Open bernhardschmidt opened 1 year ago
There are multiple reasons I haven't done that yet:
So while intriguing, I would not hold my breath right now. I'm always happy to accept code contributions or discuss it further though.
When enabling IPv6, you could rate limit IPv6 addresses using only their /48 prefix, as this is the smallest prefix usually assigned to an entity. So this should be a pretty conservative approach, for a start.
However, most entities surely just get /56 or even /64 prefixes, so a less overly cautious approach would be to rate-limit those.
Or use a tiered approach where you have an IPv4-like rate limit for /64 prefixes and higher limits for /56 and then an even higher one for /48.
Background: With IPv6, the address is 128 bits wide, and the idea is that a network gets at least a /64 prefix delegated. If a provider hands out a /48 prefix that means that the customer may create up to 2**16 networks under that prefix, i.e. he/she is able to sub-delegate longer prefixes in his/her own infrastructure quite flexibly.
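The tiered approach proposed in the comment above, as an added Go sketch that is not part of the thread and not ntfy's code. The limits (60, 240 and 960 per window), the fixed-window counter, and the names Limiter, limitsFor and Allow are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Sample limits (constructed): per IPv4 address, and per IPv6 prefix length.
const v4Limit = 60
var tiers = []struct{ bits, limit int }{{64, 60}, {56, 240}, {48, 960}}

// Limiter counts requests per key inside one fixed window (window reset not shown).
type Limiter struct{ counts map[string]int }
func NewLimiter() *Limiter { return &Limiter{counts: map[string]int{}} }

// limitsFor returns every counter key an address is charged against, with its limit.
func limitsFor(addr netip.Addr) map[string]int {
	addr = addr.Unmap() // ::ffff:a.b.c.d is really an IPv4 client
	if addr.Is4() {
		return map[string]int{addr.String(): v4Limit}
	}
	out := map[string]int{}
	for _, t := range tiers {
		p, _ := addr.Prefix(t.bits) // zeroes the low bits; cannot fail for bits <= 128
		out[p.String()] = t.limit
	}
	return out
}

// Allow admits a request only if every tier it falls under still has room.
func (l *Limiter) Allow(ip string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false // unparseable client address: fail closed
	}
	limits := limitsFor(addr)
	for key, limit := range limits {
		if l.counts[key] >= limit {
			return false
		}
	}
	for key := range limits {
		l.counts[key]++
	}
	return true
}

func main() { fmt.Println(NewLimiter().Allow("2001:db8:1:1::1")) }
```

A client rotating through addresses inside one /64 is held to the IPv4-like limit, while one rotating through /64 networks is stopped by the /56 and /48 counters.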
Using a large-enough prefix sounds like a reasonable compromise. It's still not high on my list, though; so much other stuff to do :-D
I think there may be more to do than just enabling IPv6 on the main server. My personal server has both IPv4 and IPv6, my home has both too, but my mobile provider only has IPv4. I've noticed that the ntfy Android client regularly loses connection to my dual-stack ntfy instance and takes a very long time to reconnect, which causes my notifications to arrive very late and in batches. My second ntfy instance only has an IPv4 DNS record and I have none of the problems there.
This is a great article that describes the reasons for why ntfy.sh does not support IPv6 yet: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/
https://github.com/binwiederhier/ntfy/issues/519#issuecomment-2156231591
@bernhardschmidt, considering the PRs mentioned at https://github.com/adam-p/adam-p.github.com/blob/f8a8c1ee8e42e568dccdf57165373cad45db314a/content/blog/2022-02-20-ipv6-rate-limiting.md#user-content-fn-2-4d1d3136096ba6b2ebad92ddc2261cb2:~:text=I%20submitted%20PRs%20to%20tollbooth%20and%20httprate - https://github.com/go-chi/httprate/pull/10#issue-1145095727 and https://github.com/didip/tollbooth/pull/98#issue-1145095717 - have both been merged, how much of it applies? Although everything stated is correct, it appears somewhat outdated.
I would highly appreciate it if you would enable IPv6 connectivity on the official ntfy.sh service. Right now it seems to be hosted on DigitalOcean. Enabling IPv6 there should be pretty straightforward.
https://docs.digitalocean.com/products/networking/ipv6/