bdns, policy: Move reserved IP checking from bdns to policy & refactor (#8196)

Move `IsReservedIP` and its supporting vars from `bdns` to `policy`.

Rewrite `IsReservedIP` to:
* Use `netip` because `netip.Prefix` can be used as a map key, allowing
us to define prefix lists more elegantly. This will enable future work
to import prefix lists from IANA's primary source data.
* Return an error including the reserved network's name.

Refactor `IsReservedIP` tests to be table-based.

Fixes #8040

Author: jprenken

bdns/dns.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"slices"
 	"strconv"
@@ -23,83 +24,7 @@ import (
 	"github.com/letsencrypt/boulder/features"
 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/metrics"
-)
-
-func parseCidr(network string, comment string) net.IPNet {
-	_, net, err := net.ParseCIDR(network)
-	if err != nil {
-		panic(fmt.Sprintf("error parsing %s (%s): %s", network, comment, err))
-	}
-	return *net
-}
-
-var (
-	// TODO(#8040): Rebuild these as structs that track the structure of IANA's
-	// CSV files, for better automated handling.
-	//
-	// Private CIDRs to ignore. Sourced from:
-	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
-	privateV4Networks = []net.IPNet{
-		parseCidr("0.0.0.0/8", "RFC 791, Section 3.2: This network"),
-		parseCidr("0.0.0.0/32", "RFC 1122, Section 3.2.1.3: This host on this network"),
-		parseCidr("10.0.0.0/8", "RFC 1918: Private-Use"),
-		parseCidr("100.64.0.0/10", "RFC 6598: Shared Address Space"),
-		parseCidr("127.0.0.0/8", "RFC 1122, Section 3.2.1.3: Loopback"),
-		parseCidr("169.254.0.0/16", "RFC 3927: Link Local"),
-		parseCidr("172.16.0.0/12", "RFC 1918: Private-Use"),
-		parseCidr("192.0.0.0/24", "RFC 6890, Section 2.1: IETF Protocol Assignments"),
-		parseCidr("192.0.0.0/29", "RFC 7335: IPv4 Service Continuity Prefix"),
-		parseCidr("192.0.0.8/32", "RFC 7600: IPv4 dummy address"),
-		parseCidr("192.0.0.9/32", "RFC 7723: Port Control Protocol Anycast"),
-		parseCidr("192.0.0.10/32", "RFC 8155: Traversal Using Relays around NAT Anycast"),
-		parseCidr("192.0.0.170/32", "RFC 8880 & RFC 7050, Section 2.2: NAT64/DNS64 Discovery"),
-		parseCidr("192.0.0.171/32", "RFC 8880 & RFC 7050, Section 2.2: NAT64/DNS64 Discovery"),
-		parseCidr("192.0.2.0/24", "RFC 5737: Documentation (TEST-NET-1)"),
-		parseCidr("192.31.196.0/24", "RFC 7535: AS112-v4"),
-		parseCidr("192.52.193.0/24", "RFC 7450: AMT"),
-		parseCidr("192.88.99.0/24", "RFC 7526: Deprecated (6to4 Relay Anycast)"),
-		parseCidr("192.168.0.0/16", "RFC 1918: Private-Use"),
-		parseCidr("192.175.48.0/24", "RFC 7534: Direct Delegation AS112 Service"),
-		parseCidr("198.18.0.0/15", "RFC 2544: Benchmarking"),
-		parseCidr("198.51.100.0/24", "RFC 5737: Documentation (TEST-NET-2)"),
-		parseCidr("203.0.113.0/24", "RFC 5737: Documentation (TEST-NET-3)"),
-		parseCidr("240.0.0.0/4", "RFC1112, Section 4: Reserved"),
-		parseCidr("255.255.255.255/32", "RFC 8190 & RFC 919, Section 7: Limited Broadcast"),
-		// 224.0.0.0/4 are multicast addresses as per RFC 3171. They are not
-		// present in the IANA registry.
-		parseCidr("224.0.0.0/4", "RFC 3171: Multicast Addresses"),
-	}
-	// Sourced from:
-	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
-	privateV6Networks = []net.IPNet{
-		parseCidr("::/128", "RFC 4291: Unspecified Address"),
-		parseCidr("::1/128", "RFC 4291: Loopback Address"),
-		parseCidr("::ffff:0:0/96", "RFC 4291: IPv4-mapped Address"),
-		parseCidr("64:ff9b::/96", "RFC 6052: IPv4-IPv6 Translat."),
-		parseCidr("64:ff9b:1::/48", "RFC 8215: IPv4-IPv6 Translat."),
-		parseCidr("100::/64", "RFC 6666: Discard-Only Address Block"),
-		parseCidr("2001::/23", "RFC 2928: IETF Protocol Assignments"),
-		parseCidr("2001::/32", "RFC 4380 & RFC 8190: TEREDO"),
-		parseCidr("2001:1::1/128", "RFC 7723: Port Control Protocol Anycast"),
-		parseCidr("2001:1::2/128", "RFC 8155: Traversal Using Relays around NAT Anycast"),
-		parseCidr("2001:1::3/128", "RFC-ietf-dnssd-srp-25: DNS-SD Service Registration Protocol Anycast"),
-		parseCidr("2001:2::/48", "RFC 5180 & RFC Errata 1752: Benchmarking"),
-		parseCidr("2001:3::/32", "RFC 7450: AMT"),
-		parseCidr("2001:4:112::/48", "RFC 7535: AS112-v6"),
-		parseCidr("2001:10::/28", "RFC 4843: Deprecated (previously ORCHID)"),
-		parseCidr("2001:20::/28", "RFC 7343: ORCHIDv2"),
-		parseCidr("2001:30::/28", "RFC 9374: Drone Remote ID Protocol Entity Tags (DETs) Prefix"),
-		parseCidr("2001:db8::/32", "RFC 3849: Documentation"),
-		parseCidr("2002::/16", "RFC 3056: 6to4"),
-		parseCidr("2620:4f:8000::/48", "RFC 7534: Direct Delegation AS112 Service"),
-		parseCidr("3fff::/20", "RFC 9637: Documentation"),
-		parseCidr("5f00::/16", "RFC 9602: Segment Routing (SRv6) SIDs"),
-		parseCidr("fc00::/7", "RFC 4193 & RFC 8190: Unique-Local"),
-		parseCidr("fe80::/10", "RFC 4291: Link-Local Unicast"),
-		// ff00::/8 are multicast addresses as per RFC 4291, Sections 2.4 & 2.7.
-		// They are not present in the IANA registry.
-		parseCidr("ff00::/8", "RFC 4291: Multicast Addresses"),
-	}
+	"github.com/letsencrypt/boulder/policy"
 )
 
