FBI & DEA Warn That IPv6 May Be Too Damn Anonymous
from the they-just-woke-up? dept
IPv6 has been around for quite some time at this point, but as we get closer and closer to moving the internet over to the system, it appears that American and Canadian law enforcement has just noticed that it's not as easy to identify and track users, and they're frantically raising concerns.FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.The issue has more to do with record-keeping than technology. As Declan McCullagh explains at the link above:
ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 64.30.224.118, you can see that it's registered to CNET's publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it's been handing out IPv4 addresses blocks every few months, it currently enjoys enough leverage to insist on it.Of course, some might see that as a feature, not a bug. Either way, I would imagine that most service providers will bend over backwards to make sure that law enforcement can, in fact, track people down if necessary. Too many service providers fold when the feds come knocking seeking information on people already. As long as this is presented as a way to protect children or stop terrorists or whatever the favorite of the day is, it seems likely that ISPs will get things in order themselves.
But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies -- presumably armed with court orders -- longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider's customer.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
In fact, Polio helped make sure that suspects couldn't get away at all, we should just start warning that the Polio vaccine is also hindering our work.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
The early bird may get the worm, but the second rat gets the cheese! =P
[ link to this | view in chronology ]
Oh, wait. Silly me, that doesn't matter anymore.
[ link to this | view in chronology ]
Oh, right, I forgot. For that you need to follow procedures and "ask politely", whereas, currently any idiot can run whois from the command line and get that info without asking anyone.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
We might have to get actual warrants rather than just a post-it to get information!
Anyone else scared that these great minds just now figured out they might have more difficulty with IPv6, not like its been on the horizon for a while...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
What does anybody expect?
[ link to this | view in chronology ]
Re: What does anybody expect?
[ link to this | view in chronology ]
Re: Re: What does anybody expect?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
So just get rid of public libraries, duh! Problem solved.
[ link to this | view in chronology ]
Re: Re: Anonymous Library Usage
Not in my Library System. To log onto their public computers, I need to supply my Library Card Number and I am then granted 120 minutes (or until 15 minutes until closing - which ever is less) of access. Since I have to prove my identity to get the card I am not anonymous (unless I supply someone-else's number which might qualify as a phony name).
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I certainly see it as a feature.
For the last year or so one (or more) of the AC's around here has been saying that IPv6 will spell the end to anonymity on the internet*. I'm guessing that this story might be a wee bit of rain on his parade.
* Not that I ever was really worried about it - if I really want to be anonymous on the internet I can always spoof my hardware MAC address on the WiFI at my local Burger King or public library anyways.
[ link to this | view in chronology ]
Re:
DHCPv6 also doesn't include the mac.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
~Montgomery Scott (AKA Scotty) - Streak Trek III
Too true - isn't it?
[ link to this | view in chronology ]
What a typo! lol
[ link to this | view in chronology ]
Re:
Now I have a mental image of old, fat Scotty running naked across the Engine Room to go along with the "It's no good Captain, I cannot reach the control panel" scene from The Simpsons.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The Problem is Figuring Out Which ISP
You can't ask an ISP who owns an address if you can't figure out who issued the address in the first place. That's what the old registry used to do.
[ link to this | view in chronology ]
Re: The Problem is Figuring Out Which ISP
But yes, I guess having someone magically tell me the answer without me needing to understand the system or even do a tiny bit of work would be nice.
[ link to this | view in chronology ]
Re: The Problem is Figuring Out Which ISP
That makes no sense at all.
If an ISP wants its traffic to be routable, it can't be anonymous. IPv6 isn't going to change anything in this respect. ISPs still need to buy bandwidth from larger ISPs, all the way up to the Tier 1 providers.
ARIN hands out address blocks to ISPs under IPv4. They'll do the same under IPv6. That ISP is then responsible for keeping records of what addresses they give to their customers - exactly the same as now. I don't see how IPv6 changes anything in regard to finding out what ISP is responsible for what IP address.
[ link to this | view in chronology ]
Re: Re: The Problem is Figuring Out Which ISP
[ link to this | view in chronology ]
Re: Re: Re: The Problem is Figuring Out Which ISP
Yep - and I'm willing to bet real money those are IPv4 blocks. My point is this will be no different under IPv6. Thanks for giving me an example that proves it.
[ link to this | view in chronology ]
Re: Re: The Problem is Figuring Out Which ISP
Au contraire: it can not only be anonymous, it doesn't even have to exist. Please read -- in its entirety, which will take some time: 47-usc-230c2.org
[ link to this | view in chronology ]
Re: Re: Re: The Problem is Figuring Out Which ISP
"The hard part comes when you have to find some legitimate or at least semi-legitimate company that has it's own properly-registered Autonomous System Number (ASN) and who is willing and able to announce routes to your shiny new IP address block."
