
strip-private command improvement for additional masking of IPv6 and MAC address
Closed, Resolved (Public)

Description

I think we need to improve the masking of some private data. If we set set system login user vyos full-name 'First Second Third ...', then strip-private returns only the first word masked:

set system login user xxxxxx full-name xxxxxx Second Third ...'

And the same story with IPv6 addresses, which are unmasked:

set interfaces tunnel tun0 address '2001:DB8::1/32'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:DB8:100::1'

I propose we check our configs with the show configuration commands | strip-private command and add any additional unmasked private data to this task.
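The two gaps described above (a quoted multi-word value masked only up to its first word, and IPv6 addresses passing through untouched), shown as an added Python example; it is not code from vyos-strip-config.pl or the linked PR. The mask strings, the regexes, the function names and the hw-id sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the commands quoted in this task plus a made-up MAC line.
SAMPLE = """\
set system login user vyos full-name 'First Second Third'
set interfaces tunnel tun0 address '2001:DB8::1/32'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:DB8:100::1'
set interfaces ethernet eth1 hw-id '00:50:56:aa:bb:cc'
"""

HEX = "[0-9A-Fa-f]"
MAC_RE = re.compile(rf"(?<![0-9A-Fa-f:])(?:{HEX}{{2}}:){{5}}{HEX}{{2}}(?![0-9A-Fa-f:])")
# Loose candidate match; the ipaddress module decides whether it really is IPv6.
V6_CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:]*:[0-9A-Fa-f:]+(?:/\d{1,3})?")
# The value is either one whole quoted string or a single bare word.
FULL_NAME_RE = re.compile(r"\b(full-name)\s+('[^']*'|\"[^\"]*\"|\S+)")

def naive_mask(line):
    """Reproduces the reported symptom: only the first word of the value is replaced."""
    return re.sub(r"\b(full-name)\s+\S+", r"\1 xxxxxx", line)

def mask_v6(match):
    """Mask a candidate only if it parses as IPv6; keep the prefix length."""
    text = match.group(0)
    try:
        ipaddress.IPv6Interface(text)
    except ValueError:
        return text  # e.g. a time such as 10:33 is left alone
    _, slash, plen = text.partition("/")
    return "xxxx:xxxx:xxxx:xxxx" + slash + plen

def strip_private(config):
    """Quote-aware masking of full-name, then MAC addresses, then IPv6 addresses."""
    out = []
    for line in config.splitlines():
        line = FULL_NAME_RE.sub(r"\1 xxxxxx", line)
        line = MAC_RE.sub("xx:xx:xx:xx:xx:xx", line)
        out.append(V6_CANDIDATE_RE.sub(mask_v6, line))
    return "\n".join(out)

def find_unmasked(text):
    """Audit helper: MAC and IPv6 addresses still readable in the text."""
    hits = MAC_RE.findall(text)
    hits += [m.group(0) for m in V6_CANDIDATE_RE.finditer(text) if mask_v6(m) != m.group(0)]
    return hits

if __name__ == "__main__":
    print(strip_private(SAMPLE))
    print(find_unmasked(SAMPLE))
```

Running find_unmasked over the output of any masking pass is a quick regression check before a configuration is pasted into a public task or forum post.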

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

Dmitry created this task. Aug 8 2019, 10:33 AM
Dmitry created this object in space S1 VyOS Public.

@Dmitry Do you know ABOUT BGP Communities filtering?

c-po added a subscriber: c-po. Aug 8 2019, 11:19 AM

@Dmitry stripping is done here: https://github.com/vyos/vyatta-op/blob/current/scripts/vyos-strip-config.pl

Maybe we should use IPv4/IPv6 documentation prefixes instead of just masking them?

@c-po yes, I saw this script. Using documentation prefixes is not a bad idea, but the XXXXX view looks prettier, I think.

@noitcennok, can you provide an example?

@Dmitry I want to secure my /24 from layer 7 attacks. I already contacted my upstream; he said:

Upstream said: you will have to add bgp community 940 to your advertisement in order for filtering to work properly.

I already have a post at https://forum.vyos.io/t/bgp-communities-filtering/3969. Can you please reply there? I will be thankful to you.

c-po added a comment. Edited, Aug 8 2019, 11:36 AM

@noitcennok stop polluting non relevant threads and stick to your original forum post.

If it is an urgent matter you can buy support from https://vyos.io

Dmitry added a comment. Edited, Aug 8 2019, 8:57 PM

Created PR https://github.com/vyos/vyatta-op/pull/23/commits/20822ca355fcec4a364375edf6330e6b2357a570
Needs checking. If you have any additional info about unmasked config data, please write here.

Dmitry added a comment. Aug 9 2019, 7:06 AM

Would we mask the SNMP community and email addresses in the config for privacy?

set service snmp community no-public
set service snmp contact 'mail@example.com'

pasik added a subscriber: pasik. Aug 9 2019, 10:28 AM

c-po added a comment. Fri, Dec 6, 7:38 PM

backported 20822ca3 to crux

c-po assigned this task to Dmitry. Fri, Dec 6, 7:39 PM
c-po set Is it a breaking change? to Perfectly compatible.
c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.4) board.

SNMP community should stay. If it should be removed, it can be handled via a dedicated task.

c-po renamed this task from strip-private command improvement for additional masking to strip-private command improvement for additional masking of IPv6 and MAC address. Fri, Dec 6, 7:40 PM
c-po closed this task as Resolved.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.