Europol Communication on Carrier-Grade NAT
Dear colleagues, Europol (the European Union’s law enforcement agency) last month sent a communication to the Council of the European Union (the group of government ministers from each EU country) regarding Carrier-Grade NAT (CGN), an issue of direct relevance to many RIPE NCC members and the RIPE community. The communication is available online at: http://www.statewatch.org/news/2017/jan/eu-europol-cgn-tech-going-dark-data-... Specifically, it notes that:
With CGN, law enforcement has lost its ability to associate and link a particular cyber criminal’s activity back to a particular IP address.
The paper suggests greater regulatory coordination at the EU level regarding CGN, and also notes that:
On 31st January 2017 a European Network of law enforcement specialists in CGN will be established, the secretariat of which will be established [/provided by?] at Europol. The aim of this network is to:
- document cases of non-attribution linked to CGN in EU,
- document existing best practices to overcome CGN-related attribution problems currently in place in some Member States,
- raise awareness of European policy-makers about the problem of attribution linked to CGN technologies,
- represent the voice of law enforcement developing a common narrative and advocating for a voluntary scheme at EU level to improve traceability by engaging in a coordinated fashion with ISPs and content providers.
A press release was also issued by Europol regarding the formation of this new group: https://www.europol.europa.eu/newsroom/news/closing-online-crime-attribution...

LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January), where the strong uptake of IPv6 in Belgium was attributed (at least partially) to coordination between law enforcement, national regulators and operators to limit the number of customers that can concurrently share a single IPv4 address.

As noted in a previous email, the RIPE NCC and Europol signed an MoU in December 2016 with a focus on sharing expertise in the areas of cybercrime and Internet security. We will be liaising with Europol on this topic, and would appreciate any feedback from the RIPE community on this or related issues.

Best regards,
Chris Buckridge
External Relations Manager
RIPE NCC
It is funny how things progress. Not that long ago we had various LEAs complaining about IPv6. Google << IPv6 FBI >> for examples, including this: "The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses -- and warn new laws may be necessary if industry doesn't do more." https://www.cnet.com/news/fbi-dea-warn-ipv6-could-shield-criminals-from-poli...

Anyway, while I think outreach and "enhanced cooperation" by NCC can be a good thing, I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.

For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC's involvement with the European Parliament's EIF? (Sorry Chris!)

Gordon
On 16 Feb 2017, at 15:22, Gordon Lennox <gordon.lennox.13@gmail.com> wrote:
Anyway, while I think outreach and "enhanced cooperation" by NCC can be a good thing, I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.
For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC’s involvement with the European Parliament’s EIF? (Sorry Chris!)
Not at all, Gordon, and a useful reminder to share with this group a link to the report from our recent Roundtable Meeting: https://www.ripe.net/publications/news/about-ripe-ncc-and-ripe/ripe-ncc-hold... (The report includes a link to presentations given on the day, and the discussion mentioned in my earlier email about Belgian IPv6 adoption sprang from the RIPE NCC report and its section on IPv6 adoption trends.)

Cheers
Chris
Chris,

100% agree with Gordon on this. Transparency => trust. And while I appreciate that the NCC isn't trying to obfuscate anything, sharing information as widely as possible to members is helpful and appreciated.

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/
http://blacknight.blog / http://ceo.hosting/
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland
Company No.: 370845

On 16/02/2017, 14:22, "cooperation-wg on behalf of Gordon Lennox" <cooperation-wg-bounces@ripe.net on behalf of gordon.lennox.13@gmail.com> wrote:

It is funny how things progress. Not that long ago we had various LEAs complaining about IPv6. Google << IPv6 FBI >> for examples, including this: "The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses -- and warn new laws may be necessary if industry doesn't do more." https://www.cnet.com/news/fbi-dea-warn-ipv6-could-shield-criminals-from-poli...

Anyway, while I think outreach and "enhanced cooperation" by NCC can be a good thing, I also think that transparency is important to maintain the trust of the community. I believe more reporting of the detail of meetings and contacts between NCC and LEAs and regulators would be helpful.

For starters, I might ask if there will be reports on the recent Round Table in Brussels and on NCC's involvement with the European Parliament's EIF? (Sorry Chris!)

Gordon
In message <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>, at 12:32:33 on Thu, 16 Feb 2017, Chris Buckridge <chrisb@ripe.net> writes
LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January)
The UK's approach, as expressed in the 2016 IP[1] Act, is not to prohibit CGN, but require operators to log who was using which IP, when. This is exactly the same as when Internet access was primarily by dial-up to banks of modems, and customers shared the IP address of the modem. The ISPs were expected to log who had been online at a specific IP address at a specific time.

[1] Investigatory Powers, not Internet Protocol.

--
Roland Perry
Roland, At 2017-02-22 20:57:34 +0000 Roland Perry <roland@internetpolicyagency.com> wrote:
In message <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>, at 12:32:33 on Thu, 16 Feb 2017, Chris Buckridge <chrisb@ripe.net> writes
LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January)
The UK's approach, as expressed in the 2016 IP[1] Act, is not to prohibit CGN, but require operators to log who was using which IP, when.
IP+port, right?
This is exactly the same as when Internet access was primarily by dial-up to banks of modems, and customers shared the IP Address of the modem. The ISPs were expected to log who had been online at a specific IP address at a specific time.
It's not exactly the same, because a dial-up session was expected to be several minutes or even hours. A single IP+port may be used for less than a second.

Plus there is likely an extra layer of indirection. A NAT device may know the customer private IP address and the public IP address, but might not necessarily have access to the database which assigned the customer to the private IP address. So that data also needs to be logged & correlated.

If LEA are expected to pay for all of this extra storage and processing - or even if it just makes investigations slower - then I can easily understand why they would want to reduce the use of CGN. (If that cost gets eaten by ISP, then the push will naturally go towards fewer CGN without any encouragement by the LEA.)

Cheers,

--
Shane
Hi, On 2/23/17 12:11 AM, Shane Kerr wrote:
Roland,
At 2017-02-22 20:57:34 +0000 Roland Perry <roland@internetpolicyagency.com> wrote:
In message <4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net>, at 12:32:33 on Thu, 16 Feb 2017, Chris Buckridge <chrisb@ripe.net> writes
LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January) The UK's approach, as expressed in the 2016 IP[1] Act, is not to prohibit CGN, but require operators to log who was using which IP, when. IP+port, right?
Right. And the big issue in this report *isn't* how it impacts the telco/routing aspects of an ISP, but how it may impact *any* content provider by requiring logging changes to include at least src IP+port and possibly the entire 5-tuple. Here's the relevant content from that document:
*
In order to be able to trace back an individual end-user to an IP address on a network using CGN, law enforcement must request additional information3 from content providers via legal process:
o Source and Destination IP addresses; o Exact time of the connection (within a second); o Source port number.
However, the lack of harmonized data retention standard requirements in Europe4 means that content service, Internet service and data hosting providers are under no legal obligation to retain this type of information, meaning that even a more elaborate request from LEA would not yield useable information from the provider.
Regulatory/legislative changes would be helpful to ensure that content service providers systematically retain the necessary additional data (source port) information to allow law enforcement and judicial authorities to identify one specific end-user among the thousands of users sharing the same public IP address.
*
As some content providers in Europe do store the relevant information but some others do not practical solutions can be sought through collaboration between the electronic/Internet? service providers and law enforcement using already established channels for cooperation such as the EU Internet Forum.
Note that [3] refers to RFC 6302 from June of 2011, and the abstract of that document makes plain the problem:
In the wake of IPv4 exhaustion and deployment of IP address sharing techniques, this document recommends that Internet-facing servers log port number and accurate timestamps in addition to the incoming IP address.
But here's your bog standard Apache log line:

*10.11.12.13* - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

Note what is *NOT* there. It is easy enough to change this with the LogFormat statement in Apache. However, you do so at your peril if you have any tools consuming those logs. The risk is probably *not* to the Akamais of the world, but to any small business that decided to run a server on their own, and probably has NO idea as to what the legal requirements are.
This is exactly the same as when Internet access was primarily by dial-up to banks of modems, and customers shared the IP Address of the modem. The ISPs were expected to log who had been online at a specific IP address at a specific time. It's not exactly the same, because a dial-up session was expected to be several minutes or even hours. A single IP+port may be used for less than a second.
Plus there is likely an extra layer of indirection. A NAT device may know the customer private IP address and the public IP address, but might not necessarily have access to the database which assigned the customer to the private IP address. So that data also needs to be logged & correlated.
If LEA are expected to pay for all of this extra storage and processing - or even if it just makes investigations slower - then I can easily understand why they would want to reduce the use of CGN. (If that cost gets eaten by ISP, then the push will naturally go towards fewer CGN without any encouragement by the LEA.)
Many operators using CGN are *already* required to retain this mapping. There are some tools out there to reduce the data requirement, such as bulk assignment. The problem here is that the ISP using CGN actually changes the game for the end site. Eliot
On 23 Feb 2017, at 00:11, Shane Kerr <shane@time-travellers.org> wrote:
IP+port, right?
Hope it is the full 5-tuple + timestamp synced to a known (and accurate) source. And then still wonder what kind of surprises you'll find, with the other peer (not in UK) not logging ports or having a system clock that is significantly off from what is considered standard time.

Mind you, a few decades in and my (big corp) calendar application sometimes still struggles with timezones and occasionally plans meetings +/- 1 hour. I still see some opportunity for outreach there; time, timezones and clocks on the Internet and how those may affect the timestamps in logs.

MarcoH
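The three practical points raised in the thread (Shane's note that one IP+port may be reused within a second and that the NAT mapping still has to be correlated with the subscriber database, Eliot's observation that the default Apache line carries neither port nor sub-second time, and Marco's warning about clocks and timezones) can be made concrete with a small script. The following is an added worked example, not code from the thread, Europol, RIPE NCC or RFC 6302. The Apache LogFormat string in the comment is an assumption about what would produce the extended line, and every log line, NAT translation record and subscriber lease is constructed for illustration.

```python
"""Attribution behind Carrier-Grade NAT: standard vs RFC 6302-style logging.

Added worked example, not code from the thread, Europol or RFC 6302.
Every log line, NAT translation record and subscriber lease below is
constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: an Apache 2.4 LogFormat along the lines of
#   LogFormat "%a:%{remote}p [%{%Y-%m-%dT%H:%M:%S}t.%{usec_frac}t%{%z}t] \"%r\" %>s %b" rfc6302
# produces the RFC6302_LINE shape below (client IP, client port, microsecond
# timestamp with UTC offset). The combined-format line is the thread's one.
LINE_RE = re.compile(
    r'^(?P<ip>[0-9.]+)(?::(?P<port>\d+))?(?: \S+ \S+)? \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})')

# (strptime format, precision the timestamp actually conveys)
TS_FORMATS = (
    ("%Y-%m-%dT%H:%M:%S.%f%z", timedelta(microseconds=1)),
    ("%d/%b/%Y:%H:%M:%S %z", timedelta(seconds=1)),
)

UTC = timezone.utc


def t(s):
    """Constructed UTC instant, e.g. t("2017-02-23T07:50:18.412000")."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=UTC)


# Constructed CGN translation log: (public IP, public port, private IP, start, end).
# Public port 40001 is reused by two different subscribers within one second.
NAT_LOG = [
    ("203.0.113.10", 40001, "100.64.0.5",  t("2017-02-23T07:50:17.900000"), t("2017-02-23T07:50:18.300000")),
    ("203.0.113.10", 40001, "100.64.1.9",  t("2017-02-23T07:50:18.350000"), t("2017-02-23T07:50:19.100000")),
    ("203.0.113.10", 40002, "100.64.2.77", t("2017-02-23T07:50:00.000000"), t("2017-02-23T07:55:00.000000")),
    ("203.0.113.10", 40003, "100.64.1.9",  t("2017-02-23T07:49:00.000000"), t("2017-02-23T07:51:00.000000")),
]

# Constructed subscriber database, the second layer of indirection Shane
# describes: (private IP, subscriber, lease start, lease end).
LEASES = [
    ("100.64.0.5",  "subscriber-A", t("2017-02-23T00:00:00.000000"), t("2017-02-24T00:00:00.000000")),
    ("100.64.1.9",  "subscriber-B", t("2017-02-23T00:00:00.000000"), t("2017-02-24T00:00:00.000000")),
    ("100.64.2.77", "subscriber-C", t("2017-02-23T00:00:00.000000"), t("2017-02-24T00:00:00.000000")),
]

# Constructed content-provider log lines; 08:50:18 +0100 is 07:50:18 UTC.
COMBINED_LINE = '203.0.113.10 - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0"'
PORT_ONLY_LINE = '203.0.113.10:40001 [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442'
RFC6302_LINE = '203.0.113.10:40001 [2017-02-23T08:50:18.412000+0100] "GET / HTTP/1.1" 200 67442'
# Same request, but the server's clock or zone setting is wrong by an hour.
SKEWED_LINE = '203.0.113.10:40001 [2017-02-23T08:50:18.412000+0000] "GET / HTTP/1.1" 200 67442'


def parse_line(line):
    """Return (client IP, client port or None, window start, window end) in UTC.

    The window is the half-open interval the timestamp can denote: one
    second for a CLF %t, one microsecond for the extended format.
    """
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    for fmt, precision in TS_FORMATS:
        try:
            ts = datetime.strptime(m["ts"], fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError("unrecognised timestamp: " + m["ts"])
    start = ts.astimezone(UTC)
    port = int(m["port"]) if m["port"] else None
    return m["ip"], port, start, start + precision


def attribute(line, nat_log=NAT_LOG, leases=LEASES):
    """Two-step correlation: log line -> NAT translation -> subscriber lease.

    Returns every subscriber consistent with the line: one name is an
    unambiguous attribution, several means the log is not specific enough,
    none means the records do not line up (e.g. clock skew).
    """
    ip, port, win_start, win_end = parse_line(line)
    private_ips = {
        priv for pub_ip, pub_port, priv, s, e in nat_log
        if pub_ip == ip and (port is None or pub_port == port)
        and s < win_end and e > win_start          # intervals overlap
    }
    return sorted({
        who for priv, who, s, e in leases
        if priv in private_ips and s < win_end and e > win_start
    })


if __name__ == "__main__":
    for name, line in [("combined", COMBINED_LINE), ("port, 1 s", PORT_ONLY_LINE),
                       ("port + usec", RFC6302_LINE), ("clock off by 1 h", SKEWED_LINE)]:
        print(f"{name:18s} -> {attribute(line)}")
```

Run as-is, the default combined line resolves to all three subscribers sharing 203.0.113.10, adding the port alone still leaves two because the port was reused within the second, port plus microsecond timestamp yields exactly one, and the line with the wrong UTC offset matches nobody at all. That last case is the quiet failure mode: nothing errors, the request simply appears never to have passed through the CGN.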
participants (7)
- Chris Buckridge
- Eliot Lear
- Gordon Lennox
- Marco Hogewoning
- Michele Neylon - Blacknight
- Roland Perry
- Shane Kerr