Add a new flow risk `NDPI_ANONYMOUS_SUBSCRIBER` (#1462)

The main goal of a DPI engine is usually to determine "what", i.e. which
types of traffic flow on the network.
However the applications using DPI are often interested also in "who",
i.e. which "user/subscriber" generated that traffic.

The association between a flow and a subscriber is usually done via some
kind of DHCP/GTP/RADIUS/NAT mappings. In all these cases the key element
of the flow used to identify the user is the source ip address.

That usually happens for the vast majority of the traffic.

However, depending on the protocols involved and on the position on the net
where the traffic is captured, the source ip address might have been
changed/anonymized. In that case, that address is useless for any
flow-username association.

Example: iCloud Private Relay traffic captured between the exit relay and
the server.
See the picture at page 5 on:
https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

This commit adds new generic flow risk `NDPI_ANONYMOUS_SUBSCRIBER` hinting
that the ip addresses shouldn't be used to identify the user associated
with the flow.
As a first example of this new feature, the entire list of the relay ip
addresses used by Private Relay is added.

A key point to note is that list is NOT used for flow classification
(unlike all the other ip lists present in nDPI) but only for setting this
new flow risk.

TODO: IPv6

1 files changed, 5 insertions, 0 deletions

diff --git a/doc/flow_risks.rst b/doc/flow_risks.rst
index 4b363365b..e3b661150 100644
--- a/doc/flow_risks.rst
+++ b/doc/flow_risks.rst
@@ -272,4 +272,9 @@ NDPI_HTTP_CRAWLER_BOT
 ===================================
 The risk is set whenever a crawler/bot/robot has been detected
 
+.. _Risk 045:
 
+NDPI_ANONYMOUS_SUBSCRIBER
+===================================
+The risk is set whenever the (source) ip address has been anonymized and it can't be used to identify the subscriber.
+Example: the flow is generated by an iCloud-private-relay exit node.