 // ResolverAddrs contains DNS resolver(s) that were chosen to perform a
@@ -432,24 +357,6 @@ func (dnsClient *impl) LookupTXT(ctx context.Context, hostname string) ([]string
 	return txt, ResolverAddrs{resolver}, err
 }
 
-func isPrivateV4(ip net.IP) bool {
-	for _, net := range privateV4Networks {
-		if net.Contains(ip) {
-			return true
-		}
-	}
-	return false
-}
-
-func isPrivateV6(ip net.IP) bool {
-	for _, net := range privateV6Networks {
-		if net.Contains(ip) {
-			return true
-		}
-	}
-	return false
-}
-
 func (dnsClient *impl) lookupIP(ctx context.Context, hostname string, ipType uint16) ([]dns.RR, string, error) {
 	resp, resolver, err := dnsClient.exchangeOne(ctx, hostname, ipType)
 	switch ipType {
@@ -474,6 +381,9 @@ func (dnsClient *impl) lookupIP(ctx context.Context, hostname string, ipType uin
 // chase CNAME/DNAME aliases and return relevant records. It will retry
 // requests in the case of temporary network errors. It returns an error if
 // both the A and AAAA lookups fail or are empty, but succeeds otherwise.
+//
+// TODO(#5925): Changing from net.IP to netip.Addr could start from here
+// outwards.
 func (dnsClient *impl) LookupHost(ctx context.Context, hostname string) ([]net.IP, ResolverAddrs, error) {
 	var recordsA, recordsAAAA []dns.RR
 	var errA, errAAAA error
@@ -502,8 +412,11 @@ func (dnsClient *impl) LookupHost(ctx context.Context, hostname string) ([]net.I
 		for _, answer := range recordsA {
 			if answer.Header().Rrtype == dns.TypeA {
 				a, ok := answer.(*dns.A)
-				if ok && a.A.To4() != nil && (!isPrivateV4(a.A) || dnsClient.allowRestrictedAddresses) {
-					addrsA = append(addrsA, a.A)
+				if ok && a.A.To4() != nil {
+					netIP, ok := netip.AddrFromSlice(a.A)
+					if ok && (policy.IsReservedIP(netIP) == nil || dnsClient.allowRestrictedAddresses) {
+						addrsA = append(addrsA, a.A)
+					}
 				}
 			}
 		}
@@ -517,8 +430,11 @@ func (dnsClient *impl) LookupHost(ctx context.Context, hostname string) ([]net.I
 		for _, answer := range recordsAAAA {
 			if answer.Header().Rrtype == dns.TypeAAAA {
 				aaaa, ok := answer.(*dns.AAAA)
-				if ok && aaaa.AAAA.To16() != nil && (!isPrivateV6(aaaa.AAAA) || dnsClient.allowRestrictedAddresses) {
-					addrsAAAA = append(addrsAAAA, aaaa.AAAA)
+				if ok && aaaa.AAAA.To16() != nil {
+					netIP, ok := netip.AddrFromSlice(aaaa.AAAA)
+					if ok && (policy.IsReservedIP(netIP) == nil || dnsClient.allowRestrictedAddresses) {
+						addrsAAAA = append(addrsAAAA, aaaa.AAAA)
+					}
 				}
 			}
 		}
@@ -686,20 +602,3 @@ func (d *dohExchanger) Exchange(query *dns.Msg, server string) (*dns.Msg, time.D
 
