Policy shift could disable secure servers

The organization is the American Registry for Internet Numbers, or ARIN, which grants Internet Protocol (IP) addresses. Each IP address is a four-part number, such as 209.68.1.202. These numbers underlie Web sites ranging from giants like Amazon.com to the smallest e-tailer.

ARIN doles out blocks of these numbers to Internet service providers throughout North America and South America. This means it provides address space to some of the world's largest ISPs, including WorldCom, Sprint and UUNet, as well to countless other corporations and universities. These companies, in turn, assign IP addresses to their customers.

But ARIN announced last month that it will deny address blocks to ISPs that host a single Web site on a single IP address. The policy was designed to conserve IP addresses while a new Internet standard to provide more numbers is adopted.

But using a different IP address for every different Web site is considered a necessity by many companies that host Web sites for others. As a result, ARIN's announcement has generated hundreds of protest messages.

"Verio Web hosting feels that ARIN should rethink this policy," Stacey Son, vice president of Verio, said in an ARIN forum. Verio, which supports more than 400,000 Web sites running on its servers, describes itself as the world's largest Web hosting company.

One of Son's primary objections is that secure servers--which are essential for most e-commerce purposes--do not work properly if two or more Web sites share the same IP address.

The concerns have prompted ARIN officials to announce that they will revisit the issue at the group's annual meeting next month.

"There may be a specific list of exceptions created, or the policy may be eliminated," said Richard Jimerson, ARIN's director of operations.

Son said he wants a clear list of exceptions, including one that would accommodate Web hosts that provide secure servers.

The inability of secure servers to share a single IP address, however, is far from the only problem ISPs have with ARIN's new policy. Numerous other services are also affected:

• Email. Many people retrieve email using an industry standard such as POP3. Today's Web hosting software often has no way to segregate email sent to different sites if they share an IP address.

• Bandwidth metering. Web sites often pay hosting companies a flat rate if they consume less than an agreed-upon amount of traffic or bandwidth per month. Each site must have a unique IP address, or most hosts' bandwidth metering methods won't work.

• Denial of service. To defeat denial-of-service attacks, like the ones that temporarily disabled Yahoo and other sites last February, most Web hosts depend on the attacked site having a different IP address than any other site.

Some of these problems may be solved with upgrades to the software that ISPs use. But that may take years.

The controversy doesn't affect companies like Yahoo that host their own servers. Instead, start-up companies may be hurt the most, said Marko Karppinen, chief technology officer of Magenta Sites, based in Helsinki, Finland.

His company provides several dozen customers with duplicate servers around the world, a feat small e-businesses can't easily manage on their own.

"We have an address allocation for about 8,000 addresses we don't use, so we don't have a problem yet," Karppinen said. "But obviously, if a Web hosting company is just starting out and asks for addresses, they might have to do a lot of persuading."

Many ISPs hope the new or revised ARIN policy will be announced quickly. Several Web hosting companies plan to offer their customers new secure servers for free as soon as a patent on the technology expires in September.

Consumer advocate Brian Livingston appears at CNET News.com every Friday. Do you know of a problem affecting consumers? Send info to tips@BrianLivingston.com. He'll send you a book of high-tech secrets free if you're the first to submit a tip he prints.