rippled
Configuration option for advertised IP address
Summary
Occasionally monitoring sites, such as livenet.xrpl.org/network, will show bogon IP addresses for nodes that have publicly routable addresses. I'm not certain why this occurs, but I suspect it happens when a peer on the same LAN reports data for a server, instead of the server self-reporting (since only LAN peers should know a server by its LAN IPv4 address).
Motivation
Broadcasting LAN topographies could have security implications for the network.
Solution
I'm curious if it is possible to add a config option, so a node on the network could inform peers to advertise a specific IPv4 address for the node. That way LAN peers could report public IPv4 addresses instead of bogons.
Paths Not Taken
I've also opened #31 on the Ripple explorer Git.
Adding a config option or an automatic config for this seems like a great security feature. How about we only activate this configuration on nodes that have peers on the same LAN?
e.g.:
- Node A goes online
- Node A connects with a LAN peer (Node B).
- Node A automatically turns this config on for Node B since it's a LAN peer.
- Node A advertises a specific IPv4 address to Node B to avoid advertising a bogon IP address to other nodes.
- Node A is now connected to new peers; Node C and Node D (WAN).
- Other peers will get a normal report as usual since they aren't in the same LAN.
Thoughts?
On further reflection, there could be occasional benefits to activating the configuration on the WAN as well. For example, a server with misconfigured SNAT could connect to other servers using a gateway IPv4 address, rather than the server's own public IPv4 address. In this situation, if other nodes try to connect to the server, their connections will fail if they attempt to connect to the gateway IPv4 rather than the server's IPv4. Having an advertised address for incoming connections would enable peers to connect back to the server, even if the server is only reaching other servers using a gateway's IP.
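As an added example (not rippled's code and not an implementation proposed by anyone in this thread), the following Python sketch models the two sides of what the issue and the comments describe: the advertising node deciding which address to hand a given peer (the LAN-only scheme from the comment, with a switch for the WAN case raised afterwards), and the receiving side refusing to publish or dial a bogon. The names `AdvertisePolicy`, `pick_advertised_address`, `choose_dial_address` and `is_bogon` are hypothetical, and the bogon list is a constructed subset of the well-known non-routable IPv4 ranges rather than a maintained feed.

```python
"""Hypothetical advertised-address policy for a peer-to-peer node.

Added example, not rippled's own code. All names and the bogon list below are
assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed list of non-routable IPv4 ranges (RFC 1918, loopback, link-local,
# CGNAT, multicast, reserved, "this network"). A deployment would use a
# maintained bogon feed instead of a hard-coded list.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr: str) -> bool:
    """True if addr falls in any of the constructed bogon ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


@dataclass
class AdvertisePolicy:
    # Operator-configured public address to advertise, or None to disable.
    advertised: Optional[str] = None
    # False: only LAN peers receive the advertised address (the comment's
    # scheme). True: WAN peers receive it too (the SNAT case in the later reply).
    advertise_to_wan: bool = False


def pick_advertised_address(policy: AdvertisePolicy, local_addr: str,
                            local_net: str, peer_addr: str) -> str:
    """Address Node A tells peer_addr to use when reporting or dialing Node A.

    local_net is the CIDR of the interface the node listens on; a peer whose
    address lies inside it is treated as a LAN peer.
    """
    if policy.advertised is None:
        return local_addr
    # A configured advertised address must itself be globally routable,
    # otherwise the option would simply publish a different bogon.
    if is_bogon(policy.advertised):
        raise ValueError(f"advertised address {policy.advertised} is not routable")
    peer_is_lan = ipaddress.ip_address(peer_addr) in ipaddress.ip_network(local_net)
    if peer_is_lan or policy.advertise_to_wan:
        return policy.advertised
    # WAN peers get the unchanged behaviour: they already see a public source.
    return local_addr


def choose_dial_address(observed_src: str, advertised: Optional[str]) -> Optional[str]:
    """Receiving side: which address to publish for, or connect back to, a peer.

    Prefer a routable advertised address (handles the misconfigured-SNAT case
    where observed_src is a gateway); fall back to the observed source only if
    it is routable; return None rather than propagate a bogon to a crawler.
    """
    if advertised is not None and not is_bogon(advertised):
        return advertised
    if not is_bogon(observed_src):
        return observed_src
    return None


if __name__ == "__main__":
    policy = AdvertisePolicy(advertised="203.0.113.10")
    # LAN peer gets the public address; WAN peer keeps the normal report.
    print(pick_advertised_address(policy, "192.168.1.5", "192.168.1.0/24", "192.168.1.7"))
    print(pick_advertised_address(policy, "192.168.1.5", "192.168.1.0/24", "198.51.100.3"))
    # Crawler-side handling of a bogon report with and without an advertised address.
    print(choose_dial_address("192.168.1.5", None))
    print(choose_dial_address("192.168.1.5", "203.0.113.10"))
```

The check in `pick_advertised_address` that rejects a bogon as the configured value is the part a defender would insist on: the option is only useful if it cannot be used to publish yet another unroutable address.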