Tuesday, October 17, 2017

Europol Calls on Internet Providers to End CGNAT IP Address Sharing


Europol, which helps the 28 member states of the EU (inc. UK) to fight serious international crime and terrorism, has called on broadband and mobile providers to end the use of Carrier Grade NAT (CGN) in order to "increase accountability online" and stop people "sharing the same IP address as a criminal."

Generally everybody needs an Internet Protocol (IP) address to go online and your ISP is responsible for assigning one to your connection (it's the internet equivalent of a phone number). Most fixed line ISPs tend to use Dynamic IP addresses for domestic connectivity, which change each time your broadband link is disconnected and aren't shared with other subscribers (not at the same time you're using them).

Some providers will also allow you to take a Static IP address, which remains the same no matter how many times you switch the connection on and off (usually more of a premium / business feature). However, the shift from the old IPv4 (which ran out of spare addresses) to the newer IPv6 addressing system has caused some providers, which don't have a large stockpile of IPv4 addresses, to adopt Carrier Grade Network Address Translation (CGN).

CGNAT enables a single IP address to be shared between many users and is thus seen by some ISPs as a useful solution for IPv4 shortages (e.g. Hyperoptic use it and BT / other ISPs have toyed with it), at least until IPv6 is fully implemented (this will take years). Now there are many reasons to dislike CGNAT, most of which stem from the fact that it can disrupt certain internet services, such as those that expect each individual to have their own IP.

For example, CGNAT can cause connectivity problems for some multiplayer games and it may also prevent a login to other services, such as if two users are trying to connect from the same IP (security check). Likewise, if an online survey restricts votes by IP address then you could find yourself excluded if somebody votes from the same address. Similarly, if another user with your IP is banned from a service... you get the picture.

However, we should say that a properly maintained and well configured CGNAT setup can still work quite well and often you won't even know it exists. Nevertheless, Europol and the Estonian Presidency of the EU Council are concerned that CGNAT can also disrupt the ability of law enforcement to correctly identify criminals.

Rob Wainwright, Europol's Executive Director, said:

"CGN technology has created a serious online capability gap in law enforcement efforts to investigate and attribute crime.

It is particularly alarming that individuals who are using mobile phones to connect to the internet to facilitate criminal activities cannot be identified because 90% of mobile internet access providers have adopted a technology which prevents them from complying with their legal obligations to identify individual subscribers.

On behalf of the European law enforcement community Europol is grateful to the Estonian Presidency of the EU Council for actively exploring ways to address this urgent problem with stakeholders in the EU and industry."

Europol states that the number of subscribers sharing a single IP has increased in recent years (in some cases thousands of users can share one address) and it has thus become "technically impossible" for ISPs to comply with legal orders to identify individual subscribers. This is relevant as in criminal investigations an IP address is "often the only information that can link a crime to an individual" (this seems to ignore the merits of traditional evidence gathering).

The EU policing agency also fears that CGNAT "may lead to innocent individuals being wrongly investigated by law enforcement because they share their IP address with several thousand others – potentially including criminals." Admittedly there is a certain irony to this, not least with respect to new laws that seek to cast IP addresses as "personal information" (despite them being so unreliable at accurately identifying a specific person).

However simply calling for an "end" to CGNAT seems to overlook one of the key reasons why the technology exists. How do Europol propose to solve the issue of IPv4 address shortages for those with CGN? An ISP can't adopt a native IPv6-only network, not until such time as the vast majority of internet connected hardware and software is ready for it (this is not going to happen for a long time), otherwise a big chunk of the online world would become inaccessible.

Europol are consulting "industry experts" (Proximus, Cisco, ISOC, the IPv6 Company etc.) in order to try and find a solution. One option is a Voluntary Code of Conduct for ISPs to reduce the use of CGNs, while another "solution" might involve ISPs being required to log source port numbers, or the possibility of adopting regulations to increase IPv6 deployment. The latter would be more productive, but upgrading the industry is only half the battle; you can't leave end-users with old IPv4-only systems isolated (until recently a lot of modern hardware and software still shipped as IPv4-only).
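To show what the source-port option changes in practice, here is an added example (not from the original article or any ISP's system) that looks up subscribers in a CGN translation log with and without the port. The log layout (a port block leased to each subscriber), the subscriber labels and the documentation-range addresses are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed CGN translation log (assumed layout): subscriber, public IP,
# port-block start, port-block end, lease start, lease end.
LOG = [
    ("sub-A", "203.0.113.7", 1024, 2047, "2017-10-17T09:00:00", "2017-10-17T11:00:00"),
    ("sub-B", "203.0.113.7", 2048, 3071, "2017-10-17T09:30:00", "2017-10-17T12:00:00"),
    ("sub-C", "203.0.113.7", 1024, 2047, "2017-10-17T11:00:00", "2017-10-17T13:00:00"),
    ("sub-D", "203.0.113.8", 1024, 2047, "2017-10-17T09:00:00", "2017-10-17T13:00:00"),
]


def candidates(public_ip, when, src_port=None, skew_seconds=0):
    """Return the subscribers that match an observed connection.

    src_port=None models a server log that recorded only the IP address.
    skew_seconds widens each lease window to allow for clock drift between
    the reporting server and the ISP's CGN logger.
    """
    t = datetime.fromisoformat(when)
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for sub, ip, lo, hi, start, end in LOG:
        if ip != public_ip:
            continue
        lease_start = datetime.fromisoformat(start) - skew
        lease_end = datetime.fromisoformat(end) + skew
        if not (lease_start <= t < lease_end):
            continue
        if src_port is not None and not (lo <= src_port <= hi):
            continue
        hits.add(sub)
    return sorted(hits)


if __name__ == "__main__":
    # IP only: every subscriber holding a lease on that address is a candidate.
    print(candidates("203.0.113.7", "2017-10-17T10:00:00"))
    # IP plus source port: the port block narrows it to one subscriber.
    print(candidates("203.0.113.7", "2017-10-17T10:00:00", src_port=1500))
    # Near a lease handover, clock drift reintroduces ambiguity even with a port.
    print(candidates("203.0.113.7", "2017-10-17T11:00:30", src_port=1500,
                     skew_seconds=60))
```

The last call shows why port logging only helps when the reporting server also records an accurate timestamp: the same port block can pass from one subscriber to another within seconds.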

At least the hunt for a solution to such a tedious issue should be very entertaining.
