
strip-private command improvement for additional masking of IPv6 and MAC address
Closed, Resolved (Public)

Description

I think we need to improve the masking of some private data. If we set

set system login user vyos full-name 'First Second Third ...'

then strip-private returns with only the first word masked:

set system login user xxxxxx full-name xxxxxx Second Third ...'

And it is the same story with IPv6 addresses, which are unmasked:

set interfaces tunnel tun0 address '2001:DB8::1/32'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:DB8:100::1'

I propose we check our configs with the show configuration commands | strip-private command and add any additional unmasked private data to this task.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
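
The masking asked for in the description, as an added Python example; it is not the code of vyos-strip-config.pl or of the pull request. The node list PRIVATE_NODES, the mask strings, the function names and the hw-id sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: nodes whose following value is private as a whole.
PRIVATE_NODES = {"user", "full-name"}
# A token is one single-quoted string (spaces allowed) or one bare word,
# so a multi-word full-name is handled as a single value.
TOKEN = re.compile(r"'[^']*'|\S+")
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def mask_address(value):
    """Return a masked IPv6 or MAC address, or None if value is neither."""
    if MAC.fullmatch(value):
        return "xx:xx:xx:xx:xx:xx"
    addr, slash, plen = value.partition("/")
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return None
    # Keep the prefix length: it shows topology, not identity.
    return "xxxx:xxxx:xxxx::xxxx" + slash + plen


def strip_private_line(line):
    """Mask private values in one 'set ...' configuration command."""
    out = []
    mask_next = False
    for token in TOKEN.findall(line):
        quoted = len(token) >= 2 and token[0] == token[-1] == "'"
        value = token[1:-1] if quoted else token
        if mask_next:
            value = "xxxxxx"  # replaces the whole value, not its first word
        else:
            value = mask_address(value) or value
        # A masked value is never a node name, so this only arms on real nodes.
        mask_next = not quoted and value in PRIVATE_NODES
        out.append("'" + value + "'" if quoted else value)
    return " ".join(out)


if __name__ == "__main__":
    # First three lines are from the task; the hw-id line is constructed.
    for cmd in (
        "set system login user vyos full-name 'First Second Third ...'",
        "set interfaces tunnel tun0 address '2001:DB8::1/32'",
        "set interfaces ethernet eth1 ipv6 router-advert name-server '2001:DB8:100::1'",
        "set interfaces ethernet eth1 hw-id '00:53:00:aa:bb:cc'",
    ):
        print(strip_private_line(cmd))
```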

Event Timeline

Unknown Object (User) created this task. Aug 8 2019, 10:33 AM
Unknown Object (User) created this object in space S1 VyOS Public.

@Dmitry Do you know ABOUT BGP Communities filtering?

@Dmitry stripping is done here: https://github.com/vyos/vyatta-op/blob/current/scripts/vyos-strip-config.pl

Maybe we should use IPv4/IPv6 documentation prefixes instead of just masking them?

Unknown Object (User) added a comment. Aug 8 2019, 11:24 AM

@c-po yes, I saw this script. Documentation prefixes are not a bad idea, but the XXXXX view is prettier, I think.

@noitcennok , can you provide some example?

@Dmitry I want to secure my /24 from layer 7 attacks. I already contacted my upstream; he said:

Upstream said: you will have to add bgp community 940 to your advertisement in order for filtering to work properly.

I already have a post at https://forum.vyos.io/t/bgp-communities-filtering/3969; can you please reply there? I will be thankful to you.

@noitcennok stop polluting non relevant threads and stick to your original forum post.

If it is an urgent matter you can buy support from https://vyos.io

Unknown Object (User) added a comment. Edited Aug 8 2019, 8:57 PM

Created PR https://github.com/vyos/vyatta-op/pull/23/commits/20822ca355fcec4a364375edf6330e6b2357a570
Needs checking. If you have any additional info about unmasked config data, please write here.

Unknown Object (User) added a comment. Aug 9 2019, 7:06 AM

Would we mask the SNMP community and email addresses in the config for privacy?

set service snmp community no-public
set service snmp contact '[email protected]'

backported 20822ca3 to crux

c-po assigned this task to Unknown Object (User). Dec 6 2019, 7:39 PM
c-po set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.4) board.

SNMP community should stay. If it should be removed, it can be handled via a dedicated task.

c-po renamed this task from strip-private command improvement for additional masking to strip-private command improvement for additional masking of IPv6 and MAC address. Dec 6 2019, 7:40 PM
c-po closed this task as Resolved.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.