Add a new flow risk NDPI_ANONYMOUS_SUBSCRIBER
#1462
Conversation
The main goal of a DPI engine is usually to determine "what", i.e. which types of traffic flow on the network. However the applications using DPI are often interested also in "who", i.e. which "user/subscriber" generated that traffic. The association between a flow and a subscriber is usually done via some kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element of the flow used to identify the user is the source ip address. That usually happens for the vast majority of the traffic. However, depending on the protocols involved and on the position on the net where the traffic is captured, the source ip address might have been changed/anonymized. In that case, that address is useless for any flow-username association. Example: iCloud Private Relay traffic captured between the exit relay and the server. See the picture at page 5 on: https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF This commit adds new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting that the ip addresses shouldn't be used to identify the user associated with the flow. As a first example of this new feature, the entire list of the relay ip addresses used by Private Relay is added. A key point to note is that list is NOT used for flow classification (unlike all the other ip lists present in nDPI) but only for setting this new flow risk. TODO: IPv6
Yeah, the idea is to incrementally extend this feature with other services. With PrivateRelay we are able to identify the flows before the "proxies" (via SNI) and the (different) flows after it (via this new ip list) I think that when nDPI classified a flow as |
IvanNardi
force-pushed
the
anonymous-user
branch
from
982120c
to
caacfda
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
IvanNardi
changed the title
NDPI_ANONYMOUS_USERNDPI_ANONYMOUS_SUBSCRIBER
It should be possible to use the publicly available list of TOR exit nodes and set the risk according to their address tuple. Or is that not how the feature is meant to be used? Anyway, it might be better to solve this in a follow-up, so this PR does not get bloated. |
You got that right; that is the general idea. I know that there are lists with (only) the exit nodes, but I don't know if there are lists only with the "ingress" nodes (to flow classification). |
|
I think the idea and the PR are great and I believe they can be merged. As you said probably some extra work will be necessary in order to complete it |
The main goal of a DPI engine is usually to determine "what", i.e. which
types of traffic flow on the network.
However the applications using DPI are often interested also in "who",
i.e. which "user/subscriber" generated that traffic.
The association between a flow and a subscriber is usually done via some
kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element
of the flow used to identify the user is the source ip address.
That usually happens for the vast majority of the traffic.
However, depending on the protocols involved and on the position on the net
where the traffic is captured, the source ip address might have been
changed/anonymized. In that case, that address is useless for any
flow-username association.
Example: iCloud Private Relay traffic captured between the exit relay and
the server.
See the picture at page 5 on:
https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF
This commit adds new generic flow risk
NDPI_ANONYMOUS_SUBSCRIBERhintingthat the ip addresses shouldn't be used to identify the user associated
with the flow.
As a first example of this new feature, the entire list of the relay ip
addresses used by Private Relay is added.
A key point to note is that list is NOT used for flow classification
(unlike all the other ip lists present in nDPI) but only for setting this
new flow risk.
TODO: IPv6