 	return response, d.clk.Since(start), nil
 }
-
-// IsReservedIP reports whether an IP address is part of a reserved range.
-//
-// TODO(#7311): Once we're fully ready to issue for IP address identifiers, dev
-// environments should have a way to bypass this check for their own Private-Use
-// IP addresses. Maybe plumb the DNSAllowLoopbackAddresses feature flag through
-// to here.
-//
-// TODO(#8040): Move this and its dependencies into the policy package. As part
-// of this, consider changing it to return an error and/or the description of
-// the reserved network.
-func IsReservedIP(ip net.IP) bool {
-	if ip.To4() == nil {
-		return isPrivateV6(ip)
-	}
-	return isPrivateV4(ip)
-}

bdns/dns_test.go

@@ -487,37 +487,6 @@ caa.example.com.	0	IN	CAA	1 issue "letsencrypt.org"
 	test.AssertEquals(t, resolvers[0], "127.0.0.1:4053")
 }
 
-func TestIsPrivateIP(t *testing.T) {
-	test.Assert(t, isPrivateV4(net.ParseIP("127.0.0.1")), "should be private")
-	test.Assert(t, isPrivateV4(net.ParseIP("192.168.254.254")), "should be private")
-	test.Assert(t, isPrivateV4(net.ParseIP("10.255.0.3")), "should be private")
-	test.Assert(t, isPrivateV4(net.ParseIP("172.16.255.255")), "should be private")
-	test.Assert(t, isPrivateV4(net.ParseIP("172.31.255.255")), "should be private")
-	test.Assert(t, !isPrivateV4(net.ParseIP("128.0.0.1")), "should be private")
-	test.Assert(t, !isPrivateV4(net.ParseIP("192.169.255.255")), "should not be private")
-	test.Assert(t, !isPrivateV4(net.ParseIP("9.255.0.255")), "should not be private")
-	test.Assert(t, !isPrivateV4(net.ParseIP("172.32.255.255")), "should not be private")
-
-	test.Assert(t, isPrivateV6(net.ParseIP("::0")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("::1")), "should be private")
-	test.Assert(t, !isPrivateV6(net.ParseIP("::2")), "should not be private")
-
-	test.Assert(t, isPrivateV6(net.ParseIP("fe80::1")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("febf::1")), "should be private")
-	test.Assert(t, !isPrivateV6(net.ParseIP("fec0::1")), "should not be private")
-	test.Assert(t, !isPrivateV6(net.ParseIP("feff::1")), "should not be private")
-
-	test.Assert(t, isPrivateV6(net.ParseIP("ff00::1")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("ff10::1")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")), "should be private")
-
-	test.Assert(t, isPrivateV6(net.ParseIP("2002::")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("0100::")), "should be private")
-	test.Assert(t, isPrivateV6(net.ParseIP("0100::0000:ffff:ffff:ffff:ffff")), "should be private")
-	test.Assert(t, !isPrivateV6(net.ParseIP("0100::0001:0000:0000:0000:0000")), "should be private")
-}
-
 type testExchanger struct {
 	sync.Mutex
 	count int

