Peering with private IPs #5510
Comments
ivan4th added a commit that referenced this issue Jan 29, 2024
The IP blocklists were not initialized properly. This change is related to #5510, but doesn't constitute a complete fix, as enabling the blocklists makes it impossible for the peers on the same LAN to talk to each other on their private IPs without involving NAT hairpinning, which may not be supported by the router or the ISP.
spacemesh-bors bot pushed a commit that referenced this issue Jan 30, 2024
## Motivation
The IP blocklists were not initialized properly. This results in "portscans", when the node tries to contact other nodes outside its local network on their private IP. See #5510 for more information
spacemesh-bors bot pushed a commit that referenced this issue Feb 5, 2024
## Motivation
The IP blocklists were not initialized properly. This results in "portscans", when the node tries to contact other nodes outside its local network on their private IP. See #5510 for more information
ivan4th added a commit that referenced this issue Feb 5, 2024
## Motivation
The IP blocklists were not initialized properly. This results in "portscans", when the node tries to contact other nodes outside its local network on their private IP. See #5510 for more information
Description
At the time of this writing, there's a bug in the gater setup code, namely, the IPv4/IPv6 address block lists are not initialized:
go-spacemesh/p2p/host.go, lines 257 to 265 in bb31280
This results in dial requests to private IP address ranges, which some cloud providers can interpret as port scans.
After an obvious gater fix, there remains a problem of nodes contacting peers behind the same NAT. This will work via the public IP if the NAT in question supports hairpinning, even though it will cause some back-and-forth traffic through the user's router and also possibly through the ISP, if the user doesn't get a public IP address from the ISP. As an interim solution, we can suggest that home users set
"ip4-blocklist": [], "ip6-blocklist": []
in their config and make sure their routers block traffic to private networks on their WAN interface, but that's a somewhat hacky approach. The proper approach likely involves using dual DHT, one DHT being public and one private, like kubo does.
Steps to reproduce
Run several nodes on the same local network (connected to Internet)
Actual Behavior
Nodes try to dial peers outside the local network on private IPs.
With gater blocking enacted, peers can only talk to other peers on the same local network through NAT hairpinning via the public IP.
Expected Behavior
Nodes never try to dial peers outside the local network on private IPs.
Peers in the same local network are dialed based on their private IPs.
Additional Resources
Related kubo issue:
Also related:
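An added illustration of the three states this issue describes (empty blocklists, populated blocklists, and the expected LAN-aware behaviour); it is not go-spacemesh or libp2p code. `DialGate`, its `Local` exemption and the sample ranges are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// DialGate is a hypothetical stand-in for a connection gater's address filter.
type DialGate struct {
	Blocked []netip.Prefix // ranges that must not be dialed
	Local   []netip.Prefix // directly attached subnets, exempt from Blocked (assumption)
}

func mustPrefixes(cidrs ...string) []netip.Prefix {
	var out []netip.Prefix
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func contains(ps []netip.Prefix, a netip.Addr) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// AllowDial reports whether addr may be dialed. Unparseable input is refused.
func (g DialGate) AllowDial(addr string) bool {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false
	}
	// Prefix.Contains never matches IPv4-mapped or zoned addresses, so normalize
	// first; otherwise ::ffff:10.0.0.1 or fe80::1%eth0 would slip past the list.
	a = a.Unmap().WithZone("")
	return contains(g.Local, a) || !contains(g.Blocked, a)
}

// Constructed sample ranges, not the project's default blocklists.
var privateRanges = mustPrefixes("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10")

func main() {
	unset, strict := DialGate{}, DialGate{Blocked: privateRanges}
	lanAware := DialGate{Blocked: privateRanges, Local: mustPrefixes("192.168.1.0/24")}
	for _, addr := range []string{"10.8.0.5", "192.168.1.20", "203.0.113.7"} {
		fmt.Println(addr, unset.AllowDial(addr), strict.AllowDial(addr), lanAware.AllowDial(addr))
	}
}
```

The `Local` exemption matches on address range only, so a remote peer advertising an address inside the same range as the local subnet still passes it.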