This repository has been archived by the owner on Mar 25, 2022. It is now read-only.

The IPFS bootstrap nodes seem to use 1024 bits RSA keys #378

Closed
tomaka opened this issue Feb 22, 2018 · 12 comments
Labels
status/deferred Conscious decision to pause or backlog topic/libp2p Topic libp2p


@tomaka

tomaka commented Feb 22, 2018

While 2048-bit keys are the default and would be preferred.

cc @diasdavid

@daviddias
Member

@lgierth @kyledrake what's the main reason why we don't use 1024 bits keys in our Infrastructure nodes?

@daviddias daviddias assigned ghost and kyledrake Feb 22, 2018
@daviddias
Member

Ping @lgierth and @kyledrake

@ghost

ghost commented Mar 6, 2018

Historic reasons -- we bumped the default to 2048 at some point.

There are a few 2048 bit peerIDs in the default bootstrap list that I added like 9 months ago - we should:

  1. start using them, i.e. start the respective nodes.
  2. remove the QmSoL nodes from default bootstrap.
  3. hopefully in a year or five be able to shut the QmSoL nodes down.

@daviddias
Member

@lgierth can we have a list of all the nodes and their keys here?

@ghost

ghost commented Mar 6, 2018

New nodes (not running yet, just PeerIDs):

  • /dnsaddr/bootstrap.libp2p.io/ipfs/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN
  • /dnsaddr/bootstrap.libp2p.io/ipfs/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa
  • /dnsaddr/bootstrap.libp2p.io/ipfs/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb
  • /dnsaddr/bootstrap.libp2p.io/ipfs/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt

Old nodes:

  • QmSoLPppuBtQSGwKDZT2M73ULpjvfd3aZ6ha4oFGL1KrGM (in default bootstrap)
  • QmSoLnSGccFuZQJzRadHn95W2CrSFmZuTdDWP8HXaHca9z
  • QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm
  • QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu (in default bootstrap)
  • QmSoLju6m7xTh3DuokvT3886QRYqxAzb1kShaanJgW36yx
  • QmSoLV4Bbm51jM9C4gDYZQ9Cy3U6aXMJDAbzgu2fzaDs64 (in default bootstrap)
  • QmSoLer265NRgSp2LA3dPaeykiS1J6DifTC88f5uVQKNAd (in default bootstrap)
  • QmSoLMeWqB7YGVLJN3pNLQpmmEk35v6wYtsMGLzSr5QBU3

@victorb
Member

victorb commented Mar 6, 2018

@lgierth is it possible we could have a similar schema as the old QmSoL? Maybe a different one, but it was handy to immediately see if a node was a bootstrap node or not. Same with the gateways.

@ghost

ghost commented Mar 6, 2018

They're already in go-ipfs's default bootstrap. I also think that at one point we'd break from that scheme anyway when there's a situation where we need to quickly add new nodes (brute-forcing these took a day or three).

@ghost ghost added security labels Aug 6, 2018
@eefahy eefahy added topic/libp2p Topic libp2p and removed libp2p labels Aug 10, 2018
@eefahy eefahy added the status/deferred Conscious decision to pause or backlog label Aug 10, 2018
@ghost ghost unassigned kyledrake Mar 7, 2019
@MichaelMure

I got hit by this:

2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2a03:b0c0:0:1010::23:1001/tcp/4001] dial tcp6 [2a03:b0c0:0:1010::23:1001]:4001: connect: network is unreachable
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2a03:b0c0:0:1010::23:1001/tcp/4001] dial tcp6 [2a03:b0c0:0:1010::23:1001]:4001: connect: network is unreachable
2019/09/22 14:18:39 failed to dial QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb: no good addresses
2019/09/22 14:18:39 failed to dial QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN: no good addresses
2019/09/22 14:18:39 failed to dial QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt: no good addresses
2019/09/22 14:18:39 failed to dial QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa: no good addresses
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2604:a880:1:20::203:d001/tcp/4001] dial tcp6 [2604:a880:1:20::203:d001]:4001: connect: network is unreachable
  * [/ip4/104.236.179.241/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2604:a880:1:20::203:d001/tcp/4001] dial tcp6 [2604:a880:1:20::203:d001]:4001: connect: network is unreachable
  * [/ip4/104.236.179.241/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2604:a880:800:10::4a:5001/tcp/4001] dial tcp6 [2604:a880:800:10::4a:5001]:4001: connect: network is unreachable
  * [/ip4/104.236.76.40/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2604:a880:800:10::4a:5001/tcp/4001] dial tcp6 [2604:a880:800:10::4a:5001]:4001: connect: network is unreachable
  * [/ip4/104.236.76.40/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip4/128.199.219.111/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip4/128.199.219.111/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 Connected to QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ

It seems that in the default bootstrapper list, only one node has a key >= 2048 and supports IPv4, which makes it a fairly brittle and slow bootstrap process.

Note: I'm using libp2p directly, which has a 2048 minimum length required, unlike go-ipfs (512).
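
Added example (not code from this thread or from libp2p): a small Go triage of a dial log in the format shown in the comment above, separating addresses rejected by the RSA key-size check from plain transport failures and de-duplicating retries. The sample log is constructed, with documentation-range addresses and placeholder peer IDs; `Triage` and its cause labels are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the page's log format (documentation addresses, placeholder peer IDs).
const sampleLog = `2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip6/2001:db8::1/tcp/4001] dial tcp6 [2001:db8::1]:4001: connect: network is unreachable
  * [/ip4/192.0.2.10/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
  * [/ip4/192.0.2.10/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial QmPlaceholderA: no good addresses
2019/09/22 14:18:39 Connected to QmPlaceholderB`

var addrRe = regexp.MustCompile(`^\s*\* \[([^\]]+)\] (.*)$`)
var peerRe = regexp.MustCompile(`(failed to dial|Connected to) (Qm\w+)(: no good addresses)?$`)

// Triage groups dial outcomes by cause, de-duplicating retries: "weak-key"
// and "unreachable" hold multiaddrs, "no-addrs" and "connected" peer IDs.
func Triage(log string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	add := func(cause, v string) {
		if !seen[cause+" "+v] {
			seen[cause+" "+v] = true
			out[cause] = append(out[cause], v)
		}
	}
	for _, line := range strings.Split(log, "\n") {
		if m := addrRe.FindStringSubmatch(line); m != nil {
			if strings.Contains(m[2], "rsa keys must be >=") {
				add("weak-key", m[1]) // peer key below the dialer's minimum size
			} else if strings.Contains(m[2], "network is unreachable") {
				add("unreachable", m[1]) // transport failure, unrelated to keys
			}
		} else if m := peerRe.FindStringSubmatch(line); m != nil {
			if m[1] == "Connected to" {
				add("connected", m[2])
			} else if m[3] != "" {
				add("no-addrs", m[2])
			}
		}
	}
	return out
}

func main() { fmt.Println(Triage(sampleLog)) }
```

Addresses under `weak-key` belong to peers that need a new identity key or removal from the bootstrap list; those under `unreachable` point at local network configuration instead.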

@hsanjuan
Contributor

Got hit too, I will try to expedite a fix

@mburns
Contributor

mburns commented Feb 10, 2020

For legacy compatibility, the 'old' bootstrap nodes with small keys are essentially stuck in-place, and are deprecated by the 'new nodes', under bootstrap.libp2p.io/IPFS/... which have been running for a while now.

Closing as resolved, but please reopen if you run into issues.

@mburns mburns closed this as completed Feb 10, 2020
@daviddias
Member

@mburns it might be worth making an announcement so that people update their IPFS/libp2p configs + checking where those old nodes show up (in the default configs + examples) and updating them to only show the new ones.

@mburns
Contributor

mburns commented Feb 11, 2020

indeed. I'll track some notes and the announcement here: #496
