FBI & DEA Warn That IPv6 May Be Too Damn Anonymous

from the they-just-woke-up? dept

IPv6 has been around for quite some time at this point, but as we get closer and closer to moving the internet over to the system, it appears that American and Canadian law enforcement has just noticed that it’s not as easy to identify and track users, and they’re frantically raising concerns.

FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn’t do enough voluntarily.

The issue has more to do with record-keeping than technology. As Declan McCullagh explains at the link above:

ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 64.30.224.118, you can see that it’s registered to CNET’s publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it’s been handing out IPv4 addresses blocks every few months, it currently enjoys enough leverage to insist on it.

But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies — presumably armed with court orders — longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider’s customer.

Of course, some might see that as a feature, not a bug. Either way, I would imagine that most service providers will bend over backwards to make sure that law enforcement can, in fact, track people down if necessary. Too many service providers fold when the feds come knocking seeking information on people already. As long as this is presented as a way to protect children or stop terrorists or whatever the favorite of the day is, it seems likely that ISPs will get things in order themselves.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FBI & DEA Warn That IPv6 May Be Too Damn Anonymous”

Subscribe: RSS Leave a comment
90 Comments
anonymous blob says:

I think the fbi and dea need to stay the feck off the internet. if someone really wanted to hack and do harm they can got to a public library use there pc under a phony name and do as they please,,, i don’t blame hackers for hacking the fbi’s page they seem to be getting a little noisy…FBI aka federally being ignorent needs to grow up and leave things and people alone if they have a hard time catching criminals then they shouldn’t have start it hint they are a criminals

Robert A. Rosenberg (profile) says:

Re: Re: Anonymous Library Usage

“if someone really wanted to hack and do harm they can got to a public library use there pc under a phony name and do as they please”

Not in my Library System. To log onto their public computers, I need to supply my Library Card Number and I am then granted 120 minutes (or until 15 minutes until closing – which ever is less) of access. Since I have to prove my identity to get the card I am not anonymous (unless I supply someone-else’s number which might qualify as a phony name).

Brad C (profile) says:

Every service provider is going to know where the IP address exists and who is using it or they won’t be able to run their business very well. The traceability already exists and works very well, they are just not going to be making that information public, or making it available to law enforcement without proper warrants. A lot of them are already in this situation now, meaning IPv6 will change nothing. The only problem here is that law enforcement seems to think that getting warrants is not worth their time.

Gwiz (profile) says:

Of course, some might see that as a feature, not a bug.

I certainly see it as a feature.

For the last year or so one (or more) of the AC’s around here has been saying that IPv6 will spell the end to anonymity on the internet*. I’m guessing that this story might be a wee bit of rain on his parade.

* Not that I ever was really worried about it – if I really want to be anonymous on the internet I can always spoof my hardware MAC address on the WiFI at my local Burger King or public library anyways.

Anonymous Coward says:

Re: The Problem is Figuring Out Which ISP

I can understand that new IP addresses might be hard to track, but by using a simple “tracert” command and look at the last few nodes before the end point. Chances are these will be the main routers of the ISP which are likely using an IP range that was assigned to their network. I’m sure that the IP block for the ISP backbone are recorded into a global database and rarely change.

But yes, I guess having someone magically tell me the answer without me needing to understand the system or even do a tiny bit of work would be nice.

Josh in CharlotteNC (profile) says:

Re: The Problem is Figuring Out Which ISP

the issue is ISP anonymity.

That makes no sense at all.

If an ISP wants its traffic to be routable, it can’t be anonymous. IPv6 isn’t going to change anything in this respect. ISPs still need to buy bandwidth from larger ISPs, all the way up to the Tier 1 providers.

ARIN hands out address blocks to ISPs under IPv4. They’ll do the same under IPv6. That ISP is then responsible for keeping records of what addresses they give to their customers – exactly the same as now. I don’t see how IPv6 changes anything in regard to finding out what ISP is responsible for what IP address.

