Merge pull request #52223 from nextcloud/feat/add-configurable-ipv6-subnet

feat(security): add configurable IPv6 subnet for BFP and throttling

Author: provokateurin

config/config.sample.php

@@ -450,6 +450,16 @@
  */
 'ratelimit.protection.enabled' => true,
 
+/**
+ * Size of subnet used to normalize IPv6
+ *
+ * For Brute Force Protection and Rate Limiting, IPv6 are truncated using subnet size.
+ * It defaults to /56 but you can set it between /32 and /64
+ *
+ * Defaults to ``56``
+ */
+'security.ipv6_normalized_subnet_size' => 56,
+
 /**
  * By default, WebAuthn is available, but it can be explicitly disabled by admins
  */

lib/private/Security/Normalizer/IpAddress.php

@@ -8,6 +8,8 @@
  */
 namespace OC\Security\Normalizer;
 
+use OCP\IConfig;
+
 /**
  * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
  * relevant contexts in Nextcloud.
@@ -24,7 +26,8 @@ public function __construct(
 	}
 
 	/**
-	 * Return the given subnet for an IPv6 address (48 first bits)
+	 * Return the given subnet for an IPv6 address
+	 * Rely on security.ipv6_normalized_subnet_size, defaults to 56
 	 */
 	private function getIPv6Subnet(string $ip): string {
 		if ($ip[0] === '[' && $ip[-1] === ']') { // If IP is with brackets, for example [::1]
@@ -35,10 +38,14 @@ private function getIPv6Subnet(string $ip): string {
 			$ip = substr($ip, 0, $pos - 1);
 		}
 
+		$config = \OCP\Server::get(IConfig::class);
+		$maskSize = min(64, $config->getSystemValueInt('security.ipv6_normalized_subnet_size', 56));
+		$maskSize = max(32, $maskSize);
+		$mask = pack('VVP', (1 << 32) - 1, (1 << $maskSize - 32) - 1, 0);
+
 		$binary = \inet_pton($ip);
-		$mask = inet_pton('FFFF:FFFF:FFFF::');
 
-		return inet_ntop($binary & $mask) . '/48';
+		return inet_ntop($binary & $mask) . '/' . $maskSize;
 	}
 
 	/**
@@ -63,7 +70,7 @@ private function getEmbeddedIpv4(string $ipv6): ?string {
 
 
 	/**
-	 * Gets either the /32 (IPv4) or the /48 (IPv6) subnet of an IP address
+	 * Gets either the /32 (IPv4) or the /56 (default for IPv6) subnet of an IP address
 	 */
 	public function getSubnet(): string {
 		if (filter_var($this->ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {

tests/lib/Security/Normalizer/IpAddressTest.php

@@ -37,19 +37,19 @@ public function subnetDataProvider() {
 			],
 			[
 				'2001:0db8:0000:0000:0000:8a2e:0370:7334',
-				'2001:db8::/48',
+				'2001:db8::/56',
 			],
 			[
 				'2001:db8:3333:4444:5555:6666:7777:8888',
-				'2001:db8:3333::/48',
+				'2001:db8:3333:4400::/56',
 			],
 			[
 				'::1234:5678',
-				'::/48',
+				'::/56',
 			],
 			[
 				'[::1]',
-				'::/48',
+				'::/56',
 			],
 		];
 	}