MDNS discovery listens on IPv6 global ([::]:5353)
Checklist
- [X] This is a bug report, not a question. Ask questions on discuss.ipfs.io.
- [X] I have searched on the issue tracker for my bug.
- [X] I am running the latest kubo version or have an issue updating.
Installation method
third-party binary
Version
Kubo version: 0.20.0-b8c472500
Repo version: 13
System version: amd64/linux
Golang version: go1.20.4
Config
```json
{
  "API": {
    "HTTPHeaders": {}
  },
  "Addresses": {
    "API": "/ip4/127.0.0.1/tcp/5001",
    "Announce": [],
    "AppendAnnounce": [],
    "Gateway": "/ip4/127.0.0.1/tcp/8080",
    "NoAnnounce": [],
    "Swarm": [
      "/ip4/0.0.0.0/tcp/4001",
      "/ip6/::/tcp/4001",
      "/ip4/0.0.0.0/udp/4001/quic",
      "/ip4/0.0.0.0/udp/4001/quic-v1",
      "/ip4/0.0.0.0/udp/4001/quic-v1/webtransport",
      "/ip6/::/udp/4001/quic",
      "/ip6/::/udp/4001/quic-v1",
      "/ip6/::/udp/4001/quic-v1/webtransport"
    ]
  },
  "AutoNAT": {},
  "Bootstrap": [
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN",
    "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa"
  ],
  "DNS": {
    "Resolvers": {}
  },
  "Datastore": {
    "BloomFilterSize": 0,
    "GCPeriod": "1h",
    "HashOnRead": false,
    "Spec": {
      "mounts": [
        {
          "child": {
            "path": "blocks",
            "shardFunc": "/repo/flatfs/shard/v1/next-to-last/2",
            "sync": true,
            "type": "flatfs"
          },
          "mountpoint": "/blocks",
          "prefix": "flatfs.datastore",
          "type": "measure"
        },
        {
          "child": {
            "compression": "none",
            "path": "datastore",
            "type": "levelds"
          },
          "mountpoint": "/",
          "prefix": "leveldb.datastore",
          "type": "measure"
        }
      ],
      "type": "mount"
    },
    "StorageGCWatermark": 90,
    "StorageMax": "10GB"
  },
  "Discovery": {
    "MDNS": {
      "Enabled": true,
      "Interval": 10
    }
  },
  "Experimental": {
    "AcceleratedDHTClient": true,
    "FilestoreEnabled": false,
    "GraphsyncEnabled": false,
    "Libp2pStreamMounting": true,
    "P2pHttpProxy": false,
    "StrategicProviding": false,
    "UrlstoreEnabled": false
  },
  "Gateway": {
    "APICommands": [],
    "HTTPHeaders": {
      "Access-Control-Allow-Headers": [
        "X-Requested-With",
        "Range",
        "User-Agent"
      ],
      "Access-Control-Allow-Methods": [
        "GET"
      ],
      "Access-Control-Allow-Origin": [
        "*"
      ]
    },
    "NoDNSLink": false,
    "NoFetch": false,
    "PathPrefixes": [],
    "PublicGateways": null,
    "RootRedirect": "",
    "Writable": false
  },
  "Identity": {
    "PeerID": ":)"
  },
  "Internal": {},
  "Ipns": {
    "RecordLifetime": "",
    "RepublishPeriod": "",
    "ResolveCacheSize": 128
  },
  "Migration": {
    "DownloadSources": [],
    "Keep": ""
  },
  "Mounts": {
    "FuseAllowOther": false,
    "IPFS": "/ipfs",
    "IPNS": "/ipns"
  },
  "Peering": {
    "Peers": null
  },
  "Pinning": {
    "RemoteServices": {}
  },
  "Plugins": {
    "Plugins": null
  },
  "Provider": {
    "Strategy": ""
  },
  "Pubsub": {
    "DisableSigning": false,
    "Router": ""
  },
  "Reprovider": {},
  "Routing": {},
  "Swarm": {
    "AddrFilters": null,
    "ConnMgr": {},
    "DisableBandwidthMetrics": false,
    "DisableNatPortMap": false,
    "RelayClient": {},
    "RelayService": {},
    "Transports": {
      "Multiplexers": {},
      "Network": {},
      "Security": {}
    }
  }
}
```
Description
If I run IPFS/kubo with the above config, and run `netstat -nupl`, I can see that IPFS is listening on `:::5353`.
That includes global scope IPv6, i.e. the port is world-wide accessible. I don't know about the security implications of this, but it feels insecure.
It also listens on 0.0.0.0:5353, which may be world-wide accessible without NAT.
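The check described in the report, turned into a small audit script. This is an added example, not code from the issue or from kubo: it scans the `netstat -nupl` layout the reporter used for UDP sockets on port 5353 whose local address is a wildcard (`0.0.0.0` or `::`), which is the condition that makes the mDNS responder reachable on every interface rather than only link-local. The netstat output embedded below is constructed for the example; the PID/program values are placeholders.

```shell
#!/bin/sh
# Added example (not from the kubo issue): flag UDP sockets on port 5353 that are
# bound to a wildcard address, i.e. reachable on every interface, from the
# output layout of `netstat -nupl` as quoted in the report.

# Constructed sample in the layout `netstat -nupl` prints on Linux.
# PID/program values are placeholders; in practice you would feed the real
# command output in instead: wildcard_mdns_sockets "$(netstat -nupl)".
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1234/ipfs
udp        0      0 0.0.0.0:4001            0.0.0.0:*                           1234/ipfs
udp        0      0 127.0.0.53:53           0.0.0.0:*                           456/systemd-resolve
udp6       0      0 :::5353                 :::*                                1234/ipfs
udp6       0      0 ::1:4001                :::*                                1234/ipfs'

# wildcard_mdns_sockets: print "proto local-address program" for each UDP
# socket whose local port is 5353 and whose local address is 0.0.0.0 or ::.
wildcard_mdns_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp6?$/ {
            addr = $4
            # The port is everything after the last ":"; the address is the rest.
            # This keeps IPv6 literals such as ":::5353" intact.
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "5353" && (host == "0.0.0.0" || host == "::"))
                print $1, addr, $NF
        }'
}

# count_wildcard_mdns: number of such sockets, for use in a pass/fail decision.
count_wildcard_mdns() {
    wildcard_mdns_sockets "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
if [ "$(count_wildcard_mdns "$SAMPLE_NETSTAT")" -gt 0 ]; then
    echo "mDNS responder bound to a wildcard address on UDP 5353:"
    wildcard_mdns_sockets "$SAMPLE_NETSTAT"
fi
```

On the sample this reports two sockets, the IPv4 and IPv6 wildcard binds, and ignores the loopback resolver and the swarm port on 4001. A link-local-only responder would show an `fe80::...` or per-interface address in the Local Address column and not be flagged.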
I don't think it's an issue. I don't remember the exact details, whether we randomly generate keys or use PeerID-based encoding. There is no private information on there.
I've only seen mDNS being used for link-local.
We do use it for local. But I don't think it's bad if it is exposed. It's a simple way to listen on all your local addresses if you are in more than one LAN.
`ipfs config profile apply server` (which you probably want to run if you run straight raw on a public IP) turns it off.
Should I close this?
I'll ask other maintainers at our next triage.
@Jorropo we are ready to be asked :-)
Triage notes:
- 5353 is the default port defined in github.com/libp2p/zeroconf
- ..which is used by https://github.com/libp2p/go-libp2p/blob/master/p2p/discovery/mdns/mdns.go
@sukunrt is the default behavior of listening on the global IPv6 namespace an intended behavior, or should/could we lock this down? I think we could only listen on link-local addresses; however, I have seen networks where these are not used (that is rare, though).
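Since the thread's answer for nodes on a public IP is to turn mDNS off (the `server` profile does this), a config-side check complements the socket scan above. This is an added example, not code from the issue or from kubo: it reads `Discovery.MDNS.Enabled` from a config in the one-key-per-line layout that `ipfs config show` prints and reports whether the responder will start. The two config excerpts below are constructed for the example; `ipfs config --json Discovery.MDNS.Enabled false` is the per-key equivalent of what the server profile sets.

```shell
#!/bin/sh
# Added example (not from the kubo issue): report the Discovery.MDNS.Enabled
# setting from a kubo config. The awk scan assumes the one-key-per-line layout
# of `ipfs config show`, as in the config quoted in the report.

# Constructed config excerpt with mDNS on (the reporter's setting).
CONFIG_MDNS_ON='{
  "Discovery": {
    "MDNS": {
      "Enabled": true,
      "Interval": 10
    }
  },
  "Experimental": {
    "FilestoreEnabled": false
  }
}'

# Same excerpt after `ipfs config profile apply server` or
# `ipfs config --json Discovery.MDNS.Enabled false` has turned mDNS off.
CONFIG_MDNS_OFF='{
  "Discovery": {
    "MDNS": {
      "Enabled": false,
      "Interval": 10
    }
  }
}'

# mdns_enabled: print "true" or "false" for the Enabled key inside the MDNS
# object, or "unset" if the key is absent (kubo then applies its default).
mdns_enabled() {
    printf '%s\n' "$1" | awk '
        /"MDNS"[[:space:]]*:/ { in_mdns = 1; next }
        in_mdns && /"Enabled"[[:space:]]*:/ {
            sub(/.*:[[:space:]]*/, "")      # drop the key and the colon
            sub(/[,[:space:]]*$/, "")       # drop a trailing comma
            print; found = 1; exit
        }
        in_mdns && /}/ { in_mdns = 0 }      # left the MDNS object
        END { if (!found) print "unset" }'
}

# audit_mdns: human-readable verdict; non-zero status when mDNS would bind
# UDP 5353 on all addresses, so the function can gate a deployment check.
audit_mdns() {
    case "$(mdns_enabled "$1")" in
        true)  echo "mDNS enabled: responder will listen on UDP 5353 on all addresses"; return 1 ;;
        false) echo "mDNS disabled"; return 0 ;;
        *)     echo "Discovery.MDNS.Enabled not set; kubo default applies"; return 2 ;;
    esac
}

# Stand-alone run over both constructed configs; on a real node use
# audit_mdns "$(ipfs config show)".
audit_mdns "$CONFIG_MDNS_ON" || true
audit_mdns "$CONFIG_MDNS_OFF" || true
```

The scan is deliberately keyed on the `"MDNS"` object so that other keys ending in `Enabled` (such as `FilestoreEnabled` under `Experimental`) are not mistaken for the mDNS switch.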