- European Cybercrime Centre (EC3)
- European Telecommunications Network Operators Association (ETNO)
Although not directly on the subject IPv6, we absolutely need to draw your attention to a great presentation from Geoff Huston (APNIC) on Forensic Tracing in the Internet during APRICOT 2017. This relates to the pervasive use of Carrier Grade NATs as a means of extending the useable life of IPv4 on the Internet, and the implications for metadata record keeping and tracing users.
As we know, the pools of IPv4 addresses are close to depletion, but around 90% of the Internet is still only accessible via IPv4. As a result, Carrier-Grade NAT (CGN) has been widely implemented whereby private IPv4 address space is used in conjunction with a limited number of public IPv4 addresses in order to conserve public IPv4 address space. In other words, many customers are sharing a single public IPv4 address that will usually also change over a given time period.
If you therefore wish to trace from where traffic has originated from, then you need to maintain an extensive logging system keeping records on source IP addresses, source port addresses, along with dates/times. CGN bindings are formed for every unique TCP and UDP session, which can mean 150-450 bytes per connection and 33-216,000 connections per subscriber each day, resulting in the need to log 5-96 MB of data. For 1 million subscribers, this will generate up to 1 PB of data per month!
It’s becoming ever more complex to handle this information, and even if it’s possible to maintain comprehensive records, subscribers are also likely to be operating NATs and the trace will stop at these edge points. Bear in mind that some operators are also running out of private IPv4 address space on individual subnets, and are therefore needing to implement layers of CGNs.
Furthermore, it’s becoming increasingly difficult to analyse traffic flows as users and applications resort to encryption, sessions are split over multiple paths and access technologies (e.g. cellular, wifi), and even over a combination of IPv4 and IPv6.
So whilst Law Enforcement Agencies have traditionally focused on the network as the point of interception and tracing, and have introduced laws to mandate ever more extensive logging, the reality is that IPv4 addresses are increasing losing coherent meaning in terms of end party identification.
This might be interpreted that the choice is between ever more complicated and expensive record keeping systems, or transitioning to IPv6. Of course, some may see obfuscation through IPv4 as a positive benefit, but the fact remains that IPv4 is increasingly less scalable and becoming more complex to manage. IPv6 brings many other advantages with it, and confidentiality can still be maintained by using platforms and applications that support this.
We had a very successful ION conference in Islamabad on 25 January 2017, and amongst the interesting topics presented at the conference, it’s worth highlighting the statistics on IPv4 and IPv6 allocation in Pakistan. Let me share those in detail here.
As per the APNIC resource delegation data (as of 1 January 2017). There are 5,314,816 IPv4 address allocated to ISPs and enterprises in Pakistan. However, if you look at the graph then it shows PTCL as the holder of nearly 73% IPv4 addresses in Pakistan, leaving the remaining 27% to the rest of the ISPs and enterprises. PTCL is undoubtedly the biggest broadband provider in Pakistan and also provides services to Ufone (telco operator), so you’d expect them to have the largest user base for both wired and mobile broadband services.
The main concern though, is that it’s now only possible to obtain a /22 IPv4 prefix from APNIC (as per the last /8 policy), and those will soon be exhausted. This means that if ISPs need more IPv4 address, the only option will be to buy them open market. The current going rate for IPv4 addresses is around USD 10 for each address in a /18 block, plus the APNIC transfer fees, which amounts to nearly USD 164K for 16,384 IPv4 addresses.
The other option is deploying Carrier Grade NAT (CGN) to put many users behind a single IPv4 address.In theory, it’s safe to consider that each user may have around 250 concurrent sessions, so with around 65,000 sessions available per IP address, it’s possible to put 250 users behind a single IPv4 address with CGN. The downside though, are that you need powerful boxes to manage that many sessions and it is difficult to guarantee performance.
There’s another graph showing IPv6 delegations in Pakistan, with a very uniform address allocation to all existing APNIC members (with few negligible exceptions). No single entity has an edge over another, and it doesn’t cost anything extra (if you already hold IPv4 addresses) to obtain IPv6 addresses from APNIC. There’s no need to install complex and difficult to manage CGN solutions, nor buy expensive IPv4 addresses from the open market. It’s an open and level playing field for all operators wanting to serve the 200 million plus population of Pakistan.
For many years there was a big debate in Pakistan about the financial benefit of deploying IPv6, but these statistics clearly illustrate the business case for doing it. You can either deploy IPv6 at minimal cost by upgrading some old hardware (very rare), or deploy CGN and buy IPv4 from open market at significant expense. The choice is yours!
Deploy360 aims to help you deploy IPv6, so please take a look at our Start Here page to understand how you can get started with IPv6.