Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for encrypting IP addresses #gdpr #6242

Closed
wants to merge 19 commits into from

Conversation

Projects
None yet
3 participants
@ahupowerdns
Copy link
Member

commented Feb 2, 2018

Short description

With this change, PowerDNS core gains ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This PR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonomyse logging.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master

ahupowerdns added some commits Feb 2, 2018

Add support for encrypting IP addresses #gdpr
With this change, PowerDNS core gains ability to encrypt & decrypt IP addresses as described in https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
For IPv4 this uses ipcrypt, for IPv6 it uses a 128-bit AES ECB operation.
This CR also hooks up ipencrypt() and ipdecrypt() methods for dnsdist use, specifically to pseudonomyse logging.
@pieterlexis

This comment has been minimized.

I'm pretty sure this has to be a relative symlink :)

This comment has been minimized.

Copy link
Owner Author

replied Feb 2, 2018

fixed, thanks.

@pieterlexis

This comment has been minimized.

Copy link

commented on pdns/ipcrypt.cc in e84e713 Feb 2, 2018

small comment: we have a ComboAddress::isIPv4() and a ComboAddress::isIPv6() function

This comment has been minimized.

Copy link
Owner Author

replied Feb 2, 2018

This is close enough to idiom, it will never, ever change.

@pieterlexis

This comment has been minimized.

Copy link

commented on pdns/Makefile.am in e84e713 Feb 2, 2018

we can also move this to the testrunner_SOURCES only in dnsdistdist/Makefile.am, where it makes more sense to test this

This comment has been minimized.

Copy link
Owner Author

replied Feb 2, 2018

no it doesn't, this is a PowerDNS feature, not a dnsdist feature. It'll crop up in lots of places. Let us think big!

ahupowerdns added some commits Feb 2, 2018

@rgacogne
Copy link
Member

left a comment

LGTM, just one nit regarding dnsdist's linkage.

@@ -152,14 +152,13 @@ if HAVE_RE2
dnsdist_LDADD += $(RE2_LIBS)
endif

if HAVE_DNS_OVER_TLS

This comment has been minimized.

Copy link
@rgacogne

rgacogne Feb 12, 2018

Member

This would cause dnsdist to be linked against libgnutls and $(LIBSSL_LIBS) when they are available, regardless of whether DNS over TLS support is enabled. If I'm not mistaken you only need to link against $(LIBCRYPTO_LIBS) for this to work?

This comment has been minimized.

Copy link
@ahupowerdns

ahupowerdns Feb 16, 2018

Author Member

yes, that is correct, but I did not find a way to make that happen correctly.

@@ -52,10 +52,11 @@ PDNS_CHECK_LUA_HPP
DNSDIST_ENABLE_DNS_OVER_TLS
DNSDIST_CHECK_GNUTLS
DNSDIST_CHECK_LIBSSL
PDNS_CHECK_LIBCRYPTO
AS_IF([test "x$enable_dns_over_tls" != "xno"], [
AS_IF([test "$HAVE_LIBSSL" = "1"], [
# we need libcrypto if libssl is enabled

This comment has been minimized.

Copy link
@rgacogne

rgacogne Feb 12, 2018

Member

This comment is now useless

@rgacogne rgacogne referenced this pull request Feb 13, 2019

Merged

Add support for encrypting IP addresses #gdpr #7481

6 of 7 tasks complete
@rgacogne

This comment has been minimized.

Copy link
Member

commented Apr 4, 2019

Superseded by #7481.

@rgacogne rgacogne closed this Apr 4, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.