
Exempt iCloud private relay IP ranges from rate-limiting

Open pnorman opened this issue 1 year ago • 3 comments

iCloud private relay causes users' traffic to exit to the public internet from centralized IPs. This causes a problem for 429 blocking based on request rate on the backend, because many users are coming from the same IP. Looking at the IPs, they come from Akamai and Cloudflare.

This is not just theoretical - 27% of the IPs blocked came from AS36183 or AS13335. A subset of those are from iCloud private relay IPs.

The CIDR ranges are at https://mask-api.icloud.com/egress-ip-ranges.csv

Potential issues

  • the CIDR list is 284k lines long. Aggregating CIDRs cuts this down to 36274. I feel like there may be some gaps in the current list making this substantially worse than it could be - e.g. 2a04:4e41:5e::/60 2a04:4e41:5e:10::/61 2a04:4e41:5e:18::/63 are all in the list, but I bet all of 2a04:4e41:5e is really there. Maybe we can contact them and ask if there's a shorter file which just has the ranges we need to cover, because we don't care about the geographic portion of the current file.
  • Can non-Safari apps use iCloud Private Relay? Preliminary searches in the logs indicate not, but needs verification.

@lonvia, potentially relevant to Nominatim lists too

pnorman avatar Jul 28 '22 09:07 pnorman
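As an added example (not code from the issue or from the operations repo), this shows the processing the post describes: keep only the CIDR column of the egress CSV, collapse adjacent prefixes, and consult the result before counting a request against a per-IP 429 limit. The CSV column layout is assumed (CIDR first, geographic columns after), and the sample rows are constructed from the three v6 prefixes quoted above plus a made-up v4 pair.

```python
import csv
import io
import ipaddress

# Constructed sample in the assumed shape of egress-ip-ranges.csv:
# CIDR, country, region, city, trailing empty column. The three v6 rows are
# the ones quoted in the issue; the v4 rows are documentation-range filler.
SAMPLE_CSV = """\
2a04:4e41:5e::/60,US,US-CA,LOSANGELES,
2a04:4e41:5e:10::/61,US,US-CA,LOSANGELES,
2a04:4e41:5e:18::/63,US,US-CA,LOSANGELES,
192.0.2.0/25,GB,GB-ENG,LONDON,
192.0.2.128/25,GB,GB-ENG,LONDON,
"""

def load_relay_ranges(text):
    """Parse the CSV and keep only the CIDR column; the geography is dropped."""
    nets = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        nets.append(ipaddress.ip_network(row[0].strip(), strict=False))
    return nets

def aggregate(nets):
    """Collapse adjacent/overlapping prefixes per address family.
    collapse_addresses() only merges prefixes that form a complete supernet,
    so the /60 + /61 + /63 run stays as three entries: gaps are not filled."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

class RateLimiter:
    """Per-IP request counter that exempts relay egress ranges instead of 429ing them.
    The linear membership scan is fine for a demo; a production deployment would
    load the collapsed list into a radix tree or the web server's own CIDR matcher."""
    def __init__(self, exempt, limit):
        self.exempt = exempt
        self.limit = limit
        self.counts = {}

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def allow(self, ip):
        if self.is_exempt(ip):
            return True  # shared egress IP: do not rate-limit by address
        self.counts[ip] = self.counts.get(ip, 0) + 1
        return self.counts[ip] <= self.limit
```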

I've looked into this some more. For HTTPS connections, it's only Safari. For HTTP connections, there's the potential for other apps to use it, but I haven't seen this in practice.

I'm still trying to get a CIDR list, but can't find a contact. I might reach out to Cloudflare NOC to see if they have a contact.

pnorman avatar Aug 06 '22 04:08 pnorman

Does the CSV linked under ‘Access IP geolocation feeds https://mask-api.icloud.com/egress-ip-ranges.csv’ provide what you want?

https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/

Jon


-- Jon

jburgess777 avatar Aug 06 '22 11:08 jburgess777


I see from an earlier comment that you found that already

-- Jon

jburgess777 avatar Aug 06 '22 12:08 jburgess777