2. Network Obfuscation
2.1. Network Obfuscation Overview
Beginning with version 0.3.0, soscleaner uses the ipaddr module to manage network objects and their obfuscation. This lets the program be much more intelligent about how it obfuscates the data while being network aware.
2.2. IPv4 Network database
Each entry in self.net_db represents a network and its obfuscated value.
self.net_db is a list of tuples. Each tuple has the following format:
For each entry in
x is the original network as an
x is the obfuscated network as an
2.3. IPv4 address database
Each entry in self.ip_db represents a found IP address and its obfuscated value as a key/value pair.
2.4. Obfuscating IPv4 addresses
When self.clean_report is run, it populates self.net_db with the networks found in an sosreport’s routing table as well as with any networks specified using the -n command line parameter.
Each time an IP is found in a file, it is compared against the values in self.net_db to determine its parent network. The IP is then obfuscated sanely with fidelity to the subnet and relative network space. The obfuscated value for that IP address is then either retrieved from self.ip_db, or added to the database if it hasn’t been obfuscated previously.
If an IP address is matched that doesn’t exist in any other network, it will be obfuscated using an address from self.default_net. self.default_net is the first obfuscated network created when soscleaner is run.
Soscleaner doesn’t obfuscate multicast addresses to other multicast address spaces because of the limitations within that IPv4 space. They are, however, obfuscated to a unique network so they can still be tracked and used for troubleshooting issues.
2.5. IPv4 metadata
self.net_metadata is a metadata dictionary for obfuscated networks. It tracks the number of allocated hosts in each network so the obfuscated networks can be iterated cleanly. Keys in self.net_metadata are set when networks are defined at the beginning of a soscleaner run.
host_count: Used to assign the next obfuscated IP address by tracking how many addresses on each network have been allocated.
The length of self.net_metadata is also used to determine how many obfuscated networks are in use.
2.6. IPv4 limitations and assumptions
If your dataset or sosreport contains subnets larger than a /8, you will break the math for creating obfuscated networks.
Why: To calculate the next obfuscation subnet, I have no idea what the next subnet mask will be, and I don’t want to get into crazy CIDR calculations.
How: I take the default_net’s first octet, increment it by the current existing obfuscated network count, and create a subnet with the corresponding subnet mask.
2.6.1. Example obfuscated network topology
An obfuscated network map could end up similar to:
| 126.96.36.199/24 | obfuscated network 1 |
| 188.8.131.52/16 | obfuscated network 2 |
| 184.108.40.206/30 | obfuscated network 3 |
| 220.127.116.11/8 | obfuscated network 4 |
| 18.104.22.168/32 | obfuscated network 5 |
Essentially we’re using up a lot of IP addresses to keep the math simple. The default network starts 1 above the loopback, so we don’t have to account for that. We know there are corner cases here that could break the math. We have to hope common sense will prevail.
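The scheme described in sections 2.4 through 2.6, as an added example that is not soscleaner's own code. It uses the standard-library ipaddress module in place of ipaddr; the class name NetObfuscator, its method names, and the /8 mask for the default network are assumptions.

```python
import ipaddress  # stdlib stand-in for the ipaddr module the page mentions


class NetObfuscator:  # hypothetical class name, not soscleaner's own
    def __init__(self, first_octet=128, default_prefix=8):
        # first_octet=128 is "1 above the loopback"; the /8 default mask is assumed.
        self.first_octet = first_octet
        self.net_db = []        # list of (original network, obfuscated network)
        self.ip_db = {}         # original address -> obfuscated address
        self.net_metadata = {}  # obfuscated network -> {"host_count": n}
        self.default_net = self._new_net(default_prefix)

    def _new_net(self, prefixlen):
        # First octet = default first octet + number of obfuscated networks so far.
        octet = self.first_octet + len(self.net_metadata)
        if octet > 223:  # 224.0.0.0 and above is multicast/reserved space
            raise ValueError("out of first octets for obfuscated networks")
        net = ipaddress.IPv4Network(f"{octet}.0.0.0/{prefixlen}")
        self.net_metadata[net] = {"host_count": 0}
        return net

    def add_network(self, cidr):
        orig = ipaddress.IPv4Network(cidr, strict=False)
        if orig.prefixlen < 8:  # larger than a /8 spans several first octets
            raise ValueError(f"{orig} is larger than a /8")
        obf = self._new_net(orig.prefixlen)  # same mask as the original
        self.net_db.append((orig, obf))
        return obf

    def obfuscate(self, ip):
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.ip_db:
            # Most specific known parent network, else the default network.
            parents = [pair for pair in self.net_db if addr in pair[0]]
            obf_net = (max(parents, key=lambda p: p[0].prefixlen)[1]
                       if parents else self.default_net)
            meta = self.net_metadata[obf_net]
            size = obf_net.num_addresses
            # Skip network/broadcast addresses except in /31 and /32 networks.
            first, usable = (0, size) if size <= 2 else (1, size - 2)
            if meta["host_count"] >= usable:
                raise ValueError(f"{obf_net} has no free addresses left")
            self.ip_db[addr] = obf_net.network_address + first + meta["host_count"]
            meta["host_count"] += 1
        return str(self.ip_db[addr])


if __name__ == "__main__":
    ob = NetObfuscator()
    ob.add_network("10.0.0.0/24")  # constructed sample input
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.5", "8.8.8.8"):
        print(ip, "->", ob.obfuscate(ip))
```

Because the mapping is kept in ip_db, a repeated address always yields the same obfuscated value, which is what keeps cross-file correlation possible after cleaning.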
2.7. Network report
At the conclusion of a soscleaner run, the supplied network mappings are recorded in self.report_dir/<SESSION_ID>-ip.csv. If an SOSCleaner session fails to complete, this report isn’t created.
This report only includes IPv4 data. IPv6 is (likely) coming in an upcoming release. The work for IPv6 obfuscation will happen under GitHub 7.