Apple's Private Relay service

[Cantor, Scott]

I thought I should note this a bit more widely, since it's about to become a bit of a thing, but people should note that Apple's about to release iOS and macOS updates that include the optional Cloud+ Private Relay VPN service, which essentially masks your IP address through a lot of networking magic.

The testing at this point suggests that it's pretty inconsistent about how stable the IP address actually is, to the point that it's not even staying consistent throughout a request conversation with the IdP in a lot of cases.

Since a lot of us (myself included) load balance based on that, it's gonna break and we cannot and will not fix this, the IdP is incapable of serializing state to allow for nodes to switch mid conversation. Other than proxying at layer 7 with node affinity via cookies, not much can be done about it if you have to support those users.

The knock-on effect of a lot of session binding problems in the IdP and SP is also an issue, though both ends now include some support for allowing sessions to float within unreliable network ranges and Apple does supposedly plan to publish the address ranges at some point. Don't know how stable those ranges will be.

This is just the tip of the spear that's probably coming over the next few years, but it's coming pretty fast, so be warned.

-- Scott