Anonymous Coward says:

Re: Re: The Problem is Figuring Out Which ISP

As it stands now many ARIN, RIPENIC, etc. whois records are out of date. Some people in my office still get calls about address blocks related to a company that went under and no longer control those address blocks, but those blocks *are* in use by other companies, are world routable, and are not on the bogon lists.

Josh in CharlotteNC (profile) says:

Re: Re: Re: The Problem is Figuring Out Which ISP

Excerpt from chapter 2:
“The hard part comes when you have to find some legitimate or at least semi-legitimate company that has it’s own properly-registered Autonomous System Number (ASN) and who is willing and able to announce routes to your shiny new IP address block.”

That is exactly what I’m saying. An IP address does you no good at all unless someone will route to it – and thus cannot be completely anonymous.

Yes, tracking spam and malware through shell companies, uncooperative ISPs, and fraudulent and out-of-date entries in lookups is a serious pain in the ass. But all that traffic has to pass between networks that have agreements with each other to do exactly that.

Also, that page needs some kind of overview or introduction – it just kinda feels like a random grouping of unrelated facts/events. Give me a plot, man!

Rekrul says:

Re: Re: The Problem is Figuring Out Which ISP

If an ISP wants its traffic to be routable, it can’t be anonymous. IPv6 isn’t going to change anything in this respect. ISPs still need to buy bandwidth from larger ISPs, all the way up to the Tier 1 providers.

Let’s say that someone from 235.54.98.125 is trying to hack your system. How do you find out who they are? You ask the ISP that issued that IP address, right? And how do you figure out what ISP issued that address? You use WhoIs to look up what company owns that IP address.

What the article is saying is that when thousands of IPv6 addresses are handed out, the records may not properly updated. So they might know that someone from 6543:4539:7654::8634 is doing something illegal, but how do you ask the ISP for the name of the person paying for that account, if you can’t figure out which ISP that address is assigned to?

Anonymous Coward says:

Pardon me, but one feature of IPv6 is, no more daily interruption/disconnect, one IP address (almost) forever, or am I wrong?

And that will make it much easier to track a single user, or at least the IP of her/his router. The IP will be as unique as the phone number.

Please correct me, if I’m wrong.

Robert A. Rosenberg (profile) says:

Re: IPv6 Address Ownership

With IPv6 you own a IPv6/64 network. The low 64 bits identify the device and can be changed on a connection by connection basis (although the default is the MAC address of the device’s interface). Thus all you can track is the network not the user (ie: It is like trying to identify a user who is on a NAT protected LAN – All you see is the WAN facing address not the LAN address).

New Mexico Mark says:

Re: Re:

Scale is a critical factor when it comes to learning IPv6. I know just enough to be dangerous, and I still can’t get my head around it.

IPv4 has about 2^32 or four billion addresses, significantly less than the current world population. IPv6 has about 340 undecillion addresses, or enough for every atom in the universe to be assigned its own address. With IPv6, a /48 is generally assigned by an ISP and you add 16 bits to identify subnets in your network. That means your home could have 65,535 subnets with 2^64 addresses each, or 65,535 * 4 billion IPv4 Internets, if you will.

On the upside, IPv6 has more organization features than IPv4, making those 340 trillion trillion trillion addresses easier to manage than it might seem at first.

Whew!

AndyD273 (profile) says:

It's a trick?

They are trying to get people to switch to IPv6, and not getting much cooperation…
“All of the sudden” law enforcement says that they can’t track IPv6 addresses? Pull the other one.
It’s just a ploy to try to get better IPv6 adoption.

And on a side note, I read that IPv6 has enough range to give every star in the universe an address, even if there were several billion times more stars in the universe. Why not just give every single network capable device it’s own burned in IPv6 address that can’t be changed no matter what. Then, all the sudden an IP address is a person, or at least a specific machine owned by a person.

Anonymous Coward says:

Re: It's a trick?

– It’s enough addresses for many trillions of addresses to be assigned to every human being on the planet.

– The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.

– The earth’s surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space.

