IETF Logo Mail Archive

Re: [v6ops] Google Alert - IPv6

<mohamed.boucadair@orange.com> Fri, 27 October 2017 06:43 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0362139B9F for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 23:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hdcsazRnle-c for <v6ops@ietfa.amsl.com>; Thu, 26 Oct 2017 23:43:20 -0700 (PDT)
Received: from orange.com (mta239.mail.business.static.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE6E13B126 for <v6ops@ietf.org>; Thu, 26 Oct 2017 23:43:19 -0700 (PDT)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar23.francetelecom.fr (ESMTP service) with ESMTP id 8E7F416059D; Fri, 27 Oct 2017 08:43:18 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.41]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 70C45C005C; Fri, 27 Oct 2017 08:43:18 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM31.corporate.adroot.infra.ftgroup ([fe80::2cc9:4bac:7b7d:229d%19]) with mapi id 14.03.0361.001; Fri, 27 Oct 2017 08:43:18 +0200
From: mohamed.boucadair@orange.com
To: Ole Troan <otroan@employees.org>, Dave O'Reilly <rfc@daveor.com>
CC: "v6ops@ietf.org" <v6ops@ietf.org>, Tore Anderson <tore@fud.no>
Thread-Topic: [v6ops] Google Alert - IPv6
Thread-Index: AQHTTmtMwql/Mql1i0ebPys+zPL336L2b/YAgAATq4CAALtjcA==
Date: Fri, 27 Oct 2017 06:43:17 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300A05F0FC@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <f403045ef57ac52962055bd88b84@google.com> <20395E98-DA55-447F-BEFE-CB581A88BB78@gmail.com> <alpine.DEB.2.20.1710190655260.31961@uplift.swm.pp.se> <20171019083506.6627a166@echo.ms.redpill-linpro.com> <alpine.DEB.2.20.1710190856530.31961@uplift.swm.pp.se> <787AE7BB302AE849A7480A190F8B93300A056EB5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CAHw9_iLWAMexrfXwsdB8duGa5ueJMofqVRqNck6DeOzA=KChqA@mail.gmail.com> <C4E37677-A2FB-49F8-B362-C29B28DFD570@daveor.com> <CE4906A4-E0CC-4C3F-A1F8-D2B5BED294D7@employees.org>
In-Reply-To: <CE4906A4-E0CC-4C3F-A1F8-D2B5BED294D7@employees.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.2]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vsVebjJCAybzvUfE7nf32hIRBL8>
Subject: Re: [v6ops] Google Alert - IPv6
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 06:43:23 -0000

Hi Ole, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Ole Troan
> Envoyé : jeudi 26 octobre 2017 23:26
> À : Dave O'Reilly
> Cc : v6ops@ietf.org; Tore Anderson
> Objet : Re: [v6ops] Google Alert - IPv6
> 
> Dave,
> 
> Thanks for an eloquently written draft!
> 
> Just a few things that occurred to me while reading through.
> 
> Two minor comments.
> 
> 1) You might want to reference the other IPv4 sharing mechanisms too
> (RFC7598, 7599 etc). Although they don't require logging by the IPv4
> sharing operator

[Med] A logging/binding is needed to be done by the v4 sharing operator even for A+P. Perhaps you meant the logging is not required at the BR for MAP/E-T. 

, they have the same issue with source port + timestamp
> required.
> 
> 2) I'd suggest you drop mentioned of suspects and criminal activity in
> general. Also it reads in places like it is written with too much of a
> particular jurisdiction in mind.
> 
> Major comment:
> 3) The document talks about identifying an individual, and in places a
> subscriber endpoint. What it does identify, is the _originating network_.
> What you get is the public interface address of the customer CPE. Which
> looks like a network from the inside.
> Make it very clear that this does not identify individual hosts. And it
> might be worth noting that traffic my enter the originating network from
> outside. E.g. through VPNs, TOR exits, shared WIFI and whatnot.
