README $Id$

This directory contains two utilities used by the LANDER project
(http://www.isi.edu/ant/lander/) for removing user data from packet
traces and anonymizing IP addresses: "dag_scrubber" and "scramble_ips".

dag_scrubber - reads an input packet trace file in ERF format (produced
by DAG capture cards) and does two things.

  The first function is dubbed "scrubbing" and is designed to zero out
  or chop off (if at the end of the packet) all user data. "User data"
  is a vague term; its precise definition in the dag_scrubber context
  can be derived from the dag_scrubber decision tree described in the
  accompanying file "scrubber_decisiontree.txt".

  The second process, called "scrambling", performs cryptography-based
  prefix-preserving IP address anonymization for both IPv4 and IPv6
  addresses. This algorithm was published by Jun Xu, Jinliang Fan,
  Mostafa Ammar, and Sue Moon in "Prefix-Preserving IP Address
  Anonymization: Measurement-based Security Evaluation and a New
  Cryptography-based Scheme":
  http://www.cc.gatech.edu/computing/Telecomm/cryptopan/icnp02.ps
  This code does not derive from the Crypto-PAn package, and is an
  independent implementation of the ideas described in the paper.

scramble_ips - allows the user to scramble some known IP addresses and
find out their anonymized counterparts. This is useful, for example, if
your trace contains traffic to your server and you'd like to know the
server's scrambled address so you can find traffic addressed to/from it
in the scrambled trace. Note that it should be very hard to find the
reverse mapping (i.e. from scrambled to unscrambled addresses) if the
key is not available. If the key is available, the "reverse" mode of
this tool (-r switch) allows you to recover the original addresses.

CHANGELOG.txt contains details about changes made to this software
package.

PLATFORMS

These utilities have been tested only on x86-based platforms running
GNU/Linux. In particular, we've tested them on RedHat Enterprise Linux
AS release 3, Fedora Core 3, and Fedora Core 4.

Note that we have NOT tested this code on any big-endian machines; one
potential caveat could be related to memory accesses of unaligned packet
header structures, but we have not explored this issue. We may address
this in future releases.

BUILDING BINARIES

1. Make sure you have installed the PCAP and SSL libraries in standard
   places. Without these libraries, linking of the binaries will fail.

2. Run make and pray.

VALIDATIONS

Sample sets of random IP addresses (both IPv4 and IPv6) have been added
to the distribution, as well as a sample keyfile. These can be used for
simple validation of the prefix-preserving properties of the
crypto-scrambling code. To run the validations, type:

    make validate

It may take a minute or two (especially for IPv6 addresses) to
complete, because unscrambling operations are relatively slow.
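The following is an added example, not code from the LANDER
distribution, showing what the "scrambling" step, the "-r" reverse
mode and the "make validate" check described above amount to for a
prefix-preserving scheme of the kind in the Xu/Fan/Ammar/Moon paper.
Each output bit is the input bit XORed with a keyed pseudo-random bit
that depends only on the input bits before it, so two addresses that
agree on their first k bits agree on the first k scrambled bits, and
with the key the mapping can be walked back one bit at a time. The
choice of HMAC-SHA256 as the keyed function, the DEMO_KEY value and the
sample address lists are all assumptions constructed for this example;
the README does not state which primitive dag_scrubber uses, and the
real tools read their key from a keyfile.

```python
"""Prefix-preserving IP scrambling, illustrative example (not dag_scrubber)."""
import hashlib
import hmac
import ipaddress

# Constructed demo key; the real tools read a keyfile (assumption).
DEMO_KEY = b"constructed-demo-key-not-the-sample-keyfile"


def _prf_bit(key: bytes, prefix: str, position: int) -> int:
    """One pseudo-random bit that depends only on the key, the bit
    position, and the original bits that precede that position.
    HMAC-SHA256 is an assumed stand-in for the tool's own keyed function."""
    msg = f"{position}:{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def scramble_bits(key: bytes, bits: str) -> str:
    """Anonymize: output bit i = input bit i XOR f_key(input bits 0..i-1).
    Inputs sharing k leading bits get identical masks for those k
    positions, so the common prefix length is preserved exactly."""
    out = []
    for i, b in enumerate(bits):
        out.append(str(int(b) ^ _prf_bit(key, bits[:i], i)))
    return "".join(out)


def unscramble_bits(key: bytes, bits: str) -> str:
    """Reverse mapping (the -r mode): recover the input one bit at a time,
    recomputing each mask bit from the prefix recovered so far.  Without
    the key the masks cannot be recomputed, which is why the reverse
    direction is hard for anyone who lacks it."""
    out = []
    for i, b in enumerate(bits):
        out.append(str(int(b) ^ _prf_bit(key, "".join(out), i)))
    return "".join(out)


def _to_bits(addr) -> str:
    # 32 bits for IPv4Address, 128 bits for IPv6Address.
    return format(int(addr), f"0{addr.max_prefixlen}b")


def scramble_ip(key: bytes, addr_str: str) -> str:
    addr = ipaddress.ip_address(addr_str)
    return str(type(addr)(int(scramble_bits(key, _to_bits(addr)), 2)))


def unscramble_ip(key: bytes, addr_str: str) -> str:
    addr = ipaddress.ip_address(addr_str)
    return str(type(addr)(int(unscramble_bits(key, _to_bits(addr)), 2)))


def common_prefix_len(a_str: str, b_str: str) -> int:
    """Number of leading bits two same-version addresses share."""
    a, b = ipaddress.ip_address(a_str), ipaddress.ip_address(b_str)
    if a.version != b.version:
        raise ValueError("addresses must share an IP version")
    xa, xb = _to_bits(a), _to_bits(b)
    n = 0
    while n < len(xa) and xa[n] == xb[n]:
        n += 1
    return n


def validate_prefix_preservation(key: bytes, addrs) -> bool:
    """What a 'make validate' style check needs to confirm: every address
    round-trips through the reverse mode, and every pair keeps exactly
    its original common prefix length after scrambling."""
    scrambled = [scramble_ip(key, a) for a in addrs]
    for a, s in zip(addrs, scrambled):
        if unscramble_ip(key, s) != str(ipaddress.ip_address(a)):
            return False
    for i in range(len(addrs)):
        for j in range(i + 1, len(addrs)):
            if common_prefix_len(addrs[i], addrs[j]) != \
                    common_prefix_len(scrambled[i], scrambled[j]):
                return False
    return True


# Constructed sample sets (documentation-range addresses), one per version.
SAMPLE_V4 = ["192.0.2.1", "192.0.2.200", "192.0.3.7", "198.51.100.9"]
SAMPLE_V6 = ["2001:db8::1", "2001:db8::ffff", "2001:db8:1::1", "2001:db9::1"]

if __name__ == "__main__":
    for a in SAMPLE_V4 + SAMPLE_V6:
        s = scramble_ip(DEMO_KEY, a)
        print(f"{a:>16} -> {s:>40} -> {unscramble_ip(DEMO_KEY, s)}")
    print("IPv4 prefix-preserving:", validate_prefix_preservation(DEMO_KEY, SAMPLE_V4))
    print("IPv6 prefix-preserving:", validate_prefix_preservation(DEMO_KEY, SAMPLE_V6))
```

The per-bit loop also shows why unscrambling is the slower direction in
practice: each recovered bit has to be fed back into the keyed function
before the next one can be computed, so the reverse mode cannot batch
its work the way a forward pass over a fixed input can. The same
validation logic applied to the sample address sets and keyfile shipped
with the distribution is what "make validate" is meant to exercise.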