The Network Forensics problem of IPv4

Although not directly on the subject IPv6, we absolutely need to draw your attention to a great presentation from Geoff Huston (APNIC) on Forensic Tracing in the Internet during APRICOT 2017. This relates to the pervasive use of Carrier Grade NATs as a means of extending the useable life of IPv4 on the Internet, and the implications for metadata record keeping and tracing users.

As we know, the pools of IPv4 addresses are close to depletion, but around 90% of the Internet is still only accessible via IPv4. As a result, Carrier-Grade NAT (CGN) has been widely implemented whereby private IPv4 address space is used in conjunction with a limited number of public IPv4 addresses in order to conserve public IPv4 address space. In other words, many customers are sharing a single public IPv4 address that will usually also change over a given time period.

If you therefore wish to trace from where traffic has originated from, then you need to maintain an extensive logging system keeping records on source IP addresses, source port addresses, along with dates/times. CGN bindings are formed for every unique TCP and UDP session, which can mean 150-450 bytes per connection and 33-216,000 connections per subscriber each day, resulting in the need to log 5-96 MB of data. For 1 million subscribers, this will generate up to 1 PB of data per month!

It’s becoming ever more complex to handle this information, and even if it’s possible to maintain comprehensive records, subscribers are also likely to be operating NATs and the trace will stop at these edge points. Bear in mind that some operators are also running out of private IPv4 address space on individual subnets, and are therefore needing to implement layers of CGNs.

Furthermore, it’s becoming increasingly difficult to analyse traffic flows as users and applications resort to encryption, sessions are split over multiple paths and access technologies (e.g. cellular, wifi), and even over a combination of IPv4 and IPv6.

So whilst Law Enforcement Agencies have traditionally focused on the network as the point of interception and tracing, and have introduced laws to mandate ever more extensive logging, the reality is that IPv4 addresses are increasing losing coherent meaning in terms of end party identification.

This might be interpreted that the choice is between ever more complicated and expensive record keeping systems, or transitioning to IPv6. Of course, some may see obfuscation through IPv4 as a positive benefit, but the fact remains that IPv4 is increasingly less scalable and becoming more complex to manage. IPv6 brings many other advantages with it, and confidentiality can still be maintained by using platforms and applications that support this.

You can watch Geoff’s presentation during the Network Security session on YouTube.

And if you’re interested in deploying IPv6 after this, then please see our Start Here page for more information!

Leave a Reply

Your email address will not be published. Required fields are marked *