Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Roland Perry
In article 20120616160738.eee09...@resin05.mta.everyone.net, Scott 
Weeks sur...@mauigateway.com writes



What is going to make folks change their behavior?


If all else fails, perhaps a regulator fining the ISP $1000 for every 
allocation (I agree that whether it's IPv4 or IPv6 isn't relevant) where 
the WHOIS information is shown to be false or significantly out of date.


They could send compliance teams in to check, just like the IRS does for 
the accounts.

--
Roland Perry



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread bmanning
 Internet Regulator?   

/bill


On Sun, Jun 17, 2012 at 10:43:26AM +0100, Roland Perry wrote:
 In article 20120616160738.eee09...@resin05.mta.everyone.net, Scott 
 Weeks sur...@mauigateway.com writes
 
 What is going to make folks change their behavior?
 
 If all else fails, perhaps a regulator fining the ISP $1000 for every 
 allocation (I agree that whether it's IPv4 or IPv6 isn't relevant) where 
 the WHOIS information is shown to be false or significantly out of date.
 
 They could send compliance teams in to check, just like the IRS does for 
 the accounts.
 -- 
 Roland Perry



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread John Curran
On Jun 16, 2012, at 7:07 PM, Scott Weeks wrote:

 From: John Curran jcur...@arin.net
 
 With respect to updating Whois, it is true that many ISPs do not 
 update their sub-delegations until applying for their next IPv4 
 block.  Whether this is also the case with IPV6 or not remains 
 to be seen, but given IPv6 allocation size, it would not be good.
 
 What is going to make folks change their behavior?

One would hope that industry self-regulation and the small amount
of self-interest would suffice here, but it's hard to be optimistic.
Even if keeping this information up to date is commonly recognized 
as a best practice, our collective track record in community 
pressure for compliance to best practices is uneven at best; i.e.
I can imagine someone saying "Um, can we at least use MD5 on this
session" or "You're giving us a lot of needless deaggregates with
the same path info" but can't quite believe that "We happened to 
review all your address blocks and noticed you don't have a lot of
the subassignments listed" is going to be a frequent phrase heard
in peering discussions...

Net result is that we may just have to live with lax practices by
some, since many other potential solutions have real potential for
consequences worse than the problem itself.

FYI,
/John

John Curran
President and CEO
ARIN








Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Cameron Byrne
But whois info is really the linchpin for LEAs trying to find criminals?

I find that very hard to believe.

CB


Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread joseph . snyder
It's about time and cost. If it's an emergency situation, trying to guess who 
might own the address wastes time to get confirmation, if it is a complete 
guessing game. Then a warrant has to be gotten. You need to know who to put on 
the warrant to make a request.

Cameron Byrne cb.li...@gmail.com wrote:

But whois info is really the linchpin for LEAs trying to find criminals?

I find that very hard to believe.

CB



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread John Curran
On Jun 17, 2012, at 9:39 AM, joseph.sny...@gmail.com wrote:

 It's about time and cost. If it's an emergency situation, trying to guess who 
 might own the address wastes time to get confirmation, if it is a complete 
 guessing game. Then a warrant has to be gotten. You need to know who to put 
 on the warrant to make a request.

Exactly.

If you start with an IP address and you're trying to get to some
real-world entity, then you can check routing of the block or the 
Whois entry... this will get you to an ISP, but then you get to 
repeat the process by contacting that ISP and repeating the query
(and potentially again if their customer is an even smaller ISP 
or hosting firm, etc.)

With reasonable Whois update practices, Whois will get you to the 
ultimate non-residential organization much faster (which can make 
a difference in many situations.) The entire process can be pursued 
via contacting ISPs serially and asking them to check their routing 
and customer records, but that approach is definitely slower and far
more costly for both government and industry.

FYI,
/John

John Curran
President and CEO
ARIN




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Arturo Servin

Wouldn't BCP38 help?


/as

On 15 Jun 2012, at 11:59, Jay Ashworth wrote:

 http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/
 
 sigh
 
 Cheers,
 -- jra
 -- 
 Jay R. Ashworth  Baylink   
 j...@baylink.com
 Designer The Things I Think   RFC 2100
 Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
 St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread valdis . kletnieks
On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
   Wouldn't BCP38 help?

The mail I'm replying to has as the first Received: line:

Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  Sun, 
17 Jun 2012 10:11:06 -0700 (PDT)

Obviously BCP38 doesn't help, as it's an established TCP connection so it can't
be spoofed traffic (gotta ACK Google's ISN from the SYN-ACK) - unless Google is
silly enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin wrote
that literally last century. ;)

So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
find that info quickly if they need to figure out who to hand a warrant to?

