Why the FBI wants IPv6: It's better for tracking criminals

There are plenty of reasons to like or hate Network Address Translation. Network administrators like it because it provides a way to eke out small pools of IP addresses and allows them to hide portions of their networks from the public Internet. Engineers hate it because it breaks the end-to-end nature of the Internet by separating users from their address.

The FBI hates it because it stops them from gathering data from Internet service providers about their customers.

“If we are going to capture the bad guys, it goes back to attribution,” the ability to associate an individual’s online activity with a specific address, said supervisory special agent Robert Flaim.

Related coverage:

IPv6 traffic shoots up on World Launch Day; dot-gov domains join in

Turn on IPv6, get attacked by malware

But when carriers put hundreds of customers behind a single public IP address using Carrier Grade NAT, the link is broken and it becomes difficult or impossible to identify the activities of an individual.

Carriers are required to provide police with records of user activity under court order, but if the records do not exist, the police are out of luck. “We’re already seeing this,” Flaim said June 6 at a conference on government IPv6 sponsored by the Digital Government Institute. “We are serving them subpoenas and they have nothing to provide us.”

The FBI formed the Law Enforcement CGN Working Group in June 2011 to address this problem, said Flaim, who chairs the group. There are some workarounds that could help, but the ultimate answer is adoption of IPv6, which will provide enough Internet addresses to allow every user and every device to have its own address, he said.

IPv6 is the next generation of Internet Protocols, the rules that specify how networked devices communicate and interoperate on the Internet. The IPv6 address space is exponentially larger than that in the current version, IPv4, which is running out of new addresses as the growth of the Internet accelerates. Adoption of IPv6 has begun, but is moving slowly because, for the time being at least, using the new addresses requires operating and maintaining a separate network on top of existing IPv4 infrastructure.

The CGN working group wants to see the adoption of IPv6 proceed more quickly, before carriers spend millions of dollars on a Carrier Grade NAT infrastructure that would likely remain in place for decades once the investment is made.

Network Address Translation allows multiple users on a network to share a single IP address behind a device that translates the public IP address to a private network address. It has long been used by enterprises to extend their pool of addresses. But as the pool of unallocated IPv4 addresses dries up, Carrier Grade or Large Scale NAT is being seen as a tool for carriers and network providers to put off the transition to IPv6.

Nearly everyone agrees that the transition is inevitable because the addition of new customers will increasingly come with IPv6 addresses. In an effort to jump-start the transition, the Internet Society sponsored IPv6 Launch Day June 6 to encourage networks, service providers and content providers to make the transition.

The law enforcement working group has held five meetings in its first year, and has scheduled another for July. “We’re gaining a lot of momentum,” Flaim said, with state and local law enforcement agencies from the United States as well as foreign agencies working, along with carriers and equipment providers, to explore ways around the CGN roadblock until IPv6 replaces the need for translation.

“They are going to have to start logging a lot more,” Flaim said. The working group is developing applications to identify and log user information for lawful intercept purposes. But this is no simple solution. Logging intercept data can generate petabytes of data that have to be stored and managed, requiring significant investments by carriers, and not all servers and applications support logging by default. And unlike Europe, the United States has no data retention laws specifying how data is to be gathered and handled. On top of these difficulties, the collection and retention of such information also raises serious privacy issues.

“It’s a very touchy issue,” Flaim said.

Even wholesale adoption of IPv6 will not completely solve the problem because users still would be able to use anonymous proxy servers to hide or obscure activities.

“A criminal can always find a way around anything,” Flaim said. “What we are trying to do is eliminate most of the problems, but there are always ways around it.”