> 
> Best regards,
> Ole
> 
> 
> 
> 
> > On 26 Oct 2017, at 13:15, Dave O'Reilly <rfc@daveor.com> wrote:
> >
> > Hello everybody,
> >
> > I’m the author of https://tools.ietf.org/html/draft-daveor-cgn-logging-
> 01. Warren brought this thread to my attention so I would like to throw in
> a few thoughts for people to consider, if I may. I have attempted to
> address as many as possible of the points raised by others in the thread
> in one big response below.
> >
> > Thanks for taking the time to read this and I look forward to any
> feedback you might have,
> > daveor
> >
> >
> > On the topic of “CGNAT is a bad idea”
> > ——————————————————————————————
> >
> > I am not too sure how much mileage there is getting caught up in this
> point. CGNAT is out there in the world, along with a suite of other large-
> scale address sharing technologies, and although the transition to IPv6 is
> ongoing, it is painfully slow and transitionary arrangements will be
> required for the foreseeable future.
> >
> > It would be, in my opinion, remiss of the criminal justice system not to
> consider this issue. The argument that the CGNAT problem will go away if
> we were all to just move to IPv6 doesn’t help solve the murder that
> happened today or catch the person distributing child pornography on the
> Internet.
> >
> > Can we regulate our way out of this problem?
> > ——————————————————————————————
> >
> > There are plenty of business reasons why an operator might choose to
> deploy CGNAT, maybe they don’t like the risk associated with changing to
> IPv6, maybe they’re waiting for someone else to move first, maybe they
> can’t afford to migrate infrastructure, maybe they just don’t want to.
> >
> > Considering regulation as a way to adjust economic incentives, there is
> indeed an opportunity to help to shift things along in one or more
> countries through regulation, but to what extent will this help with the
> global issue of crime attribution? It is clear that if the number of
> subscribers that can be simultaneously behind a CGNAT is limited, the
> deployment of IPv6 increases, and the IPv6 adoption in Belgium bears that
> out.
> >
> > However, the obvious question to ask is - are the Belgian authorities
> catching any more criminals now that they have such a high adoption rate
> of IPv6? Has the problem of crime attribution due to CGNAT gone away for
> them, or does it actually require global adoption of IPv6? I don’t have
> answers to these questions, but before leaping on a regulatory solution it
> would be very useful to know whether the regulatory solution achieves the
> desired effect.
> >
> > Let’s also not forget that CGNAT is not uncommon in areas outside
> telecoms, such as in an increasing number of IoT deployments.
> >
> > Does migration to IPv6 actually solve the problem
> > ——————————————————————————————
> >
> > One possible solution frequently cited to the problem of CGNAT is
> migration to IPv6.However, does migration to IPv6 ACTUALLY solve the
> problem of crime attribution due to large-scale address sharing?
> >
> > Let’s also not forget that the problem is not limited to the set of
> technologies commonly referred to as CGNAT. Any large-scale IP address
> sharing technology will have a similar problem, including 4-to-6
> technologies. Therefore, until there is total global adoption of IPv6, and
> in fact until IPv4 is no longer routable on the Internet, this problem is
> going to persist.
> >
> > The evidence is very sparse and, again, I refer to the questions that I
> posed above about the effectiveness of regulation in the Belgian case
> towards achieving the actual goal, which (for the purposes of this
> discussion) is improved crime attribution, not migration to IPv6.
> >
> > The reason I am making this point is to emphasise that the problem of
> crime attribution arising from large-scale address sharing is not going
> away in the medium term, perhaps even not in the long term.
> >
> > Alternatives to source port logging for crime attribution
> > ——————————————————————————————
> >
> > There is already regulation in place requiring ISPs to be able to
> identify their subscribers, including the requirement to identify people
> behind a CGN (within the EU at least), which is the data retention
> directive. I know that the future of this directive is unsure right now
> but today, as we write this, the legislation of every country in the EU
> requires ISPs to keep this data. The problem is that law enforcement
> agencies do not have the required information to be able to ask the ISP
> for the subscriber identity - because source ports are required and not
> logged anywhere.
> >
> > So the question becomes how to address this information gap. One
> possibility is that ISPs must record all destination IP addresses for all
> TCP connections, and I think you also refer to this possibility. This
> solution has, in my opinion, two major challenges - firstly that the
> storage requirements (and therefore the cost) for ISPs is very substantial
> indeed and secondly there are significant privacy implications arising
> from the storage of such a volume of data on (predominantly) innocent
> people. Some of the references provided by Mohamed Boucadair touch on
> these points, and they are also addressed in my draft.
