Opened 4 years ago

Last modified 4 years ago

#2177 open enhancement

Tunnel Manager blacklist/whitelist should allow ip entries

Reported by: Reportage
Owned by:
Priority: minor
Milestone: undecided
Component: apps/i2ptunnel
Version: 0.9.33
Keywords: security
Cc:
Parent Tickets:
Sensitive: no


When 'Unique IP per client' is configured for a server tunnel, the resulting unique IP addresses per remote destination should be able to be used as the basis for white/blacklisting.


Change History (1)

comment:1 Changed 4 years ago by str4d

Keywords: security added; i2ptunnel white/blacklist unique ips removed
Milestone: 0.9.35 → undecided
Priority: major → minor
Status: new → open
Type: defect → enhancement

Ideally management should be done over Destinations, but the "Unique IP per client" feature is there to enable external programs like fail2ban (or non-HTTP servers that can't be passed the I2P Destination in headers) to manage connections. Given that the available local IP address space (24 bits if the server is listening on local IPv4, 120 bits if the server is listening on local IPv6) is smaller than the possible Destination hash space (256 bits), collisions can (and likely do) happen. So "Unique IP" is a misnomer, but is "fine" for normal server usage (e.g. logging or DoS management).

Using these IP addresses for blacklisting is probably not too much of an issue (it would be overbroad, but so is fail2ban usage like this). However, using them for whitelisting is definitely a bad idea, as it would lead the user to thinking they've whitelisted a single client, when in fact they've whitelisted an entire class. Computing B32 collisions over 24 bits is trivial, and while 120 bits is harder, I highly doubt that many configured servers are using localhost IPv6 instead of localhost IPv4. Maybe this is something we can influence? But probably not reliably.
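The collision argument in the comment above can be put into numbers. The following is an added example, not code from the ticket or from i2ptunnel: it assumes an illustrative mapping that folds a 256-bit destination hash into the 24 host bits of 127.0.0.0/8 (i2ptunnel's real derivation may differ), then applies the birthday bound to the 24-bit and 120-bit cases and simulates random destinations to show how soon two distinct clients share one "unique" local IP. The function names and the sample hashes are constructed for this example.

```python
import hashlib
import math
import random
from ipaddress import IPv4Address
from typing import Optional

# Host-bit widths named in the ticket: 127.0.0.0/8 leaves 24 bits, a local
# IPv6 /8 leaves 120 bits. The 256-bit figure is the destination hash width.
LOOPBACK_V4_BITS = 24
LOOPBACK_V6_BITS = 120
DEST_HASH_BITS = 256


def dest_hash_to_local_ipv4(dest_hash: bytes) -> str:
    """Assumed scheme (not i2ptunnel's own): keep the first 3 bytes of the
    32-byte destination hash as the host part of a 127.x.y.z address.
    Whatever the real scheme is, only 24 bits of the 256 can survive."""
    assert len(dest_hash) == DEST_HASH_BITS // 8
    host_bits = int.from_bytes(dest_hash[:3], "big")
    return str(IPv4Address((127 << 24) | host_bits))


def expected_colliding_pairs(n_clients: int, space_bits: int) -> float:
    """Birthday estimate: expected number of client pairs that share a local IP."""
    return (n_clients * (n_clients - 1) / 2) / 2 ** space_bits


def clients_for_half_chance(space_bits: int) -> float:
    """Approximate number of distinct clients after which a shared local IP
    is more likely than not (sqrt(2 ln 2 * 2^bits))."""
    return math.sqrt(2 * math.log(2) * 2 ** space_bits)


def first_collision_index(max_clients: int, seed: int = 1) -> Optional[int]:
    """Simulate random destinations (constructed data) and return the index of
    the first client whose local IPv4 was already assigned to another client."""
    rng = random.Random(seed)
    seen = {}
    for i in range(max_clients):
        dest_hash = hashlib.sha256(rng.randbytes(32)).digest()
        ip = dest_hash_to_local_ipv4(dest_hash)
        if ip in seen:
            return i
        seen[ip] = i
    return None


def whitelist_admits(whitelisted_ips, dest_hash: bytes) -> bool:
    """An IP-keyed whitelist admits every destination that folds to that IP,
    which is the overbroad behaviour the comment warns about."""
    return dest_hash_to_local_ipv4(dest_hash) in whitelisted_ips


if __name__ == "__main__":
    # Two constructed destination hashes that agree in their first 3 bytes only.
    intended_client = bytes([0, 0, 1]) + b"\x00" * 29
    other_client = bytes([0, 0, 1]) + b"\xff" * 29
    allow = {dest_hash_to_local_ipv4(intended_client)}
    print("whitelisted IP:", allow)
    print("other client admitted:", whitelist_admits(allow, other_client))
    print("24-bit space: ~%.0f clients for a 50%% collision chance"
          % clients_for_half_chance(LOOPBACK_V4_BITS))
    print("120-bit space: ~%.2e clients for a 50%% collision chance"
          % clients_for_half_chance(LOOPBACK_V6_BITS))
    print("first simulated collision at client index:",
          first_collision_index(50000))
```

The 24-bit result lands in the low thousands of clients, which is why the comment treats IP-based blacklisting as merely overbroad but IP-based whitelisting as unsafe: the whitelist entry covers a whole class of destinations, not the one the operator meant. The 120-bit figure is astronomically larger, matching the remark that local IPv6 would be much harder to collide.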