That is exactly what I'm saying. An IP address does you no good at all unless someone will route to it - and thus cannot be completely anonymous.
Yes, tracking spam and malware through shell companies, uncooperative ISPs, and fraudulent and out-of-date entries in lookups is a serious pain in the ass. But all that traffic has to pass between networks that have agreements with each other to do exactly that.
Also, that page needs some kind of overview or introduction - it just kinda feels like a random grouping of unrelated facts/events. Give me a plot, man!
[ link to this | view in chronology ]
Re: Re: The Problem is Figuring Out Which ISP
Let's say that someone from 235.54.98.125 is trying to hack your system. How do you find out who they are? You ask the ISP that issued that IP address, right? And how do you figure out what ISP issued that address? You use WhoIs to look up what company owns that IP address.
What the article is saying is that when thousands of IPv6 addresses are handed out, the records may not properly updated. So they might know that someone from 6543:4539:7654::8634 is doing something illegal, but how do you ask the ISP for the name of the person paying for that account, if you can't figure out which ISP that address is assigned to?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
And that will make it much easier to track a single user, or at least the IP of her/his router. The IP will be as unique as the phone number.
Please correct me, if I'm wrong.
[ link to this | view in chronology ]
Re:
It won't be any easier to track a "single user", but it will be just as easy to track an account. Give the IP to the ISP, and they can tell you who gets billed for it.
[ link to this | view in chronology ]
Re: IPv6 Address Ownership
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
IPv4 has about 2^32 or four billion addresses, significantly less than the current world population. IPv6 has about 340 undecillion addresses, or enough for every atom in the universe to be assigned its own address. With IPv6, a /48 is generally assigned by an ISP and you add 16 bits to identify subnets in your network. That means your home could have 65,535 subnets with 2^64 addresses each, or 65,535 * 4 billion IPv4 Internets, if you will.
On the upside, IPv6 has more organization features than IPv4, making those 340 trillion trillion trillion addresses easier to manage than it might seem at first.
Whew!
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Anything from 2001:db8::/32.
[ link to this | view in chronology ]
it great! its horrible! its dangerous! it'll help! it'll hinder! it'll solve all our problems and make all our problems worse at the same time!
would someone shove some thorazine down their throats please?
[ link to this | view in chronology ]
It's a trick?
"All of the sudden" law enforcement says that they can't track IPv6 addresses? Pull the other one.
It's just a ploy to try to get better IPv6 adoption.
And on a side note, I read that IPv6 has enough range to give every star in the universe an address, even if there were several billion times more stars in the universe. Why not just give every single network capable device it's own burned in IPv6 address that can't be changed no matter what. Then, all the sudden an IP address is a person, or at least a specific machine owned by a person.
[ link to this | view in chronology ]
Re: It's a trick?
- The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.
- The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space.
[ link to this | view in chronology ]
Re: Re: It's a trick?
[ link to this | view in chronology ]
Re: Re: Re: It's a trick?
[ link to this | view in chronology ]
Re: It's a trick?
1 - how would you know when to retire old addresses from obsolete machines?
2 - what do you do about machines with multiple IP addresses, like a server running VMWare, or some monster cloud server?
[ link to this | view in chronology ]
Re: It's a trick?
[ link to this | view in chronology ]
It's often instructive in such cases...
I'd also like to point out that WHOIS data has never been of sufficient accuracy as to facilitate law enforcement activity, not without multiple independent corroborating sources of information. That's not a knock on ARIN: while I often disagree with their policies, I have to admit that they do a pretty good job under difficult circumstances. It's just a recognition that the incidence rate of fraud and network hijacking is significant and likely to continue increasing.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
How IPv6 works
With IPv6, the ISP says we are network 2001:..../48 and your computer uses that to create a global unique IP address. Your computer also uses that information to create a random IP address that is used for all outgoing communications.
It's sort of like having a permanent mailing address, but the post office lets you use another PO box for free. Oh, and you can change which PO box you're using at any time.
An ISP can trace those addresses back to your cable modem or DSL box, but they would need one entry per computer in that house or business. However, those random addresses normally change at least once a day. So that's one entry per computer per day.
If they're doing there jobs properly and giving the house a whole /64 then you're back to the way things are today. They know that every address that starts with those 64 bits comes from your house, but that's all they know.
This whole complaint is about record keeping. Under the old system an ISP would have the DHCP server send the information about each address to the whois database. Under the new system, they have to have there routers doing essentially the same thing.
The problem with that is that it's expensive to set all of this up, and after ARIN gave them the initial /48 or whatever they don't have a stick to beat the ISP with.
Incidentally, without proper whois records geolocation doesn't work properly.
[ link to this | view in chronology ]
Re: How IPv6 works
There are three ways to do IPv6 addressing.
