hub: Ipv6 abuse limit (#21905)

## Description

- Update abuse rate limit to specify it is per IPv4 address or IPv6 /64
subnet.
(https://deploy-preview-21905--docsdocker.netlify.app/docker-hub/usage/#abuse-rate-limit)
- Add section to call this out and provide workaround.
(https://deploy-preview-21905--docsdocker.netlify.app/docker-hub/usage/pulls/#rate-limiting-on-third-party-platforms)
- Update pull rate limit in tables to include IPv6 for unauthenticated
users

## Related issues or tickets

https://docker.slack.com/archives/C04300R4G5U/p1737814817277139

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [ ] Editorial review
- [ ] Product review

---------

Signed-off-by: Craig <[email protected]>

Author: craig-osterhout

content/manuals/docker-hub/usage/_index.md

@@ -20,13 +20,13 @@ The following table provides an overview of the included usage and limits for ea
 user type, subject to fair use:
 
 
-| User type                | Pulls per month | Pull rate limit per hour | Public repositories | Public repository storage | Private repositories | Private repository storage |
-|--------------------------|-----------------|--------------------------|---------------------|---------------------------|----------------------|----------------------------|
-| Business (authenticated) | 1M              | Unlimited                | Unlimited           | Unlimited                 | Unlimited            | Up to 500 GB               |
-| Team (authenticated)     | 100K            | Unlimited                | Unlimited           | Unlimited                 | Unlimited            | Up to 50 GB                |
-| Pro (authenticated)      | 25K             | Unlimited                | Unlimited           | Unlimited                 | Unlimited            | Up to 5 GB                 |
-| Personal (authenticated) | Not applicable  | 40                       | Unlimited           | Unlimited                 | Up to 1              | Up to 2 GB                 |
-| Unauthenticated users    | Not applicable  | 10 per IP address        | Not applicable      | Not applicable            | Not applicable       | Not applicable             |
+| User type                | Pulls per month | Pull rate limit per hour               | Public repositories | Public repository storage | Private repositories | Private repository storage |
+|--------------------------|-----------------|----------------------------------------|---------------------|---------------------------|----------------------|----------------------------|
+| Business (authenticated) | 1M              | Unlimited                              | Unlimited           | Unlimited                 | Unlimited            | Up to 500 GB               |
+| Team (authenticated)     | 100K            | Unlimited                              | Unlimited           | Unlimited                 | Unlimited            | Up to 50 GB                |
+| Pro (authenticated)      | 25K             | Unlimited                              | Unlimited           | Unlimited                 | Unlimited            | Up to 5 GB                 |
+| Personal (authenticated) | Not applicable  | 40                                     | Unlimited           | Unlimited                 | Up to 1              | Up to 2 GB                 |
+| Unauthenticated users    | Not applicable  | 10 per IPv4 address or IPv6 /64 subnet | Not applicable      | Not applicable            | Not applicable       | Not applicable             |
 
 For more details, see the following:
 
@@ -45,10 +45,10 @@ exhibiting excessive data and storage consumption.
 
 Docker Hub has an abuse rate limit to protect the application and
 infrastructure. This limit applies to all requests to Hub properties including
-web pages, APIs, and image pulls. The limit is applied per-IP, and while the
-limit changes over time depending on load and other factors, it's in the order
-of thousands of requests per minute. The abuse limit applies to all users
-equally regardless of account level.
+web pages, APIs, and image pulls. The limit is applied per IPv4 address or per
+IPv6 /64 subnet, and while the limit changes over time depending on load and
+other factors, it's in the order of thousands of requests per minute. The abuse
+limit applies to all users equally regardless of account level.
 
 You can differentiate between the pull rate limit and abuse rate limit by
 looking at the error code. The abuse limit returns a simple `429 Too Many

content/manuals/docker-hub/usage/pulls.md

@@ -23,13 +23,13 @@ The following pull usage and limits apply based on your subscription, subject to
 fair use:
 
 
-| User type                | Pulls per month | Pull rate limit per hour |
-|--------------------------|-----------------|--------------------------|
-| Business (authenticated) | 1M              | Unlimited                |
-| Team (authenticated)     | 100K            | Unlimited                |
-| Pro (authenticated)      | 25K             | Unlimited                |
-| Personal (authenticated) | Not applicable  | 40                       |
-| Unauthenticated Users    | Not applicable  | 10 per IP address        |
+| User type                | Pulls per month | Pull rate limit per hour               |
+|--------------------------|-----------------|----------------------------------------|
+| Business (authenticated) | 1M              | Unlimited                              |
+| Team (authenticated)     | 100K            | Unlimited                              |
+| Pro (authenticated)      | 25K             | Unlimited                              |
+| Personal (authenticated) | Not applicable  | 40                                     |
+| Unauthenticated Users    | Not applicable  | 10 per IPv4 address or IPv6 /64 subnet |
 
 ## Pull definition
 
@@ -121,6 +121,13 @@ for information on authentication.
 
 If you're using any third-party platforms, follow your provider’s instructions on using registry authentication.
 
+> [!NOTE]
+>
+> When pulling images via a third-party platform, the platform may use the same
+> IPv4 address or IPv6 /64 subnet to pull images for multiple users. Even if you
+> are authenticated, pulls attributed to a single IPv4 address or IPv6 /64 subnet
+> may cause [abuse rate limiting](./_index.md#abuse-rate-limit).
+
 - [Artifactory](https://www.jfrog.com/confluence/display/JFROG/Advanced+Settings#AdvancedSettings-RemoteCredentials)
 - [AWS CodeBuild](https://aws.amazon.com/blogs/devops/how-to-use-docker-images-from-a-private-registry-in-aws-codebuild-for-your-build-environment/)
 - [AWS ECS/Fargate](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html)
@@ -153,7 +160,6 @@ separated file with the following detailed information.
 | `version_checks`     | The number of version checks accumulated for the date and hour of each image repository. Depending on the client, a pull can do a version check to verify the existence of an image or tag without downloading it. | This helps identify the frequency of version checks, which you can use to analyze usage trends and potential unexpected behaviors.                                                  |
 | `pulls`              | The number of pulls accumulated for the date and hour of each image repository.                                                                                                                                            | This helps identify the frequency of repository pulls, which you can use to analyze usage trends and potential unexpected behaviors.                                                |
 
-
 ## View hourly pull rate and limit
 
 The pull rate limit is calculated on a per hour basis. There is no pull rate
@@ -215,4 +221,5 @@ To view your current pull rate and limit:
    is unlimited in partnership with a publisher, provider, or an open source
    organization. It could also mean that the user you are pulling as is part of a
    paid Docker plan. Pulling that image won't count toward pull rate limits if you
-   don't see these headers.
+   don't see these headers.
+