Why are 0.0.0.0/8 and ::/128 are included?

[daenney]

Is it possible to remove 0.0.0.0/8 and ::/128 from the IPvXSpecialPurpose slices?

[daenney]

I spent a bit of time digging into whether 0.0.0.0/8 and ::/128 could be removed from the list. Turns out we can't, because they actually go places we don't want them to go.

Connecting to either of 0.0.0.0 and [::] works. The addresses aren't valid destination addresses and as such sending it out of this machine wouldn't be valid and the OS should ensure that doesn't happen. In the case of Linux at least, this results in localhost being copied into the destination address instead, resulting in it being functionally equivalent to 127.0.0.1 or ::1 and the packet being sent out through the loopback interface. As such, if a DNS lookup of a name would return 0.0.0.0 for an A-record or :: for AAAA, you could be tricked into connecting to localhost.

An address like 0.0.0.1 gets weirder as that one makes it out of your box and onto the network at least in the case of Linux. Arguably this shouldn't happen and I would expect the same to apply as with 0.0.0.0/32 for any address in 0.0.0.0/8 as IANA has recorded that range as both invalid as a destination address and not forwardable. In this case the next hop (either your switch or a router) should return an ICMP Destination Unreachable but switches might still forward this along to the edge of the network. This shouldn't be harmful, but it's useless so we might as well not let it happen.

It's currently unclear to me how Free|Open|NetBSD behave in these cases, or what macOS or Windows do. Best not take to take any chances and just keep them in the IPvXSpecialPurpose set ensuring we don't even allow the dial to take place. It's one more entry to check, I'm sure we'll survive.

You can try all of this yourself with a simple snippet like the following and observing your network traffic with Wireguard:

package main

import (
	"fmt"
	"net"

	"code.dny.dev/ssrf"
)

func main() {
	fmt.Println(regularDial("0.0.0.1:443"))
	fmt.Println(safeDial("0.0.0.1:443"))
}

func regularDial(address string) error {
	conn, err := net.Dial("tcp", "0.0.0.1:443")
	if err == nil {
		conn.Close()
	}
	return err
}

func safeDial(address string) error {
	dialer := &net.Dialer{
		Control: ssrf.New().Safe,
	}

	conn, err := dialer.Dial("tcp", "0.0.0.1:443")
	if err == nil {
		conn.Close()
	}
	return err
}

dial tcp 0.0.0.1:443: connect: connection refused
dial tcp 0.0.0.1:443: 0.0.0.1 is not a permitted destination: prohibited IP address

In the case of regularDial wireshark will show packets being sent out with your box's source address, whereas with the safeDial nothing will happen.

[daenney]

This has changed slightly now that #14 has landed. We no longer check for ::/128 since it falls outside of the global unicast range.