Deploy360 Improving Technical Security IPv6

CGN, IPv6 and fighting online crime…

Carrier Grade NAT (CGN) is commonly used by network operators as a way of ekeing out the limited supply of public IPv4 addresses. This is where private IPv4 addresses are allocated to end customers, who in turn also use private IPv4 address ranges on their own Local Area Networks, which means there can be multiple layers of Network Address Translation (NAT) before traffic reaches the publicly addressed Internet.
Whilst CGN offers something of a technical solution to the shortage of public IPv4 addresses, it presents a number of problems for investigating and solving online crime. A CGN environment means that many hundreds of users can be sharing a single public IPv4 address, so that when a crime is committed, tracing the perpetrator is very difficult. Furthermore, sometimes action needs to be taken against a public IPv4 address that’s the origin of particular problems, but this then penalises many hundreds or even thousands of innocent users who may also be sharing that IP address.
Europol, the European Union Agency for Law Enforcement Cooperation, has identified that CGN is an impediment to investigating online crime, and is therefore consulting the Internet community on how network operators can be encouraged to deploy IPv6.
To facilitate this, a meeting of the European Cybercrime Centre (EC3) Advisory Group on Communication Providers was held on 19 February 2018 in Den Haag, The Netherlands. This involved some of the biggest European ISPs, the European Telecommunications Network Operators Association (ETNO), representatives of the European Commission, and several external experts from the community including Eric Vyncke (Cisco), Marco Hogewoning (RIPE NCC) and myself (Jan Žorž) from the Internet Society.
I’d remotely attended a previous meeting of this group and presented on the issues around CGN. At this meeting, I introduced three IPv6 Best Current Operational Practices (BCOP) documents, why they were produced, and how they were developed with the consensus of a wide group of network operators.
The first document was RIPE-554 “Requirements of IPv6 in ICT equipment” that can be used during equipment evaluation and in RFP creation to ensure IPv6 support in hardware and software. It provides a list of IPv6 requirements that vendors must meet in order for you to purchase their equipment.
The second document was RIPE-631 “IPv6 Troubleshooting for Residential ISP Helpdesks” that offers guidance to help desks who have to deal with Internet connectivity problems. It’s a simple set of detect/understand/solve instructions for helpdesk staff when users report IPv6 issues.
The last of the documents was RIPE-690 “IPv6 prefix assignment for end-users: persistent versus non-persistent, and what size to choose”. This offers operational guidance on how to assign IPv6 prefixes to end customers, and the consequences of making wrong choices when designing an IPv6 network.
Some of the wider discussion at the meeting focused on how deal with the issues around CGN that concern law enforcement, and tracing attackers by searching sessions logs in network operator firewalls. However, whilst this is feasible in a smaller setup, a CGN can create millions of sessions every second and logging to the extent necessary becomes extremely expensive in an industry where profit margins are quite low.
The meeting concluded that an IPv4-based Internet with layers of CGNs will be unscalable and unaffordable as the Internet grows further, but from a law enforcement perspective also limits the effectiveness of solving online crime. It was therefore agreed that IPv6 deployment needs to be supported and accelerated on the Internet.
IPv6 of course offers an almost unlimited supply of addresses which could allow every end user device to have a public IPv6 address without the need for complex translation and logging systems. This may make it easier for law enforcement to identify the source of suspicious or criminal behaviour and who might be behind it. However, there are a number of privacy considerations associated with IPv6 (see RFC 7721), and in 2007 the IETF published RFC 4941 that defined IPv6 privacy extensions which is explained in more detail in a blog written by my colleague Dan York.
Further Information
The Internet Society also encourages IPv6 deployment, so please see Start Here page to understand how you can get started with IPv6.
4 / 5
Deploy360 Events

The Network Forensics problem of IPv4

Although not directly on the subject IPv6, we absolutely need to draw your attention to a great presentation from Geoff Huston (APNIC) on Forensic Tracing in the Internet during APRICOT 2017. This relates to the pervasive use of Carrier Grade NATs as a means of extending the useable life of IPv4 on the Internet, and the implications for metadata record keeping and tracing users.

