guideline for name-based web hosting justification

Mury mury at
Tue Sep 12 16:59:23 EDT 2000

> > Instead of putting the clamps on the ISPs why not focus on:
> > 
> > 1) Reclaiming unused IP space to hold us out a little longer
> That's already being done, but there's a big problem.  ARIN doesn't have
> authority over the major offenders (legacy /8s and /16s).  The AC has had
> long, involved discussions about how is best to do this, and we're working
> on it.  For example, our first goal is to re-claim address space of
> companies that have gone out of business.  If you have some ideas on how we
> can do this we'd _love_ to hear them.

I'm not sure where ARIN gets it's authority.  Maybe the father of the
Internet wants to save his creation and support a law giving ARIN the
authority.  Seriously, where does ARIN receive it's authority from?  Why
hasn't it been given the authority to reclaim unused space from legacy

Maybe ARIN would like to clearly publish a list of those offenders and
send them a nice letter asking them to comply with current allocation
policies.  If they don't want to cooperate, I suppose we could call the
media and/or Null route their IPs until they want to play by the same
rules we all need to.

> > 2) Push a plan to get better client server technology out there, and once
> > it is out there get people using it.  As an rotten example, but feeling
> > one is needed, what if the top 10 most popular sites had a message pop up
> > that informed people if they were using an old browser and encouraged them
> > to upgrade.
> Yuck!
> I mean, it's an idea, but I see where you're going...

Actually from the recent contributions to the list it appears as though
the HTTP/1.0 issues are far less a problem than I first perceived.  I
would however like to see some real statistics.

> > I'm not bitching just to bitch.  I'm looking out for my ecommerce
> > customers.  90% of my revenue comes from businesses.  If I don't watch out
> > for their bottom line, they sure the hell aren't going to look out for
> > mine.  If I switch them to a name-based system, before the world is ready
> > for it and they lose hits do to software incompatibilites, or don't notice
> > that their traffic died, or they can't see how effective a commercial was
> > by using real-time accounting stats, or one of my customers gets DOSed and
> > I can't control the traffic at my core routers or at my upstream so I have
> > to take everyone down because they all share an IP, they are going to host
> > with someone who cheats the system and gets them an IP.
> Those are legitimate gripes.
> Can we come up with reasonable solutions to them?

Well, what is the realistic possibility of making that "policy" a
"guideline?"  Give ISPs 6 months to essentially self-comply.  If web
hosting IP usage drops a significant percentage, then we declare a

If usage does not drop, have a policy ready with more details.  What
exactly constitutes an exception?  Obviously secure servers are an
exception, but what about bandwidth based accounting, or high bandwidth
sites (and if so, where is the line drawn?)

I realize I might be living in a dream world thinking most ISPs will
rapidly change if not forced to, but it's not an impossible task to
convince them either.  It's actually easy to configure multiple sites to
one IP than to multiple IPs.

I really don't know.  I'd personally rather spend my time and money trying
to get back massive chunks of unused IPs from those knowingly or
unknowingly abusing them, and wait for technologies to mature a little
more before cracking down on web hosting IPs.

> No, you aren't the only one, but at the same time, there were a huge number
> of people at the last ARIN meeting who were in support of this policy,
> however most of them have been silent through most of this (perhaps because
> they feel they already made their feelings known at the last meeting).
> And as far as being labled a trouble-maker, I know plenty of people who have
> been far more vocal about ARIN policy than you and have had no problem
> getting address space.  Please don't spread the mis-conception that ARIN is
> anything other than an objective organization.  It isn't true and it makes
> everyone's life much more difficult in getting support for the organization.

Oh, if I thought that were true, I wouldn't be writing this or previous
emails.  I obviously don't think ARIN is going to treat my allocations
differently than the next person.  I'm just guessing as to why others
emailed only me and not the group.

