DNSCAP v1.10.0 + IP (pseudo-)anonymization & RSSAC040 ----------------------------------------------------- Thanks to funding from Verisign, DNS-OARC is releasing 5 new plugins for the open-source DNSCAP tool that implement various IP anonymization/ deanonymization techniques. The methods to do (pseudo-)anonymization have been taken from: RSSAC040 "Major Proposals for Methods of Anonymizing IP Addresses": https://www.icann.org/en/system/files/files/rssac-040-07aug18-en.pdf OARC hopes these features will help compliance with privacy requirements, and welcomes feedback on them from the RSSAC Community. - anonaes128: Anonymize IP addresses by encrypting them with AES128 (RSSAC040 4.1/4.3). Since AES128 works on 128 bit blocks the IPv4 addresses (32 bits) are padded by copying itself to fill the 128 bits (IPv4*4) and then the output is truncated to 32 bits which means that it can't be deanonymized. No modifications are needed for IPv6 since the output length is the same. Thanks to help from Jim Hague (Sinodun) we have successfully tested interoperability with anonymization features of compactor/inspector and this plugin. - anonmask: Pseudo-anonymize IP addresses by masking them as you do with netmasks (RSSAC040 4.4). The default is a /24 for IPv4 and /48 for IPv6 but it can be changed by command line options to the plugin. - cryptopan: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent) (RSSAC040 4.2). The extension was picked instead of the reference implementation because it provided a deanonymization function, handled endian and hopefully gives better randomness in the resulting anonymized addresses. https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.sht... - cryptopant: Anonymize IP addresses using the library cryptopANT, a different implementation of Crypto-PAn, made by the ANT project at USC/ISI (RSSAC040 4.2). https://ant.isi.edu/software/cryptopANT/index.html - ipcrypt: Anonymize IP addresses using ipcrypt create by Jean-Philippe Aumasson (RSSAC040 4.3). Although the method was designed for IPv4 addresses, the plugin can handle IPv6 addresses too. It does this with a command line option, treating IPv6 addresses as four IPv4 addresses, encrypting/decrypting them separately. https://github.com/veorq/ipcrypt All of this is now available in release v1.10.0. The full list of changes, links to tar-ball and packages can be found here: https://github.com/DNS-OARC/dnscap/releases/tag/v1.10.0 Please report any bugs or issues via the above github page, or more general queries can be addressed to <jerry@dns-oarc.net>.