create grounds for exception). Allow web hosts to use "mid" or
"high-range" hosting services as justification for IPs, and perhaps
request to elaborate on that (specific features that need IPs). There
are simply much too many needs for IPs where there is NO clear
alternative, so unless ARIN can tell us how to use SSL, or virtual
FTP, or virtual POP, or create a unique nameserver (VDNS), or use one
of the many other many IP-dependant services on a name-based site,
those are all exceptions. 

- The exceptions are so many, that the basic principles of those
should be clearly defined and the process made less cumbersome by
allowing IPs for mid to high-end sites that need them for proper
functionality. Also, keep in mind the black-listing of IPs. To that
issue there is no solution, but, that alone can not be enough grounds
for using a unique IP for every site. However, ARIN could take the
high ground on this and try to request the vendors of the relevant
software to implement name-based HTTP-only blocking (of course, not as
easy as it sounds, but than sooner the effort starts, than better).

- Also, why not write up and publish a checklist that web hosts must
follow when allocating IPs to their dedicated clients, going by which
they can determine whether the IP request is justified, or not. I've
seen some companies get confused and say that all their customer IP
requests must be approved by ARIN; obviously ARIN wants to avoid that,
so why not write up IP allocation guidelines and a checklist for web
hosts offering dedicated service? 

I think that about sums it up. It's clear that ARIN didn't do its
homework, by creating this vague, unclear, policy. It is indeed very
much needed to push web hosts to use IPs effectively; however, a
policy can not be formed without first understanding the underlying
issues. Hopefully ARIN will listen to the many valid comments and
suggestions submitted in this thread and act accordingly in improving
this policy. By taking some time to develop reasonable, logical,
policies on web host IP allocation, ARIN could save itself, and the
hosting companies, a lot of headaches and wasted time.

As a final remark, it is also interesting how there have been very
few, virtually no, hosting companies participating in this discussion.
The general industry attitude I've seen on this is that there will be
always a way to get around the new rules, due to the wide open
exceptions allowance (or, even more so, just the same old tactics -
corresponding with ARIN until it gets sick and tired of you and gives
you the IPs you need, still not understanding what and how they are
used for). It would do everyone much good if the rules were more
clear, as then they could be also more firm. The new policy has not
hit the hosting industry nearly as strongly as it should have. Perhaps
because it is laughably vague and illogical, effectively changing
nothing. At least, that was my reaction when I first read it. Most
seem to think they can continue doing what they do, as opposed to
improving their IP usage efficiency, and just ride on ARIN's lack of
understanding of hosting. A clear policy with differentiated hosting
levels and IP justification criteria defined would change that.

I hope that someone at ARIN is listening...


--
Haralds Jass <HJass at SUPERB.NET>
Superb Internet - "Ahead of the Rest."
http://www.superb.net

"I am easily satisfied by the very best"
- Winston Churchill