Prior to this PR the SA's `CountRegistrationsByIP` treated IPv6 differently than IPv4 by counting registrations within a /48 for IPv6 as opposed to exact matches for IPv4. This PR updates `CountRegistrationsByIP` to treat IPv4 and IPv6 the same, always matching exactly. The existing RegistrationsPerIP rate limit policy will be applied against this exact matching count.

A new `CountRegistrationsByIPRange` function is added to the SA that performs the historic matching process, e.g. for IPv4 it counts exactly the same as `CountRegistrationsByIP`, but for IPv6 it counts within a /48.

A new `RegistrationsPerIPRange` rate limit policy is added to allow configuring the threshold/window for the fuzzy /48 matching registration limit.

Stats for the "Exceeded" and "Pass" events for this rate limit are separated into a separate `RegistrationsByIPRange` stats scope under the `RateLimit` scope to allow us to track it separately from the exact registrations per IP rate limit.

Resolves https://github.com/letsencrypt/boulder/issues/2738
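The two counts described in the commit message, sketched as an added example (not Boulder's code): exact matching for the per-IP limit, and /48 matching for IPv6 in the per-range limit. The helper names `ipRange`, `counts` and `exceeded`, the thresholds, and the in-memory slice standing in for the SA's database (with no time window) are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
)

// ipRange: the address itself (/32) for IPv4, the enclosing /48 for IPv6. ip must be valid.
func ipRange(ip net.IP) *net.IPNet {
	if v4 := ip.To4(); v4 != nil {
		return &net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)}
	}
	mask := net.CIDRMask(48, 128)
	return &net.IPNet{IP: ip.Mask(mask), Mask: mask}
}

// counts returns the exact-match and range-match totals for ip over regs.
func counts(regs []net.IP, ip net.IP) (exact, inRange int) {
	rng := ipRange(ip)
	for _, r := range regs {
		if r.Equal(ip) {
			exact++
		}
		if rng.Contains(r) {
			inRange++
		}
	}
	return exact, inRange
}

// exceeded names the limit hit (count >= threshold, both hypothetical), or "".
func exceeded(regs []net.IP, ip net.IP, perIP, perRange int) string {
	if exact, inRange := counts(regs, ip); exact >= perIP {
		return "RegistrationsPerIP"
	} else if inRange >= perRange {
		return "RegistrationsPerIPRange"
	}
	return ""
}

// Constructed sample registrations, using documentation address ranges.
var sampleRegs = []net.IP{
	net.ParseIP("2001:db8:aaaa:1::1"), net.ParseIP("2001:db8:aaaa:2::1"), net.ParseIP("2001:db8:aaaa:ffff::9"),
	net.ParseIP("2001:db8:aaab::1"), net.ParseIP("192.0.2.10"), net.ParseIP("192.0.2.10"),
}

func main() {
	fmt.Println(exceeded(sampleRegs, net.ParseIP("2001:db8:aaaa:3::5"), 2, 3))
	fmt.Println(exceeded(sampleRegs, net.ParseIP("192.0.2.10"), 2, 3))
}
```

A client rotating through addresses inside one /48 never trips the exact-match limit, which is why the first call is rejected only by the range limit.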