
strip-private command improvement for additional masking
Open, Requires assessment, Public

Description

I think we need to improve the masking of some private data. If we set

set system login user vyos full-name 'First Second Third ...'

then strip-private returns it with only the first word masked:

set system login user xxxxxx full-name xxxxxx Second Third ...'

And the same story with IPv6 addresses, which are unmasked:

set interfaces tunnel tun0 address '2001:DB8::1/32'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:DB8:100::1'

I propose we check our configs with the show configuration commands | strip-private command and add any additional unmasked private data to this task.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

Dmitry created this task. Aug 8 2019, 10:33 AM
Dmitry created this object in space S1 VyOS Public.

@Dmitry Do you know ABOUT BGP Communities filtering?

c-po added a subscriber: c-po. Aug 8 2019, 11:19 AM

@Dmitry stripping is done here: https://github.com/vyos/vyatta-op/blob/current/scripts/vyos-strip-config.pl

Maybe we should use IPv4/IPv6 documentation prefixes instead of just masking them?

@c-po yes, I saw this script. Documentation prefixes are not a bad idea, but the XXXXX view looks prettier, I think.

@noitcennok , can you provide some example?

@Dmitry I want to secure my /24 from layer 7 attacks. I already contacted my upstream; he said:

Upstream said: you will have to add bgp community 940 to your advertisement in order for filtering to work properly.

I already have a post at https://forum.vyos.io/t/bgp-communities-filtering/3969; can you please reply there? I will be thankful to you.

c-po added a comment. Edited Aug 8 2019, 11:36 AM

@noitcennok stop polluting non-relevant threads and stick to your original forum post.

If it is an urgent matter you can buy support from https://vyos.io

Dmitry added a comment. Edited Aug 8 2019, 8:57 PM

Created PR https://github.com/vyos/vyatta-op/pull/23/commits/20822ca355fcec4a364375edf6330e6b2357a570
Needs checking. If you have any additional info about unmasked config data, please write here.

Dmitry added a comment. Aug 9 2019, 7:06 AM

Would we mask the SNMP community and email addresses in the config for privacy?

set service snmp community no-public
set service snmp contact 'mail@example.com'
pasik added a subscriber: pasik. Aug 9 2019, 10:28 AM
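
An added illustration of the masking gaps reported in this task (Python, not the project's vyos-strip-config.pl and not code from anyone in this thread): a filter that masks the whole quoted value after a private key, however many words it holds, and any valid IPv6 address while keeping its prefix length. The key list, mask strings and function names are assumptions taken from the examples in the description and the last comment.

```python
import ipaddress
import re

# Assumed list: keys whose following value is private as a whole.
PRIVATE_VALUE_KEYS = {"user", "full-name", "community", "contact"}
MASK = "xxxxxx"
IPV6_MASK = "xxxx:xxxx:xxxx:xxxx::xxxx"

# A token is either a complete single-quoted string or a run of non-spaces.
TOKEN = re.compile(r"'[^']*'|\S+")
# Cheap pre-filter only; ipaddress decides whether it really is IPv6.
IPV6_CANDIDATE = re.compile(r"^([0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)(/\d{1,3})?$")


def mask_ipv6(value):
    """Mask a valid IPv6 address, keeping an optional /prefix length."""
    m = IPV6_CANDIDATE.match(value)
    if not m:
        return value
    try:
        ipaddress.IPv6Address(m.group(1))
    except ValueError:
        return value  # colon-separated but not IPv6, e.g. a MAC address
    return IPV6_MASK + (m.group(2) or "")


def strip_private(line):
    """Return one 'set ...' command line with private values masked."""
    out, prev = [], ""
    for tok in TOKEN.findall(line):
        quoted = len(tok) >= 2 and tok[0] == tok[-1] == "'"
        value = tok[1:-1] if quoted else tok
        if prev in PRIVATE_VALUE_KEYS:
            value = MASK  # the entire value, not just its first word
        else:
            value = mask_ipv6(value)
        out.append(f"'{value}'" if quoted else value)
        prev = tok
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample input, copied from the command lines in this task.
    for cmd in (
        "set system login user vyos full-name 'First Second Third ...'",
        "set interfaces tunnel tun0 address '2001:DB8::1/32'",
        "set service snmp contact 'mail@example.com'",
    ):
        print(strip_private(cmd))
```

Matching on the previous token alone is a simplification: a key such as community also appears in other configuration paths, so a production filter would match on the full path.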