IETF Logo Mail Archive

Re: [v6ops] Google Alert - IPv6

Dave O'Reilly <rfc@daveor.com> Thu, 26 October 2017 20:15 UTC

Return-Path: <rfc@daveor.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 719C713871A for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 13:15:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=daveor.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7SIQ8-6_uzT for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 13:15:36 -0700 (PDT)
Received: from vps.ftrsolutions.com (vps.ftrsolutions.com [5.77.39.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B052C1386A1 for <v6ops@ietf.org>; Thu, 26 Oct 2017 13:15:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=daveor.com; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=t2xaXvlRfB6N6dfb1Gj4BSjL8n0wmaRe9B3lUm0wrFQ=; b=D+8TGEAViBMb1temyO7hm5+gxZ GN/FsWB2cTVAwnI2EuwjNT4nLxOpUfNBfByMD4kE1W6WIA9V4D3yI+5dJhueNJXaWSSghMD/MK9EF gkMJXNqyXYY3NCxVUWOZGp4ZW9lnVqOneSj+mdHaIUtPwfP91mvETbOllErFK7GbpPSw=;
Received: from 86-44-56-31-dynamic.agg7.bsn.cld-dbn.eircom.net ([86.44.56.31]:56097 helo=[192.168.1.25]) by vps.ftrsolutions.com with esmtpsa (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from <rfc@daveor.com>) id 1e7oYr-0001T8-3G; Thu, 26 Oct 2017 21:15:29 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Dave O'Reilly <rfc@daveor.com>
In-Reply-To: <CAHw9_iLWAMexrfXwsdB8duGa5ueJMofqVRqNck6DeOzA=KChqA@mail.gmail.com>
Date: Thu, 26 Oct 2017 21:15:28 +0100
Cc: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Mikael Abrahamsson <swmike@swm.pp.se>, Tore Anderson <tore@fud.no>, "v6ops@ietf.org" <v6ops@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C4E37677-A2FB-49F8-B362-C29B28DFD570@daveor.com>
References: <f403045ef57ac52962055bd88b84@google.com> <20395E98-DA55-447F-BEFE-CB581A88BB78@gmail.com> <alpine.DEB.2.20.1710190655260.31961@uplift.swm.pp.se> <20171019083506.6627a166@echo.ms.redpill-linpro.com> <alpine.DEB.2.20.1710190856530.31961@uplift.swm.pp.se> <787AE7BB302AE849A7480A190F8B93300A056EB5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHw9_iLWAMexrfXwsdB8duGa5ueJMofqVRqNck6DeOzA=KChqA@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3124)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - vps.ftrsolutions.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - daveor.com
X-Get-Message-Sender-Via: vps.ftrsolutions.com: authenticated_id: dave@daveor.com
X-Authenticated-Sender: vps.ftrsolutions.com: dave@daveor.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/L3fNg2WuTDB_yyL1FwxC2CKIGmA>
Subject: Re: [v6ops] Google Alert - IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2017 20:16:55 -0000

Hello everybody,

I’m the author of https://tools.ietf.org/html/draft-daveor-cgn-logging-01. Warren brought this thread to my attention so I would like to throw in a few thoughts for people to consider, if I may. I have attempted to address as many as possible of the points raised by others in the thread in one big response below.

Thanks for taking the time to read this and I look forward to any feedback you might have,
daveor


On the topic of “CGNAT is a bad idea”
——————————————————————————————

I am not too sure how much mileage there is getting caught up in this point. CGNAT is out there in the world, along with a suite of other large-scale address sharing technologies, and although the transition to IPv6 is ongoing, it is painfully slow and transitionary arrangements will be required for the foreseeable future. 

It would be, in my opinion, remiss of the criminal justice system not to consider this issue. The argument that the CGNAT problem will go away if we were all to just move to IPv6 doesn’t help solve the murder that happened today or catch the person distributing child pornography on the Internet. 

Can we regulate our way out of this problem?
——————————————————————————————

There are plenty of business reasons why an operator might choose to deploy CGNAT, maybe they don’t like the risk associated with changing to IPv6, maybe they’re waiting for someone else to move first, maybe they can’t afford to migrate infrastructure, maybe they just don’t want to. 

Considering regulation as a way to adjust economic incentives, there is indeed an opportunity to help to shift things along in one or more countries through regulation, but to what extent will this help with the global issue of crime attribution? It is clear that if the number of subscribers that can be simultaneously behind a CGNAT is limited, the deployment of IPv6 increases, and the IPv6 adoption in Belgium bears that out. 

