Re: [v6ops] Google Alert - IPv6
<mohamed.boucadair@orange.com> Fri, 27 October 2017 06:43 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0362139B9F for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 23:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hdcsazRnle-c for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 23:43:20 -0700 (PDT)
Received: from orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE6E13B126 for <v6ops@ietf.org>; Thu, 26 Oct 2017 23:43:19 -0700 (PDT)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 8E7F416059D; Fri, 27 Oct 2017 08:43:18 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.41]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 70C45C005C; Fri, 27 Oct 2017 08:43:18 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM31.corporate.adroot.infra.ftgroup ([fe80::2cc9:4bac:7b7d:229d%19]) with mapi id 14.03.0361.001; Fri, 27 Oct 2017 08:43:18 +0200
From: mohamed.boucadair@orange.com
To: Ole Troan <otroan@employees.org>, Dave O'Reilly <rfc@daveor.com>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, Tore Anderson <tore@fud.no>
Thread-Topic: [v6ops] Google Alert - IPv6
Thread-Index: AQHTTmtMwql/Mql1i0ebPys+zPL336L2b/YAgAATq4CAALtjcA==
Date: Fri, 27 Oct 2017 06:43:17 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300A05F0FC@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <f403045ef57ac52962055bd88b84@google.com> <20395E98-DA55-447F-BEFE-CB581A88BB78@gmail.com> <alpine.DEB.2.20.1710190655260.31961@uplift.swm.pp.se> <20171019083506.6627a166@echo.ms.redpill-linpro.com> <alpine.DEB.2.20.1710190856530.31961@uplift.swm.pp.se> <787AE7BB302AE849A7480A190F8B93300A056EB5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHw9_iLWAMexrfXwsdB8duGa5ueJMofqVRqNck6DeOzA=KChqA@mail.gmail.com> <C4E37677-A2FB-49F8-B362-C29B28DFD570@daveor.com> <CE4906A4-E0CC-4C3F-A1F8-D2B5BED294D7@employees.org>
In-Reply-To: <CE4906A4-E0CC-4C3F-A1F8-D2B5BED294D7@employees.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.2]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vsVebjJCAybzvUfE7nf32hIRBL8>
Subject: Re: [v6ops] Google Alert - IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 06:43:23 -0000
Hi Ole, Please see inline. Cheers, Med > -----Message d'origine----- > De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Ole Troan > Envoyé : jeudi 26 octobre 2017 23:26 > À : Dave O'Reilly > Cc : v6ops@ietf.org; Tore Anderson > Objet : Re: [v6ops] Google Alert - IPv6 > > Dave, > > Thanks for an eloquently written draft! > > Just a few things that occurred to me while reading through. > > Two minor comments. > > 1) You might want to reference the other IPv4 sharing mechanisms too > (RFC7598, 7599 etc). Although they don't require logging by the IPv4 > sharing operator [Med] A logging/binding is needed to be done by the v4 sharing operator even for A+P. Perhaps you meant the logging is not required at the BR for MAP/E-T. , they have the same issue with source port + timestamp > required. > > 2) I'd suggest you drop mentioned of suspects and criminal activity in > general. Also it reads in places like it is written with too much of a > particular jurisdiction in mind. > > Major comment: > 3) The document talks about identifying an individual, and in places a > subscriber endpoint. What it does identify, is the _originating network_. > What you get is the public interface address of the customer CPE. Which > looks like a network from the inside. > Make it very clear that this does not identify individual hosts. And it > might be worth noting that traffic my enter the originating network from > outside. E.g. through VPNs, TOR exits, shared WIFI and whatnot. > > Best regards, > Ole > > > > > > On 26 Oct 2017, at 13:15, Dave O'Reilly <rfc@daveor.com> wrote: > > > > Hello everybody, > > > > I’m the author of https://tools.ietf.org/html/draft-daveor-cgn-logging- > 01. Warren brought this thread to my attention so I would like to throw in > a few thoughts for people to consider, if I may. I have attempted to > address as many as possible of the points raised by others in the thread > in one big response below. > > > > Thanks for taking the time to read this and I look forward to any > feedback you might have, > > daveor > > > > > > On the topic of “CGNAT is a bad idea” > > —————————————————————————————— > > > > I am not too sure how much mileage there is getting caught up in this > point. CGNAT is out there in the world, along with a suite of other large- > scale address sharing technologies, and although the transition to IPv6 is > ongoing, it is painfully slow and transitionary arrangements will be > required for the foreseeable future. > > > > It would be, in my opinion, remiss of the criminal justice system not to > consider this issue. The argument that the CGNAT problem will go away if > we were all to just move to IPv6 doesn’t help solve the murder that > happened today or catch the person distributing child pornography on the > Internet. > > > > Can we regulate our way out of this problem? > > —————————————————————————————— > > > > There are plenty of business reasons why an operator might choose to > deploy CGNAT, maybe they don’t like the risk associated with changing to > IPv6, maybe they’re waiting for someone else to move first, maybe they > can’t afford to migrate infrastructure, maybe they just don’t want to. > > > > Considering regulation as a way to adjust economic incentives, there is > indeed an opportunity to help to shift things along in one or more > countries through regulation, but to what extent will this help with the > global issue of crime attribution? It is clear that if the number of > subscribers that can be simultaneously behind a CGNAT is limited, the > deployment of IPv6 increases, and the IPv6 adoption in Belgium bears that > out. > > > > However, the obvious question to ask is - are the Belgian authorities > catching any more criminals now that they have such a high adoption rate > of IPv6? Has the problem of crime attribution due to CGNAT gone away for > them, or does it actually require global adoption of IPv6? I don’t have > answers to these questions, but before leaping on a regulatory solution it > would be very useful to know whether the regulatory solution achieves the > desired effect. > > > > Let’s also not forget that CGNAT is not uncommon in areas outside > telecoms, such as in an increasing number of IoT deployments. > > > > Does migration to IPv6 actually solve the problem > > —————————————————————————————— > > > > One possible solution frequently cited to the problem of CGNAT is > migration to IPv6.However, does migration to IPv6 ACTUALLY solve the > problem of crime attribution due to large-scale address sharing? > > > > Let’s also not forget that the problem is not limited to the set of > technologies commonly referred to as CGNAT. Any large-scale IP address > sharing technology will have a similar problem, including 4-to-6 > technologies. Therefore, until there is total global adoption of IPv6, and > in fact until IPv4 is no longer routable on the Internet, this problem is > going to persist. > > > > The evidence is very sparse and, again, I refer to the questions that I > posed above about the effectiveness of regulation in the Belgian case > towards achieving the actual goal, which (for the purposes of this > discussion) is improved crime attribution, not migration to IPv6. > > > > The reason I am making this point is to emphasise that the problem of > crime attribution arising from large-scale address sharing is not going > away in the medium term, perhaps even not in the long term. > > > > Alternatives to source port logging for crime attribution > > —————————————————————————————— > > > > There is already regulation in place requiring ISPs to be able to > identify their subscribers, including the requirement to identify people > behind a CGN (within the EU at least), which is the data retention > directive. I know that the future of this directive is unsure right now > but today, as we write this, the legislation of every country in the EU > requires ISPs to keep this data. The problem is that law enforcement > agencies do not have the required information to be able to ask the ISP > for the subscriber identity - because source ports are required and not > logged anywhere. > > > > So the question becomes how to address this information gap. One > possibility is that ISPs must record all destination IP addresses for all > TCP connections, and I think you also refer to this possibility. This > solution has, in my opinion, two major challenges - firstly that the > storage requirements (and therefore the cost) for ISPs is very substantial > indeed and secondly there are significant privacy implications arising > from the storage of such a volume of data on (predominantly) innocent > people. Some of the references provided by Mohamed Boucadair touch on > these points, and they are also addressed in my draft. > > > > The alternative, that I propose in the Internet Draft, is that if there > is a shift to routine logging of source port alongside IP address, this > will achieve the same goal but with significantly less privacy > implications and with significantly less impact on operator (meaning that, > in my opinion at least, operators should favour this approach). > > > > Support for logging source port > > —————————————————————————————— > > > > This is something that I study in the Internet Draft. The majority of > server software examined support logging of source port in some way, but > in some cases it involves enabling a distressingly high level of logging > verbosity, and this is a scenario where I refer to source port logging as > “Possible” but not “Feasible”. About 70% of server software that I > examined supported logging