The IPFS bootstrap nodes seem to use 1024-bit RSA keys
tomaka opened this issue · 12 comments
While 2048-bit keys are the default and would be preferred.
cc @diasdavid
@lgierth @kyledrake what's the main reason why we don't use 1024-bit keys in our Infrastructure nodes?
Ping @lgierth and @kyledrake
Historic reasons -- we bumped the default to 2048 at some point.
There are a few 2048 bit peerIDs in the default bootstrap list that I added like 9 months ago - we should:
- start using them, i.e. start the respective nodes.
- remove the QmSoL nodes from default bootstrap.
- hopefully in a year or five be able to shut the QmSoL nodes down.
New nodes (not running yet, just PeerIDs):
- /dnsaddr/bootstrap.libp2p.io/ipfs/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN
- /dnsaddr/bootstrap.libp2p.io/ipfs/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa
- /dnsaddr/bootstrap.libp2p.io/ipfs/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb
- /dnsaddr/bootstrap.libp2p.io/ipfs/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt
Old nodes:
- QmSoLPppuBtQSGwKDZT2M73ULpjvfd3aZ6ha4oFGL1KrGM (in default bootstrap)
- QmSoLnSGccFuZQJzRadHn95W2CrSFmZuTdDWP8HXaHca9z
- QmSoLueR4xBeUbY9WZ9xGUUxunbKWcrNFTDAadQJmocnWm
- QmSoLSafTMBsPKadTEgaXctDQVcqN88CNLHXMkTNwMKPnu (in default bootstrap)
- QmSoLju6m7xTh3DuokvT3886QRYqxAzb1kShaanJgW36yx
- QmSoLV4Bbm51jM9C4gDYZQ9Cy3U6aXMJDAbzgu2fzaDs64 (in default bootstrap)
- QmSoLer265NRgSp2LA3dPaeykiS1J6DifTC88f5uVQKNAd (in default bootstrap)
- QmSoLMeWqB7YGVLJN3pNLQpmmEk35v6wYtsMGLzSr5QBU3
@lgierth is it possible we could have a similar schema as the old QmSoL? Maybe a different one, but it was handy to immediately see if a node was a bootstrap node or not. Same with the gateways.
They're already in go-ipfs's default bootstrap. I also think that at one point we'd break from that scheme anyway when there's a situation where we need to quickly add new nodes (brute-forcing these took a day or three).
I got hit by this:
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2a03:b0c0:0:1010::23:1001/tcp/4001] dial tcp6 [2a03:b0c0:0:1010::23:1001]:4001: connect: network is unreachable
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2a03:b0c0:0:1010::23:1001/tcp/4001] dial tcp6 [2a03:b0c0:0:1010::23:1001]:4001: connect: network is unreachable
2019/09/22 14:18:39 failed to dial QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb: no good addresses
2019/09/22 14:18:39 failed to dial QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN: no good addresses
2019/09/22 14:18:39 failed to dial QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt: no good addresses
2019/09/22 14:18:39 failed to dial QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa: no good addresses
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2604:a880:1:20::203:d001/tcp/4001] dial tcp6 [2604:a880:1:20::203:d001]:4001: connect: network is unreachable
* [/ip4/104.236.179.241/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2604:a880:1:20::203:d001/tcp/4001] dial tcp6 [2604:a880:1:20::203:d001]:4001: connect: network is unreachable
* [/ip4/104.236.179.241/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2604:a880:800:10::4a:5001/tcp/4001] dial tcp6 [2604:a880:800:10::4a:5001]:4001: connect: network is unreachable
* [/ip4/104.236.76.40/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip6/2604:a880:800:10::4a:5001/tcp/4001] dial tcp6 [2604:a880:800:10::4a:5001]:4001: connect: network is unreachable
* [/ip4/104.236.76.40/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip4/128.199.219.111/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 failed to dial : all dials failed
* [/ip4/128.199.219.111/tcp/4001] failed to negotiate security protocol: rsa keys must be >= 2048 bits to be useful
2019/09/22 14:18:39 Connected to QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ
It seems that in the default bootstrapper list, only one node has a key >= 2048 bits and supports IPv4, which makes for a fairly brittle and slow bootstrap process.
Note: I'm using libp2p directly, which has a 2048-bit minimum key length requirement, unlike go-ipfs (512).
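The dial failures above come from the handshake refusing RSA keys below the client's minimum, and the thread's point is that two different minimums (libp2p 2048, go-ipfs 512) leave a libp2p client with almost no usable bootstrap peers. The following is an added, self-contained model of that policy check and its effect on a bootstrap list, not go-libp2p's or go-ipfs's own code; the peer labels and keys are constructed test data, not real PeerIDs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// libp2p's security handshake rejects RSA keys below 2048 bits (the "rsa keys must be
// >= 2048 bits to be useful" error in the log above); go-ipfs at the time accepted 512.
const MinRSABitsLibp2p = 2048
const MinRSABitsGoIPFS = 512

// bootstrapPeer is a constructed record: Label stands in for a PeerID, Key is the
// public key the remote peer presents during the handshake.
type bootstrapPeer struct {
	Label string
	Key   *rsa.PublicKey
}

// checkRSAKeySize applies the minimum-modulus policy to a peer's RSA public key.
func checkRSAKeySize(pub *rsa.PublicKey, minBits int) error {
	if bits := pub.N.BitLen(); bits < minBits {
		return fmt.Errorf("rsa keys must be >= %d bits to be useful (got %d)", minBits, bits)
	}
	return nil
}

// usableBootstrapPeers returns the peers a client enforcing minBits can complete a
// handshake with; a short list means a brittle bootstrap set, as seen in the thread.
func usableBootstrapPeers(peers []bootstrapPeer, minBits int) []string {
	var ok []string
	for _, p := range peers {
		if checkRSAKeySize(p.Key, minBits) == nil {
			ok = append(ok, p.Label)
		}
	}
	return ok
}

func main() {
	// Constructed data: one legacy-sized key and one current-default key.
	k1, _ := rsa.GenerateKey(rand.Reader, 1024)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	peers := []bootstrapPeer{{"legacy-1024", &k1.PublicKey}, {"new-2048", &k2.PublicKey}}
	fmt.Println("go-ipfs policy:", usableBootstrapPeers(peers, MinRSABitsGoIPFS))
	fmt.Println("libp2p policy:", usableBootstrapPeers(peers, MinRSABitsLibp2p))
}
```

Under the go-ipfs minimum both peers pass, under the libp2p minimum only the 2048-bit one does, which is the one-usable-IPv4-bootstrapper situation the log shows.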
Got hit too, I will try to expedite a fix
For legacy compatibility, the 'old' bootstrap nodes with small keys are essentially stuck in-place, and are deprecated by the 'new nodes', under bootstrap.libp2p.io/IPFS/... which have been running for a while now.
Closing as resolved, but please reopen if you run into issues.