SNI Reduces the Need for Unique IP Addresses

Scary, but the real concern for small businesses and web hosts has been how this issue affects the issuing of SSL certificates: to serve an SSL certificate, a unique IP address was traditionally needed for every site requiring one. But there’s a workaround.

Let’s set the scene with some background first.

What is an IP address?

An Internet Protocol (IP) address is a numerical label assigned to each device on a computer network that uses the Internet Protocol, which is a set of rules governing the format of data sent over the internet or another network. Each computer, or host, has at least one IP address that uniquely identifies it from all other computers.

IPv4 is the fourth version of the IP. IPv4 uses 32-bit addresses, which limits the address space available on the internet to 4,294,967,296 (2^32) addresses (nearly 4.3 billion).

The problem

The seemingly bottomless supply of IPv4 addresses, as envisaged in the 1980s, to all intents and purposes ran out in 2011. Internet authorities allot large blocks of IP addresses to regional internet service providers. Those ISPs, in turn, assign IP addresses to servers and internet users from a pool. Thankfully, users log out too, returning addresses to the pool for reuse. In the workplace, office computers are given an internal IP address. As soon as an office computer accesses the internet, it goes out under the office's main IP address.

There have been other innovative ideas that developers used to circumvent the problem of a diminishing supply of IPv4 addresses, but most of these turned out to be “quick fixes” and not at all suitable for the long-term future of:
  • Increasing numbers of internet users,
  • An explosion of mobile devices,
  • The IoT, and
  • The increasing use of always-on devices, like modems, to support constant connectivity on our high-tech modern planet.

IPv6, the seemingly obvious solution designed to replace IPv4, uses 128-bit addresses which allow for approximately three hundred and forty trillion unique IP addresses. IPv6 started rolling out in mid-2000, but the problem is that IPv6 is not "backward-compatible" with IPv4. When a host uses IPv6 exclusively, then that host has no direct connectivity to any part of the IPv4 network. And, the vast majority of the devices connected to the Internet today are not yet compatible with IPv6.

But, in 2014, Google estimated that its IPv6 traffic was only about 4% of its total traffic. Why the hesitation in adopting the new-generation protocol? The short answer is that anyone running a server wants it to be reachable by as many users as possible, which means it must have an IPv4 address. But the main reason is that the clients of small and medium businesses have not been asking for IPv6… yet.

While showing little real concern about IP versioning, customers of web hosting companies did, on the whole, get hot under the collar about security. Hosting several sites on a single virtual private server is not a challenge thanks to virtual hosts, but, as mentioned, providing a separate SSL certificate for each site traditionally required a separate IP address. That is, until SNI came along.

The solution

The good news is that using Server Name Indication (SNI) can reduce the need for unique IP addresses. SNI is an extension of Transport Layer Security (TLS), the protocol designed to ensure privacy and data integrity between two communicating applications. SNI indicates which hostname the browser is contacting at the beginning of the handshake, the process by which server and client establish their credentials. During the handshake, the client requests a digital certificate from the server and then checks that it matches the host to which it is trying to connect.

To understand the solution, a few words about how IP manages data are needed. IP sends data from one computer to another on the internet in packets, each of which carries sender and receiver information in headers that identify it as belonging to a particular piece of content.

Prior to the introduction of SNI, a client could not establish secure connections to multiple virtual servers hosted on a single IP address. This was because the destination server name could only be read from the HTTP request header after the SSL connection had been established, and the request headers that identified the requested host name were encrypted; so having the connection come in on a dedicated IP was the only way to route the request to the proper virtual host on the server and decrypt it with the right certificate. SNI allows the client to include the requested hostname, unencrypted, in the first message of the handshake. The server then uses this information to select the appropriate certificate to return in its response.

What this means is that a server, e.g. your hosting company, can include multiple certificates on the same IP address and TCP port number and thereby allow multiple secure websites to be served off the same IP address without requiring all those sites to use the same certificate.

In the human world, it’s like two parties meeting and making polite introductions. Upon meeting, the first human says: “Hello. Who are you? My name is Joe.” The second human is then able to mentally place where they know a Joe from, and make a suitable response: “Hi Joe. I know you from the tennis club.”

Note: While SNI has been around for a while, adoption was initially somewhat slow on some client platforms, so it was difficult to rely on it until recently. It’s not supported by:
  • Any Internet Explorer browser on Windows XP
  • Chrome 5 and older on Windows XP
  • Blackberry web browser
  • Windows Mobile phones up to version 6.5
  • Android mobile phone default browser on Android OS 2.x

Conclusion

For site visitors and hosting users, nothing has changed. The browser still shows the certificate that verifies HTTPS security, SNI is treated like SSL in most modern control panels such as cPanel or Plesk, and most browsers and servers support SNI.