<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi, <div class="moz-cite-prefix">On 2/23/17 12:11 AM, Shane Kerr wrote: </div> <blockquote cite="mid:20170223001128.1027432e@pallas.home.time-travellers.org" type="cite"> <pre wrap="">Roland, At 2017-02-22 20:57:34 +0000 Roland Perry <a class="moz-txt-link-rfc2396E" href="mailto:roland@internetpolicyagency.com"><roland@internetpolicyagency.com></a> wrote: </pre> <blockquote type="cite"> <pre wrap="">In message <a class="moz-txt-link-rfc2396E" href="mailto:4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net"><4C47D72B-8A25-4CFE-AF61-B7347F726579@ripe.net></a>, at 12:32:33 on Thu, 16 Feb 2017, Chris Buckridge <a class="moz-txt-link-rfc2396E" href="mailto:chrisb@ripe.net"><chrisb@ripe.net></a> writes </pre> <blockquote type="cite"> <pre wrap="">LEA interest in reducing the use of CGN also came up for discussion at the recent RIPE NCC Roundtable Meeting for Governments and Regulators (held in Brussels on 24 January) </pre> </blockquote> <pre wrap=""> The UK's approach, as expressed in the 2016 IP[1] Act, is not to prohibit CGN, but require operators to log who was using which IP, when. </pre> </blockquote> <pre wrap=""> IP+port, right?</pre> </blockquote> Right. And the big issue in this report isn't how it impacts the telco/routing aspects of an ISP, but how it may impact any content provider by requiring logging changes to include at least src IP+port and possibly the entire 5-tuple. Here's the relevant content from that document: <blockquote type="cite"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <div class="page" title="Page 6"> <div class="layoutArea"> <div class="column"> <ul style="list-style-type: disc"> <li style="font-size: 12.000000pt; font-family: 'SymbolMT'"> In order to be able to trace back an individual end-user to an IP address on a network using CGN, law enforcement must request additional information3 from content providers via legal process: o Source and Destination IP addresses; o Exact time of the connection (within a second); o Source port number. However, the lack of harmonized data retention standard requirements in Europe4 means that content service, Internet service and data hosting providers are under no legal obligation to retain this type of information, meaning that even a more elaborate request from LEA would not yield useable information from the provider. Regulatory/legislative changes would be helpful to ensure that content service providers systematically retain the necessary additional data (source port) information to allow law enforcement and judicial authorities to identify one specific end-user among the thousands of users sharing the same public IP address. </li> <li style="font-size: 12.000000pt; font-family: 'SymbolMT'"> As some content providers in Europe do store the relevant information but some others do not practical solutions can be sought through collaboration between the electronic/Internet? service providers and law enforcement using already established channels for cooperation such as the EU Internet Forum. </li> </ul> </div> </div> </div> <title></title> </blockquote> Note that [3] refers to RFC 6302 from June of 2011, and the abstract of that document makes plain the problem: <blockquote type="cite"> In the wake of IPv4 exhaustion and deployment of IP address sharing techniques, this document recommends that Internet-facing servers log port number and accurate timestamps in addition to the incoming IP address. </blockquote> But here's your bog standard apache log line: 10.11.12.13 - - [23/Feb/2017:08:50:18 +0100] "GET / HTTP/1.1" 200 67442 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" Note what is NOT there. It is easy enough to change this with the LogFormat statement in Apache. However, you do so at your peril if you have any tools consuming those logs. The risk is probably not to the Akamais of the world, but to any small business that decided to a server on their own, and probably has NO idea as to what the legal requirements are. <blockquote cite="mid:20170223001128.1027432e@pallas.home.time-travellers.org" type="cite"> <pre wrap=""> </pre> <blockquote type="cite"> <pre wrap="">This is exactly the same as when Internet access was primarily by dial-up to banks of modems, and customers shared the IP Address of the modem. The ISPs were expected to log who had been online at a specific IP address at a specific time. </pre> </blockquote> <pre wrap=""> It's not exactly the same, because a dial-up session was expected to be several minutes or even hours. A single IP+port may be used for less than a second. Plus there is likely an extra layer of indirection. A NAT device may know the customer private IP address and the public IP address, but might not necessarily have access to the database which assigned the customer to the private IP address. So that data also needs to be logged & correlated. If LEA are expected to pay for all of this extra storage and processing - or even if it just makes investigations slower - then I can easily understand why they would want to reduce the use of CGN. (If that cost gets eaten by ISP, then the push will naturally go towards fewer CGN without any encouragement by the LEA.) </pre> </blockquote> Many operators using CGN are already required to retain this mapping. There are some tools out there to reduce the data requirement, such as bulk assignment. The problem here is that the ISP using CGN actually changes the game for the end site. Eliot </body> </html>