ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

John Curran jcurran at arin.net
Sun Jun 17 23:16:33 UTC 2012


On Jun 17, 2012, at 4:01 PM, Vinny Abello wrote:

> I fail to see the problem the media and FBI are worried about. If the
> regional registries are accurately documenting who they are allocating
> assignments to, the authorities have somewhere to start. Even if
> everything is properly documented via SWIP or WHOIS, the FBI requests
> far more information in a subpoena from ISPs than is provided by those
> tools and I don't think they generally really even rely on them to be
> accurate.

Indeed, there are subpoenas which request a lot more information
(particularly if you are in a lengthy investigation).  However, if 
they are trying to figure out where a missing kid or a person in danger 
might be located based on email headers, then time can be of 
the essence and being able to follow the subassignments (that are 
already supposed to be in Whois) can make the difference.   

I would not say they rely on Whois to be accurate, but they certainly
take its contents into consideration in some situations along with all
the other various data points they may have.

> They go straight to the ISP from what I've seen. They don't
> want the criminal to know the FBI is on to them and won't first go
> direct to the end user.

Depends on circumstance.  If you're talking about investigations
of front companies for various nefarious commercial activities, 
then that is indeed the case, but that is not the only type of 
law enforcement activity.

> A /64, /56 or even /48 will be one customer, so
> regardless if a criminal keeps changing IP's inside those blocks, it
> still points to that customer which the ISP can provide to the FBI.

If the ISP has a lawful response desk which is available at 3 PM on
a Sunday afternoon or holiday weekend, then going to the ISP would 
indeed be equivalent.  Also, this presumes that the ISP in question
isn't serving a smaller ISP or hosting firm which would then also 
need to be queried to find the actual customer.

> Where is the issue? I don't see how this is that hard to track down.
> What's the difference with an ISP that didn't SWIP an IPv4 /29
> allocation to a company with all RFC1918 space behind the address.
> <sarcasm> How oh how will they ever find the criminal within all of that
> IPv4 address space behind the ISP assigned /29 without someone
> documenting the RFC1918 space in the customer's network??!?! </sarcasm>

There is no difference.  The question is whether the ISP who had to SWIP 
the /29 under IPv4 as part of showing utilization to get their next block 
will bother to record subdelegations under IPv6 when they don't need to 
come back for _a long time_...

> If anything, I feel like this is a ploy by the FBI feeding the media to
> get criminals to adopt IPv6 thinking they're harder to track and drop
> their guard so they'll be easier to catch.

No, it's a real concern that law enforcement has with the current 
incentives for keeping the Whois up to date, and what happens with
IPv6.  Feel free to come to an ARIN meeting and chat with the folks
from US, Canada, and various Caribbean governments about their issue.

By the way, it is not that there is _no_ incentive...  Any _large_ ISP
ends up having to provide lawful response duties (often the same team
that handles spam/abuse/copyright issues) and that means staff.  For
networks that put subdelegations into Whois reliably, there are fewer
requests for routine information (ergo less staff & less co$t needed 
to respond.)  Not many ISPs are the size where such inquiries are routine
enough for having a dedicated team, but those who do generally realize 
the pleasant side effect of keeping Whois up-to-date.  This isn't really 
seen by ISPs who only get the occasional LEA request, so it's not a 
meaningful incentive on its own for many service providers.

FYI,
/John

John Curran
President and CEO
ARIN