However, the obvious question to ask is - are the Belgian authorities catching any more criminals now that they have such a high adoption rate of IPv6? Has the problem of crime attribution due to CGNAT gone away for them, or does it actually require global adoption of IPv6? I don’t have answers to these questions, but before leaping on a regulatory solution it would be very useful to know whether the regulatory solution achieves the desired effect. 

Let’s also not forget that CGNAT is not uncommon in areas outside telecoms, such as in an increasing number of IoT deployments.

Does migration to IPv6 actually solve the problem
——————————————————————————————

One possible solution frequently cited to the problem of CGNAT is migration to IPv6.However, does migration to IPv6 ACTUALLY solve the problem of crime attribution due to large-scale address sharing? 

Let’s also not forget that the problem is not limited to the set of technologies commonly referred to as CGNAT. Any large-scale IP address sharing technology will have a similar problem, including 4-to-6 technologies. Therefore, until there is total global adoption of IPv6, and in fact until IPv4 is no longer routable on the Internet, this problem is going to persist.

The evidence is very sparse and, again, I refer to the questions that I posed above about the effectiveness of regulation in the Belgian case towards achieving the actual goal, which (for the purposes of this discussion) is improved crime attribution, not migration to IPv6.

The reason I am making this point is to emphasise that the problem of crime attribution arising from large-scale address sharing is not going away in the medium term, perhaps even not in the long term.

Alternatives to source port logging for crime attribution
——————————————————————————————

There is already regulation in place requiring ISPs to be able to identify their subscribers, including the requirement to identify people behind a CGN (within the EU at least), which is the data retention directive. I know that the future of this directive is unsure right now but today, as we write this, the legislation of every country in the EU requires ISPs to keep this data. The problem is that law enforcement agencies do not have the required information to be able to ask the ISP for the subscriber identity - because source ports are required and not logged anywhere. 

So the question becomes how to address this information gap. One possibility is that ISPs must record all destination IP addresses for all TCP connections, and I think you also refer to this possibility. This solution has, in my opinion, two major challenges - firstly that the storage requirements (and therefore the cost) for ISPs is very substantial indeed and secondly there are significant privacy implications arising from the storage of such a volume of data on (predominantly) innocent people. Some of the references provided by Mohamed Boucadair touch on these points, and they are also addressed in my draft.

The alternative, that I propose in the Internet Draft, is that if there is a shift to routine logging of source port alongside IP address, this will achieve the same goal but with significantly less privacy implications and with significantly less impact on operator (meaning that, in my opinion at least, operators should favour this approach).

Support for logging source port
——————————————————————————————

This is something that I study in the Internet Draft. The majority of server software examined support logging of source port in some way, but in some cases it involves enabling a distressingly high level of logging verbosity, and this is a scenario where I refer to source port logging as “Possible” but not “Feasible”. About 70% of server software that I examined supported logging of source port in a way that could be considered “Feasible”. Only one had logging of source port enabled as a default.

The contribution of my Internet Draft
——————————————————————————————

The key RFC upon which my Internet Draft builds is RFC6302, which contains the recommendation that servers log source port. My document attempts to contribute to the discussion by considering (a) why, despite recommendations of RFC6302, source port logging is not routine and (b) to identify possible solutions and workarounds for some of these objections.

The role of the IETF in this
——————————————————————————————

Right from the front page of the IETF website: "The mission of the IETF is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet.”

Large scale address sharing technologies present a challenge to the management of the Internet so that seems to fit right within the remit of the IETF to me. Correct me if I’m wrong...

Other things I have been doing
——————————————————————————————

Finally, and for your information, I thought you might be interested to know what else I have been doing to try to move this conversation forward.

You might be aware that of the OWASP (https://www.owasp.org/) who produce amongst many other fine documents, secure coding guidelines. One of the aspects of their guidance is logging and they have a list of fields that should be logged…and source port isn’t on it. I have been trying to reach out to people in OWASP to have the conversation about including source port in the list of fields to be logged in their guidance. So far I have received no response but I will keep trying. 




