[Coral-dev] Are hardware addresses anonymized?

David Moore coral-bugs at caida.org
Tue May 16 10:18:35 PDT 2006


David Rosal <david.rosal at upf.edu> writes:

> When using anonymization with CryptoPan, IPv4 addresses are 
> prefix-preserving anonymized. But what about hardware IDs like 
> the Ethernet addresses? Are they left untouched?

Ethernet addresses aren't currently anonymized.  Typically we capture on
links between routers so you only see 2 mac addresses or if on a span
port, don't care about anonymization.

I don't think doing cryptopan prefix-preserving anonymization is
necessary for hw addresses, although doing some sort of keyed
anonymization could be useful, although we're very busy at the moment,
so not likely to see it in the near future.

Depending on your needs, you may be able to just discard all layer2
information from the trace.  This can be done via the `-r' option to
crl_to_pcap or initializing the iface with coral_iface_to_pcapp_raw
from the libcoral API.

You would also want to discard arp and rarp packets, since they'll leak
ethernet addresses at a higher layer.  Easiest way to do this is:
-Cfilter='!arp and !rarp'  on any coral application.

If you want the layer2 headers (say for vlan info?) but just don't want
to expose the mac addresses, you could also just zero those out in
your application.  But you still need to discard arp/rarp.

-- david
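
Added example, not part of the original message and not libcoral code: one way to do the "zero out the MAC addresses but still discard arp/rarp" step on a raw Ethernet frame while keeping VLAN tags. The helper name `scrub_ether_frame`, the sample frames, and the choice to drop truncated frames are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_ARP  0x0806
#define ETHERTYPE_RARP 0x8035
#define ETHERTYPE_VLAN 0x8100 /* 802.1Q tag */
#define ETHERTYPE_QINQ 0x88a8 /* 802.1ad outer tag */

/* Constructed sample frames (locally administered MACs), cut short after the header. */
static uint8_t sample_ipv4[] = { 2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0x00 };
static uint8_t sample_arp[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,2,
                                0x08,0x06, 0x00,0x01 };
static uint8_t sample_vlan_ipv4[] = { 2,0,0,0,0,1, 2,0,0,0,0,2,
                                      0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };
static uint8_t sample_vlan_arp[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 2,0,0,0,0,2,
                                     0x81,0x00, 0x00,0x64, 0x08,0x06, 0x00,0x01 };

/* Hypothetical helper: returns 1 if the frame may be written out (MACs zeroed
 * in place), 0 if it must be discarded (ARP/RARP, or too short to classify). */
static int scrub_ether_frame(uint8_t *frame, size_t caplen)
{
    size_t off = 12;                 /* EtherType follows dst(6) + src(6) */
    uint16_t type;

    if (caplen < 14)
        return 0;                    /* assumption: fail closed on truncation */
    for (;;) {
        type = (uint16_t)(frame[off] << 8 | frame[off + 1]);
        if (type != ETHERTYPE_VLAN && type != ETHERTYPE_QINQ)
            break;
        if (caplen < off + 4 + 2)    /* tag (4 bytes) plus the next EtherType */
            return 0;
        off += 4;                    /* skip the tag; ARP can hide behind it */
    }
    if (type == ETHERTYPE_ARP || type == ETHERTYPE_RARP)
        return 0;                    /* payload carries hardware addresses */
    memset(frame, 0, 12);            /* zero dst and src MAC, keep VLAN tags */
    return 1;
}

int main(void)
{
    printf("ipv4      keep=%d\n", scrub_ether_frame(sample_ipv4, sizeof sample_ipv4));
    printf("arp       keep=%d\n", scrub_ether_frame(sample_arp, sizeof sample_arp));
    printf("vlan+ipv4 keep=%d\n", scrub_ether_frame(sample_vlan_ipv4, sizeof sample_vlan_ipv4));
    printf("vlan+arp  keep=%d\n", scrub_ether_frame(sample_vlan_arp, sizeof sample_vlan_arp));
    return 0;
}
```

Checking the EtherType behind any VLAN tags matters when classifying frames by hand like this, because a check at the fixed offset 12 sees only the tag and passes tagged ARP through.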