Rich Kulawiec says:

It's often instructive in such cases...

…to read what the people who actually run networks have to say about such things. So let me point you to the current discussion thread on NANOG concerning this issue.

I’d also like to point out that WHOIS data has never been of sufficient accuracy as to facilitate law enforcement activity, not without multiple independent corroborating sources of information. That’s not a knock on ARIN: while I often disagree with their policies, I have to admit that they do a pretty good job under difficult circumstances. It’s just a recognition that the incidence rate of fraud and network hijacking is significant and likely to continue increasing.

Arthur Moore (profile) says:

How IPv6 works

IPv6 normally does things differently than IPv4. With IPv4 the service provider uses something called DHCP to give your router an address. Your router then gives every PC in your house its own address, and uses NAT to talk to the outside world. This is one of the major reasons that IP addresses don’t even correspond to individual computers.

With IPv6, the ISP says we are network 2001:…./48 and your computer uses that to create a global unique IP address. Your computer also uses that information to create a random IP address that is used for all outgoing communications.

It’s sort of like having a permanent mailing address, but the post office lets you use another PO box for free. Oh, and you can change which PO box you’re using at any time.

An ISP can trace those addresses back to your cable modem or DSL box, but they would need one entry per computer in that house or business. However, those random addresses normally change at least once a day. So that’s one entry per computer per day.

If they’re doing there jobs properly and giving the house a whole /64 then you’re back to the way things are today. They know that every address that starts with those 64 bits comes from your house, but that’s all they know.

This whole complaint is about record keeping. Under the old system an ISP would have the DHCP server send the information about each address to the whois database. Under the new system, they have to have there routers doing essentially the same thing.

The problem with that is that it’s expensive to set all of this up, and after ARIN gave them the initial /48 or whatever they don’t have a stick to beat the ISP with.

Incidentally, without proper whois records geolocation doesn’t work properly.

Will (user link) says:

Re: How IPv6 works

This is actually just plain wrong.

There are three ways to do IPv6 addressing.

1. DHCPv6 & DHCPv6-PD
2. SLAAC (stateless address auto configuration)
3. Static.

What you’re talking about is SLAAC. ISPs do not use SLAAC to deploy for two reasons. The first is it’s hard to do accounting with their IPAM. Secondly, you need to provide a the customer with a routed prefix for their network. So they use DHCPv6-PD.

Where SLAAC is used, is in the home to distribute that routed prefix around the LAN. A machine will see the advertised prefix and encode itself an address using its MAC. However, privacy extensions are used on most modern operating systems so it will hash a new address for sourcing.

The only time I’ve ever seen SLAAC used on an ISP network is for modem management interfaces. Since the ISP knows the MAC of the modem and the prefix being advertised, it can trivially calculate the address. In this case the provider has obviously disabled PE on the modems management interface.

Miso Susanowa says:

stupid?

Why do people think that someone clever enough to be in Congress & weasel their way through lobbyists and bribery money while playing footsie with the spooks is “stupid” or “thick” or “just doesn’t get it”?

That’s still thinking along the lines that these are rational guys who don’t have their own reasons for being opaque? People smart enough to hide their own money, play the tax system & the investment system aren’t stupid.

I imagine they know quite enough about the internet, IPv6 and all the rest to make the policy that they want.

Bah. says:

Re: stupid?

The policy they (as in the congresspeople with a reasonable understanding of networking and IP addressing) want will be clobbered to death by Lobbyists and politicians wielding the “Think of the childreeeeeen!” tree-sized club, and there won’t be any use to the resulting bill.

Remove the money and politics from the equation and we’ll have a proper law, keep both and the bills in favor of the wealthy will continue to strangle all others to death.

Digitari says:

Re:

sorry did I miss the law that is says it “has” to be easy…

I always though it was a Job, or a vocation,When did law enforcement become “push button” easy?

Did I miss a day or something?

Criminal: my job is to break the law..

Law Enforcement person: My job is to catch the person breaking the law

why “should” it be made easy? If it becomes “easy” then whats the point of having the “job”????

When did WORK become easy?? and why is my Job hard work??

I call “Radishes” on this mind set…

If the work you have chosen is to difficult, maybe you should find ANOTHER Job…….(and quit whinning about it)

the future sucks says:

If anything IPv6 will destroy all anonymity. Most devices will retain their IPv6 address statically. Web applications/sites will start using addresses as unique identifiers, or locking account access to a particular IP. Inevitably users will be tracked everywhere and have no choice in the matter because you can’t hide your IP. This will happen in spite of the bad practice of doing so because of inertia, the easiest, laziest outcome possible ALWAYS wins.

Anonymous Coward says:

Now What?

“FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes.”

DEA agent #1: ?We caught this guy with a pound of cocaine in his hands.?

DEA agent #2: ?Did we get his IPv6 address??

DEA agent #1: ?No.?

DEA agent #2: ‘Damn it, we can’t identify him without it. Let him go.?

trollificus (profile) says:

Re: Re:

Man, I always get a little spooked when government agencies send out spokesbots with a message like “Black is white, until the legislation deeming it so is repealed or revised. We will not be responding to questions at this time.”.

They always do it with a straight face.

ref: Harry Reid justifying public employee payoffs via unneeded postal service offices because “Old people need junk mail to feel connected to society.”

or:
“We need to be able to determine citizens’ location, 24/7, or we will be unable to protect them from crime.” ~DEA, FBI, etc.

or (as noted above):

“It would be a violation of citizens’ privacy for us to tell them if we were spying on them. We will not be responding to questions at this time.” ~NSA

Totally straight-faced. Totally creepy.

Freddy says:

Why not give me my own

Since there are so many IPv6 addresses, let’s kill 2 birds with one stone and issue one to me on a permanent basis. That way law enforcement can Identify my totally encrypted web services that can more competently rely on my own address. There is no need to lease them out anymore. How would you feel if you mail address changed every 3 days?

Anonymous Coward says:

Good grief.

Imagine if these noofuses had been around when telephone tech was evolving in the US. Private start up companies would never have been able to afford to service these kinds of demands while trying to spread a revolutionary new technology. The Constitution is supposed to protect citizens against this kind of snooping. That is why law enforcement are supposed to get a warrrent to wire-tap or to access telephone records.

The internet is not alien. It’s just another evolution in communication technology. The content is novel but the fact of an emergent communication technology is older than speech itself (languages are probably our most significant communication technology to ever evolve). There is no rational justification for any communication technology to be “snoop ready” for so called law enforcement.

Just as the telephone system would have been hugely hampered and civil rights significantly degraded in the US if this kind of snooping had been accepted as reasonable and necessary when telephone communication technology was evolving into the modern land-line telephone system, so too is there a cost to imposing this snooping on new forms of communications. That cost is immeasurable but no less real.

If the US telephone could not have evolved at the speed and complexity as it did, might the Cold War have been lost? We’ll never know.

If we consider the basic premise that is necessary to all this “panic” over evolving communication technology, we are looking at an assumption that private law-abiding citizens do not have a default right to communicate without being snooped and spied on. That’s just wrong and it goes to show how much civil society has devolved and degraded in the US.

Karl (profile) says:

Re: Lowery is a liar

Oh, for fuck’s sake. This reply is to the wrong article. I have no idea why it was posted here – I hadn’t even viewed this article.

Is something going on with the Techdirt database?

Anyway, this was supposed to go here:
http://www.techdirt.com/articles/20120619/11493419390/david-lowery-wants-pony.shtm

trollificus (profile) says:

Re:

Oh dear, another one that didn’t get the memo? You didn’t see it? It was, like, a piece of paper, with a bold header!

What did it say? Ummm…”getting an education and then taking a job you’re overqualified for”. I think that was it. Part of it, yeah. And you won’t get ‘rich’ but the work will be easy and you’ll still have a lifestyle that kings from 200 years ago would kill for. “Lowered expectations…” Yeah.

Something along those lines anyway.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...