[rssac-caucus] DNSCAP Anonymization Tools now available from DNS-OARC
Keith Mitchell
keith at dns-oarc.net
Mon Dec 10 15:26:08 UTC 2018
DNSCAP v1.10.0 + IP (pseudo-)anonymization & RSSAC040
-----------------------------------------------------

Thanks to funding from Verisign, DNS-OARC is releasing 5 new plugins for
the open-source DNSCAP tool that implement various IP anonymization/
deanonymization techniques. The methods to do (pseudo-)anonymization
have been taken from:

  RSSAC040 "Major Proposals for Methods of Anonymizing IP Addresses":
  https://www.icann.org/en/system/files/files/rssac-040-07aug18-en.pdf

OARC hopes these features will help compliance with privacy
requirements, and welcomes feedback on them from the RSSAC Community.

- anonaes128: Anonymize IP addresses by encrypting them with AES128
  (RSSAC040 4.1/4.3).

  Since AES128 works on 128 bit blocks the IPv4 addresses (32 bits) are
  padded by copying itself to fill the 128 bits (IPv4*4) and then the
  output is truncated to 32 bits which means that it can't be
  deanonymized. No modifications are needed for IPv6 since the output
  length is the same.

  Thanks to help from Jim Hague (Sinodun) we have successfully tested
  interoperability with anonymization features of compactor/inspector
  and this plugin.

- anonmask: Pseudo-anonymize IP addresses by masking them as you do
  with netmasks (RSSAC040 4.4).

  The default is a /24 for IPv4 and /48 for IPv6 but it can be changed
  by command line options to the plugin.

- cryptopan: Anonymize IP addresses using an extension to Crypto-PAn
  (College of Computing, Georgia Tech) made by David Stott (Lucent)
  (RSSAC040 4.2).

  The extension was picked instead of the reference implementation
  because it provided a deanonymization function, handled endian and
  hopefully gives better randomness in the resulting anonymized
  addresses.

  https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.shtml

- cryptopant: Anonymize IP addresses using the library cryptopANT,
  a different implementation of Crypto-PAn, made by the ANT project
  at USC/ISI (RSSAC040 4.2).

  https://ant.isi.edu/software/cryptopANT/index.html

- ipcrypt: Anonymize IP addresses using ipcrypt created by
  Jean-Philippe Aumasson (RSSAC040 4.3).

  Although the method was designed for IPv4 addresses, the plugin can
  handle IPv6 addresses too. It does this with a command line option,
  treating IPv6 addresses as four IPv4 addresses, encrypting/decrypting
  them separately.

  https://github.com/veorq/ipcrypt

All of this is now available in release v1.10.0. The full list of
changes, links to tar-ball and packages can be found here:

  https://github.com/DNS-OARC/dnscap/releases/tag/v1.10.0

Please report any bugs or issues via the above github page, or more
general queries can be addressed to <jerry at dns-oarc.net>.
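
The netmask-style masking described for the anonmask plugin, as an added example that is not part of the original message and is not DNSCAP's own code: it zeroes the host bits of each address so that every client in the same /24 (IPv4) or /48 (IPv6) collapses to one value. The function names `mask_bytes` and `anon_mask` are hypothetical, and the sample addresses are constructed from the documentation ranges.

```c
/* Added example: prefix masking of IPv4/IPv6 addresses (not DNSCAP source). */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Zero every bit after the first `prefix` bits of a `len`-byte address. */
static void mask_bytes(uint8_t *addr, size_t len, size_t prefix)
{
    for (size_t i = 0; i < len; i++) {
        size_t keep = prefix > 8 * i ? prefix - 8 * i : 0; /* bits kept in byte i */
        if (keep < 8)
            addr[i] &= (uint8_t)(0xff << (8 - keep));
    }
}

/* Hypothetical helper: mask a textual address and write the result to `out`.
 * Returns 0 on success, -1 on a bad prefix length or an unparsable address. */
int anon_mask(const char *in, size_t v4_prefix, size_t v6_prefix,
              char *out, size_t outlen)
{
    uint8_t buf[16];

    if (v4_prefix > 32 || v6_prefix > 128)
        return -1;
    if (inet_pton(AF_INET, in, buf) == 1) {
        mask_bytes(buf, 4, v4_prefix);
        return inet_ntop(AF_INET, buf, out, (socklen_t)outlen) ? 0 : -1;
    }
    if (inet_pton(AF_INET6, in, buf) == 1) {
        mask_bytes(buf, 16, v6_prefix);
        return inet_ntop(AF_INET6, buf, out, (socklen_t)outlen) ? 0 : -1;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample clients; the prefixes are the defaults named above. */
    const char *clients[] = { "192.0.2.77", "192.0.2.200",
                              "2001:db8:1234:5678::1", "2001:db8:1234:9abc::53" };
    char out[INET6_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        if (anon_mask(clients[i], 24, 48, out, sizeof out) == 0)
            printf("%-24s -> %s\n", clients[i], out);
    return 0;
}
```

Because the network prefix survives unchanged, the output still identifies the client's network, which is why the message calls this method pseudo-anonymization.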