go-spacemesh

Peering with private IPs

Open ivan4th opened this issue 1 year ago • 0 comments

Description

At the time of this writing, there's a bug in the gater setup code, namely, IPv4/IPv6 address block lists are not initialized: https://github.com/spacemeshos/go-spacemesh/blob/bb31280efa3f286bf020658ac979ff1381a21832/p2p/host.go#L257-L265 This results in dial requests to private IP address ranges, which some cloud providers can interpret as port scans.

After an obvious gater fix, there remains a problem of nodes contacting peers behind the same NAT. This will work via the public IP if the NAT in question supports hairpinning, even though it will cause some back-and-forth traffic through the user's router and also possibly through the ISP, if the user doesn't get a public IP address from the ISP.

As an interim solution, we can suggest that home users set "ip4-blocklist": [], "ip6-blocklist": [] in their config and make sure their routers block traffic to private networks on their WAN interface, but that's a somewhat hacky approach. The proper approach likely involves using dual DHT, one DHT being public and one private, like kubo does.

Steps to reproduce

Run several nodes on the same local network (connected to the Internet)

Actual Behavior

Nodes try to dial peers outside the local network on private IPs. With gater blocking enacted, peers can only talk to other peers on the same local network through NAT hairpinning via the public IP.

Expected Behavior

Nodes never try to dial peers outside the local network on private IPs. Peers in the same local network are dialed based on their private IPs.

Additional Resources

Related kubo issue:

  • ipfs/kubo#6932

Also related:

  • libp2p/go-libp2p#436
  • ipfs/kubo#5511
  • libp2p/go-libp2p#803
  • libp2p/go-libp2p-kad-dht#570

ivan4th, Jan 29 '24 15:01
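The "Expected Behavior" above, written as a dial-time address check. This is an added example using only the Go standard library, not code from go-spacemesh or go-libp2p. The names `AllowDial`, `mustPrefixes` and `containsAddr`, the blocked-range list and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Non-routable ranges a node should not dial across the Internet
// (list chosen for this example, not taken from the project's config).
var blocked = mustPrefixes(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", // RFC 1918 private
	"100.64.0.0/10",          // RFC 6598 carrier-grade NAT
	"169.254.0.0/16",         // IPv4 link-local
	"fc00::/7", "fe80::/10", // IPv6 unique-local and link-local
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	var out []netip.Prefix
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func containsAddr(ps []netip.Prefix, a netip.Addr) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// AllowDial permits a private address only when it lies inside a subnet
// attached to this host; every other blocked-range address is refused.
func AllowDial(raw string, local []netip.Prefix) bool {
	a, err := netip.ParseAddr(raw)
	if err != nil {
		return false // unparsable address: refuse rather than guess
	}
	// Prefix.Contains never matches IPv4-mapped or zoned addresses, so
	// normalise first or "::ffff:10.0.0.1" and "fe80::1%eth0" slip through.
	a = a.Unmap().WithZone("")
	return containsAddr(local, a) || !containsAddr(blocked, a)
}

func main() {
	local := mustPrefixes("192.168.1.0/24") // constructed: this host's LAN
	for _, ip := range []string{"192.168.1.20", "10.1.2.3", "203.0.113.7", "::ffff:172.16.0.9"} {
		fmt.Println(ip, AllowDial(ip, local))
	}
}
```

In a real node the `local` prefixes would come from the host's interface addresses, and the check would run where the connection gater vets outgoing dials.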