Why the FBI wants IPv6: It's better for tracking criminals

There are plenty of reasons to like or hate Network Address Translation. Network administrators like it because it provides a way to eke out small pools of IP addresses and allows them to hide portions of their networks from the public Internet. Engineers hate it because it breaks the end-to-end nature of the Internet by separating users from their address.

The FBI hates it because it stops them from gathering data from Internet service providers about their customers.

“If we are going to capture the bad guys, it goes back to attribution,” the ability to associate an individual’s online activity with a specific address, said supervisory special agent Robert Flaim.


But when carriers put hundreds of customers behind a single public IP address using Carrier Grade NAT, the link is broken and it becomes difficult or impossible to identify the activities of an individual.

Carriers are required to provide police with records of user activity under court order, but if the records do not exist, the police are out of luck. “We’re already seeing this,” Flaim said June 6 at a conference on government IPv6 sponsored by the Digital Government Institute. “We are serving them subpoenas and they have nothing to provide us.”

The FBI formed the Law Enforcement CGN Working Group in June 2011 to address this problem, said Flaim, who chairs the group. There are some workarounds that could help, but the ultimate answer is adoption of IPv6, which will provide enough Internet addresses to allow every user and every device to have its own address, he said.

IPv6 is the next generation of Internet Protocols, the rules that specify how networked devices communicate and interoperate on the Internet. The IPv6 address space is exponentially larger than that in the current version, IPv4, which is running out of new addresses as the growth of the Internet accelerates. Adoption of IPv6 has begun, but is moving slowly because, for the time being at least, using the new addresses requires operating and maintaining a separate network on top of existing IPv4 infrastructure.

The CGN working group wants to see the adoption of IPv6 proceed more quickly, before carriers spend millions of dollars on a Carrier Grade NAT infrastructure that would likely remain in place for decades once the investment is made.

Network Address Translation allows multiple users on a network to share a single IP address behind a device that translates the public IP address to a private network address. It has long been used by enterprises to extend their pool of addresses. But as the pool of unallocated IPv4 addresses dries up, Carrier Grade or Large Scale NAT is being seen as a tool for carriers and network providers to put off the transition to IPv6.
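The attribution problem described above can be shown with a short sketch. This is an added example, not part of the original article: the log format, the addresses and the function names are constructed for illustration, and it assumes the carrier records the public port and the session times for each translation.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CGN mapping log (sample data, not real records). Fields per line:
# session start, session end (UTC), subscriber address, public address, public port.
# 100.64.0.0/10 is the shared range set aside for CGN; 203.0.113.0/24 is a
# documentation range.
SAMPLE_LOG = """\
2012-06-06T12:00:00Z 2012-06-06T12:05:00Z 100.64.0.11 203.0.113.7 40001
2012-06-06T12:01:00Z 2012-06-06T12:03:00Z 100.64.0.12 203.0.113.7 40002
2012-06-06T12:06:00Z 2012-06-06T12:09:00Z 100.64.0.13 203.0.113.7 40001
2012-06-06T12:00:00Z 2012-06-06T12:10:00Z 100.64.0.14 203.0.113.8 40001
"""

def parse_log(text):
    """Parse the hypothetical whitespace-separated log format above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, subscriber, public_ip, port = line.split()
        records.append({
            "start": datetime.strptime(start, FMT),
            "end": datetime.strptime(end, FMT),
            "subscriber": subscriber,
            "public_ip": public_ip,
            "port": int(port),
        })
    return records

def attribute(records, public_ip, when, public_port=None):
    """Return the subscribers that could have produced traffic seen from
    public_ip (and optionally public_port) at time `when`."""
    ts = datetime.strptime(when, FMT)
    return sorted({
        r["subscriber"] for r in records
        if r["public_ip"] == public_ip
        and r["start"] <= ts <= r["end"]
        and (public_port is None or r["port"] == public_port)
    })

RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # Address and time only: two subscribers share the address at 12:02.
    print(attribute(RECORDS, "203.0.113.7", "2012-06-06T12:02:00Z"))
    # Adding the port narrows it to one subscriber.
    print(attribute(RECORDS, "203.0.113.7", "2012-06-06T12:02:00Z", 40002))
    # Same address and port, later time: the port was reassigned.
    print(attribute(RECORDS, "203.0.113.7", "2012-06-06T12:07:00Z", 40001))
```

A request that names only the public address and a time matches every subscriber sharing that address, and a request for a moment no mapping record covers matches nobody.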

Nearly everyone agrees that the transition is inevitable because the addition of new customers will increasingly come with IPv6 addresses. In an effort to jump-start the transition, the Internet Society sponsored IPv6 Launch Day June 6 to encourage networks, service providers and content providers to make the transition.

The law enforcement working group has held five meetings in its first year, and has scheduled another for July. “We’re gaining a lot of momentum,” Flaim said, with state and local law enforcement agencies from the United States as well as foreign agencies working, along with carriers and equipment providers, to explore ways around the CGN roadblock until IPv6 replaces the need for translation.

“They are going to have to start logging a lot more,” Flaim said. The working group is developing applications to identify and log user information for lawful intercept purposes. But this is no simple solution. Logging intercept data can generate petabytes of data that have to be stored and managed, requiring significant investments by carriers, and not all servers and applications support logging by default. And unlike Europe, the United States has no data retention laws specifying how data is to be gathered and handled. On top of these difficulties, the collection and retention of such information also raises serious privacy issues.

“It’s a very touchy issue,” Flaim said.

Even wholesale adoption of IPv6 will not completely solve the problem because users still would be able to use anonymous proxy servers to hide or obscure activities.

“A criminal can always find a way around anything,” Flaim said. “What we are trying to do is eliminate most of the problems, but there are always ways around it.”

About the Author

William Jackson is a Maryland-based freelance writer.


Reader Comments

Thu, Sep 27, 2018 Abraham Y. Chen USA

The following are regularly updated world statistics that may shed some light on where IPv6 is today: (Please use the following three quoted strings as keywords for a browser search, after replacing each underscore “_” with a forward slash “/”.) "ams-ix.net_technical_statistics_sflow-stats_ether-type" "stats.labs.apnic.net_ipv6" We have come upon an approach that can expand each IPv4 address by 256M (Million) fold. A proposal nicknamed EzIP (phonetic for Easy IPv4) has been submitted to IETF: "tools.ietf.org_html_draft-chen-ati-adaptive-ipv4-address-space-03" Among a few interesting benefits, EzIP enables the establishment of sub-Internets each capable of serving a region up to the size of the largest city (Tokyo Metro) or 75% of countries, utilizing existing technology and equipment of the current Internet, yet not required to follow its conventions. Thoughts and comments will be much appreciated. Abe (2018-09-27 22:32)

Mon, Aug 27, 2018 Abraham Y. Chen

The IPv4 shortage issue may have been resolved. We came upon a scheme that will expand each public IPv4 address by 256M (Million) fold without affecting the current Internet. We have submitted a proposal called EzIP (phonetic for Easy IPv4) to IETF: https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03 Essentially, EzIP can establish a sub-Internet capable of serving an area with up to 256M IoTs from just one IPv4 address. This is bigger than the largest city (Tokyo metro) and 75% of the countries. The current Internet becomes the backbone / infrastructure / skeleton for interconnecting these sub-Internets, but only for traffic among them, very similar to the electric grid supporting islands of renewable energy generated by individual homes and businesses. Consequently, there will be a lot of spare IPv4 addresses, now. Thoughts and comments will be much appreciated. Abe (2018-08-27 22:45)

Fri, Jun 8, 2012 SoutheastUS

I think it is well past time for the US Congress (both houses) to go to technology school and start writing legislation for law enforcement to protect citizens' privacy and against "unlawful search and seizure". Government agencies should be required to get court orders for having ISPs log data. It would reduce the logging costs for the ISPs and protect privacy for law abiding citizens that are not the object of ongoing investigations.

Fri, Jun 8, 2012

IPv6 allows for privacy addresses to be generated. Your address will change regularly, and authorities can't prove how many people there are on a network, or which activities were related. At least Mac OS X enables this by default. This article is badly researched.

Fri, Jun 8, 2012 TJ United States

The "attribution" aspect is pretty much the same with IPv6 (with privacy addressing) as we had in IPv4 (locally NATed, not Carrier-NATed). For home users: Either way, the FBI kicks in the door and takes all of the machines within that residence ... Carrier NATing would require a bit more information (ports) from the FBI that the ISP would need to be logging, BUT with the same end result.