> >
> > The alternative, that I propose in the Internet Draft, is that if there
> is a shift to routine logging of source port alongside IP address, this
> will achieve the same goal but with significantly less privacy
> implications and with significantly less impact on operator (meaning that,
> in my opinion at least, operators should favour this approach).
> >
> > Support for logging source port
> > ——————————————————————————————
> >
> > This is something that I study in the Internet Draft. The majority of
> server software examined support logging of source port in some way, but
> in some cases it involves enabling a distressingly high level of logging
> verbosity, and this is a scenario where I refer to source port logging as
> “Possible” but not “Feasible”. About 70% of server software that I
> examined supported logging of source port in a way that could be
> considered “Feasible”. Only one had logging of source port enabled as a
> default.
> >
> > The contribution of my Internet Draft
> > ——————————————————————————————
> >
> > The key RFC upon which my Internet Draft builds is RFC6302, which
> contains the recommendation that servers log source port. My document
> attempts to contribute to the discussion by considering (a) why, despite
> recommendations of RFC6302, source port logging is not routine and (b) to
> identify possible solutions and workarounds for some of these objections.
> >
> > The role of the IETF in this
> > ——————————————————————————————
> >
> > Right from the front page of the IETF website: "The mission of the IETF
> is to make the Internet work better by producing high quality, relevant
> technical documents that influence the way people design, use, and manage
> the Internet.”
> >
> > Large scale address sharing technologies present a challenge to the
> management of the Internet so that seems to fit right within the remit of
> the IETF to me. Correct me if I’m wrong...
> >
> > Other things I have been doing
> > ——————————————————————————————
> >
> > Finally, and for your information, I thought you might be interested to
> know what else I have been doing to try to move this conversation forward.
> >
> > You might be aware that of the OWASP (https://www.owasp.org/) who
> produce amongst many other fine documents, secure coding guidelines. One
> of the aspects of their guidance is logging and they have a list of fields
> that should be logged…and source port isn’t on it. I have been trying to
> reach out to people in OWASP to have the conversation about including
> source port in the list of fields to be logged in their guidance. So far I
> have received no response but I will keep trying.
> >
> >
> >
> >
> >> On 26 Oct 2017, at 16:00, Warren Kumari <warren@kumari.net> wrote:
> >>
> >> On Thu, Oct 19, 2017 at 5:23 AM,  <mohamed.boucadair@orange.com> wrote:
> >>> Hi Mikael, Tore, all,
> >>>
> >>> You may want read: https://tools.ietf.org/html/draft-daveor-cgn-
> logging-00 which relies on the Europol threat assessment report
> (https://www.europol.europa.eu/sites/default/files/documents/europol_iocta
> _web_2016.pdf)
> >>>
> >>
> >> I'm somewhat hijacking an old thread, but it would be great if we
> >> could get some more review of draft-daveor-cgn-logging -- I know Dave
> >> would really appreciate comments / review.
