New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filter out undefined/reserved addresses #2703
Comments
Will try to include in v0.33 release |
It looks like this list is incomplete: https://github.com/multiformats/go-multiaddr/blob/master/net/private.go#L46 If we are discovering those addresses via identify, once we fix that list these should get filtered. However, I think it's cheap enough to just skip these addresses when dialing. |
That may not be sufficient. We likely need to switch from blacklisting bad addresses to whitelisting good address ranges, at least for IPv6. E.g., everything in |
I agree. Whitelisting seems a lot simpler. I've raised multiformats/go-multiaddr#235 I'm classifying NAT64 as public because as I understand, in a NAT64 system these addresses can reference public IP addresses. However I am not sure which layer does this translation actually happens. From #2349 (comment)
This sounds like the os should receive an IPv4 address and it'll handle converting it to a NAT64 address of the form |
Note: The fix above relies on not adding invalid addresses to the peer store. We do this for identify and dht(https://github.com/libp2p/go-libp2p-kad-dht/blob/master/dual/dual.go#L111) |
NAT64 can only reference public addresses, yes. Any NAT64 address referencing a private address should be treated as invalid.
I'm not so sure. The RFC claims that Basically:
At least that's my reading. |
I agree with your reasoning. I think you meant:
|
Ah, sorry, I meant.
|
Basically, this is about assigning IPv4-compatible IPv6 addresses so IPv4-only clients can talk to IPv6 servers. |
Yep from RFC 6052 section 3.1
My reading is a bit different.
https://datatracker.ietf.org/doc/html/rfc6146#section-1.2.2 contains a full walkthrough example that's helpful. |
There's an implicit "when IPv4 routes are available". My understanding is that this prefix exists to allow IPv6-only clients to reach IPv4-only nodes, so most operating systems prefer IPv4 to avoid this extra translation. This RFC is trying to deal with the case where IPv6 is actually preferable. |
Nevermind..., you're right. IPv4-mapped addresses exist solely so that software can drop support for IPv4 addresses. |
I was inferring something the RFC didn't state to try to figure out how IPv4-mapped addresses could possibly be useful on the internet.... and the answer is: they aren't. |
Motivated by ipfs/kubo#10327 (comment).
For some reason there seem to be nodes out there that will advertise IP addresses that are invalid. For example:
::5054:ff:fe92:8bc9
(from one of the logs in the linked issue) seems to be an invalid IP address in that:::/8
, which was reserved by IETF https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml::/8
that was allocated (i.e. see footnotes 1 through 6 in https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml or https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml)Adding a filter for at least these unspecified
::/8
addresses (although we could do more) might look like blocking that entire range except for:Note: ::/128 (unspecified) should also be blocked, but we already do that.
It seems like the additional filters could go where we already do filtering
go-libp2p/p2p/net/swarm/swarm_dial.go
Lines 476 to 502 in ae44ef9
It's possible I'm misunderstanding how some of these ranges are meant to be used, and if so please let me know.
cc @sukunrt @Stebalien
The text was updated successfully, but these errors were encountered: