Hi,


On 2/23/17 12:11 AM, Shane Kerr wrote:
Roland,

At 2017-02-22 20:57:34 +0000
Roland Perry <roland@internetpolicyagency.com> wrote:


In message <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>, at 12:32:33 
on Thu, 16 Feb 2017, Chris Buckridge <chrisb@ripe.net> writes


LEA interest in reducing the use of CGN also came up for discussion at
the recent RIPE NCC Roundtable Meeting for Governments and Regulators
(held in Brussels on 24 January)  

The UK's approach, as expressed in the 2016 IP[1] Act, is not to 
prohibit CGN, but require operators to log who was using which IP, when.

IP+port, right?

Right.  And the big issue in this report isn't how it impacts the telco/routing aspects of an ISP, but how it may impact any content provider by requiring logging changes to include at least src IP+port and possibly the entire 5-tuple.  Here's the relevant content from that document:

  • In order to be able to trace back an individual end-user to an IP address on a network using CGN, law enforcement must request additional information3 from content providers via legal process:

    o Source and Destination IP addresses;
    o Exact time of the connection (within a second); o Source port number.

    However, the lack of harmonized data retention standard requirements in Europe4 means that content service, Internet service and data hosting providers are under no legal obligation to retain this type of information, meaning that even a more elaborate request from LEA would not yield useable information from the provider.

    Regulatory/legislative changes would be helpful to ensure that content service providers systematically retain the necessary additional data (source port) information to allow law enforcement and judicial authorities to identify one specific end-user among the thousands of users sharing the same public IP address.

  • As some content providers in Europe do store the relevant information but some others do not practical solutions can be sought through collaboration between the electronic/Internet? service providers and law enforcement using already established channels for cooperation such as the EU Internet Forum.


Note that [3] refers to RFC 6302 from June of 2011, and the abstract of that document makes plain the problem:

   In the wake of IPv4 exhaustion and deployment of IP address sharing
   techniques, this document recommends that Internet-facing servers log
   port number and accurate timestamps in addition to the incoming IP
   address.

But here's your bog standard apache log line:

10.11.12.13 - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Note what is NOT there.  It is easy enough to change this with the LogFormat statement in Apache. However, you do so at your peril if you have any tools consuming those logs.  The risk is probably not to the Akamais of the world, but to any small business that decided to a server on their own, and probably has NO idea as to what the legal requirements are.



This is exactly the same as when Internet access was primarily by 
dial-up to banks of modems, and customers shared the IP Address of the 
modem. The ISPs were expected to log who had been online at a specific 
IP address at a specific time.

It's not exactly the same, because a dial-up session was expected to be
several minutes or even hours. A single IP+port may be used for less
than a second.

Plus there is likely an extra layer of indirection. A NAT device may
know the customer private IP address and the public IP address, but
might not necessarily have access to the database which assigned the
customer to the private IP address. So that data also needs to be
logged & correlated.

If LEA are expected to pay for all of this extra storage and
processing - or even if it just makes investigations slower - then I
can easily understand why they would want to reduce the use of CGN. (If
that cost gets eaten by ISP, then the push will naturally go towards
fewer CGN without any encouragement by the LEA.)

Many operators using CGN are already required to retain this mapping.  There are some tools out there to reduce the data requirement, such as bulk assignment.  The problem here is that the ISP using CGN actually changes the game for the end site.

Eliot