ipfs/kubo

don't waste dials to reserved addresses

cryptix opened this issue · 5 comments

I talked to somebody, who heard from somebody, ... that some network intrusion detection systems flag connection attempt sprees to unreachable addresses as malicious scanning attempts.

Apart from a discussion about overzealous monitoring, this reminded me that we need to revisit Dialing and Advertising.

For me as a node on, let's say, 192.168.23.42, I have no business trying to connect to a node on 192.168.123.x, for instance. Same goes for the whole block of 10.0.0.0/8, etc.

We should add a facility that uses OS lookup to get the local addresses and constructs the intersection of the local and the remote peer addresses, using the rules of Reserved IP addresses to see if it is even possible that this peer is on my subnet. There still might be false positives then of remote peers also having a VPN which uses 10.10.x.x as well, but we would cut out a lot of vain dialing attempts.

I'm not sure if this would work but with the new local network discovery, we might consider not even advertising local/private addresses on a global scale and just to listen on them for other locals to discover and dial them.

> We should add a facility that uses OS lookup to get the local addresses and constructs the intersection of the local and the remote peer addresses, using the rules of Reserved IP addresses to see if it is even possible that this peer is on my subnet.

sounds right. though not so simple-- have to also take into account complicated topologies where nodes may be inside VMs / containers inside virtual networks. (wheeee! networking is fun! ...)

> I'm not sure if this would work but with the new local network discovery, we might consider not even advertising local/private addresses on a global scale and just to listen on them for other locals to discover and dial them.

No, this doesn't work. see the ICE + WebRTC specs.

So, browsers with WebRTC, torrents+friends using ICE, all face this problem and have likely come up with reasonable heuristics for us to evaluate. we can't take them wholesale because we have some different use cases, but good to compare. Also maybe we could have settings for how aggressive peer dialing is -- so that in harsh networks we can tone down (at the expense of perf).

Off topic, but I can't wait for us to have relays...

Just because a node is in a reserved subnet does that mean that we can't dial them? We don't know what routes may be accessible to our default gateway.

@tilgovi that's true. it doesn't actually mean we can't dial them... these are annoying heuristics that can often go wrong, and drive people crazy ("why doesn't this very simple thing connect!"). In the end we will need to drive our dialing (or not dialing) decisions based on observations about the network.

This got largely resolved by #1433 and #1226 (comment)
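
The dial filter proposed in the opening post, sketched in Go as an added example; it is not kubo or libp2p code and not part of the thread. `LocalPrefixes`, `WorthDialing`, `check` and `sampleLocal` are hypothetical names, and the /24 mask on the reporter's address is assumed. As the replies point out, a reserved address outside the local subnets may still be routable through a gateway, so this is a heuristic and loopback and other special ranges are left out.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// LocalPrefixes asks the OS for interface addresses and returns their subnets.
func LocalPrefixes() []netip.Prefix {
	var out []netip.Prefix
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		return out
	}
	for _, a := range addrs {
		// *net.IPNet prints as CIDR, e.g. "192.168.23.42/24".
		if p, err := netip.ParsePrefix(a.String()); err == nil {
			out = append(out, p.Masked())
		}
	}
	return out
}

// WorthDialing: public addresses always pass; private (RFC 1918, fc00::/7)
// or link-local ones pass only if they fall inside one of our own subnets.
func WorthDialing(local []netip.Prefix, remote netip.Addr) bool {
	remote = remote.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if !remote.IsPrivate() && !remote.IsLinkLocalUnicast() {
		return true
	}
	for _, p := range local {
		if p.Contains(remote) {
			return true
		}
	}
	return false
}

// Constructed sample: the reporter's LAN (mask assumed) plus a VPN in 10.10.0.0/16.
var sampleLocal = []netip.Prefix{
	netip.MustParsePrefix("192.168.23.0/24"),
	netip.MustParsePrefix("10.10.0.0/16"),
}

func check(s string) bool { return WorthDialing(sampleLocal, netip.MustParseAddr(s)) }

func main() {
	for _, s := range []string{"192.168.123.7", "192.168.23.9", "10.10.3.4", "10.0.0.5", "203.0.113.10"} {
		fmt.Println(s, check(s))
	}
	fmt.Println("this host:", LocalPrefixes())
}
```

The `10.10.3.4` case passes because the sample host has a VPN interface in the same range, which is the false positive the opening post anticipates.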