Man Linux: Main Page and Category List


       ranonymize.conf - ranonymize(1) configuration file.


       Copyright (c) 2000-2002 QoSient. All rights reserved.




       This  configuration  file  provides  the ability to specify options for
       argus data anoymization.


       The  anonymization  clients  have  a  small  number  of   options   for
       controlling  specific  aspects  of  the  anonymization function and its

Timestamps, Reference and Sequence Numbers

       Ranonymize anonymizes various fields in  Argus  records,  such  as  the
       network   addresses,   protocol   specific  port  numbers,  timestamps,
       transaction reference numbers, and the sequence numbers.

       For some fields, specifically  the  timestamps,  transaction  reference
       numbers  and  the  sequence  numbers, which are generally monotonically
       increasing counters, a good anonymization technique  is  to  shift  the
       values  by  a  constant,  so  that the sequential relationships between
       values is preserved.

       The configuration provides some flexibility here, so that the user  can
       control fixed offset shifting anonymization.  The constant value can be
       generated by the anonymization client at "random", which is the default
       behavior,  or  the  user  can provide a "fixed:x", where x is the fixed
       offset.  Of course, the keyword "none" can be  used  to  turn  off  the
       default anonymization for these values.


Ethernet Address Vendor Codes

       When  anonymizing  ethernet  addresses,  ranonymize  has  the option to
       preserve the  vendor  portion,  if  desired.   This  allows  analytical
       programs to differentiate anonymized data by vendor type.  This feature
       is turned off by default.


Broadcast Addresses

       Ranonymize has the option to preserve the semantic that an address is a
       broadcast address.  This is very important when doing flow analysis for
       either operational or performance  managment  tasks,  using  anonymized


IPv4 Address Anonymization

       IPv4 address are composed of two parts, a network part and a host part.
       Because the addressing strategy of a site may have integrated semantics
       that  would  want  to  be  retained  in  the anonymized addresses, IPv4
       address anonymization  involves  specifying  a  one-to-one  translation
       table  for both the network and host address spaces in an IPv4 address.
       Once a new network address has been allocated, every occurence of  that
       network  address  will be substituted in the anonymizers output stream.
       The host address space is anonymized  in  an  independent  but  similar

       Ranonymize  allows you to specify the type of anonymization method used
       in a number of categories. For network  and  host  address  conversion,
       ranonymize  can  support  "sequential", "random" or "no" anonymization.
       Sequential  anonymization  involves  allocating  new  addresses  in   a
       monotonically  increasing  fashion  on  a first come first serve basis.
       Random anonymization allocates random addresses from the  working  pool
       of  addresses,  and  "no"  anonymization  preserves  the  address type,
       whether its network, host or both.

       The default working  pool  of  network  addresses  contains  only  non-
       routable addresses, and starts with  All anonymized addresses
       are treated as Class C network addresses,  in  order  to  conserve  the
       anonymization allocation demands.

       As  an  example,  if  the  first  Argus  record contained the addresses and as the source and  destination,  sequential
       anonymization would generate the addresses and as the
       new source  and  destination  addresses.   This  is  because,  the  two
       addresses  have  differing network parts, 128.64.2 and 132.243.2, these
       would  be  allocated  10.0.0  and   10.0.1   respectively   (sequential
       allocation).   Because  these  are the first hosts to be allocated, the
       host parts are both 1.

       Random anonymization could  generate  and  as
       possible  addresses,  as  both  the  Class  C  network address would be
       allocated randomly from the 10 network space, and the host address part
       would be allocated randomly from the possible host addresses.

       Sequential  randomization uses the least amount of memory and minimizes
       anonymization processing time, while  random  provides  better  address

       Implemenation note: currently only supporting sequential


Address Hierarchy

       Ranonymize  has the option to preserve the network address hierarchy at
       various levels  of  granularity.   This  allows  you  to  preserve  the
       addressing  relationships  between  addresses.  The options are "cidr",
       "class", "subnet" and "no".

       Class network adddress heirarchy preservation, causes  ranonymize()  to
       allocate  new  network addresses base on the address class.  All CLASSA
       network addresses will be allocated new  addresses  from  the  Class  A
       network  pool.   Network  addresses  will  be  allocated as 24 bit CIDR
       addresses, in that the first 24 bits will map to a  unique  24  network
       address, and host addresses will be allocated from the 254 address pool
       (0 and 255 can be preserved, see below).


Specific Network Address Aliasing

       Ranonymize can  be  configured  to  perform  specific  network  address
       translation.   These  must  be  specified  as  24  bit  CIDR addresses.
       RANON_PRESERVE_NET_ADDRESS_HIERARCHY must be set to  "cidr",  for  this
       feature to work.

       Examples would be:


Specific Host Address Aliasing

       Ranonymize   can   be  configured  to  perform  specific  host  address
       translation.  These addresses are allocated prior to reading any  data,
       and  are removed from the potential network address pool, regardless of
       the anonymization strategy.  Feel free to list as many  addresses  that
       you would like.

       Examples would be:


Transport SAP Aliasing

       Ranonymize  can  be  configured  to  preserve  specific  ranges of port
       numbers.  For convenience, ranonymize() can be configured  to  preserve
       the  IANA  well  known  port  allocation range (0-1023), the registered
       ports (1024-49151) and/or the  private  port  range  (49152  -  65535).
       Also, ranonymize() can be configured to preserve specific port numbers.
       These numbers are independent of protocol type, so if port 23461 is  to
       be preserved, it will be preserved for both tcp and udp based flows.




                               14 November 2001             RANONYMIZE.CONF(5)