[rssac-caucus] DNSCAP Anonymization Tools now available from DNS-OARC

Keith Mitchell keith at dns-oarc.net
Mon Dec 10 15:26:08 UTC 2018


DNSCAP v1.10.0 + IP (pseudo-)anonymization & RSSAC040
-----------------------------------------------------

Thanks to funding from Verisign, DNS-OARC is releasing 5 new plugins for
the open-source DNSCAP tool that implement various IP anonymization/
deanonymization techniques.  The methods to do (pseudo-)anonymization
have been taken from:

  RSSAC040 "Major Proposals for Methods of Anonymizing IP Addresses":

  https://www.icann.org/en/system/files/files/rssac-040-07aug18-en.pdf

OARC hopes these features will help compliance with privacy
requirements, and welcomes feedback on them from the RSSAC Community.

- anonaes128: Anonymize IP addresses by encrypting them with AES128
  (RSSAC040 4.1/4.3).

  Since AES128 works on 128 bit blocks the IPv4 addresses (32 bits) are
  padded by copying itself to fill the 128 bits (IPv4*4) and then the
  output is truncated to 32 bits which means that it can't be
  deanonymized.  No modifications are needed for IPv6 since the output
  length is the same.

  Thanks to help from Jim Hague (Sinodun) we have successfully tested
  interoperability with anonymization features of compactor/inspector
  and this plugin.

- anonmask: Pseudo-anonymize IP addresses by masking them as you do
  with netmasks (RSSAC040 4.4).

  The default is a /24 for IPv4 and /48 for IPv6 but it can be changed
  by command line options to the plugin.

- cryptopan: Anonymize IP addresses using an extension to Crypto-PAn
  (College of Computing, Georgia Tech) made by David Stott (Lucent)
  (RSSAC040 4.2).

  The extension was picked instead of the reference implementation
  because it provided a deanonymization function, handled endian and
  hopefully gives better randomness in the resulting anonymized
  addresses.

  https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.shtml

- cryptopant: Anonymize IP addresses using the library cryptopANT,
  a different implementation of Crypto-PAn, made by the ANT project
  at USC/ISI (RSSAC040 4.2).

  https://ant.isi.edu/software/cryptopANT/index.html

- ipcrypt: Anonymize IP addresses using ipcrypt created by
  Jean-Philippe Aumasson (RSSAC040 4.3).

  Although the method was designed for IPv4 addresses, the plugin can
  handle IPv6 addresses too.  It does this with a command line option,
  treating IPv6 addresses as four IPv4 addresses, encrypting/decrypting
  them separately.

  https://github.com/veorq/ipcrypt


All of this is now available in release v1.10.0.  The full list of
changes, links to tar-ball and packages can be found here:

  https://github.com/DNS-OARC/dnscap/releases/tag/v1.10.0

Please report any bugs or issues via the above github page, or more
general queries can be addressed to <jerry at dns-oarc.net>.
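
The prefix masking described for anonmask above, at its /24 and /48 defaults, as an added example that is not part of the original announcement and is not dnscap's plugin code. The names mask_ip and same_bucket are hypothetical, and the sample addresses are constructed from the documentation ranges.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Zero every bit after the first `prefix` bits of a `len`-byte address. */
static void mask_bits(uint8_t *addr, unsigned len, unsigned prefix)
{
    for (unsigned i = 0; i < len; i++) {
        unsigned keep = prefix > 8 * i ? prefix - 8 * i : 0; /* bits kept in byte i */
        if (keep < 8)
            addr[i] &= (uint8_t)(0xFF << (8 - keep));
    }
}

/* Mask a textual IPv4/IPv6 address. Returns 0 on success, -1 on bad input.
 * mask_ip and its parameter names are hypothetical, not dnscap's API. */
int mask_ip(const char *in, unsigned v4_prefix, unsigned v6_prefix,
            char *out, size_t outlen)
{
    uint8_t buf[16];
    int af = strchr(in, ':') ? AF_INET6 : AF_INET;   /* a colon means IPv6 text */
    unsigned len = af == AF_INET6 ? 16 : 4;
    unsigned prefix = af == AF_INET6 ? v6_prefix : v4_prefix;
    if (prefix > 8 * len || inet_pton(af, in, buf) != 1)
        return -1;
    mask_bits(buf, len, prefix);
    return inet_ntop(af, buf, out, (socklen_t)outlen) ? 0 : -1;
}

/* 1 if both addresses mask to the same value at the /24 and /48 defaults. */
int same_bucket(const char *a, const char *b)
{
    char ma[INET6_ADDRSTRLEN], mb[INET6_ADDRSTRLEN];
    if (mask_ip(a, 24, 48, ma, sizeof ma) || mask_ip(b, 24, 48, mb, sizeof mb))
        return 0;
    return strcmp(ma, mb) == 0;
}

int main(void)
{
    /* Constructed sample addresses (documentation ranges). */
    const char *samples[] = { "192.0.2.17", "192.0.2.200", "2001:db8:1234:5678::1" };
    char out[INET6_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        if (mask_ip(samples[i], 24, 48, out, sizeof out) == 0)
            printf("%s -> %s\n", samples[i], out);
    return 0;
}
```

Every host inside the same /24 or /48 maps to one output, and the network prefix itself stays visible in the masked address.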