cmd/boulder-va/main.go

@@ -10,6 +10,7 @@ import (
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/features"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
+	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/va"
 	vaConfig "github.com/letsencrypt/boulder/va/config"
 	vapb "github.com/letsencrypt/boulder/va/proto"
@@ -152,7 +153,7 @@ func main() {
 		c.VA.AccountURIPrefixes,
 		va.PrimaryPerspective,
 		"",
-		bdns.IsReservedIP)
+		policy.IsReservedIP)
 	cmd.FailOnError(err, "Unable to create VA server")
 
 	start, err := bgrpc.NewServer(c.VA.GRPC, logger).Add(

cmd/remoteva/main.go

@@ -11,6 +11,7 @@ import (
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/features"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
+	"github.com/letsencrypt/boulder/policy"
 	"github.com/letsencrypt/boulder/va"
 	vaConfig "github.com/letsencrypt/boulder/va/config"
 	vapb "github.com/letsencrypt/boulder/va/proto"
@@ -141,7 +142,7 @@ func main() {
 		c.RVA.AccountURIPrefixes,
 		c.RVA.Perspective,
 		c.RVA.RIR,
-		bdns.IsReservedIP)
+		policy.IsReservedIP)
 	cmd.FailOnError(err, "Unable to create Remote-VA server")
 
