README
$Id$
This directory contains two utilities used by the LANDER project
(http://www.isi.edu/ant/lander/) for removing user data from packet
traces and anonymizing IP addresses: "dag_scrubber" and "scramble_ips".
dag_scrubber - reads an input packet trace file in ERF format (produced by
DAG capture cards) and does two things. The first function is
dubbed "scrubbing" and is designed to zero out (or chop off, if it
sits at the end of the packet) all user data. "User data" is a vague
term; its precise definition in the dag_scrubber context can be derived
from the dag_scrubber decision tree described in the accompanying
file "scrubber_decisiontree.txt".
The second process, called "scrambling", performs cryptography-based
prefix-preserving IP address anonymization for both IPv4 and IPv6
addresses. This algorithm was published by Jun Xu, Jinliang Fan,
Mostafa Ammar, and Sue Moon in "Prefix-Preserving IP Address
Anonymization: Measurement-based Security Evaluation and a New
Cryptography-based Scheme":
http://www.cc.gatech.edu/computing/Telecomm/cryptopan/icnp02.ps
This code does not derive from the Crypto-PAn package, and is an
independent implementation of the ideas described in the paper.
scramble_ips - lets the user scramble some known IP addresses and
find out their anonymized counterparts. This is useful, for
example, if your trace contains traffic to your server and you'd
like to know the server's scrambled address in order to find traffic
addressed to/from it in the scrambled trace. Note that finding the
reverse mapping (i.e. from scrambled to unscrambled addresses) should
be very hard without the key. If the key is available, the "reverse"
mode of this tool (-r switch) recovers the original addresses. Since
anyone holding the key can de-anonymize a scrambled trace, the keyfile
needs the same protection as the unscrambled trace itself.
CHANGELOG.txt contains details about changes made to this software
package.
PLATFORMS
These utilities have been tested only on x86-based platforms running
GNU/Linux. In particular, we've tested them on Red Hat Enterprise
Linux AS release 3, Fedora Core 3, and Fedora Core 4. Note that we
HAVE NOT tested this code on any big-endian machines; one potential
caveat could be related to accessing unaligned packet header
structures in memory, but we have not explored this issue. We may
address this in future releases.
BUILDING BINARIES
1. Make sure you have installed the PCAP and SSL libraries (typically
libpcap and OpenSSL) in standard places. Without these libraries,
linking of the binaries will fail.
2. Run make and pray.
VALIDATIONS
Sample sets of random IP addresses (both IPv4 and IPv6) have been
added to the distribution, as well as a sample keyfile. These can
be used for a simple validation of the prefix-preserving property of
the crypto-scrambling code. To run the validations, type:
make validate
It may take a minute or two (especially for IPv6 addresses) to
complete, because unscrambling operations are relatively slow.
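As an added illustration, not code from the dag_scrubber/scramble_ips
distribution, the Python sketch below implements the bit-by-bit
prefix-preserving scheme of Xu et al. described above (forward scrambling
for IPv4 and IPv6, plus the keyed reverse mapping that the -r switch of
scramble_ips provides) and the kind of check that "make validate" performs:
for every pair of addresses, the length of the shared prefix must be the
same before and after scrambling. It substitutes HMAC-SHA256 for the
paper's block-cipher PRF (an assumption made so the example needs only
the standard library); the key, the sample address lists and all function
names are constructed for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real deployment reads the key from a keyfile.
DEMO_KEY = b"demo-key-do-not-use-for-real-traces"

# Constructed sample addresses sharing prefixes of various lengths.
SAMPLE_V4 = ["10.1.2.3", "10.1.2.77", "10.1.99.1", "192.0.2.1"]
SAMPLE_V6 = ["2001:db8::1", "2001:db8::2", "2001:db8:1::1", "2001:db8:ffff::1"]


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """One pseudorandom bit that depends only on the key and the prefix seen so far.

    The paper derives this bit from a block cipher; this example substitutes
    HMAC-SHA256 (assumption).  The prefix length is hashed alongside its value
    so that "", "0" and "00" are distinct PRF inputs.
    """
    msg = len(prefix_bits).to_bytes(2, "big") + int(prefix_bits or "0", 2).to_bytes(16, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def _to_bits(ip) -> str:
    """Fixed-width bit string (32 or 128 bits) of an IPv4Address/IPv6Address."""
    return format(int(ip), f"0{ip.max_prefixlen}b")


def scramble(addr: str, key: bytes) -> str:
    """Prefix-preserving anonymization: output bit i = input bit i XOR a PRF bit
    of the original i-bit prefix.  Two inputs agreeing on k leading bits get
    identical masks for those k bits, so their outputs agree on exactly k bits."""
    ip = ipaddress.ip_address(addr)
    bits = _to_bits(ip)
    out = [str(int(b) ^ _prf_bit(key, bits[:i])) for i, b in enumerate(bits)]
    # Rebuild with the same address class so a small IPv6 value stays IPv6.
    return str(ip.__class__(int("".join(out), 2)))


def unscramble(anon: str, key: bytes) -> str:
    """Reverse mapping (the -r direction).  The PRF input at step i is the
    original prefix, which is exactly the bits recovered so far, so the walk is
    strictly sequential and needs the key; without it every bit is masked by an
    unpredictable PRF output."""
    ip = ipaddress.ip_address(anon)
    recovered = []
    for b in _to_bits(ip):
        recovered.append(str(int(b) ^ _prf_bit(key, "".join(recovered))))
    return str(ip.__class__(int("".join(recovered), 2)))


def common_prefix_len(a: str, b: str) -> int:
    """Length of the longest common bit prefix of two same-family addresses."""
    ia, ib = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if ia.version != ib.version:
        raise ValueError("addresses must be of the same IP version")
    return ia.max_prefixlen - (int(ia) ^ int(ib)).bit_length()


def check_prefix_preserving(addrs, key: bytes) -> bool:
    """Validation check: every pair must share exactly as many leading bits
    after scrambling as before."""
    anon = [scramble(a, key) for a in addrs]
    for i in range(len(addrs)):
        for j in range(i + 1, len(addrs)):
            if common_prefix_len(addrs[i], addrs[j]) != common_prefix_len(anon[i], anon[j]):
                return False
    return True


if __name__ == "__main__":
    for a in SAMPLE_V4 + SAMPLE_V6:
        s = scramble(a, DEMO_KEY)
        print(f"{a:>20} -> {s:<40} back: {unscramble(s, DEMO_KEY)}")
    print("prefix-preserving (v4):", check_prefix_preserving(SAMPLE_V4, DEMO_KEY))
    print("prefix-preserving (v6):", check_prefix_preserving(SAMPLE_V6, DEMO_KEY))
```

The check is deliberately pairwise rather than per-address: prefix
preservation is a statement about how addresses relate to each other, so a
single address tells you nothing, while a set with known shared prefixes
(like the shipped sample files) exposes any bug that breaks the property.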