Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

server profile should not include non-global IPv6 ranges #6284

Closed
ghost opened this issue May 1, 2019 · 4 comments · Fixed by #6285
Closed

server profile should not include non-global IPv6 ranges #6284

ghost opened this issue May 1, 2019 · 4 comments · Fixed by #6285
Labels
exp/novice Someone with a little familiarity can pick up help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws)

Comments

@ghost
Copy link

ghost commented May 1, 2019

Version information:

$ ipfs version --all
go-ipfs version: 0.4.20-dev-221d1b13a
Repo version: 7
System version: amd64/linux
Golang version: go1.12

Type: bug

Description:

If you have a private IPv6 address, say such as fec0::, ipfs will announce this. If you do ipfs init --profile server, there's a very hefty list of IPv4s to avoid, but not the same for IPv6.

https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv6

This seems like a pretty easy patch to write up. If you can confirm this is not intended behavior, I can open a PR.

(I also see swarm announcements for 127.0.0.1, I'm not sure if that's a bad thing or not.)

@Stebalien
Copy link
Member

(I also see swarm announcements for 127.0.0.1, I'm not sure if that's a bad thing or not.)

Long discussion here: libp2p/go-libp2p#436


But yes, the server profile should block all non-routable addresses. Patches most welcome! (https://github.com/ipfs/go-ipfs-config/blob/master/profile.go)

@Stebalien Stebalien added kind/bug A bug in existing code (including security flaws) exp/novice Someone with a little familiarity can pick up help wanted Seeking public contribution on this issue labels May 1, 2019
@ghost
Copy link
Author

ghost commented May 1, 2019

Thank you! I went ahead and opened a pull request.

https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

I had pretty mixed feelings on what to add. We could have Teredo, 6to4, etc. But I think that could break desired connectivity in some cases. I hope this is at least a start.

I can see the swarm announcements being a potential privacy issue as well. Especially if say you're a client on a laptop and you really just want outbound connections. If you have IPv6 privacy mode enabled, you hand out every last one of your globally routable addresses. Of cousre this PR doesn't impact that, but I think it may be something to think about more.

@Stebalien
Copy link
Member

That's a good enough start for now. We can always adjust this later.

I can see the swarm announcements being a potential privacy issue as well. Especially if say you're a client on a laptop and you really just want outbound connections. If you have IPv6 privacy mode enabled, you hand out every last one of your globally routable addresses. Of cousre this PR doesn't impact that, but I think it may be something to think about more.

I agree. That's a large part of that libp2p issue I listed.

Stebalien added a commit that referenced this issue May 1, 2019
fixes #6284

License: MIT
Signed-off-by: Steven Allen <[email protected]>
@ghost
Copy link
Author

ghost commented May 1, 2019

Gotcha. Thank you for merging!

Stebalien added a commit that referenced this issue May 1, 2019
fixes #6284

License: MIT
Signed-off-by: Steven Allen <[email protected]>
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Feb 25, 2022
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Feb 25, 2022
Closes: ipfs#6284 Add appropriate IPv6 ranges to defaultServerFilters
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Feb 25, 2022
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Feb 25, 2022
Closes: ipfs#6284 Add appropriate IPv6 ranges to defaultServerFilters
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Mar 4, 2022
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Mar 4, 2022
Closes: ipfs#6284 Add appropriate IPv6 ranges to defaultServerFilters
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Mar 4, 2022
laurentsenta pushed a commit to laurentsenta/kubo that referenced this issue Mar 4, 2022
Closes: ipfs#6284 Add appropriate IPv6 ranges to defaultServerFilters
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
exp/novice Someone with a little familiarity can pick up help wanted Seeking public contribution on this issue kind/bug A bug in existing code (including security flaws)
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant