Encrypt/pseudonymize IP addresses in log files
Users who need to store log files wish to minimize the possibility of leaking information that easily identifies users. Applying some encryption to obfuscate addresses provides some protection. There are several use cases:
With the advent of GDPR, operators of public DNS services (e.g. ISP resolvers) may require the ability to encrypt these logs as they are created, so the only stored data they have is at least anonymized. If the logs are leaked somehow, it will at least require some effort to de-anonymize them. These operators may need to be able to decrypt to uncover the original IP address, in case their analysis shows abuse that they need to block.
Operators of root servers, ccTLDs, gTLDs and other public services may wish to be able to share data for research purposes (e.g. with DNS-OARC's ditl program). In this case, it is preferable that the encryption not be reversible, and it is desirable to be able to run the encryption on an existing log file. This use case is already under discussion in RSSAC.
- It would be ideal to be able to apply this pseudonymization to both native BIND logs and dnstap log files.
- Performance is obviously an important consideration.
- This will need to work for both IPv4 and IPv6 addresses and the result fit into the space in the logs reserved for those addresses (which are obviously different lengths).
Relevant existing work:
- Bert Hubert has created a tool, 'ipcipher' (https://powerdns.org/ipcipher/), for PowerDNS. He gave a presentation at NDSS DNS Privacy Workshop that described some of the issues with implementing this. Others have created additional implementations, including one by Frank Denis in C.
- There is also apparently a NIST standard for format-preserving encryption. (Paul Hoffman knows about this)
Other things that are needed:
- Tool you can pipe an existing pcap through that will produce a log file where IP addresses are encrypted (producing output that is irreversible)
- Utility that enables frequent key rotation for this process
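
A sketch of the reversible, family-preserving case described above, added here as an illustration; it is not BIND code, not ipcipher and not the NIST format-preserving scheme. It uses a balanced Feistel network with HMAC-SHA256 as the round function so that an IPv4 address maps to an IPv4 address and an IPv6 address to an IPv6 address. The function names, round count, key and log line are all assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

ROUNDS = 8  # assumption: round count chosen for illustration, not from any spec
TOKEN = re.compile(r"(?<![\w.:])[0-9A-Fa-f:.]+(?![\w.:])")  # candidate address tokens

def _prf(key, rnd, half, nbytes):
    """Round function: HMAC-SHA256 of (round, half), truncated to the half width."""
    msg = bytes([rnd]) + half.to_bytes(nbytes, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:nbytes], "big")

def _feistel(key, value, bits, decrypt):
    """Balanced Feistel network: a keyed permutation of the bits-wide address space."""
    half_bits = bits // 2
    nbytes = half_bits // 8
    left, right = value >> half_bits, value & ((1 << half_bits) - 1)
    if decrypt:
        for rnd in reversed(range(ROUNDS)):
            left, right = right ^ _prf(key, rnd, left, nbytes), left
    else:
        for rnd in range(ROUNDS):
            left, right = right, left ^ _prf(key, rnd, right, nbytes)
    return (left << half_bits) | right

def map_address(key, text, decrypt=False):
    """Map one address to another of the same family (IPv4 -> IPv4, IPv6 -> IPv6)."""
    ip = ipaddress.ip_address(text)
    return str(type(ip)(_feistel(key, int(ip), ip.max_prefixlen, decrypt)))

def map_line(key, line, decrypt=False):
    """Rewrite every token that parses as an IP address; leave the rest untouched."""
    def swap(match):
        try:
            return map_address(key, match.group(0), decrypt)
        except ValueError:  # timestamps, port numbers, record types, ...
            return match.group(0)
    return TOKEN.sub(swap, line)

if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-me!!"  # constructed key, not a real secret
    # Constructed sample in the style of a query log line (documentation addresses).
    line = "10:15:02.123 client 192.0.2.10#53123 (example.com): query: example.com IN AAAA (2001:db8::53)"
    hidden = map_line(key, line)
    print(hidden)
    print(map_line(key, hidden, decrypt=True))
```

Because the mapping is a keyed permutation, the same client always maps to the same pseudonym under one key, and rotating the key breaks linkage between log periods.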