manager: Expose option to forbid dialing private IP addresses

[lexnv]

This PR exposes an option to forbid or allow dialing private IP addresses.

For test networks started locally, it is recommended to use private IP addresses to establish connections.

However, for running production validators, the validator node should never attempt to dial a private IP address.
This behavior can be detected by some cloud providers as port scanning. The downstream effect of that depends on the cloud provider, but most likely, the node will become unreachable or the instance will be terminated.

Before this PR, litep2p might receive a local (private) IP address on either the Kademlia or the Identify protocol from a libp2p node. Now, the transport manager will not forward the dialing request to the installed protocols if the private IP option is disabled.

This may be the case of paritytech/polkadot-sdk#8915, where a node operator running a validator using litep2p on the Polkadot network loses connectivity after a few days.

Closes: paritytech/polkadot-sdk#8631

Next Steps

• Wait for further information to be provided by the node operator
• Ensure the PR is properly tested locally, in versi-net and on kusama validators

[dmitry-markin]

One consequence might be that mDNS won't work with IpDialingMode::GlobalOnly, because multicast addresses are not considered global.

Actually, this brings us back to the discussion of Kademlia manual routing table update mode — ideally, private IPs should not be added to the local routing table (and distributed further) in the first place, and this can be done completely in client code (polkadot-sdk) like it's done with libp2p backend. Just one thing to consider is we should also ensure we don't add private addresses to the transport manager. This way we will "fail early" and not even try to dial such peers.

[dmitry-markin]

One consequence might be that mDNS won't work with IpDialingMode::GlobalOnly, because multicast addresses are not considered global.

This is not the case luckily — mDNS directly uses UDP sockets instead of relying on TransportManager:

litep2p/src/protocol/mdns.rs

Line 129 in 8618470

let socket = Socket::new(Domain::IPV4, Type::DGRAM, Some(Protocol::UDP))?;

[dmitry-markin]

This will leak addresses like /dns4/10.10.10.10/tcp/30333/..., and also dns records can point to local IP addresses.

[dmitry-markin]

Currently we check if the address is global two times — in TransportManagerHandle, and later in TransportManager. May be it's enough to keep the check only in one place?

[lexnv]

Indeed, we could keep the check in TransportManager. I think I wanted to propagate the dial error as soon as possible (not entirely sure since itsbeen a while)

[la10736]

What about this PR? This issue is still present on polkadot nodes.

[lexnv]

Hey @la10736, we reprioritized the efforts towards a high-priority objective. I'll handle this in the following few weeks as this is still important 🙏

[lexnv]

From the testing done locally with a patched polkadot binary, this PR ensures that no dials will be made on private IP addresses.

This was tested similarly to the linked issue above netstat -nputw | grep -E "10\.|\(172\.16\|192\.168\)"