Skip private networks #49
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`devp2p` did not discriminate "private" and public network addresses. This can lead to at least the following issues: 1) If peers (incorrectly) reports a private network address as endpoint, this fills the discovery with a lot of incorrect entries. 2) On the other hand is it hard to keep nodes in a private network protected from discovery requests from the outside. With this change, each Address from devp2p will be checked against a range of "allowed networks", which consists of a whitelist (default empty) and a blacklist (default populated with most entries from `ipaddress._IPv4Constants._private_networks`). Entries to the whitelist take precedence over the blacklist. User libraries can adjust the behaviour via environment variables or changing the instance `devp2p.discovery.ALLOWED_NETWORKS`.
In tests we need to enable local networks in the discovery module.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR opened for discussion
ping @fjl @heikoheiko
please fill in other interested parties!
Description
devp2pdid not discriminate "private" and "public" network addresses.This can lead to at least the following issues:
If peers (incorrectly) report a "private" network addresses as endpoints,
this fills the discovery with a lot of incorrect entries.
see also: https://www.reddit.com/r/ethereum/comments/55xjrb/yet_another_new_attack_using_faked_ip_src/
On the other hand is it hard to keep nodes in a private network protected
from discovery requests from the outside.
With this change, each
Addressfrom devp2p will be checked against a range of"allowed networks", which consists of a whitelist (default empty) and a blacklist
(default populated with most entries from
ipaddress._IPv4Constants._private_networks).If a new
Addressis not in the "allowed" list, it will invalidate with aValueError.Entries to the whitelist take precedence over the blacklist. User libraries
can adjust the behaviour via environment variables or changing the instance
devp2p.discovery.ALLOWED_NETWORKS.