> > If eliminate multiple IPs I'm unsure how to:
> > 
> > 1) Address the HTTP/1.0 issues in an acceptable clean fashion
> See other discussions; the issue of legacy browsers IMO is a red herring. 
> It exists, but it's really small.

Is sure seems that way.  I'd still like to see *real* statistics.

> > 2) Do real time web accounting.  Remember we buy bandwidth by the Mbit, so
> > we need to sell it by the Mbit
> Doing bandwidth (as opposed to bytes transfered per period of time) billing
> is tough, although it sounds like more and more vendors are starting to sell
> equipment that handles this.
> > 3) Provide controls against DOS attacks.  No we don't host porn sites
> But those are the money-makers! :-)
> Seriously, I understand the DOS issue all too well, and it does need to be
> addressed.  Not sure how to at this point, except to say that this policy is
> really targeted towards the bottom-of-the-line web hosting accounts.  If you
> have a customer who has a lot of traffic, pays you a lot of money and can't
> afford to be off the air then it makes perfect sense to have him on a
> dedicated IP (I think at least).

Well, that doesn't totally work.  Because if someone on the main IP gets
attacked I have to shut all sites down on that IP, so it's not just a
matter of keeping my one big customer up, it's a matter of keeping 1000
sites up that only pay $50/month but adds up to $50,000.00/month in
total.  When everyone has their own IP, you can simply Null route their IP
if trouble starts. 

In all fairness, I only have to do this a handful of times per year, but
the times I have it has probably saved me hours if not days of down time.  
There is no way to predict if,, is going to be the one that gets attacked.

This issue is not a massive one.

> > 4) Provide secure server certificates
> That qualifies as an exception.
> > 5) Provide database support from server to server.  I'm not a programmer
> > any more so I don't know how big an issue it is, but my programmer told me
> > it would be a mess
> Not sure exactly what you're trying to do with server to server DB support
> (more to the point why it would be a problem).

If your backend hosting databases reside on different computers than your
hosting does, you probably are going to have issues with name based
hosting.  However, I am far enough out of this arena personally to be able
to explain why.

Once again this is a relatively small issue, at least for us.  Most of our
databases do reside on the hosting server.

> > Actually I think the policy would make a wonderful "Guideline".  It
> > shouldn't affect IP allocation, but it should be encouraged at this time.
> That's actually been proposed on another list, although I'm really not sure
> if that would affect what people do.  Anybody else have thoughts?
> > 
> > As someone pointed out.  Apparently HTTP/1.0 can support name based
> > hosting.  I was unaware of this.
> > 
> > And if that truely is the case, I would like to see some numbers.  I would
> > have guessed ARIN would know this before instituting a policy.  Perhaps
> > they would like to share.
> The numbers we got came from our members.  I believe Gene had some extensive
> data.

Gene, do you want to share that data with the list?

> > Alec, I understand your and ARIN's points.  However if a "policy" is going
> > to be created and enforced I think we some of these issues need to be
> > better addressed and defined so legit ISPs don't have to wait over a
> > month to get new IP space and go through a process of defending web
> > hosting IP space.
> Which is why we really need more participation.  Fortunately this policy
> change has brought more of it forward, but as I said above we need a better
> way to tally opinions in a fair manner...

Someone sent me an email suggesting a poll on your web site using handles
as an ID so only members could vote, and they could only vote once.

As a side note, from the lack of participation in this list it appears
that either:

1) Not many ISPs are subscribed to this list
2) They aren't receiving the messages
3) They are too busy to care, or
4) I'm one of only about 10-20 people that feel strongly about this policy

Whatever the case is, I have a business to run, and I've said my
peace.  I can't stick up for the rest of them.

For all the reasons I've stated I think this policy is both too undefined
in that it lacks the explanations of exceptions (currently it looks like
exceptions would be left up to the discretion of the individual staff
person working on the account), and that it is premature.

For the record, I tried to participate.

GoldenGate Internet Services

More information about the ARIN-PPML mailing list