Cybercrime Investigation, Data Retention Said Jeopardized by Growing Use of Network Address Translation
As some large retail ISPs move to carrier-grade network address translation (CGN) -- a ramped-up version of the network address translation (NAT) that has been in use for some time to cope with exhaustion of IPv4 addresses -- there are growing concerns about its impact on investigation of online and offline crimes and on traffic data storage requirements, said representatives from the law enforcement, cybersecurity, ISP and other sectors.
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
CGN, which places several subscribers, each with a private IP address, behind a single public-facing IP address, allows carriers to make use of dwindling IPv4 addresses rather than shifting to IPv6. This can make it harder to trace criminals on the Internet, Leslie Daigle, Internet Society chief Internet technology officer, and Alissa Cooper, chief computer scientist at the Center for Democracy & Technology, told us in recent interviews. It could also affect data retention obligations, they said. But IPv6 engineers at Comcast, Juniper Networks and Kalorama, an IPv6 consultancy, said customers behind CGN can still be identified.
CGN is “a necessary step in the evolution of the Internet,” since so many devices still require IPv4 address connectivity, said Alain Durand, distinguished engineer at Juniper Networks. “Today, going to an IPv6-only world is simply not an option.” But the implementation of CGN has serious consequences for law enforcement agencies, who are used to identifying potential criminals based on a single IP address, he said. “When an IP address no longer uniquely identifies a single subscriber, but is now shared among many subscribers, that is more problematic,” he said. “If you have 100 people sharing the same address, if you ask who was using the address yesterday, you may get a complex answer. And that can be a problem."
That potential problem has some in the law enforcement community concerned. “We certainly know some law enforcement agencies that are very much keenly aware of the issue and wanting to get it addressed before they have to wear the problem, but I think there are other law enforcement agencies that haven’t really had to think it through yet,” Daigle said. Kalorama Director Louis Sterchi said that at information technology registry meetings, “a guy from the FBI or two will be there, so it’s obviously something that they're aware of. ... There is a very creative, intelligent underworld out there that can be one step ahead of these guys.” John Brzozowski, Comcast chief architect for IPv6, said the potential difficulties have prompted law enforcement to encourage faster deployment of IPv6 technology. “Law enforcement in particular, they want to advocate the deployment of v6 because it improves or at least keeps their ability to do their jobs at the status quo,” he said. They “see IPv6 as a way to, at a bare minimum, maintain the status quo as far as being able to deliver their end of law enforcement.” The FBI and U.S. Secret Service declined to comment for this article, and the Department of Justice did not respond to a request for comment.
In Europe, where IPv4 addresses have been exhausted more quickly, broadband service providers like British Telecom have already begun CGN trials. Law enforcement officials have taken notice; the U.K. Home Office said CGN will make it harder to trace criminals on the Internet. “It can be difficult to establish who is responsible for online activity as IP addresses can be shared by a number of people,” the Home Office said. “This can frustrate law enforcement agencies who are trying to trace criminals using the internet to commit crime,” it said in a statement. In her speech opening Parliament in May, Queen Elizabeth II said, “In relation to the problem of matching Internet Protocol addresses, my government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace."
CGN takes sharing to a new level, said Thomas Haeberlen, an expert in the European Network and Information Security Agency (ENISA) critical information infrastructure protection and resilience unit. ISPs that use CGN don’t give users a “real” IPv4 address anymore, instead allocating a private address that’s shared among several customers in the same way that home routers share among devices, said Haeberlen, saying he’s following the CGN issue but it’s not something ENISA is currently working on. Imagine there’s a house with a standard nuclear family, and an average number of 10 devices, all connected and sharing a single home IPv4 address, said Keycom PLC Chief Technology Officer James Blessing, a council member of the Internet Services Providers Association U.K. That single home IPv4 address would then be shared with about 1,000 other subscribers using CGN, he said. “To the outside world, a single IPv4 address is really 10,000 devices,” he said.
Depending on how a carrier implements CGN, one public IP address could be shared by 10 or by 1,000 end-users, Alain Fiocco, senior director of Cisco’s IPv6 program, told us. CGN can also have disruptive implications for noncriminal end-users, he said. If a bank website notices someone attempting a fraudulent transfer, it can only track the criminal through a source IP address, which would be that of the CGN, Fiocco said. If the bank decides it must act quickly, it will block the source, which could block all the other users behind that public CGN address, he said. Kalorama’s Sterchi gave the example of a Melbourne Free University website that was one of about 1,000 websites shut down in May, when the Australian government blocked another website, hosted on the same IP address, that it suspected of engaging in fraud.
CGN has been used in the mobile market since the beginning, but its effects are different from those on fixed services, Fiocco said. A mobile CGN shares a public IP address among users, but each individual has her own telephone number, he said. When the police intercept mobile traffic, they do it on the basis of the telephone number on a SIM card, without regard to the IP address, he said. But with fixed services, the only identifier available for the user is the IP address and, now, the port, he said.
Some believe the widespread use of CGN could slow the adoption of IPv6, Cisco Distinguished Systems Engineer Steve Orr told us. Some end-users believe NAT acts as a second security mechanism, protecting their identity online. While this isn’t really the case, Orr said, he emphasized that “moving to IPv6 doesn’t necessarily mean NAT will go away,” since it will take so long to get a critical mass of devices, websites and end-users onto the technology, and since network administrators see it as a security mechanism.
BT’s CGN pilot has some customers sharing an IP address with up to nine other customers, it said. But even though the public IP address is shared, “all activity on the internet is unique to a particular user as the port address is used to uniquely identify any activity and trace it back to a specific broadband line,” it said in a statement.
This gets into potential traffic data storage issues, several people said. ISPs will have to store a lot more data if they use CGN, and this information “will be a lot more ‘fragile,’ so it’s unclear at this point if data retention obligations can be met at all in CGN networks,” Haeberlen said. Depending on how the CGN is configured, an individual’s ports and IP address could change from minute to minute, said ISPA U.K.’s Blessing. That increases the chance of misidentification of a user, he said. Cisco’s Fiocco said BT, or other carriers using CGN, will have to log everything to see which ports were consumed by which Web sessions, many of which can be fleeting. The log now contains “the entire life of the user” and shows everything he has done online, he said. It’s a scalability issue because the CGN system is much more complex and costly to operators, he said.
Some reports say each end customer generates around 33,000 CGN session states per day, regional Internet registry APNIC Chief Scientist Geoff Huston wrote in a May 19 blog post (http://xrl.us/bo77xj). For a large service provider, a busy period could see data flow of 400 Gbps, and it could be required to store up to 1.0 exabytes of data, he said. “It’s no longer an option to ask ‘who used this IP address on this date?'” or even who used the address and this port address in a particular hour, he wrote. “A traceback that can penetrate the CGN-generated address overuse fog requires the question to include both the source and destination IP addresses and port numbers, the transport protocol, and the precise time of day, measured in milliseconds,” he said.
Juniper’s Durand said the engineering community has found ways to solve those problems. A service provider can assign several hundred ports to each customer, rather than rotate them, so the block of ports itself serves as identification. ISPs would then store only one log entry tying each customer to his block of ports, he said, eliminating the need to log what sites a customer was accessing at what time. Fiocco said all that makes it more complicated for law enforcement agencies to narrow down the identity of a particular user, but it’s doable.
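To make the two logging models concrete, here is an added Python sketch that is not from the article or from any of the vendors quoted. It contrasts Huston's point that a traceback through a dynamic CGN needs both endpoints, the protocol and millisecond-precision time against Durand's deterministic port-block allocation, where one static record per customer suffices. The session log, customer ids and addresses are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
PUBLIC_IP = "203.0.113.10"

@dataclass(frozen=True)
class Session:
    subscriber: str   # internal customer id (hypothetical)
    pub_port: int     # source port on the shared public IP
    dst_ip: str
    dst_port: int
    proto: str
    start_ms: int     # session lifetime in ms (constructed)
    end_ms: int

# Dynamic CGN: ports are recycled, so one log line per session is needed.
# Port 40000 is reused by three customers, and two of those uses overlap in time
# but differ in destination.
SESSION_LOG = [
    Session("cust-A", 40000, "198.51.100.5", 443, "tcp", 1_000, 5_000),
    Session("cust-B", 40000, "198.51.100.9", 443, "tcp", 6_000, 9_000),
    Session("cust-C", 40000, "198.51.100.5", 80,  "tcp", 2_000, 3_000),
    Session("cust-A", 40001, "198.51.100.9", 443, "udp", 7_000, 8_000),
]

def trace_by_port_and_window(log, pub_port, start_ms, end_ms):
    """Coarse query ('who used this port in this window?'): returns a set,
    which holds several subscribers once ports have been recycled."""
    return {s.subscriber for s in log
            if s.pub_port == pub_port and s.start_ms <= end_ms and s.end_ms >= start_ms}

def trace_full_tuple(log, pub_port, dst_ip, dst_port, proto, t_ms):
    """Full traceback: both endpoints, protocol and a precise timestamp."""
    return {s.subscriber for s in log
            if (s.pub_port, s.dst_ip, s.dst_port, s.proto) == (pub_port, dst_ip, dst_port, proto)
            and s.start_ms <= t_ms <= s.end_ms}

# Deterministic port-block allocation: each subscriber owns a fixed port range,
# so attribution needs only this static map and no per-session log.
def build_port_blocks(subscribers, block_size=512, first_port=1024):
    return {sub: (first_port + i * block_size, first_port + (i + 1) * block_size - 1)
            for i, sub in enumerate(subscribers)}

def trace_port_block(blocks, pub_port):
    """Resolve a public port to the single subscriber owning its block."""
    for sub, (lo, hi) in blocks.items():
        if lo <= pub_port <= hi:
            return sub
    return None
```

Note that the port-block model trades log volume for a fixed per-customer port budget, which is the cost Daigle raises below.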
Durand said “the sky is not falling” under CGN, precisely because of techniques like port allocation. “Those techniques have really achieved the technique of not only reducing the volume of the log but actually suppressing the log,” he said. “Carrier-grade NAT is not new. It has been in play in wireless for a number of years. We as an Internet community have learned how to deal with that. It’s not a new problem. The sky is not falling. We have some technologies to address some of the concerns that have been raised, like the log volume. I think we are very well prepared."
But the Internet Society’s Daigle said solutions like port allocation “are part of what makes CGN complex and expensive and difficult to manage.” CGNs are designed to reassign addresses to different users, potentially at high rates of recycling, she said. “The harder you get into a crunch with lack of v4 space, the more you're going to be pushing those CGNs to be reassigning addresses,” and that’s where “you get into the complexity and the cost and the volume of logs you have to do. Computationally, yes, you can solve it; practically speaking it gets really expensive.” The technology may seem compelling at the outset, she said, but “operators will step into it and realize that this is really ugly.”