libp2p/go-libp2p-autonat

Don't trust autonat responses from your same netblock

willscott opened this issue · 2 comments

One part of the heuristic game we can play for IPv6 in particular is that if the remote peer looks like it's in the same BGP announcement (or approximation thereof), its ability to dial back to you should be suspect.

In v4, the simplest approximation of this would be to only ask for autonat to nodes with a public IP that is in a different /16 from what you currently believe your external address is.

In v6, typical allocations for ISPs/orgs range from /32 to /48. /32 is probably a reasonable conservative baseline.

@willscott

For my own understanding

In v4, the simplest approximation of this would be to only ask for autonat to nodes with a public IP that is in a different /16 from what you currently believe your external address is.

What do you mean by "a public IP that is in a different /16 from"? Please can you explain how this is different from libp2p/go-libp2p-autonat-svc#44?

What do you mean by "a public IP that is in a different /16 from"?

For another node with an IP of a.b.c.d, you would not ask them to check your IP if you believe your IP also is of the form a.b.x.y. (If the first 2 octets, or 16 bits, of the IP are the same, there's a plausible chance that both machines are in the same network, and may see different connectivity between themselves than two nodes further apart on the internet would.)
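The netblock check described in this thread, written out as a small Go example. This is added illustration code, not code from go-libp2p-autonat or from any participant in the discussion. It assumes the prefix lengths proposed above (/16 for IPv4, /32 for IPv6) as fixed constants rather than looking up real BGP announcements, uses the standard-library net/netip package, and the function names sameNetblock and shouldAskForDialBack are hypothetical. It also folds in a check that the peer's address is globally routable at all, since a private, loopback or link-local peer is never a useful dial-back vantage point.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Shared-prefix lengths from the thread: /16 for IPv4 and the conservative
// /32 baseline for IPv6. These are the discussion's suggested values, not
// constants from go-libp2p-autonat.
const (
	v4SharedBits = 16
	v6SharedBits = 32
)

// sameNetblock reports whether peer falls in the same /16 (IPv4) or /32
// (IPv6) as the address we currently believe is our own external address.
// Addresses of different families never share a netblock. IPv4-mapped IPv6
// addresses are unmapped first so ::ffff:a.b.c.d is compared as IPv4.
func sameNetblock(self, peer netip.Addr) bool {
	self, peer = self.Unmap(), peer.Unmap()
	if !self.IsValid() || !peer.IsValid() || self.Is4() != peer.Is4() {
		return false
	}
	bits := v6SharedBits
	if self.Is4() {
		bits = v4SharedBits
	}
	// Mask our own address down to the shared prefix and test membership.
	block := netip.PrefixFrom(self, bits).Masked()
	return block.Contains(peer)
}

// shouldAskForDialBack decides whether peer is a usable vantage point for an
// autonat dial-back request: it must be a public address and must not sit in
// our own netblock, otherwise its view of our reachability is suspect.
func shouldAskForDialBack(self, peer netip.Addr) bool {
	peer = peer.Unmap()
	if !peer.IsValid() || peer.IsPrivate() || peer.IsLoopback() ||
		peer.IsLinkLocalUnicast() || peer.IsUnspecified() {
		return false
	}
	return !sameNetblock(self, peer)
}

func main() {
	// Constructed sample addresses (documentation ranges), not real peers.
	cases := []struct{ self, peer string }{
		{"203.0.113.10", "203.0.200.7"},  // same /16: do not ask
		{"203.0.113.10", "203.1.2.3"},    // different /16: ask
		{"203.0.113.10", "10.0.0.4"},     // private: never ask
		{"2001:db8:1::1", "2001:db8:ffff::2"}, // same /32: do not ask
		{"2001:db8:1::1", "2001:db9::1"},      // different /32: ask
	}
	for _, c := range cases {
		self, peer := netip.MustParseAddr(c.self), netip.MustParseAddr(c.peer)
		fmt.Printf("self=%-14s peer=%-18s sameNetblock=%-5v ask=%v\n",
			self, peer, sameNetblock(self, peer), shouldAskForDialBack(self, peer))
	}
}
```

A real deployment would want the "same announcement" test to consult actual BGP prefix data, as the opening post suggests; fixed /16 and /32 masks are only the approximation the thread settles on.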