As we know, the pools of IPv4 addresses are close to depletion, but around 90% of the Internet is still only accessible via IPv4. As a result, Carrier-Grade NAT (CGN) has been widely implemented whereby private IPv4 address space is used in conjunction with a limited number of public IPv4 addresses in order to conserve public IPv4 address space. In other words, many customers are sharing a single public IPv4 address that will usually also change over a given time period.

If you therefore wish to trace from where traffic has originated from, then you need to maintain an extensive logging system keeping records on source IP addresses, source port addresses, along with dates/times. CGN bindings are formed for every unique TCP and UDP session, which can mean 150-450 bytes per connection and 33-216,000 connections per subscriber each day, resulting in the need to log 5-96 MB of data. For 1 million subscribers, this will generate up to 1 PB of data per month!

It’s becoming ever more complex to handle this information, and even if it’s possible to maintain comprehensive records, subscribers are also likely to be operating NATs and the trace will stop at these edge points. Bear in mind that some operators are also running out of private IPv4 address space on individual subnets, and are therefore needing to implement layers of CGNs.

Furthermore, it’s becoming increasingly difficult to analyse traffic flows as users and applications resort to encryption, sessions are split over multiple paths and access technologies (e.g. cellular, wifi), and even over a combination of IPv4 and IPv6.

So whilst Law Enforcement Agencies have traditionally focused on the network as the point of interception and tracing, and have introduced laws to mandate ever more extensive logging, the reality is that IPv4 addresses are increasing losing coherent meaning in terms of end party identification.

This might be interpreted that the choice is between ever more complicated and expensive record keeping systems, or transitioning to IPv6. Of course, some may see obfuscation through IPv4 as a positive benefit, but the fact remains that IPv4 is increasingly less scalable and becoming more complex to manage. IPv6 brings many other advantages with it, and confidentiality can still be maintained by using platforms and applications that support this.

You can watch Geoff’s presentation during the Network Security session on YouTube.

And if you’re interested in deploying IPv6 after this, then please see our Start Here page for more information!

Deploy360 IPv6

The Business Case for IPv6 in Pakistan

We had a very successful ION conference in Islamabad on 25 January 2017, and amongst the interesting topics presented at the conference, it’s worth highlighting the statistics on IPv4 and IPv6 allocation in Pakistan. Let me share those in detail here.

As per the APNIC resource delegation data (as of 1 January 2017). There are 5,314,816 IPv4 address allocated to ISPs and enterprises in Pakistan. However, if you look at the graph then it shows PTCL as the holder of nearly 73% IPv4 addresses in Pakistan, leaving the remaining 27% to the rest of the ISPs and enterprises. PTCL is undoubtedly the biggest broadband provider in Pakistan and also provides services to Ufone (telco operator), so you’d expect them to have the largest user base for both wired and mobile broadband services.

The main concern though, is that it’s now only possible to obtain a /22 IPv4 prefix from APNIC (as per the last /8 policy), and those will soon be exhausted. This means that if ISPs need more IPv4 address, the only option will be to buy them open market. The current going rate for IPv4 addresses is around USD 10 for each address  in a /18 block, plus the APNIC transfer fees, which amounts to nearly USD 164K for 16,384 IPv4 addresses.

The other option is deploying Carrier Grade NAT (CGN) to put many users behind a single IPv4 address.In theory, it’s safe to consider that each user may have around 250 concurrent sessions, so with around 65,000 sessions available per IP address, it’s possible to put 250 users behind a single IPv4 address with CGN. The downside though, are that you need powerful boxes to manage that many sessions and it is difficult to guarantee performance.

There’s another graph showing IPv6 delegations in Pakistan, with a very uniform address allocation to all existing APNIC members (with few negligible exceptions). No single entity has an edge over another, and it doesn’t cost anything extra (if you already hold IPv4 addresses) to obtain IPv6 addresses from APNIC. There’s no need to install complex and difficult to manage CGN solutions, nor buy expensive IPv4 addresses from the open market. It’s an open and level playing field for all operators wanting to serve the 200 million plus population of Pakistan.

For many years there was a big debate in Pakistan about the financial benefit of deploying IPv6, but these statistics clearly illustrate the business case for doing it. You can either deploy IPv6 at minimal cost by upgrading some old hardware (very rare), or deploy CGN and buy IPv4 from open market at significant expense. The choice is yours!

Deploy360 aims to help you deploy IPv6, so please take a look at our Start Here page to understand how you can get started with IPv6.