Carrier Grade NAT

Lee Howard Lee at asgard.org
Tue Jul 29 18:20:46 UTC 2014



On 7/29/14 1:00 PM, "Robert Drake" <rdrake at direcpath.com> wrote:

>
>On 7/29/2014 12:42 PM, Chris Boyd wrote:
>>
>> There's probably going to be some interesting legal fallout from that
>>practice.  As an ISP customer, I'd be furious to find out that my
>>communications had been intercepted due to the bad behavior of another
>>user.
>>
>> --Chris
>>
>Usually, unless the judge is being super generous, they'll provide a
>timestamp and a destination IP.  That should be pretty unique unless
>they're looking for fraud against large website or something.  In the
>unlikely event that two people hit the same IP at the same time(window)
>they would probably just throw that information out as unusable for
>their case.

If your CGN logs destination IP, then you are tracking every site your
customer visits.  Geoff posits that this is valuable information, but some
of the likeliest buyers aren't interested.  You'll want to find some
buyers, because you'll need to defray the cost of your logging. Do some
back-of-the-envelope math on the storage required per user per day if you
log the 5-tuple.

The alternative is logging of address and source ports only, keeping logs
equivalent to your DHCP logs now.

I've also heard law enforcement say they're not necessarily keen to ask,
"Which of your customers accessed this web site at this time?"  Sometimes
it's awkward.  They're much more likely to say, "Who was using this
address (and source port) at this time?"

If they can't tell you the source port, you have two options:
1. Give them the names of all customers using that address at that time.
How many--10? 50? 100?
2. Tell them their subpoena is too broad, and you cannot respond.

I suggest you consult with counsel to determine your response.

Lee





More information about the NANOG mailing list