> On 26 Oct 2017, at 16:00, Warren Kumari <warren@kumari.net> wrote:
> 
> On Thu, Oct 19, 2017 at 5:23 AM,  <mohamed.boucadair@orange.com> wrote:
>> Hi Mikael, Tore, all,
>> 
>> You may want read: https://tools.ietf.org/html/draft-daveor-cgn-logging-00 which relies on the Europol threat assessment report (https://www.europol.europa.eu/sites/default/files/documents/europol_iocta_web_2016.pdf)
>> 
> 
> I'm somewhat hijacking an old thread, but it would be great if we
> could get some more review of draft-daveor-cgn-logging -- I know Dave
> would really appreciate comments / review.
> 
> W
> 
> 
>> As far as the IETF is concerned, I do believe that we have done our part of the job:
>> 
>>   1.   Identify logging as an issue in address sharing: RFC 6269
>> 
>>   2.   Require address sharing to enable a logging function: RFC 6269
>>        and RFC 6888
>> 
>>   3.   Identify a minimal set of information to be logged: RFC 6269,
>>        RFC 6888, and RFC 6908
>> 
>>   4.   Identify and discuss trade-offs of solutions to achieve logging:
>>        RFC 6269, RFC 6908
>> 
>>   5.   Specify means to optimize logging (port range allocation,
>>        deterministic NAT): draft-ietf-softwire-stateless-
>>        4v6-motivation, RFC 7596, RFC 7597, RFC 7599, RFC 7753, and
>>        RFC7422
>> 
>>   6.   Recommend servers to log source port: RFC 6302
>> 
>>   7.   An initial survey of servers supporting source port logging: RFC
>>        7768
>> 
>>   8.   Retrieve NAT session loggings: draft-ietf-behave-syslog-nat-
>>        logging, draft-ietf-behave-ipfix-nat-logging
>> 
>>   9.   Enable address sharing logging function by means of NETCONF:
>>        draft-ietf-opsawg-nat-yang
>> 
>>   10.  CPU and memory issues: RFC 6908
>> 
>> Cheers,
>> Med
>> 
>>> -----Message d'origine-----
>>> De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Mikael
>>> Abrahamsson
>>> Envoyé : jeudi 19 octobre 2017 09:03
>>> À : Tore Anderson
>>> Cc : v6ops@ietf.org
>>> Objet : Re: [v6ops] Google Alert - IPv6
>>> 
>>> On Thu, 19 Oct 2017, Tore Anderson wrote:
>>> 
>>>> * Mikael Abrahamsson <swmike@swm.pp.se>
>>>> 
>>>>> If they do have a port, then LEA can have a single subscriber.
>>>> 
>>>> Reading the original article (linked below) I am left with the feeling
>>>> that the problem is that they generally *don't* know the source port,
>>>> and therefore end up, quote, «[unable] to identify internet subscribers
>>>> on the basis of an IP address».
>>>> 
>>>> https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-
>>> address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-
>>> increase-accountability-online
>>>> 
>>>> The article proceeds to define «CGN» as «technologies which allow
>>>> sharing of IPv4 addresses with multiple internet users». In that
>>>> context, MAP, even though it is not technically CGNAT, is just as
>>>> problematic (to answer Rajiv).
>>>> 
>>>> C'est la vie! If Europol don't like IP address sharing, I think the
>>>> only thing they actually could do about it would be to put pressure on
>>>> regulators and/or lawmakers to accelerate IPv6 adoption. I understand
>>>> that's what already happened in Belgium with impressive results.
>>> 
>>> So I have no idea what's really going on here, but I can imagine someone
>>> doing CGN and just NATing people left and right, and not logging anything.
>>> Then it's near impossible to find who did what.
>>> 
>>> At least when I looked into this issue, the message I got back was that
>>> narrowing down the user list to a few tens of subscribers was still vastly
>>> better than no information at all. Of course LEAs don't like it, but it's
>>> a lot better than nothing.
>>> 
>>> Also, services who are typically involved in being targeted for crimes
>>> should start logging the source port of whoever is talking to them. This
>>> option is available in most web servers and has been for a considerable
>>> amount of time.
>>> 
>>> Mandating IPv6 is a hard sell. Mandating ISPs to log what subscriber
>>> accounts was behind an IPv4 address at a given point in time including
>>> port used by what account, that's less far fetched.
>>> 
>>> --
>>> Mikael Abrahamsson    email: swmike@swm.pp.se
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf
> 
> 
> 
> --===============7090974386904564375==--
> 
> --===============4172498714441195205==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Description: Digest Footer
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email