This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/cooperation-wg@ripe.net/
[cooperation-wg] Europol Communication on Carrier-Grade NAT
Eliot Lear
lear at cisco.com
Thu Feb 23 09:17:23 CET 2017
Hi,

On 2/23/17 12:11 AM, Shane Kerr wrote:
> Roland,
>
> At 2017-02-22 20:57:34 +0000
> Roland Perry <roland at internetpolicyagency.com> wrote:
>
>> In message <4C47D72B-8A25-4CFE-AF61-B7347F726579 at ripe.net>, at 12:32:33
>> on Thu, 16 Feb 2017, Chris Buckridge <chrisb at ripe.net> writes
>>
>>> LEA interest in reducing the use of CGN also came up for discussion at
>>> the recent RIPE NCC Roundtable Meeting for Governments and Regulators
>>> (held in Brussels on 24 January)
>> The UK's approach, as expressed in the 2016 IP[1] Act, is not to
>> prohibit CGN, but require operators to log who was using which IP, when.
> IP+port, right?

Right. And the big issue in this report *isn't* how it impacts the
telco/routing aspects of an ISP, but how it may impact *any* content
provider by requiring logging changes to include at least src IP+port
and possibly the entire 5-tuple.

Here's the relevant content from that document:

>   *
>
>     In order to be able to trace back an individual end-user to an IP
>     address on a network using CGN, law enforcement must request
>     additional information[3] from content providers via legal process:
>
>       o Source and Destination IP addresses;
>       o Exact time of the connection (within a second);
>       o Source port number.
>
>     However, the lack of harmonized data retention standard
>     requirements in Europe[4] means that content service, Internet
>     service and data hosting providers are under no legal obligation
>     to retain this type of information, meaning that even a more
>     elaborate request from LEA would not yield useable information
>     from the provider.
>
>     Regulatory/legislative changes would be helpful to ensure that
>     content service providers systematically retain the necessary
>     additional data (source port) information to allow law enforcement
>     and judicial authorities to identify one specific end-user among
>     the thousands of users sharing the same public IP address.
>
>   *
>
>     As some content providers in Europe do store the relevant
>     information but some others do not practical solutions can be
>     sought through collaboration between the electronic/Internet?
>     service providers and law enforcement using already established
>     channels for cooperation such as the EU Internet Forum.
>

Note that [3] refers to RFC 6302 from June of 2011, and the abstract of
that document makes plain the problem:

> In the wake of IPv4 exhaustion and deployment of IP address sharing
> techniques, this document recommends that Internet-facing servers log
> port number and accurate timestamps in addition to the incoming IP
> address.

But here's your bog standard apache log line:

*10.11.12.13* - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Note what is *NOT* there. It is easy enough to change this with the
LogFormat statement in Apache. However, you do so at your peril if you
have any tools consuming those logs. The risk is probably *not* to the
Akamais of the world, but to any small business that decided to run a
server on their own, and probably has NO idea as to what the legal
requirements are.

>
>> This is exactly the same as when Internet access was primarily by
>> dial-up to banks of modems, and customers shared the IP Address of the
>> modem. The ISPs were expected to log who had been online at a specific
>> IP address at a specific time.
> It's not exactly the same, because a dial-up session was expected to be
> several minutes or even hours. A single IP+port may be used for less
> than a second.
>
> Plus there is likely an extra layer of indirection. A NAT device may
> know the customer private IP address and the public IP address, but
> might not necessarily have access to the database which assigned the
> customer to the private IP address. So that data also needs to be
> logged & correlated.
>
> If LEA are expected to pay for all of this extra storage and
> processing - or even if it just makes investigations slower - then I
> can easily understand why they would want to reduce the use of CGN. (If
> that cost gets eaten by ISP, then the push will naturally go towards
> fewer CGN without any encouragement by the LEA.)
>

Many operators using CGN are *already* required to retain this mapping.
There are some tools out there to reduce the data requirement, such as
bulk assignment. The problem here is that the ISP using CGN actually
changes the game for the end site.

Eliot
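Added example, not part of the message above or of the list archive: a Python sketch of the log-consumer problem the message raises, in which a strict parser written for the stock combined format rejects lines once the source port is logged, while a parser that treats the port as an optional trailing field reads both. It assumes the Apache 2.4 `%{remote}p` field appended last under a hypothetical format nickname `combined_port`; the sample line with port 51514 is constructed.

```python
import re
from datetime import datetime, timezone

# Assumed Apache 2.4 directive: stock "combined" plus the client source port
# (%{remote}p) appended last. "combined_port" is a hypothetical nickname.
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{remote}p" combined_port

Q = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache escapes embedded quotes as \"
BASE = r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' (\d{3}) (\S+) ' + Q + ' ' + Q
LEGACY = re.compile(BASE + r'$')                    # strict consumer, no port
TOLERANT = re.compile(BASE + r'(?: (\d{1,5}))?$')   # port is optional

def parse(line):
    """Return src_ip, src_port (None if not logged) and a UTC timestamp."""
    m = TOLERANT.match(line.strip())
    if m is None:
        return None
    port = int(m.group(8)) if m.group(8) else None
    if port is not None and not 1 <= port <= 65535:
        return None                                  # not a valid TCP port
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"src_ip": m.group(1), "src_port": port,
            "utc": ts.astimezone(timezone.utc).isoformat()}

def traceable(rec):
    """True when the record has the source port needed behind a shared IP."""
    return rec is not None and rec["src_port"] is not None

# The log line from the message, and a constructed variant with a port added.
OLD = ('10.11.12.13 - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 '
       '"-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"')
NEW = OLD + ' 51514'

if __name__ == "__main__":
    for name, line in (("old", OLD), ("new", NEW)):
        rec = parse(line)
        print(name, "legacy parser ok:", LEGACY.match(line) is not None,
              "| traceable:", traceable(rec), "|", rec)
```
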