Opened 11 months ago

Last modified 11 months ago

#2177 open enhancement

Tunnel Manager blacklist/whitelist should allow ip entries

Reported by: Reportage
Owned by:
Priority: minor
Milestone: undecided
Component: apps/i2ptunnel
Version: 0.9.33
Keywords: security
Cc:
Parent Tickets:

Description

When 'Unique IP per client' is configured for a server tunnel, the resulting unique IP address per remote destination should be usable as the basis for white/blacklisting.

Subtickets:

Change History (1)

comment:1 Changed 11 months ago by str4d

  • Keywords security added; i2ptunnel white/blacklist unique ips removed
  • Milestone changed from 0.9.35 to undecided
  • Priority changed from major to minor
  • Status changed from new to open
  • Type changed from defect to enhancement

Ideally management should be done over Destinations, but the "Unique IP per client" feature is there to enable external programs like fail2ban (or non-HTTP servers that can't be passed the I2P Destination in headers) to manage connections. Given that the available local IP address space (24 bits if the server is listening on local IPv4, 120 bits if the server is listening on local IPv6) is smaller than the possible Destination hash space (256 bits), collisions can (and likely do) happen. So "Unique IP" is a misnomer, but is "fine" for normal server usage (e.g. logging or DoS management).

Using these IP addresses for blacklisting is probably not too much of an issue (it would be overbroad, but so is fail2ban usage like this). However, using them for whitelisting is definitely a bad idea, as it would lead the user to thinking they've whitelisted a single client, when in fact they've whitelisted an entire class. Computing B32 collisions over 24 bits is trivial, and while 120 bits is harder, I highly doubt that many configured servers are using localhost IPv6 instead of localhost IPv4. Maybe this is something we can influence? But probably not reliably.
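An added worked example of the collision cost described in the comment above (editor's code for this page; it is not part of the ticket and not I2P's i2ptunnel code). It assumes a hash-to-address mapping that takes the first 3 bytes of the 256-bit SHA-256 destination hash as the host part of 127.0.0.0/8 (24 host bits); the real i2ptunnel mapping may differ, but any mapping from 256 bits onto 24 bits behaves the same way. "Destinations" are random 32-byte strings standing in for serialized I2P destinations, and the function names (`forge_destination`, `find_any_collision`, `ip_whitelist_allows`, `dest_whitelist_allows`) are hypothetical. The `host_bits` parameter generalizes the 24-bit case so the two searches (a targeted second preimage for a whitelisted client's IP, and a birthday search for any two colliding clients) can be run quickly at a smaller width and their cost scaling observed.

```python
"""Added example (not from the ticket or from I2P's i2ptunnel code): why an
IP-keyed whitelist built on "Unique IP per client" can be defeated.

ASSUMPTION for illustration: the first 3 bytes of the SHA-256 destination
hash become the host part of 127.0.0.0/8 (24 host bits). "Destinations" are
random 32-byte stand-ins for serialized I2P destinations.
"""
import hashlib
import secrets

HOST_BITS_IPV4 = 24  # 127.0.0.0/8: 32 - 8 = 24 host bits, as in the comment


def dest_hash(dest: bytes) -> bytes:
    """The 256-bit destination hash (SHA-256 of the serialized destination)."""
    return hashlib.sha256(dest).digest()


def local_ip_from_hash(h: bytes, host_bits: int = HOST_BITS_IPV4) -> str:
    """Map a destination hash onto 127.0.0.0/8 using its top `host_bits` bits
    (assumed mapping). Widths below 24 exist only to make the demonstrations
    run fast; the search cost scales as 2**host_bits either way."""
    if not 1 <= host_bits <= 24:
        raise ValueError("host_bits must be within 1..24 for 127.0.0.0/8")
    mask = ((1 << host_bits) - 1) << (24 - host_bits)
    host = int.from_bytes(h[:3], "big") & mask
    return f"127.{(host >> 16) & 0xFF}.{(host >> 8) & 0xFF}.{host & 0xFF}"


def forge_destination(target_ip: str, host_bits: int = HOST_BITS_IPV4,
                      max_tries: int = 1 << 26):
    """Second-preimage search: generate fresh destinations until one maps to
    target_ip. Expected cost is 2**host_bits hashes (about 16.7M at 24 bits,
    seconds of CPU), which is what makes IP-keyed whitelisting unsafe.
    Returns (destination, tries), or (None, max_tries) if the budget runs out."""
    for tries in range(1, max_tries + 1):
        cand = secrets.token_bytes(32)  # a real attacker just generates fresh keys
        if local_ip_from_hash(dest_hash(cand), host_bits) == target_ip:
            return cand, tries
    return None, max_tries


def find_any_collision(host_bits: int = HOST_BITS_IPV4, max_clients: int = 1 << 20):
    """Birthday search: draw random clients until two share a local IP.
    Expected ~2**(host_bits/2) clients (about 4096 at 24 bits), which is why
    accidental collisions between honest clients are likely on a busy server.
    Returns (dest_a, dest_b, shared_ip, clients_drawn) or None."""
    seen = {}
    for n in range(1, max_clients + 1):
        d = secrets.token_bytes(32)
        ip = local_ip_from_hash(dest_hash(d), host_bits)
        if ip in seen:
            return seen[ip], d, ip, n
        seen[ip] = d
    return None


def ip_whitelist_allows(allowed_ips: set, client_dest: bytes,
                        host_bits: int = HOST_BITS_IPV4) -> bool:
    """The proposed (unsafe) check: admit a client by its derived local IP."""
    return local_ip_from_hash(dest_hash(client_dest), host_bits) in allowed_ips


def dest_whitelist_allows(allowed_hashes: set, client_dest: bytes) -> bool:
    """The alternative the comment prefers: admit a client by its full 256-bit
    destination hash, which a brute-force search cannot reproduce."""
    return dest_hash(client_dest) in allowed_hashes


if __name__ == "__main__":
    bits = 16  # keeps the run short; set to 24 for the real 127/8 width
    legit = secrets.token_bytes(32)  # the one client the operator meant to allow
    legit_ip = local_ip_from_hash(dest_hash(legit), bits)
    forged, tries = forge_destination(legit_ip, bits)
    print(f"target {legit_ip}: forged a colliding destination after {tries} tries")
    print("IP whitelist admits the forgery:  ", ip_whitelist_allows({legit_ip}, forged, bits))
    print("Destination whitelist admits it:  ", dest_whitelist_allows({dest_hash(legit)}, forged))
    a, b, ip, n = find_any_collision(bits)
    print(f"two honest clients shared {ip} after only {n} clients")
```

Running it with `bits = 24` reproduces the figures from the comment: the targeted search needs on the order of 2^24 hash evaluations (seconds in Python, far less in C), and the birthday search finds two colliding honest clients after a few thousand. The same attack against a 120-bit IPv6 mapping is out of reach, which is the asymmetry the comment points at; a whitelist keyed on the full destination hash needs no such reasoning at all.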
