The Internet of Things, the IPv4 crunch and carrier-grade NATs are just the beginning of a headache for law enforcement trying to track down individuals on the Internet. New technologies coming online to prolong IPv4 will push the number of shared users of one IP address to 1000:1 and new protocols like multipath TCP and Google QUIC will make server IP logs all but useless.
That’s according to Geoff Huston, chief scientist at APNIC, who spoke about this at last week’s Apricot 2017 in Ho Chi Minh City, Vietnam. Given this week’s news about WikiLeaks and its Vault7 release of CIA hacking tricks, his talk provides some fascinating context on how hard it has become for law enforcement to use the internet to track down people in the real world.
Today, Huston explained, telcos have hit the IPv4 exhaustion wall and hit it hard. Many remember when the word NAT (network address translation) was a swear word in the hallowed halls of the IETF (Internet Engineering Task Force) and the idea that the entire Internet would run off carrier-grade NATs was heresy of the worst order.
And yet, the industry has managed to cram 14 billion devices into 1.5 billion IPv4 addresses. 90% of the world’s users still have only v4 and nobody runs only v6.
Law enforcement is accustomed to bashing down doors based on IP addresses, and most countries have introduced metadata retention laws in a vain attempt to keep up. Before the days of the web, we had FTP server logs. If law enforcement found someone trying to download naughty files, they would look at IPv4 and query “whois”. Often it would go not just to the university but the department and often even the room number. Whois was the telephone directory of the Internet, and it was based on the assumption that everyone uses a single v4 address, updates their contact details and every device is configured with a permanent address.
Law enforcement got used to this.
But these days, Huston said, instead of giving each customer a bunch of addresses, ISPs give them one and they put all their devices behind a NAT. The address that law enforcement sees in the webserver log is simply a dynamic address based on a radius server allocation. That means the forensic analyst would also need the ISP’s radius log to find out which particular endpoint was assigned to which IP address at each time to provide the location of the physical door to be bashed down. So we now need accurate time logs as well.
This is with 14 billion devices on 1.5 billion IPv4 addresses. Soon we will get to 50 billion, Huston said. What’s happening is that ISPs are driving dual stack networks, with many now running IPv6 only on the mobile side. Address sharing is intense. How long is a TCP session? It could be five hours, or as short as 10 ms. The time on each server needs to be exact in order to find the right physical location. Even different NTP servers can be off by more than 10ms.
In 2012, a NAT log of every CGN saw endpoints generating between 5-96MB of log data per second. That is 1PB per million subscribers per month. The log stream alone is 20 Mbps and this was over four years ago. It is virtually impossible to even index that amount of data in real-time.
The post-Snowden internet
Consequently, said Huston, all these data retention acts simply do not work. They only keep politicians and hard disk manufacturers happy. Belgium has an agreement with ISPs to limit the number of users per IPv4 address at 12 users. But while that is workable for 2016, said Huston, can it be sustained for another ten years?
Complicating things further is IPv6 translation. Because nobody runs pure v6 right now, there is a lot of translation being done in many different ways. A cop tapping the network will see only v6 without any clue regarding the v4 on either end, Huston said. New Zealand has passed a law addressing this. It requires everyone to register their network design architecture with authorities, and report any changes that are made.
But there is still more.
Google has decided there is too much middleware – too much mangling of the TCP packets – and have come up with a new protocol, QUIC, in which they arm their Chrome browser with UDP rather than TCP. All the session data is in the UDP packet as a 64-bit session key. As long as the UDP packet arrives with the right key, no matter how it arrives, the server replies to that address. NATs massacre UDP, as there is no session start or end. Everything in UDP is crypto to the network. All Google expects is that the session to be up long enough for one round trip which can be less than a second.
Today 78% of the world runs Chrome. Hence, that 78% also runs QUIC. You see the problem.
Then there’s multipath TCP, which Apple has adopted. Law enforcement might think that tapping the mobile network is enough, but it’s not – the iPhone sends packets via Wi-Fi too.
Why has this happened? Two words: Edward Snowden.
Snowden’s NSA revelations about the degree and sophistication of online tracking sent the tech industry into a spin to the point that it is now completely paranoid, Huston said. We live in a world where apps do everything – even DNS lookup – without relying on the phone, let alone the ISP, so that it doesn’t leak anything to the network.
This is the Internet of the post-Snowden era, Huston said. There is no such thing as a session anymore. Opportunistic encryption is everywhere. Everything is obfuscated and scrambled. There is no state, no clarity, no binding. Even the DNS is going dark.
IPv4 and NAT was bad. IPv4 and NAT and IPv6 was double extra bad. IPv4, NAT, IPv6 and applications that are using all the horsepower on your phone to hide themselves is double, extra, triple really bad. Even if tomorrow we decided to run pure v6, the world will not change back, he concluded. We have crossed the Rubicon and we are not going back to a trustful internet. This is the new state of distrust.