I talked with @jacobheun a while ago about autonat and he mentioned that when considering autonat responses we should ensure that we don't accept multiple responses from different peers in the same network segment. This is to prevent an attack whereby an attacker could trivially spin up multiple nodes on the same host or service provider, trick you into trying to use them for autonat which may then give them control over what you think is your external address.
This isn't in the spec, which does mention some specific mitigations for other attacks.
Should it be added? If so, what is the behaviour of existing implementations around this?
Would something like the first octet of their IP being different be sufficient?
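One way to implement the "at most one vote per network segment" rule, as an added example that is not part of the original issue or of any libp2p implementation. It assumes a /24 prefix for IPv4 and /48 for IPv6 as the segment boundary; the "first octet" idea from the issue corresponds to /8, and the prefix lengths are parameters so both can be compared. The response type, the sample peer IDs and the sample addresses (all from documentation ranges) are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// DialResponse is a constructed stand-in for one AutoNAT dial-back result;
// it is not the libp2p message type.
type DialResponse struct {
	PeerID    string     // responder's peer ID (constructed sample values)
	Addr      netip.Addr // address the responder connected from
	Reachable bool       // true if the responder reported a successful dial-back
}

// Verdict is the reachability conclusion drawn from the collected responses.
type Verdict int

const (
	Unknown Verdict = iota // not enough distinct-segment responses yet
	Public                 // majority of distinct segments could dial us back
	Private                // majority of distinct segments could not
)

// segmentOf maps an address to the network segment it belongs to,
// using v4Bits for IPv4 and v6Bits for IPv6. IPv4-mapped IPv6 addresses
// are unmapped first so they are grouped with plain IPv4 responders.
func segmentOf(a netip.Addr, v4Bits, v6Bits int) (netip.Prefix, error) {
	a = a.Unmap()
	bits := v6Bits
	if a.Is4() {
		bits = v4Bits
	}
	return a.Prefix(bits)
}

// CountDistinctSegments tallies reachable and unreachable votes while
// counting at most one response per network segment. The first response
// seen in a segment wins; later ones (and unparsable prefixes) are discarded,
// so an attacker with many nodes behind one prefix still gets one vote.
func CountDistinctSegments(resps []DialResponse, v4Bits, v6Bits int) (reachable, unreachable, discarded int) {
	seen := make(map[netip.Prefix]bool)
	for _, r := range resps {
		seg, err := segmentOf(r.Addr, v4Bits, v6Bits)
		if err != nil || seen[seg] {
			discarded++
			continue
		}
		seen[seg] = true
		if r.Reachable {
			reachable++
		} else {
			unreachable++
		}
	}
	return reachable, unreachable, discarded
}

// Decide returns a verdict only once `threshold` distinct-segment responses
// have been collected; ties stay Unknown rather than guessing.
func Decide(resps []DialResponse, threshold, v4Bits, v6Bits int) Verdict {
	reach, unreach, _ := CountDistinctSegments(resps, v4Bits, v6Bits)
	if reach+unreach < threshold {
		return Unknown
	}
	switch {
	case reach > unreach:
		return Public
	case unreach > reach:
		return Private
	default:
		return Unknown
	}
}

// SampleResponses is constructed input: three "reachable" responders packed
// into one /24, one more in the same /8 but a different /24, two honest
// "unreachable" responders elsewhere, and two IPv6 responders in one /48.
func SampleResponses() []DialResponse {
	return []DialResponse{
		{"peerA", netip.MustParseAddr("203.0.113.10"), true},
		{"peerB", netip.MustParseAddr("203.0.113.11"), true},
		{"peerC", netip.MustParseAddr("203.0.113.12"), true},
		{"peerD", netip.MustParseAddr("203.0.200.5"), true},
		{"peerE", netip.MustParseAddr("198.51.100.7"), false},
		{"peerF", netip.MustParseAddr("192.0.2.9"), false},
		{"peerG", netip.MustParseAddr("2001:db8:1::5"), true},
		{"peerH", netip.MustParseAddr("2001:db8:1:abcd::9"), true},
	}
}

func main() {
	resps := SampleResponses()
	for _, cfg := range [][2]int{{24, 48}, {8, 32}} {
		r, u, d := CountDistinctSegments(resps, cfg[0], cfg[1])
		fmt.Printf("/%d,/%d: reachable=%d unreachable=%d discarded=%d verdict=%v\n",
			cfg[0], cfg[1], r, u, d, Decide(resps, 4, cfg[0], cfg[1]))
	}
}
```

Running it with the constructed sample shows why the segment granularity matters: at /24 and /48 the eight responses collapse to five votes (3 reachable, 2 unreachable) and the verdict is Public, while at /8 (the "first octet" rule, with /32 assumed for IPv6) the same responses collapse to four votes that tie 2 to 2, so no verdict is reached. The coarser the prefix, the fewer distinct votes an attacker can manufacture from one provider, but also the fewer honest votes a node can collect, which is the trade-off the issue is asking about.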