 	start, err := bgrpc.NewServer(c.RVA.GRPC, logger).Add(

policy/ip.go

@@ -0,0 +1,93 @@
+package policy
+
+import (
+	"fmt"
+	"net/netip"
+)
+
+var (
+	// TODO(#8080): Rebuild these as structs that track the structure of IANA's
+	// CSV files, for better automated handling.
+	//
+	// Private CIDRs to ignore. Sourced from:
+	// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+	privateV4Prefixes = map[netip.Prefix]string{
+		netip.MustParsePrefix("0.0.0.0/8"):          "RFC 791, Section 3.2: This network",
+		netip.MustParsePrefix("0.0.0.0/32"):         "RFC 1122, Section 3.2.1.3: This host on this network",
+		netip.MustParsePrefix("10.0.0.0/8"):         "RFC 1918: Private-Use",
+		netip.MustParsePrefix("100.64.0.0/10"):      "RFC 6598: Shared Address Space",
+		netip.MustParsePrefix("127.0.0.0/8"):        "RFC 1122, Section 3.2.1.3: Loopback",
+		netip.MustParsePrefix("169.254.0.0/16"):     "RFC 3927: Link Local",
+		netip.MustParsePrefix("172.16.0.0/12"):      "RFC 1918: Private-Use",
+		netip.MustParsePrefix("192.0.0.0/24"):       "RFC 6890, Section 2.1: IETF Protocol Assignments",
+		netip.MustParsePrefix("192.0.0.0/29"):       "RFC 7335: IPv4 Service Continuity Prefix",
+		netip.MustParsePrefix("192.0.0.8/32"):       "RFC 7600: IPv4 dummy address",
+		netip.MustParsePrefix("192.0.0.9/32"):       "RFC 7723: Port Control Protocol Anycast",
+		netip.MustParsePrefix("192.0.0.10/32"):      "RFC 8155: Traversal Using Relays around NAT Anycast",
+		netip.MustParsePrefix("192.0.0.170/32"):     "RFC 8880 & RFC 7050, Section 2.2: NAT64/DNS64 Discovery",
+		netip.MustParsePrefix("192.0.0.171/32"):     "RFC 8880 & RFC 7050, Section 2.2: NAT64/DNS64 Discovery",
+		netip.MustParsePrefix("192.0.2.0/24"):       "RFC 5737: Documentation (TEST-NET-1)",
+		netip.MustParsePrefix("192.31.196.0/24"):    "RFC 7535: AS112-v4",
+		netip.MustParsePrefix("192.52.193.0/24"):    "RFC 7450: AMT",
+		netip.MustParsePrefix("192.88.99.0/24"):     "RFC 7526: Deprecated (6to4 Relay Anycast)",
+		netip.MustParsePrefix("192.168.0.0/16"):     "RFC 1918: Private-Use",
+		netip.MustParsePrefix("192.175.48.0/24"):    "RFC 7534: Direct Delegation AS112 Service",
+		netip.MustParsePrefix("198.18.0.0/15"):      "RFC 2544: Benchmarking",
+		netip.MustParsePrefix("198.51.100.0/24"):    "RFC 5737: Documentation (TEST-NET-2)",
+		netip.MustParsePrefix("203.0.113.0/24"):     "RFC 5737: Documentation (TEST-NET-3)",
+		netip.MustParsePrefix("240.0.0.0/4"):        "RFC1112, Section 4: Reserved",
+		netip.MustParsePrefix("255.255.255.255/32"): "RFC 8190 & RFC 919, Section 7: Limited Broadcast",
+		// 224.0.0.0/4 are multicast addresses as per RFC 3171. They are not
+		// present in the IANA registry.
+		netip.MustParsePrefix("224.0.0.0/4"): "RFC 3171: Multicast Addresses",
+	}
+	// Sourced from:
+	// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+	privateV6Prefixes = map[netip.Prefix]string{
+		netip.MustParsePrefix("::/128"):            "RFC 4291: Unspecified Address",
+		netip.MustParsePrefix("::1/128"):           "RFC 4291: Loopback Address",
+		netip.MustParsePrefix("::ffff:0:0/96"):     "RFC 4291: IPv4-mapped Address",
+		netip.MustParsePrefix("64:ff9b::/96"):      "RFC 6052: IPv4-IPv6 Translat.",
+		netip.MustParsePrefix("64:ff9b:1::/48"):    "RFC 8215: IPv4-IPv6 Translat.",
+		netip.MustParsePrefix("100::/64"):          "RFC 6666: Discard-Only Address Block",
+		netip.MustParsePrefix("2001::/23"):         "RFC 2928: IETF Protocol Assignments",
+		netip.MustParsePrefix("2001::/32"):         "RFC 4380 & RFC 8190: TEREDO",
+		netip.MustParsePrefix("2001:1::1/128"):     "RFC 7723: Port Control Protocol Anycast",
+		netip.MustParsePrefix("2001:1::2/128"):     "RFC 8155: Traversal Using Relays around NAT Anycast",
+		netip.MustParsePrefix("2001:1::3/128"):     "RFC-ietf-dnssd-srp-25: DNS-SD Service Registration Protocol Anycast",
+		netip.MustParsePrefix("2001:2::/48"):       "RFC 5180 & RFC Errata 1752: Benchmarking",
+		netip.MustParsePrefix("2001:3::/32"):       "RFC 7450: AMT",
+		netip.MustParsePrefix("2001:4:112::/48"):   "RFC 7535: AS112-v6",
+		netip.MustParsePrefix("2001:10::/28"):      "RFC 4843: Deprecated (previously ORCHID)",
+		netip.MustParsePrefix("2001:20::/28"):      "RFC 7343: ORCHIDv2",
+		netip.MustParsePrefix("2001:30::/28"):      "RFC 9374: Drone Remote ID Protocol Entity Tags (DETs) Prefix",
+		netip.MustParsePrefix("2001:db8::/32"):     "RFC 3849: Documentation",
+		netip.MustParsePrefix("2002::/16"):         "RFC 3056: 6to4",
+		netip.MustParsePrefix("2620:4f:8000::/48"): "RFC 7534: Direct Delegation AS112 Service",
+		netip.MustParsePrefix("3fff::/20"):         "RFC 9637: Documentation",
+		netip.MustParsePrefix("5f00::/16"):         "RFC 9602: Segment Routing (SRv6) SIDs",
+		netip.MustParsePrefix("fc00::/7"):          "RFC 4193 & RFC 8190: Unique-Local",
+		netip.MustParsePrefix("fe80::/10"):         "RFC 4291: Link-Local Unicast",
+		// ff00::/8 are multicast addresses as per RFC 4291, Sections 2.4 & 2.7.
+		// They are not present in the IANA registry.
+		netip.MustParsePrefix("ff00::/8"): "RFC 4291: Multicast Addresses",
+	}
+)
+
+// IsReservedIP returns an error if an IP address is part of a reserved range.
+func IsReservedIP(ip netip.Addr) error {
+	var reservedPrefixes map[netip.Prefix]string
+	if ip.Is4() {
+		reservedPrefixes = privateV4Prefixes
+	} else {
+		reservedPrefixes = privateV6Prefixes
+	}
+
+	for net, name := range reservedPrefixes {
+		if net.Contains(ip) {
+			return fmt.Errorf("%w: %s", errIPReserved, name)
+		}
+	}
+
+	return nil
+}