Rate Limit with IPv6


#1

Hey,

I couldn’t figure out how Boulder checks IPv6 addresses, hence which prefix is used for the rate limit.

Is this related to the subnet, e.g. x:x:x:x::/56, /64, or x:x:x:x:x:x:x:1/128, so we could change the IP to x::2/128 and have another 400 registrations?

Thanks
Tobias


#2

According to the current Boulder sources (sa/sa.go: CountRegistrationsByIP), for IPv6 the registration rate limit is per /48 network.

```go
// CountRegistrationsByIP returns the number of registrations created in the
// time range in an IP range. For IPv4 addresses, that range is limited to the
// single IP. For IPv6 addresses, that range is a /48, since it's not uncommon
// for one person to have a /48 to themselves.
```
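
The following is an added example (not Boulder's own code) that turns the rule in the quoted comment into a runnable bucket computation: an IPv4 address is keyed on the single address (/32) and an IPv6 address on its /48. The helper names `rateLimitBucket` and `registrationCounter` and the sample addresses are my own constructions; only the prefix sizes come from the comment above.

```go
// Added example, not from Boulder: compute the bucket a registration is
// counted against (IPv4: single address, IPv6: /48) and count per bucket.
package main

import (
	"fmt"
	"net"
)

// rateLimitBucket returns the CIDR string of the network that ipStr is
// counted against. Hypothetical helper; the /32 and /48 sizes are taken
// from the quoted Boulder comment, the function itself is not a Boulder API.
func rateLimitBucket(ipStr string) (string, error) {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return "", fmt.Errorf("invalid IP address: %q", ipStr)
	}
	if v4 := ip.To4(); v4 != nil {
		// IPv4 (including IPv4-mapped IPv6): one bucket per address.
		return (&net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)}).String(), nil
	}
	// IPv6: mask down to the /48 so every address in that prefix shares a bucket.
	mask := net.CIDRMask(48, 128)
	return (&net.IPNet{IP: ip.Mask(mask), Mask: mask}).String(), nil
}

// registrationCounter counts registrations per bucket, the way a limiter
// keyed on rateLimitBucket would (time window omitted for brevity).
type registrationCounter struct {
	counts map[string]int
}

func newRegistrationCounter() *registrationCounter {
	return &registrationCounter{counts: map[string]int{}}
}

// record attributes one registration from ipStr to its bucket and returns
// the new count for that bucket.
func (c *registrationCounter) record(ipStr string) (int, error) {
	bucket, err := rateLimitBucket(ipStr)
	if err != nil {
		return 0, err
	}
	c.counts[bucket]++
	return c.counts[bucket], nil
}

func main() {
	c := newRegistrationCounter()
	// Constructed sample addresses: two hosts in the same /48, one host in a
	// different /48, and two IPv4 addresses (each its own bucket).
	for _, ip := range []string{
		"2001:db8:1::1", "2001:db8:1:ffff::2", "2001:db8:2::1",
		"192.0.2.10", "192.0.2.11",
	} {
		n, err := c.record(ip)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		bucket, _ := rateLimitBucket(ip)
		fmt.Printf("%-20s -> %-18s count=%d\n", ip, bucket, n)
	}
}
```

Running it shows the answer to the question in #1: changing x::1 to x::2 does not help, because both land in the same /48 bucket; only an address in a different /48 starts a new count.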

#3

Thanks @sigprof!

@Knight, @sigprof is right. Though I have to ask - why do you need so many registrations?


#4

Thanks @jsha and @sigprof :+1:

I haven’t found anything on Google or in the code about the IPv6 rate limits, so I thought somebody else might end up with the same question and asked it for reference :slight_smile:

But I actually had an idea behind it. I want to use the simplicity and coolness of your service for an upcoming hosting offering with customer sub-domains and their own domains. The only thing we can/need to do is manually request a raise of the limit per domain, or add the domain to the PSL and wait for the review and the merge to the production system for the sub-domains. But we could circumvent that with a wildcard certificate and redirection for projects with their own domain name. I’m not quite sure which solution would be best for our needs.

-> Using custom sub-domain certs with a single certificate each (overhead but bad privacy) - I know CT and love it
-> Using custom sub-domains with 100 SANs, but we would need to renew that often and would also hit the renewal exemption

-> Using a custom domain with a single cert and a wildcard cert
-> Using a custom domain with a single cert and a sub-domain (privacy)

But at the start there will be many registrations per hour (I hope, I think). So I want to make sure everything runs as smoothly as possible, because we can’t wait until we have enough users to request a new certificate containing up to the 100-domain limit. That was my reason for asking about the IP registration limits :wink:

Another question that I have: is there a difference between ECC and RSA issuance? Because that would halve the limits for us :frowning:


#5

The term “registration” may be confusing here: It describes creating an account, not authenticating a domain name. I would recommend that you create just one account and use it for all your certs, per our Integration Guide.

-> Using custom sub-domain certs with single certificate (overhead but bad privacy) - I know CT and love it

Why do you say this is bad privacy?


#6

Wow, does that really mean there is no issuance limit per IP? :eyes: This is nice and what I want. Thanks for the clarification @jsha :thumbsup:

I would only use one account because that makes things so easy (revocation and issuance for already verified names), and handling so many certs is enough :slight_smile:

My bad, I meant the second option with all 100 names in one certificate :grimacing: The first option would have very good privacy.

Anyway, thanks to both of you, @jsha & @sigprof, for your fast and nice support :slight_smile: :raised_hands:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.