-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPFS should not default to doing port scanning #5511
Comments
It's legitimate attempts to connect to IPFS nodes, using addresses it has learned from the DHT. It's not port scanning, not by any definition. We have argued this with many hosters, some have fixed their monitoring, others are stubborn. A few even told us we're not smart enough to grasp their sophisticated "intrusion detection" systems. Whether these local-network addresses should be published to the DHT is something we should seriously reconsider though. My own two cents are that it's rather pointless to publish them there -- a global DHT isn't a good tool for facilitating local connectivity, not when we have mDNS, link-local multicast, etc.
Your four UX suggestions are also worth considering 👍 |
Private addresses should only be published together with at least one corresponding STUN response IP. If your own STUN address is "close", then at least there's a chance in h*** that the private address is reachable. Without this extra information, the probability is x⁻¹, x → ∞. Google runs public STUN servers for ICE. |
Maybe you can use something like https://github.com/ccding/go-stun ? |
I totally concur. Publishing local-network addresses to the global DHT doesn't make sense for the vast majority of go-ipfs users. If there is a strong desire to have seperate IPFS swarms within private networks, then there might be a desire to publish local-network addresses to the DHT but maybe this is better handled with a specific configuration operations? |
Together, these two options should just "do the right thing", no configuration necessary. |
Proposed solution: libp2p/go-libp2p#436 |
Closing in favor of #6932 as it has more (and more accurate) information. |
Regarding issue #1226, #1173, #1433, #4343, #5418, #5473, and also helm/charts#7746 is relevant.
These issues relate to the port scanning / default profile used by ipfs.
This issue is about the current default when running:
issues port scanning traffic. This means that it's highly dangerous for any business to use ipfs. It can cost thousands of dollars in lost revenue to have access revoked by an ISP that reacts to this traffic and misinterprets it as abuse.
The default for ipfs must be one of:
The last option is not really a viable alternative as damage mitigation might happen automatically from the ISPs point of view.
The text was updated successfully, but these errors were encountered: