U.S. and Canadian law enforcement agencies are warning that a historic switch to the next-generation Internet protocol calledmay imperil investigations by making it more difficult to trace who's using which electronic address.
FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.
Investigations stemming from kidnappings, the September 11 terrorist attacks, and the Mytob worm have involved tracing previous-generation IPv4 addresses back to an Internet provider's customer, the FBI says. The bureau says it needs the same level of traceability for IPv6, which got a boost in popularity last week thanks to .
"We're looking at a problem that's about to occur," John Curran, president of the American Registry for Internet Numbers (ARIN), a nonprofit group that allocates blocks of IPv4 and IPv6 addresses in North America and the Caribbean, told CNET. "It occurs as service providers start to roll out V6."
This IPv6-related effort comes as the FBI isto combat what it calls the "Going Dark" problem, meaning that its surveillance capabilities may diminish as technology advances. CNET was the that the bureau had formed a Domestic Communications Assistance Center to keep abreast of technological changes that may otherwise imperil government surveillance.
Blame people, not machines
Law enforcement's difficulty with IPv6 traceability has little to do with the underlying technology -- and a lot to do with the foibles of human bookkeeping.
ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 220.127.116.11, you can see that it's registered to CNET's publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it's been handing out IPv4 addresses blocks every few months, it currently enjoys enough leverage to insist on it.
But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies -- presumably armed with court orders -- longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider's customer.
Accurate IPv6 record-keeping does more than help law enforcement. It's useful for combating abuse. It's useful for anti-spam measures. It's useful for figuring out what's going on with distributed denial of service attacks. And it's useful for civil litigants.
An FBI spokesman told CNET that the bureau is concerned about IPv6 because:
An issue may also arise around the amount of registration information that is maintained by providers and the amount of historical logging that exists. Today there are complete registries of what IPv4 addresses are "owned" by an operator. Depending on how the IPv6 system is rolled out, that registry may or may not be sufficient for law enforcement to identify what device is accessing the Internet.
"This is not a question of willful rejection," Curran says, referring to the service providers who are receiving huge blocks of IPv6 addresses. "ISPs are happy to do this. They're just lazy...It doesn't have a direct impact on them and their ability to get new address space because they don't need new address space."
During an investigation, police typically look up the originating IP address in the Whois database to glean a pointer to the organization sending the problematic traffic. Unless the database is kept up-to-date, including what Internet engineers call "subdelegations," it can mean repeated subpoenas or court orders, which could delay investigations for days or weeks until the final provider in the chain is identified and contacted. (There are also more manual processes that can be used if Whois records are unavailable.)
"When law enforcement is looking at these records, we need to know who to serve our legal process to," FBI supervisory special agent Bobby Flaim said at an ARIN meeting in April. "When we're looking at this information, we need for it to be accurate... We need the speed because digital evidence evaporates so quickly. That's why it's so key to us."
Still working on it
Most Internet providers contacted by CNET declined to comment publicly.
Some said they are still drafting IPv6 transition policies. "Cox is still developing our IPv6 transition plans," said Todd Smith, director of media relations for Cox Communications. Anita Lamont, a spokeswoman for Charter Communications, said that "Charter is formalizing its IPv6 management policy for allocation."
About a quarter or a third of the Internet providers have automated systems to keep track of their address assignments, ARIN estimates, with the rest keeping track of where their IP addresses are used through spreadsheets or in-house databases.
Flaim, who works for the FBI's Operational Technology Division based in Quantico, Va., which boasts of creating "the latest and greatest investigative technologies to catch terrorists and criminals," suggested during April's ARIN meeting that the industry has a strong incentive to keep accurate IPv6 address records.
"We're hoping through all of this you can come up with some self-regulatory method in which you can do it," Flaim said. "Because otherwise, there will be other things that people are going to consider."
Royal Canadian Mounted Police Staff Sgt. Marc Moreau offered a similar prediction: "We're hoping that people in the community seize the opportunity to work and to have that self-regulation, because, if not, if all of the different governments then get involved, it could get uglier."
The DEA and the RCMP told CNET yesterday that they needed more time to respond to questions.
Law enforcement has alsorelating to IPv4 address exhaustion, including greater use of carrier-grade Network Address Translation, or CGN, which means Internet providers that want to help with investigations would have to keep track of what port number a customer is assigned.
Another FBI priority is requiring Internet providers to keep records of what IP addresses their customers are assigned, also known as data retention; a House of Representatives committeethose requirements last summer.
Last updated at 1 p.m. PT