The Carrier-Grade NAT Information Gap

Large-scale IP address sharing technologies (such as "Carrier-Grade NAT" and “Address plus Port”) are a helpful tool for extending the life of IPv4 addresses by allowing multiple endpoints to share a small number of IPv4 addresses. A related category of technologies used in the transition from IPv4 to IPv6 (including, amongst others, “ISATAP”, “Teredo” and “6rd”) also involves large-scale address sharing. All of these technologies extend the space of available IPv4 addresses by mapping communication from multiple endpoints onto a single shared address, or a small number of them, through the use of port numbers. The detail of how this is achieved varies from one technology to the next, but the principle remains the same in all cases.

Whilst not universally the case, the overwhelming majority of organisations that operate large-scale address sharing infrastructure are Internet Service Providers (ISPs). In practically every jurisdiction there is a legal or regulatory requirement that ISPs retain records sufficient to identify their subscribers, should they be required to do so either by court order or by law enforcement request, depending on the jurisdiction and circumstances. In practical terms, this has in most cases meant ISPs retaining records of which subscriber was using a particular IP address at a particular point in time. With the advent of large-scale address sharing technologies, ISPs nowadays also commonly maintain records of the source port that was in use by a particular subscriber at a particular point in time.

To be able to uniquely identify a specific subscriber within the ISP’s records, a law enforcement agency needs to have the following three pieces of information:

  1. A source IP address
  2. A source port number
  3. The exact time that the IP address and port number were being used

This data could come, for example, from the records of a server that has been hacked or used as a platform for some type of criminal activity. Common practice at present, however, is for servers to log only the connection time and source IP address of incoming connections. That is not sufficient to identify the true source of the traffic, because potentially hundreds or thousands of individual endpoints were using that IP address at the same time.
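The following is an added illustration of the attribution problem described above; it is not code from the original article. It models an ISP's address-sharing records as a constructed table of port-block leases on a shared public IPv4 address, and resolves constructed server log lines against that table. The subscriber identifiers, addresses, port ranges, lease times and log lines are all invented for the example; the only real identifiers are the Apache `%{remote}p` and nginx `$remote_port` log variables named in the comments, which are the directives that add the client port to an access log.

```python
"""Added example: resolving a server log entry to an ISP subscriber behind
carrier-grade NAT, with and without a logged source port.

Everything below (subscriber IDs, addresses, leases, log lines) is constructed
for illustration and does not describe any real network."""
import re
from datetime import datetime, timezone

# Constructed CGNAT allocation records. Each subscriber is leased a block of
# source ports on a shared public IPv4 address for a period of time; once a
# lease ends the same block can be handed to a different subscriber, which is
# why the exact time matters as much as the port.
# (public_ip, first_port, last_port, lease_start, lease_end, subscriber_id)
CGNAT_ALLOCATIONS = [
    ("203.0.113.10", 1024, 2047, "2024-03-01T10:00:00Z", "2024-03-01T11:00:00Z", "sub-0001"),
    ("203.0.113.10", 2048, 3071, "2024-03-01T10:00:00Z", "2024-03-01T11:00:00Z", "sub-0002"),
    ("203.0.113.10", 3072, 4095, "2024-03-01T10:30:00Z", "2024-03-01T11:30:00Z", "sub-0003"),
    ("203.0.113.10", 1024, 2047, "2024-03-01T11:00:00Z", "2024-03-01T12:00:00Z", "sub-0004"),
    ("203.0.113.11", 1024, 2047, "2024-03-01T10:00:00Z", "2024-03-01T11:00:00Z", "sub-0005"),
]

# Constructed access-log lines in Apache "combined" style. The first uses a
# client field written as %h:%{remote}p (nginx: $remote_addr:$remote_port);
# the second is the common default, which records the address only.
LOG_WITH_PORT = '203.0.113.10:3500 - - [01/Mar/2024:10:45:12 +0000] "GET /login HTTP/1.1" 200 512'
LOG_WITHOUT_PORT = '203.0.113.10 - - [01/Mar/2024:10:45:12 +0000] "GET /login HTTP/1.1" 200 512'


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the allocation table."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def candidate_subscribers(public_ip, when, source_port=None):
    """Return the set of subscriber IDs that could have originated a connection
    from public_ip at `when`. Without a source port every subscriber holding a
    lease on that address at that instant is a candidate; with a port only the
    holder of the block containing that port remains."""
    if isinstance(when, str):
        when = parse_ts(when)
    found = set()
    for ip, lo, hi, start, end, sub in CGNAT_ALLOCATIONS:
        if ip != public_ip:
            continue
        if not (parse_ts(start) <= when < parse_ts(end)):
            continue
        if source_port is not None and not (lo <= source_port <= hi):
            continue
        found.add(sub)
    return found


def attribution_query(log_line):
    """Extract (source_ip, source_port, utc_time) from an access-log line.
    source_port is None when the server did not log it."""
    client, _, _ = log_line.partition(" ")
    ip, sep, port = client.rpartition(":")
    if sep:
        port = int(port)
    else:
        ip, port = client, None
    stamp = re.search(r"\[([^\]]+)\]", log_line).group(1)
    # Apache writes the local time with a numeric offset; normalise to UTC so it
    # can be compared with the ISP's records.
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return ip, port, when


def resolve(log_line):
    """Map one log line to the set of subscribers the ISP could attribute it to."""
    ip, port, when = attribution_query(log_line)
    return candidate_subscribers(ip, when, port)


if __name__ == "__main__":
    print("with port:   ", sorted(resolve(LOG_WITH_PORT)))      # one subscriber
    print("without port:", sorted(resolve(LOG_WITHOUT_PORT)))   # every lease holder
```

Running the example shows the gap concretely: the line without a port resolves to every subscriber leasing the address at that moment, while the line with the port resolves to exactly one. The table also shows why the timestamp must be precise and in a known time zone: port block 1024-2047 on 203.0.113.10 belongs to one subscriber before 11:00 and to another after it.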

Therefore, an information gap exists because the data required to query the ISP’s records is not available in most cases. How should this gap be addressed?

There are a limited number of options:

  1. Require ISPs to log more information, sufficient to identify a specific subscriber from the combination of Source IP, Destination IP and time. This is known as connection logging.
  2. Restrict through regulation or code of practice the number of individual subscribers that can simultaneously be using a particular IP address.
  3. Complete migration of the entire Internet to IPv6.
  4. Bring about the routine logging of source port information at Internet servers.

Requiring ISPs to log more information, effectively to record every connection made by all of their subscribers, has some serious negative consequences including amongst other things, the cost to the ISP in terms of storage and processing power but also the significantly increased risk to subscriber privacy arising from a data breach in the ISP. Despite these downsides, this is a solution that has been adopted by some regulators around the world.

Another approach that has been used in some countries is to severely restrict the number of subscribers that can simultaneously share an IP address, to something in the region of sixteen for example. This means that a law enforcement agency that is in possession of a source IP address associated with criminal activity, together with an accurate timestamp, can find the sixteen subscribers that were using that IP address and, hopefully, quickly eliminate fifteen of them. Of course, this approach raises concerns about the rights of the innocent parties, who may find themselves under suspicion in a criminal investigation through no fault of their own. It also severely limits the usefulness of address-sharing technologies for the ISP.

The ultimate solution to the problem of large-scale address sharing is, of course, to migrate to IPv6 in which case address sharing would no longer be required. However, total migration to IPv6 is still a long way off so the challenge arising from large-scale address sharing needs to be considered in the meantime. IPv6 is also not without crime attribution challenges.

The only other solution is to bring about the routine logging of source port information alongside IP address in the logs of Internet-facing servers. With this approach, were it possible, the needs of law enforcement could be met without negatively impacting the privacy of ISP subscribers. Both the IETF and this author have put this approach forward as the preferred option. The problem is that this requires coordinated, distributed action by a large number of organisations to bring about the required change in standards.

In summary, if the need arises during a criminal investigation to identify the source of a specific connection, the source IP address, source port, and exact connection time will be required to query the records of an ISP operating a large-scale address sharing infrastructure. Without this additional information it is highly unlikely that law enforcement authorities will be able to progress their investigations. If ISP regulators are put into a position where they need to act to address this gap, there are only a limited number of options available: more logging by ISPs, restricting address sharing, or migrating to IPv6, none of which are particularly attractive or timely. Therefore the best balance between the individual's right to privacy and the needs of law enforcement can be achieved through a concerted effort to bring about routine logging of source port information on Internet-facing servers.
