Rate-limits spanning multiple entities

The enforced rate-limits seem somehow arbitrarily decided.
As a VPS-provider, all customers get one IPv4 and IPv6 address.
Both the IPv4 and IPv6 are allocated in a +1 incrementing fashion, causing a rate-limit on an entire /48 to cut off all customers if a single customer decides to register 500 accounts at the same time (which may also be a perfectly legit thing to do).
I don’t see why we should allocate one IPv6 address per /48 just to circumvent this random restriction.
If we did that, some random services on the internet will just start rate-limiting by /44 instead and we are going nowhere…

Is it still a problem this month? The rate limits were adjusted; now it's 10 accounts per address or 500 accounts per /48. A single customer should no longer be able to blow out the entire /48's rate limit, at least easily.

My initial problem was that we exceeded the 10 registrations per IP. We as a single entity are provided with an acceptable method to solve this; one account for multiple domains. All ok for now.
However, when reading about the /48-limitation there is a problem because it spans multiple entities/users that have nothing to do with each other.

My concern is that a single user can cut off all other customers doing 500-account registrations. It is extremely easy, may even be legit and will not violate a standard ToS so there is little we can do about it once it is happening. I understand that your reasoning is that a single entity often has access to a /48, so you want to limit that single entity. However, in our case there might be thousands of entities behind a single /48.
Additionally, a single entity can pretty easily have a /44, /40 or even a /32. Services restricting on “/48 per user” will cause people to get even larger netblocks and punish the ones that don’t.
Because of the size of IPv6, there is little one can do to enforce limits per user based on a network block today.

Could we get @cpu’s comment on this?

@Jay1, I suspect that Let’s Encrypt staff would be willing to intervene to adjust the rate limits in specific cases, for this particular problem. My own opinion is that there is indeed some arbitrariness in this particular limit, but I don’t think we’ve seen evidence that the problem has been common in practice so far, at least after the adjustment that @mnordhoff mentioned.

Hi @jay1,

It's perhaps not as dire as you say since they will only be cut off from creating new accounts. If you had an existing account there wouldn't be any issue continuing to use it for issuance.

This rate limit is a best-effort to try and put guardrails in place for malfunctioning clients more than malicious clients. Like you say it is fairly trivial to evade this limit with malicious intent and there's little one can do about it in an IPv6 world.

Definitely true!

I concur. It's possible that one customer may be a jerk and cut off all the other customers from creating new accounts if they all share the same /48. We haven't seen that happen yet (but we have seen run-away clients that the rate limit has helped with!). I suspect that if you have one bad apple in your /48 the other customers will complain and you can identify the user at fault and deal with them similar to other resource exhaustion problems in a shared environment. We would certainly try to help you from our side.

Hope that helps,

Thank you. I'm very glad to hear that you are willing to adjust in specific cases if it should become a problem. The limits are fine.
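A sketch of the two-level limit discussed in this thread (10 accounts per address, 500 per IPv6 /48), added here as an example; it is not Let's Encrypt's code and not part of any post above. The window length, the per-address-only treatment of IPv4, the class and function names, and the `2001:db8::` sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Limits quoted in the thread; the window length is an assumption (not stated there).
LIMITS = {"addr": 10, "range": 500}
WINDOW_SECONDS = 3 * 3600


def bucket_keys(addr):
    """Keys a registration counts against: the exact address, plus the /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    keys = [("addr", str(ip))]
    if ip.version == 6:  # assumption: IPv4 is limited per address only
        keys.append(("range", str(ipaddress.ip_network(f"{ip}/48", strict=False))))
    return keys


class RegistrationLimiter:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)  # key -> times of accepted registrations

    def allow(self, addr, now):
        """Return (accepted, key_that_refused)."""
        keys = bucket_keys(addr)
        for key in keys:
            q = self.events[key]
            while q and q[0] <= now - self.window:  # drop expired entries
                q.popleft()
            if len(q) >= LIMITS[key[0]]:
                return False, key
        for key in keys:
            self.events[key].append(now)
        return True, None


def demo():
    limiter = RegistrationLimiter()
    base = int(ipaddress.ip_address("2001:db8:0:1::1"))  # constructed, documentation prefix
    # One address hits the per-address limit long before the /48 limit.
    single = [limiter.allow("2001:db8:0:1::1", now=0)[0] for _ in range(12)]
    # 49 further +1-allocated addresses, 10 registrations each, fill the /48 bucket.
    for i in range(1, 50):
        for _ in range(10):
            limiter.allow(str(ipaddress.ip_address(base + i)), now=0)
    # An unrelated customer on the next address is refused; another /48 is not.
    neighbour = limiter.allow(str(ipaddress.ip_address(base + 50)), now=60)
    other_48 = limiter.allow("2001:db8:1::1", now=60)
    return single, neighbour, other_48
```

The refusal returned for the neighbouring address names the shared `/48` key rather than the address itself, which is the signal a hosting provider would look for when a customer reports that new account creation is failing.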
