
support an operation mode that doesn't dial private IP addresses #121

Open
willscott opened this issue Feb 25, 2023 · 6 comments

@willscott
Contributor

There are reports from operators of Netscan detected and similar.

This is also present in IPFS nodes, and often comes from attempts to dial peers that have private-space IP addresses
(in this case the data center observed the VM attempting to dial into the 192.168.x.x and 10.x.x.x spaces).

  • There shouldn't be any multiaddrs returned from the indexer that are in these private address spaces (they are filtered out).
  • Perhaps upon connecting to peers as part of identify we learn the other addresses they claim to be listening on, and subsequent dials may attempt those?

This is likely a libp2p configuration tweak. We may want help from libp2p stewards to identify what the optimal configuration will be to limit our exposure to triggering this sort of issue.

@aschmahmann

You can just use a go-libp2p connection gater. Here are the address ranges you probably want to filter: https://github.com/ipfs/kubo/blob/4283b9d98f8438fc8751ccc840d8fc24eeae6f13/config/profile.go#L27. Here is the addressfilter connection gater used in kubo: https://github.com/ipfs/kubo/blob/4283b9d98f8438fc8751ccc840d8fc24eeae6f13/core/node/libp2p/addrs.go#L13. go-libp2p might have some other builtins that you can use, though; I don't recall what the latest is there.

@hannahhoward
Collaborator

Do we need further action here?

@hannahhoward
Collaborator

Essentially, should we apply the setup @aschmahmann referenced above, @willscott?

@willscott
Contributor Author

correct

@willscott
Contributor Author

@hannahhoward is this done?

@rvagg
Member

rvagg commented Sep 29, 2023

I don't believe this is done. It shouldn't be too hard, but we should only be doing this when the user doesn't give us explicit `--providers`, because local peers are a legitimate case. Added to the board to get it done shortly.
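
An added example, not part of the thread or of the project's code: the dial decision discussed above (skip private-space addresses unless the user named the provider explicitly), written with only the Go standard library. The blocked ranges, the textual multiaddr parsing, and the names `allowDial`, `ipOf` and `explicitProvider` are assumptions for illustration; in go-libp2p the same check would sit in a connection gater's `InterceptAddrDial`.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed for this example (not copied from kubo's profile): ranges to
// block in addition to what netip.Addr.IsPrivate covers (RFC 1918, fc00::/7).
var extraBlocked = []netip.Prefix{
	netip.MustParsePrefix("100.64.0.0/10"), // carrier-grade NAT (RFC 6598)
}

// ipOf extracts the IP from a textual multiaddr such as "/ip4/10.0.0.1/tcp/4001".
func ipOf(maddr string) (netip.Addr, bool) {
	parts := strings.Split(maddr, "/")
	if len(parts) < 3 || (parts[1] != "ip4" && parts[1] != "ip6") {
		return netip.Addr{}, false
	}
	ip, err := netip.ParseAddr(parts[2])
	return ip.Unmap(), err == nil
}

// allowDial reports whether an address may be dialed. Addresses the user
// supplied explicitly are always allowed, since local peers are legitimate.
func allowDial(maddr string, explicitProvider bool) bool {
	if explicitProvider {
		return true
	}
	ip, ok := ipOf(maddr)
	if !ok {
		return true // e.g. /dns4/...: must be checked again after resolution
	}
	if ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
		return false
	}
	for _, p := range extraBlocked {
		if p.Contains(ip) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample addresses; 203.0.113.5 stands in for a public peer.
	for _, a := range []string{"/ip4/192.168.1.20/tcp/4001", "/ip4/10.0.3.7/udp/4001/quic-v1", "/ip4/203.0.113.5/tcp/4001"} {
		fmt.Println(a, allowDial(a, false))
	}
}
```

The check applies to every address considered for dialing, including those learned from a peer through identify, not only those returned by the indexer.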
