Closed adamenhance closed 10 months ago
I am sorry you are having trouble! Let me see if I can clear things up.
We rolled out IPv6 today and in the blog post we describe how we are rate limiting IPv6 IP addresses against the first 64 bits in the address, so if you have an IP address of 1111:2222:3333:4444:5555:6666:7777:8888
, then we would rate limit against 1111:2222:3333:4444:xxxx:xxxx:xxxx:xxxx
. The second half of the IP address is masked.
In your case, the docker-ratelimit-source
header says 2a01:7e00::
, which is actually a valid, compressed format which represents 2a01:7e00:0000:0000:xxxx:xxxx:xxxx:xxxx
.
In this situation, the following IP addresses would be rate limited into the same bucket:
2a01:7e00:0000:0000:0000:0000:0000:0001
2a01:7e00:0000:0000:0000:0003:0000:0000
2a01:7e00:0000:0000:0000:0000:0005:0000
The following IP addresses would be rate limited into separate buckets:
2a01:7e00:0000:0001:0000:0000:0000:0000
2a01:7e00:0000:0003:0000:0000:0000:0000
2a01:7e00:0005:0000:0000:0000:0000:0000
Therefore, I think the rate limiting is being done as our blog is saying, but you are seeing the compressed format of your masked address in the header, rather than it fully being written out with all zeros.
Thanks for clarifying, I wasn't actually aware that ipv6 support was new.
So the maximum prefix length is /64? The problem here is that Linode by default use SLAAC, to get a dedicated /64 you have to deliberately enable it. We only use Linode for CI so this can be easily worked around but it might affect other users of Linode and similar providers who are unaware of this policy.
Linode is actively investigating this - https://status.linode.com/. Please reach out to support@linode.com with contact information so we can follow up directly
This should be resolved now. We are working closely with Linode/Akamai in order to make sure we are aligned on how they use Docker Hub to avoid issues like this in the future.
It seems that this behaviour began in the past 24 hours.
As far as I can tell this means that any Linode VPS in this /32 pulling images over ipv6 will always be denied.