
Improve `strip-private` to make stripped configs reproducible
Open, Low, Public, FEATURE REQUEST

Description

The `strip-private` filter removes all private data by replacing it, partially or completely, with predefined masks (xxx). In many cases this makes the stripped configuration unusable for reproducing an issue. For example:

  • different routes whose last octets are the same become indistinguishable;
  • all site-to-site VPN peers look like the same peer;
  • parts of the configuration that are logically linked in the original config can no longer be connected to each other.

Because of this, it would be better not to simply crop private data, but to replace it with randomly generated values, such that the same original value is replaced by the same generated value across the whole configuration, keeping the configuration fully valid for VyOS.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

This might confuse the users as now there is sensitive information again, but a different one.

I think this might be better suited in a `show tech-support` command which generates your requested type of configuration.

Food for thought:

  • Replace IP addresses with:
    • TEST-NET-1 / TEST-NET-2 / TEST-NET-3 for /24 or smaller
    • 198.18.0.0/15 for anything up to a /15
    • Anything larger probably doesn't need to be censored (I can't see a large subnet being a huge privacy issue for anyone but a company with massive public IP ranges, and at that point, whois probably provides the same information anyway).
  • Replace descriptions with something like REDACTED and stop processing them after (descriptions currently can get messed up by the strip-private script)
  • Replace MAC addresses with generated MACs with the U/L bit set to local: https://en.wikipedia.org/wiki/MAC_address#Universal_vs._local_(U/L_bit)
  • Replace Wireguard public / private keys with newly generated ones
  • Replace VRRP passwords
  • Replace HTTPS API keys
  • Replace RADIUS keys
  • Replace SNMP community strings
  • Replace user password(s) with vyos
  • Replace commit-archive passwords
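A sketch of the consistent replacement the description asks for, using the address pools suggested in the comment above. This is an added example, not the `strip-private` script or any other VyOS code; it assumes `show configuration commands` output as input, covers only IPv4 addresses, MAC addresses and descriptions, and maps each address one-to-one while leaving its prefix length untouched.

```python
import ipaddress
import re
import secrets

# Replacement pools in the suggested order: RFC 5737 TEST-NET-1/2/3, then RFC 2544 198.18.0.0/15.
POOLS = [ipaddress.ip_network(n) for n in
         ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(/\d{1,2})?\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")
DESC_RE = re.compile(r"(\bdescription\s+)(?:'[^']*'|\"[^\"]*\"|\S+)")

# Constructed sample in 'show configuration commands' format; not taken from a real router.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address '10.1.2.10/24'
set interfaces ethernet eth0 hw-id '00:11:22:33:44:55'
set interfaces ethernet eth0 description 'uplink via 10.1.2.1'
set protocols static route 0.0.0.0/0 next-hop '10.1.2.1'
set vpn ipsec site-to-site peer 10.1.2.1 local-address '10.1.2.10'
"""

class Pseudonymizer:
    def __init__(self):
        self._free_hosts = (str(h) for pool in POOLS for h in pool.hosts())
        self.ip_map = {}   # original IPv4 -> replacement, stable for the whole run
        self.mac_map = {}  # original MAC (lower-case) -> replacement
    def ip(self, addr):
        try:
            a = ipaddress.ip_address(addr)
        except ValueError:        # not a dotted quad, e.g. a version string
            return addr
        # 0.0.0.0, 127.x and addresses already inside a pool carry no private information.
        if a.is_unspecified or a.is_loopback or any(a in p for p in POOLS):
            return addr
        if addr not in self.ip_map:
            self.ip_map[addr] = next(self._free_hosts)
        return self.ip_map[addr]
    def mac(self, mac):
        key = mac.lower()
        if key not in self.mac_map:
            b = bytearray(secrets.token_bytes(6))
            b[0] = (b[0] | 0x02) & 0xFE   # set U/L bit (locally administered), clear I/G bit (unicast)
            self.mac_map[key] = ":".join(f"{x:02x}" for x in b)
        return self.mac_map[key]
    def sanitize(self, text):
        # Descriptions are redacted first, so free-form text never feeds the address mappings.
        text = DESC_RE.sub(r"\1'REDACTED'", text)
        text = MAC_RE.sub(lambda m: self.mac(m.group(1)), text)
        # Prefix length is kept as-is; the address itself is mapped one-to-one (IPv6 not handled).
        return IPV4_RE.sub(lambda m: self.ip(m.group(1)) + (m.group(2) or ""), text)
```

Running `Pseudonymizer().sanitize(SAMPLE_CONFIG)` keeps the peer address and the next-hop equal to each other, as they are in the original, which the current masking loses.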