feat(stdlib): add IP encryption and decryption functions #1506
Merged
Introduce `encrypt_ip` and `decrypt_ip` functions to the standard library for cryptographic protection of IP addresses.

Unlike the generic `encrypt` and `decrypt` utilities, these functions transform an IP address into another valid IP address, enabling seamless integration in networking contexts.

Two modes are currently supported:

- `aes128`: scrambles the entire address. An IPv4 address may become an IPv6 address, and vice versa.
- `pfx`: prefix-preserving mode. Encrypted addresses that share a common prefix will retain that relationship, which supports statistical analysis while still providing confidentiality.

These implementations follow the `ipcrypt-deterministic` and `ipcrypt-pfx` methods described in the IPCrypt specification.
pront approved these changes, Sep 12, 2025
Thanks!
alterstep added a commit to alterstep/vector that referenced this pull request, Sep 12, 2025

Add documentation for the new `encrypt_ip` and `decrypt_ip` VRL functions that implement format-preserving encryption for IP addresses. These functions support two modes:

- AES128: Scrambles entire IP address using AES-128 encryption
- PFX: Prefix-preserving mode that maintains network hierarchy

The functions implement the `ipcrypt-deterministic` and `ipcrypt-pfx` algorithms from the IPCrypt specification.

Related PR: vectordotdev/vrl#1506
auto-merge was automatically disabled, September 12, 2025 20:46: Head branch was pushed to by a user without write access
Sibling documentation PR in Vector - Done.
alterstep added a commit to alterstep/vector that referenced this pull request, Sep 16, 2025
github-merge-queue bot pushed a commit to vectordotdev/vector that referenced this pull request, Sep 17, 2025

* docs(vrl): add documentation for IPCrypt functions

  Add documentation for the new `encrypt_ip` and `decrypt_ip` VRL functions that implement format-preserving encryption for IP addresses. These functions support two modes:

  - AES128: Scrambles entire IP address using AES-128 encryption
  - PFX: Prefix-preserving mode that maintains network hierarchy

  The functions implement the `ipcrypt-deterministic` and `ipcrypt-pfx` algorithms from the IPCrypt specification.

  Related PR: vectordotdev/vrl#1506
* Add newlines
* update licenses
* update vrl del and rebuild licenses

---------

Co-authored-by: Pavlos Rontidis <[email protected]>
Introduce `encrypt_ip` and `decrypt_ip` functions to the standard library for cryptographic protection of IP addresses.

Unlike the generic `encrypt` and `decrypt` utilities, these functions transform an IP address into another valid IP address, enabling seamless integration in networking contexts.

Two modes are currently supported:

- `aes128`: scrambles the entire address. (note: an IPv4 address may become an IPv6 address, and vice versa.)
- `pfx`: prefix-preserving mode. Encrypted addresses that share a common prefix will retain that relationship, which supports statistical analysis while still providing confidentiality.

These implementations follow the `ipcrypt-deterministic` and `ipcrypt-pfx` methods described in the IPCrypt specification: https://www.ietf.org/archive/id/draft-denis-ipcrypt-11.html

Summary
Change Type
Is this a breaking change?
How did you test this PR?
I deployed this in production. The PR also includes tests for that feature.
The code compiles to WebAssembly.
Does this PR include user facing changes?
our guidelines.
Checklist
run `dd-rust-license-tool write` and commit the changes. More details here.
References
I’ll open a sibling PR in the vector repository to add documentation, but I’d like to know first whether the addition of these functions would be accepted.
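
The prefix-preserving property described for the `pfx` mode, as an added Python example that is not part of this PR or the VRL code base. It uses a Crypto-PAn-style bit-by-bit construction with HMAC-SHA256 as a stand-in PRF, not the `ipcrypt-pfx` algorithm itself; the function names and the key are made up for illustration. It shows that two encrypted addresses share exactly as many leading bits as their plaintexts, which is what keeps subnet-level analysis possible and also what the mode reveals to anyone holding the encrypted data.

```python
import hashlib
import hmac
import ipaddress

DEMO_KEY = b"constructed demo key, not a real secret"  # constructed sample key


def _pad_bit(key: bytes, width: int, plain_prefix: str) -> int:
    # Stand-in PRF (HMAC-SHA256), NOT the AES-based one ipcrypt-pfx specifies.
    msg = f"{width}:{plain_prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def _transform(key: bytes, ip: str, decrypt: bool) -> str:
    addr = ipaddress.ip_address(ip)
    width = addr.max_prefixlen  # 32 for IPv4, 128 for IPv6
    plain_prefix, out = "", []
    for bit in format(int(addr), f"0{width}b"):
        # The pad for bit i depends only on plaintext bits 0..i-1, so equal
        # plaintext prefixes always produce equal ciphertext prefixes.
        out_bit = str(int(bit) ^ _pad_bit(key, width, plain_prefix))
        out.append(out_bit)
        plain_prefix += out_bit if decrypt else bit
    return str(type(addr)(int("".join(out), 2)))  # keep the address family


def encrypt_pfx(key: bytes, ip: str) -> str:
    return _transform(key, ip, decrypt=False)


def decrypt_pfx(key: bytes, ip: str) -> str:
    return _transform(key, ip, decrypt=True)


def common_prefix_len(a: str, b: str) -> int:
    # Number of leading bits two addresses of the same family share.
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return x.max_prefixlen - (int(x) ^ int(y)).bit_length()


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    for a, b in [("192.0.2.10", "192.0.2.77"), ("192.0.2.10", "198.51.100.7")]:
        ea, eb = encrypt_pfx(DEMO_KEY, a), encrypt_pfx(DEMO_KEY, b)
        print(a, b, "->", ea, eb,
              "shared bits:", common_prefix_len(a, b), common_prefix_len(ea, eb))
```
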