Re: [v6ops] Google Alert - IPv6

<mohamed.boucadair@orange.com> Thu, 19 October 2017 09:23 UTC

From: mohamed.boucadair@orange.com
To: Mikael Abrahamsson <swmike@swm.pp.se>, Tore Anderson <tore@fud.no>
CC: "v6ops@ietf.org" <v6ops@ietf.org>
Date: Thu, 19 Oct 2017 09:23:25 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/m8_NuxINgArufdOuf4yMGpfx3BM>
Subject: Re: [v6ops] Google Alert - IPv6

Hi Mikael, Tore, all,

You may want to read: https://tools.ietf.org/html/draft-daveor-cgn-logging-00 which relies on the Europol threat assessment report (https://www.europol.europa.eu/sites/default/files/documents/europol_iocta_web_2016.pdf)

As far as the IETF is concerned, I do believe that we have done our part of the job: 

   1.   Identify logging as an issue in address sharing: RFC 6269

   2.   Require address sharing to enable a logging function: RFC 6269
        and RFC 6888

   3.   Identify a minimal set of information to be logged: RFC 6269,
        RFC 6888, and RFC 6908

   4.   Identify and discuss trade-offs of solutions to achieve logging:
        RFC 6269, RFC 6908

   5.   Specify means to optimize logging (port range allocation,
        deterministic NAT): draft-ietf-softwire-stateless-4v6-motivation,
        RFC 7596, RFC 7597, RFC 7599, RFC 7753, and RFC 7422

   6.   Recommend servers to log source port: RFC 6302

   7.   An initial survey of servers supporting source port logging: RFC
        7768

   8.   Retrieve NAT session loggings:
        draft-ietf-behave-syslog-nat-logging,
        draft-ietf-behave-ipfix-nat-logging

   9.   Enable address sharing logging function by means of NETCONF:
        draft-ietf-opsawg-nat-yang

   10.  CPU and memory issues: RFC 6908

Cheers,
Med

> -----Original Message-----
> From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Mikael Abrahamsson
> Sent: Thursday, 19 October 2017 09:03
> To: Tore Anderson
> Cc: v6ops@ietf.org
> Subject: Re: [v6ops] Google Alert - IPv6
> 
> On Thu, 19 Oct 2017, Tore Anderson wrote:
> 
> > * Mikael Abrahamsson <swmike@swm.pp.se>
> >
> >> If they do have a port, then LEA can have a single subscriber.
> >
> > Reading the original article (linked below) I am left with the feeling
> > that the problem is that they generally *don't* know the source port,
> > and therefore end up, quote, «[unable] to identify internet subscribers
> > on the basis of an IP address».
> >
> > https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online
> >
> > The article proceeds to define «CGN» as «technologies which allow
> > sharing of IPv4 addresses with multiple internet users». In that
> > context, MAP, even though it is not technically CGNAT, is just as
> > problematic (to answer Rajiv).
> >
> > C'est la vie! If Europol don't like IP address sharing, I think the
> > only thing they actually could do about it would be to put pressure on
> > regulators and/or lawmakers to accelerate IPv6 adoption. I understand
> > that's what already happened in Belgium with impressive results.
> 
> So I have no idea what's really going on here, but I can imagine someone
> doing CGN and just NATing people left and right, and not logging anything.
> Then it's near impossible to find who did what.
> 
> At least when I looked into this issue, the message I got back was that
> narrowing down the user list to a few tens of subscribers was still vastly
> better than no information at all. Of course LEAs don't like it, but it's
> a lot better than nothing.
> 
> Also, services who are typically involved in being targeted for crimes
> should start logging the source port of whoever is talking to them. This
> option is available in most web servers and has been for a considerable
> amount of time.
> 
> Mandating IPv6 is a hard sell. Mandating ISPs to log what subscriber
> account was behind an IPv4 address at a given point in time including
> port used by what account, that's less far-fetched.
> 
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se
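
The thread's point about server-side source port logging (RFC 6302) combined with the operator's address-sharing log can be seen in a small correlation routine. This is an added example, not part of the original messages; the record layout, subscriber names and the 192.0.2.1 address are constructed for illustration and do not reflect any real CGN log format.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

class PortBlock(NamedTuple):
    """One port-block allocation record from an address-sharing device (constructed layout)."""
    subscriber: str
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime

def ts(s: str) -> datetime:
    """Parse a UTC timestamp such as 2017-10-19T09:15:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample log: one shared public address, port block 1024-2047 is
# handed to a different subscriber at 10:00.
CGN_LOG = [
    PortBlock("sub-A", "192.0.2.1", 1024, 2047, ts("2017-10-19T08:00:00Z"), ts("2017-10-19T10:00:00Z")),
    PortBlock("sub-B", "192.0.2.1", 2048, 3071, ts("2017-10-19T08:00:00Z"), ts("2017-10-19T12:00:00Z")),
    PortBlock("sub-C", "192.0.2.1", 3072, 4095, ts("2017-10-19T08:00:00Z"), ts("2017-10-19T12:00:00Z")),
    PortBlock("sub-D", "192.0.2.1", 1024, 2047, ts("2017-10-19T10:00:00Z"), ts("2017-10-19T12:00:00Z")),
]

def candidates(public_ip: str, when: datetime,
               src_port: Optional[int] = None, skew_s: int = 0) -> list:
    """Subscribers who could be behind public_ip at `when`.

    src_port is the source port the server logged, or None if it logged only
    the address. skew_s widens each allocation window by that many seconds to
    allow for clock drift between the server and the operator.
    """
    skew = timedelta(seconds=skew_s)
    hits = set()
    for b in CGN_LOG:
        if b.public_ip != public_ip:
            continue
        if not (b.start - skew <= when < b.end + skew):
            continue
        if src_port is not None and not (b.port_lo <= src_port <= b.port_hi):
            continue
        hits.add(b.subscriber)
    return sorted(hits)

if __name__ == "__main__":
    t = ts("2017-10-19T09:15:00Z")
    print("address only:", candidates("192.0.2.1", t))
    print("address + port:", candidates("192.0.2.1", t, 2500))
```

A lookup near the 10:00 reallocation with a non-zero `skew_s` returns both the old and the new holder of the block, which is why accurate timestamps matter as much as the port itself.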