1. DHCPv6 & DHCPv6-PD
2. SLAAC (stateless address auto configuration)
3. Static.
What you're talking about is SLAAC. ISPs do not use SLAAC to deploy for two reasons. The first is it's hard to do accounting with their IPAM. Secondly, you need to provide a the customer with a routed prefix for their network. So they use DHCPv6-PD.
Where SLAAC is used, is in the home to distribute that routed prefix around the LAN. A machine will see the advertised prefix and encode itself an address using its MAC. However, privacy extensions are used on most modern operating systems so it will hash a new address for sourcing.
The only time I've ever seen SLAAC used on an ISP network is for modem management interfaces. Since the ISP knows the MAC of the modem and the prefix being advertised, it can trivially calculate the address. In this case the provider has obviously disabled PE on the modems management interface.
[ link to this | view in chronology ]
stupid?
That's still thinking along the lines that these are rational guys who don't have their own reasons for being opaque? People smart enough to hide their own money, play the tax system & the investment system aren't stupid.
I imagine they know quite enough about the internet, IPv6 and all the rest to make the policy that they want.
[ link to this | view in chronology ]
Re: stupid?
Remove the money and politics from the equation and we'll have a proper law, keep both and the bills in favor of the wealthy will continue to strangle all others to death.
[ link to this | view in chronology ]
Re:
I always though it was a Job, or a vocation,When did law enforcement become "push button" easy?
Did I miss a day or something?
Criminal: my job is to break the law..
Law Enforcement person: My job is to catch the person breaking the law
why "should" it be made easy? If it becomes "easy" then whats the point of having the "job"????
When did WORK become easy?? and why is my Job hard work??
I call "Radishes" on this mind set...
If the work you have chosen is to difficult, maybe you should find ANOTHER Job.......(and quit whinning about it)
[ link to this | view in chronology ]
Re: Re:
What did it say? Ummm..."getting an education and then taking a job you're overqualified for". I think that was it. Part of it, yeah. And you won't get 'rich' but the work will be easy and you'll still have a lifestyle that kings from 200 years ago would kill for. "Lowered expectations..." Yeah.
Something along those lines anyway.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Now What?
DEA agent #1: �We caught this guy with a pound of cocaine in his hands.�
DEA agent #2: �Did we get his IPv6 address?�
DEA agent #1: �No.�
DEA agent #2: 'Damn it, we can't identify him without it. Let him go.�
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
They always do it with a straight face.
ref: Harry Reid justifying public employee payoffs via unneeded postal service offices because "Old people need junk mail to feel connected to society."
or:
"We need to be able to determine citizens' location, 24/7, or we will be unable to protect them from crime." ~DEA, FBI, etc.
or (as noted above):
"It would be a violation of citizens' privacy for us to tell them if we were spying on them. We will not be responding to questions at this time." ~NSA
Totally straight-faced. Totally creepy.
[ link to this | view in chronology ]
Why not give me my own
[ link to this | view in chronology ]
Imagine if these noofuses had been around when telephone tech was evolving in the US. Private start up companies would never have been able to afford to service these kinds of demands while trying to spread a revolutionary new technology. The Constitution is supposed to protect citizens against this kind of snooping. That is why law enforcement are supposed to get a warrrent to wire-tap or to access telephone records.
The internet is not alien. It's just another evolution in communication technology. The content is novel but the fact of an emergent communication technology is older than speech itself (languages are probably our most significant communication technology to ever evolve). There is no rational justification for any communication technology to be "snoop ready" for so called law enforcement.
Just as the telephone system would have been hugely hampered and civil rights significantly degraded in the US if this kind of snooping had been accepted as reasonable and necessary when telephone communication technology was evolving into the modern land-line telephone system, so too is there a cost to imposing this snooping on new forms of communications. That cost is immeasurable but no less real.
If the US telephone could not have evolved at the speed and complexity as it did, might the Cold War have been lost? We'll never know.
If we consider the basic premise that is necessary to all this "panic" over evolving communication technology, we are looking at an assumption that private law-abiding citizens do not have a default right to communicate without being snooped and spied on. That's just wrong and it goes to show how much civil society has devolved and degraded in the US.
[ link to this | view in chronology ]
Lowery is a liar
[ link to this | view in chronology ]
Re: Lowery is a liar
[ link to this | view in chronology ]
Re: Lowery is a liar
Is something going on with the Techdirt database?
Anyway, this was supposed to go here:
http://www.techdirt.com/articles/20120619/11493419390/david-lowery-wants-pony.shtm
[ link to this | view in chronology ]
Re: Re: Lowery is a liar
* I use that word in the best possible way
[ link to this | view in chronology ]
Re: Re: Lowery is a liar
[ link to this | view in chronology ]
Privacy
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Italics
[ link to this | view in chronology ]
Re: Italics
[ link to this | view in chronology ]
Re: Re: Italics
[ link to this | view in chronology ]
Re: Re: Re: Italics
[ link to this | view in chronology ]
[ link to this | view in chronology ]