IP address limits might not suitable for IPv6 #20522

qin-nz · 2020-01-07T15:05:16Z

Hi all,
In this code, geth restrict only 2 IP address is allowed in the same subnet (/24) to prevent from attack of the eclipse.

Lines 52 to 53 in 9e0f934

    
           // IP address limits. 
        
           bucketIPLimit, bucketSubnet = 2, 24 // at most 2 addresses from the same /24

In IPv4, it's ok. But in IPv6, /24 is quite a big subnet.
For example,

China Telecom (Tire 1 ISP in China, with hundred million users ) only have a /20 subnet (=16*/24) (see https://bgp.he.net/ip/240e:: ).
Alibaba/Aliyun (No.1 Public Cloud Provider in China) only have a /22 subnet (=4*/24) (see https://bgp.he.net/net/2408:4000::/22 ).

I think good limit should be:

Reasons:
/24 in IPv4 is the minium length in GLOBAL routing table.
/48 in IPv6 is the minium length in GLOBAL routing table.

For higher securtiy, the follwing limit may also be considerate:

The text was updated successfully, but these errors were encountered:

fjl · 2020-01-08T08:54:48Z

Thank you for bringing this up. I will investigate how to improve IPv6 limits very soon.

qin-nz changed the title ~~IP address limits might not suit for IPv6~~ IP address limits might not suitable for IPv6 Jan 7, 2020

ligi added the status:triage label Jan 7, 2020

fjl self-assigned this Jan 8, 2020

fjl added area:network and removed status:triage labels Jan 8, 2020

karalabe removed the area:network label May 3, 2023

Provide feedback