of source port in a way that could be > considered “Feasible”. Only one had logging of source port enabled as a > default. > > > > The contribution of my Internet Draft > > —————————————————————————————— > > > > The key RFC upon which my Internet Draft builds is RFC6302, which > contains the recommendation that servers log source port. My document > attempts to contribute to the discussion by considering (a) why, despite > recommendations of RFC6302, source port logging is not routine and (b) to > identify possible solutions and workarounds for some of these objections. > > > > The role of the IETF in this > > —————————————————————————————— > > > > Right from the front page of the IETF website: "The mission of the IETF > is to make the Internet work better by producing high quality, relevant > technical documents that influence the way people design, use, and manage > the Internet.” > > > > Large scale address sharing technologies present a challenge to the > management of the Internet so that seems to fit right within the remit of > the IETF to me. Correct me if I’m wrong... > > > > Other things I have been doing > > —————————————————————————————— > > > > Finally, and for your information, I thought you might be interested to > know what else I have been doing to try to move this conversation forward. > > > > You might be aware that of the OWASP (https://www.owasp.org/) who > produce amongst many other fine documents, secure coding guidelines. One > of the aspects of their guidance is logging and they have a list of fields > that should be logged…and source port isn’t on it. I have been trying to > reach out to people in OWASP to have the conversation about including > source port in the list of fields to be logged in their guidance. So far I > have received no response but I will keep trying. > > > > > > > > > >> On 26 Oct 2017, at 16:00, Warren Kumari <warren@kumari.net> wrote: > >> > >> On Thu, Oct 19, 2017 at 5:23 AM, <mohamed.boucadair@orange.com> wrote: > >>> Hi Mikael, Tore, all, > >>> > >>> You may want read: https://tools.ietf.org/html/draft-daveor-cgn- > logging-00 which relies on the Europol threat assessment report > (https://www.europol.europa.eu/sites/default/files/documents/europol_iocta > _web_2016.pdf) > >>> > >> > >> I'm somewhat hijacking an old thread, but it would be great if we > >> could get some more review of draft-daveor-cgn-logging -- I know Dave > >> would really appreciate comments / review. > >> > >> W > >> > >> > >>> As far as the IETF is concerned, I do believe that we have done our > part of the job: > >>> > >>> 1. Identify logging as an issue in address sharing: RFC 6269 > >>> > >>> 2. Require address sharing to enable a logging function: RFC 6269 > >>> and RFC 6888 > >>> > >>> 3. Identify a minimal set of information to be logged: RFC 6269, > >>> RFC 6888, and RFC 6908 > >>> > >>> 4. Identify and discuss trade-offs of solutions to achieve logging: > >>> RFC 6269, RFC 6908 > >>> > >>> 5. Specify means to optimize logging (port range allocation, > >>> deterministic NAT): draft-ietf-softwire-stateless- > >>> 4v6-motivation, RFC 7596, RFC 7597, RFC 7599, RFC 7753, and > >>> RFC7422 > >>> > >>> 6. Recommend servers to log source port: RFC 6302 > >>> > >>> 7. An initial survey of servers supporting source port logging: RFC > >>> 7768 > >>> > >>> 8. Retrieve NAT session loggings: draft-ietf-behave-syslog-nat- > >>> logging, draft-ietf-behave-ipfix-nat-logging > >>> > >>> 9. Enable address sharing logging function by means of NETCONF: > >>> draft-ietf-opsawg-nat-yang > >>> > >>> 10. CPU and memory issues: RFC 6908 > >>> > >>> Cheers, > >>> Med > >>> > >>>> -----Message d'origine----- > >>>> De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Mikael > >>>> Abrahamsson > >>>> Envoyé : jeudi 19 octobre 2017 09:03 > >>>> À : Tore Anderson > >>>> Cc : v6ops@ietf.org > >>>> Objet : Re: [v6ops] Google Alert - IPv6 > >>>> > >>>> On Thu, 19 Oct 2017, Tore Anderson wrote: > >>>> > >>>>> * Mikael Abrahamsson <swmike@swm.pp.se> > >>>>> > >>>>>> If they do have a port, then LEA can have a single subscriber. > >>>>> > >>>>> Reading the original article (linked below) I am left with the > feeling > >>>>> that the problem is that they generally *don't* know the source > port, > >>>>> and therefore end up, quote, «[unable] to identify internet > subscribers > >>>>> on the basis of an IP address». > >>>>> > >>>>> https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip- > >>>> address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat- > cgn-to- > >>>> increase-accountability-online > >>>>> > >>>>> The article proceeds to define «CGN» as «technologies which allow > >>>>> sharing of IPv4 addresses with multiple internet users». In that > >>>>> context, MAP, even though it is not technically CGNAT, is just as > >>>>> problematic (to answer Rajiv). > >>>>> > >>>>> C'est la vie! If Europol