> >>
> >> W
> >>
> >>
> >>> As far as the IETF is concerned, I do believe that we have done our
> part of the job:
> >>>
> >>>  1.   Identify logging as an issue in address sharing: RFC 6269
> >>>
> >>>  2.   Require address sharing to enable a logging function: RFC 6269
> >>>       and RFC 6888
> >>>
> >>>  3.   Identify a minimal set of information to be logged: RFC 6269,
> >>>       RFC 6888, and RFC 6908
> >>>
> >>>  4.   Identify and discuss trade-offs of solutions to achieve logging:
> >>>       RFC 6269, RFC 6908
> >>>
> >>>  5.   Specify means to optimize logging (port range allocation,
> >>>       deterministic NAT): draft-ietf-softwire-stateless-
> >>>       4v6-motivation, RFC 7596, RFC 7597, RFC 7599, RFC 7753, and
> >>>       RFC7422
> >>>
> >>>  6.   Recommend servers to log source port: RFC 6302
> >>>
> >>>  7.   An initial survey of servers supporting source port logging: RFC
> >>>       7768
> >>>
> >>>  8.   Retrieve NAT session loggings: draft-ietf-behave-syslog-nat-
> >>>       logging, draft-ietf-behave-ipfix-nat-logging
> >>>
> >>>  9.   Enable address sharing logging function by means of NETCONF:
> >>>       draft-ietf-opsawg-nat-yang
> >>>
> >>>  10.  CPU and memory issues: RFC 6908
> >>>
> >>> Cheers,
> >>> Med
> >>>
> >>>> -----Message d'origine-----
> >>>> De : v6ops [mailto:v6ops-bounces@ietf.org] De la part de Mikael
> >>>> Abrahamsson
> >>>> Envoyé : jeudi 19 octobre 2017 09:03
> >>>> À : Tore Anderson
> >>>> Cc : v6ops@ietf.org
> >>>> Objet : Re: [v6ops] Google Alert - IPv6
> >>>>
> >>>> On Thu, 19 Oct 2017, Tore Anderson wrote:
> >>>>
> >>>>> * Mikael Abrahamsson <swmike@swm.pp.se>
> >>>>>
> >>>>>> If they do have a port, then LEA can have a single subscriber.
> >>>>>
> >>>>> Reading the original article (linked below) I am left with the
> feeling
> >>>>> that the problem is that they generally *don't* know the source
> port,
> >>>>> and therefore end up, quote, «[unable] to identify internet
> subscribers
> >>>>> on the basis of an IP address».
> >>>>>
> >>>>> https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-
> >>>> address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-
> cgn-to-
> >>>> increase-accountability-online
> >>>>>
> >>>>> The article proceeds to define «CGN» as «technologies which allow
> >>>>> sharing of IPv4 addresses with multiple internet users». In that
> >>>>> context, MAP, even though it is not technically CGNAT, is just as
> >>>>> problematic (to answer Rajiv).
> >>>>>
> >>>>> C'est la vie! If Europol don't like IP address sharing, I think the
> >>>>> only thing they actually could do about it would be to put pressure
> on
> >>>>> regulators and/or lawmakers to accelerate IPv6 adoption. I
> understand
> >>>>> that's what already happened in Belgium with impressive results.
> >>>>
> >>>> So I have no idea what's really going on here, but I can imagine
> someone
> >>>> doing CGN and just NATing people left and right, and not logging
> anything.
> >>>> Then it's near impossible to find who did what.
> >>>>
> >>>> At least when I looked into this issue, the message I got back was
> that
> >>>> narrowing down the user list to a few tens of subscribers was still
> vastly
> >>>> better than no information at all. Of course LEAs don't like it, but
> it's
> >>>> a lot better than nothing.
> >>>>
> >>>> Also, services who are typically involved in being targeted for
> crimes
> >>>> should start logging the source port of whoever is talking to them.
> This
> >>>> option is available in most web servers and has been for a
> considerable
> >>>> amount of time.
> >>>>
> >>>> Mandating IPv6 is a hard sell. Mandating ISPs to log what subscriber
> >>>> accounts was behind an IPv4 address at a given point in time
> including
> >>>> port used by what account, that's less far fetched.
> >>>>
> >>>> --
> >>>> Mikael Abrahamsson    email: swmike@swm.pp.se
> >>> _______________________________________________
> >>> v6ops mailing list
> >>> v6ops@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/v6ops
> >>
> >>
> >>
> >> --
> >> I don't think the execution is relevant when it was obviously a bad
> >> idea in the first place.
> >> This is like putting rabid weasels in your pants, and later expressing
> >> regret at having chosen those particular rabid weasels and that pair
> >> of pants.
> >>  ---maf
> >>
> >>
> >>
> >> --===============7090974386904564375==--
> >>
> >> --===============4172498714441195205==
> >> Content-Type: text/plain; charset="us-ascii"
> >> MIME-Version: 1.0
> >> Content-Transfer-Encoding: 7bit
> >> Content-Description: Digest Footer
> >>
> >> _______________________________________________
> >> v6ops mailing list
> >> v6ops@ietf.org
> >> https://www.ietf.org/mailman/listinfo/v6ops
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email