Go-ipfs: IPFS should not default to doing port scanning

issues port scanning traffic

It's legitimate attempts to connect to IPFS nodes, using addresses it has learned from the DHT. It's not port scanning, not by any definition. We have argued this with many hosters, some have fixed their monitoring, others are stubborn. A few even told us we're not smart enough to grasp their sophisticated "intrusion detection" systems.

Whether these local-network addresses should be published to the DHT is something we should seriously reconsider though. My own two cents are that it's rather pointless to publish them there -- a global DHT isn't a good tool for facilitating local connectivity, not when we have mDNS, link-local multicast, etc.

The default for ipfs must be one of:

Your four UX suggestions are also worth considering :+1:

It's legitimate attempts to connect to IPFS nodes, using addresses it has learned from the DHT. It's not port scanning, not by any definition. We have argued this with many hosters, some have fixed their monitoring, others are stubborn. A few even told us we're not smart enough to grasp their sophisticated "intrusion detection" systems.

Private addresses should only be published together with at least one corresponding STUN response IP. If your own STUN address is "close", then at least there's a chance in h* that the private address is reachable. Without this extra information, the probability is x⁻¹, x → ∞.

Google runs public STUN servers for ICE.

Maybe you can use something like https://github.com/ccding/go-stun ?

Whether these local-network addresses should be published to the DHT is something we should seriously reconsider though. My own two cents are that it's rather pointless to publish them there -- a global DHT isn't a good tool for facilitating local connectivity, not when we have mDNS, link-local multicast, etc.

I totally concur. Publishing local-network addresses to the global DHT doesn't make sense for the vast majority of go-ipfs users.

If there is a strong desire to have seperate IPFS swarms within private networks, then there might be a desire to publish local-network addresses to the DHT but maybe this is better handled with a specific configuration operations?

1. We could, and probably should, create one DHT per distinct private IP network. However, this will require some improvements to our DHT protocol.
2. ~For each peer, we should filter the addresses we advertise to them based on their IP address and the IP/netmask of the interface we're listening on. This is something we can do right now and it should solve the private network use-case. This one should actually be pretty easy.~ This won't work. The gateway is still allowed to route non-routable IPs as long as they don't end up on the public internet. Multiple distinct subnets can be joined.

Together, these two options should just "do the right thing", no configuration necessary.

Proposed solution: https://github.com/libp2p/go-libp2p/issues/436

Closing in favor of https://github.com/ipfs/go-ipfs/issues/6932 as it has more (and more accurate) information.