don't like IP address sharing, I think the > >>>>> only thing they actually could do about it would be to put pressure > on > >>>>> regulators and/or lawmakers to accelerate IPv6 adoption. I > understand > >>>>> that's what already happened in Belgium with impressive results. > >>>> > >>>> So I have no idea what's really going on here, but I can imagine > someone > >>>> doing CGN and just NATing people left and right, and not logging > anything. > >>>> Then it's near impossible to find who did what. > >>>> > >>>> At least when I looked into this issue, the message I got back was > that > >>>> narrowing down the user list to a few tens of subscribers was still > vastly > >>>> better than no information at all. Of course LEAs don't like it, but > it's > >>>> a lot better than nothing. > >>>> > >>>> Also, services who are typically involved in being targeted for > crimes > >>>> should start logging the source port of whoever is talking to them. > This > >>>> option is available in most web servers and has been for a > considerable > >>>> amount of time. > >>>> > >>>> Mandating IPv6 is a hard sell. Mandating ISPs to log what subscriber > >>>> accounts was behind an IPv4 address at a given point in time > including > >>>> port used by what account, that's less far fetched. > >>>> > >>>> -- > >>>> Mikael Abrahamsson email: swmike@swm.pp.se > >>> _______________________________________________ > >>> v6ops mailing list > >>> v6ops@ietf.org > >>> https://www.ietf.org/mailman/listinfo/v6ops > >> > >> > >> > >> -- > >> I don't think the execution is relevant when it was obviously a bad > >> idea in the first place. > >> This is like putting rabid weasels in your pants, and later expressing > >> regret at having chosen those particular rabid weasels and that pair > >> of pants. > >> ---maf > >> > >> > >> > >> --===============7090974386904564375==-- > >> > >> --===============4172498714441195205== > >> Content-Type: text/plain; charset="us-ascii" > >> MIME-Version: 1.0 > >> Content-Transfer-Encoding: 7bit > >> Content-Description: Digest Footer > >> > >> _______________________________________________ > >> v6ops mailing list > >> v6ops@ietf.org > >> https://www.ietf.org/mailman/listinfo/v6ops > > > > _______________________________________________ > > v6ops mailing list > > v6ops@ietf.org > > https://www.ietf.org/mailman/listinfo/v6ops
- Re: [v6ops] Google Alert - IPv6 Paul Marks
- Re: [v6ops] Google Alert - IPv6 Fred Baker
- Re: [v6ops] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Brian E Carpenter
- Re: [v6ops] Google Alert - IPv6 Rajiv Asati (rajiva)
- Re: [v6ops] Google Alert - IPv6 Ca By
- Re: [v6ops] Google Alert - IPv6 Erik Kline
- Re: [v6ops] Google Alert - IPv6 Mikael Abrahamsson
- Re: [v6ops] Google Alert - IPv6 Tore Anderson
- Re: [v6ops] Google Alert - IPv6 Mikael Abrahamsson
- Re: [v6ops] Google Alert - IPv6 mohamed.boucadair
- Re: [v6ops] Google Alert - IPv6 Ca By
- Re: [v6ops] Google Alert - IPv6 Lorenzo Colitti
- Re: [v6ops] Google Alert - IPv6 Alexandre Petrescu
- Re: [v6ops] Google Alert - IPv6 Warren Kumari
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 Ca By
- Re: [v6ops] Google Alert - IPv6 Ole Troan
- Re: [v6ops] Google Alert - IPv6 mohamed.boucadair
- Re: [v6ops] [SUSPECTED SPAM] RE: Google Alert - I… Ole Troan
- Re: [v6ops] [SUSPECTED SPAM] RE: Google Alert - I… mohamed.boucadair
- Re: [v6ops] Google Alert - IPv6 Lee Howard
- Re: [v6ops] Google Alert - IPv6 Erik Nygren
- Re: [v6ops] Google Alert - IPv6 Lee Howard
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Ole Troan
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Fred Baker
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Ole Troan
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Fred Baker
- Re: [v6ops] Google Alert - IPv6 Fernando Gont
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Gert Doering
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Mark Smith
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Fred Baker
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Ole Troan
- Re: [v6ops] Google Alert - IPv6 Fred Baker
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 Ole Troan
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 Ole Troan
- Re: [v6ops] Google Alert - IPv6 Mark Smith
- Re: [v6ops] Google Alert - IPv6 DY Kim
- Re: [v6ops] Google Alert - IPv6 Fred Baker
- Re: [v6ops] Google Alert - IPv6 DY Kim
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Mark Andrews
- Re: [v6ops] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Lee Howard
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 JORDI PALET MARTINEZ
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 t.petch
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Dave O'Reilly
- Re: [v6ops] Google Alert - IPv6 Tom Herbert
- Re: [v6ops] Google Alert - IPv6 Ole Troan
- Re: [v6ops] [SUSPECTED SPAM] Google Alert - IPv6 Mark Smith