*THAT* is the problem that needs solving.

(And who *does* own that IP?   I admit not knowing. ;)




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Joel jaeggli
On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:
 On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
  Wouldn't BCP38 help?
 
 The mail I'm replying to has as the first Received: line:
 
 Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
 ([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
 b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  
 Sun, 17 Jun 2012 10:11:06 -0700 (PDT)


 Obviously BCP38 doesn't help, as it's an established TCP connection so it 
 can't be
 spoofed traffic (gotta ACK  Google's ISN from the SYN-ACK)  - unless Google 
 is silly
 enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin wrote
 that literally last century. ;)
 
 So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
 find that info quickly if they need to figure out who to hand a warrant to?

so first off, you introduced a typo

2800:af:ba30:e8cf:4881:973a:c68

2800:af:ba30:e8cf:d06f:4881:973a:c68

which like the wrong address in a search warrant can be a problem.

jjaeggli@cXX-XX-XX0 show route table inet6.0
2800:af:ba30:e8cf:4881:973a:c68
  ^
invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at
'2800:af:ba30:e8cf:4881:973a:c68'

jjaeggli@cXX-XX-XX0 show route table inet6.0
2800:af:ba30:e8cf:d06f:4881:973a:c68

inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, 19088
hidden)
+ = Active Route, - = Last Active, * = Both

2800:a0::/28   *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, from
2620:102:8004::10
  AS path: 7922 12956 6057 I

-X:~ jjaeggli$ whois -h whois.lacnic.net
2800:af:ba30:e8cf:d06f:4881:973a:c68


inetnum: 2800:a0::/28
status:  allocated
aut-num: N/A
owner:   Administracion Nacional de Telecomunicaciones
ownerid: UY-ANTA-LACNIC
responsible: ANTELDATA ANTEL URUGUAY
address: Treinta y Tres, 1418, P.3
address: 11000 - Montevideo -
country: UY
phone:   +598 2 9028819 []
owner-c: ANU
tech-c:  ANU
abuse-c: ANU
inetrev: 2800:a0::/28
nserver: NS1.ANTELV6.NET.UY
nsstat:  20120615 AA
nslastaa:20120615
created: 20070115
changed: 20070115

nic-hdl: ANU
person:  ANTELDATA ANTEL URUGUAY
e-mail:  ipad...@antel.net.uy
address: Mercedes, 876, P. 2
address: 11100 - Montevideo -
country: UY
phone:   +598 2 9002877 []
created: 20020910
changed: 20111014

scopes it to not being a problem you can solve with policy in the arin
region.

 *THAT* is the problem that needs solving.
 
 (And who *does* own that IP?   I admit not knowing. ;)

was trivial enough to find the origin, I have nothing to indicate that
any of that information is wrong.






Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Arturo Servin

You would go to the whois:

whois -h whois.lacnic.net 2800:af::/32

You will find that it is assigned to ISP Whatever. If you are the 
cops you will find out who I am by asking them.

BCP 38 would work. The problem is that many ISPs do not ingress filter, 
so I can use whatever unallocated IPv6 space 
(2F10:baba:ba30:e8cf:d06f:4881:973a:c68) to SPAM and then go invisible and use 
another one (2E10:baba:ba30:e8cf:d06f:4881:973a:c68)

Regards,
as


On 17 Jun 2012, at 13:24, valdis.kletni...@vt.edu wrote:

 On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
  Wouldn't BCP38 help?
 
 The mail I'm replying to has as the first Received: line:
 
 Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
 ([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
 b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  
 Sun, 17 Jun 2012 10:11:06 -0700 (PDT)
 
 Obviously BCP38 doesn't help, as it's an established TCP connection so it 
 can't be
 spoofed traffic (gotta ACK  Google's ISN from the SYN-ACK)  - unless Google 
 is silly
 enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin wrote
 that literally last century. ;)
 
 So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
 find that info quickly if they need to figure out who to hand a warrant to?
 
 *THAT* is the problem that needs solving.
 
 (And who *does* own that IP?   I admit not knowing. ;)




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread John Levine
   BCP 38 would work. The problem is that many ISPs do not ingress filter, 
 so I
can use whatever unallocated IPv6 space
(2F10:baba:ba30:e8cf:d06f:4881:973a:c68) to SPAM and then go invisible and use
another one (2E10:baba:ba30:e8cf:d06f:4881:973a:c68)

How do you plan to get the return packets?  DNS bombing with forged
address UDP packets is one thing, but anything that runs over TCP
won't work without return routes.  If the bad guy can inject routes,
you have worse problems than lack of SWIP.

(This assumes the target is not using a 20 year old TCP stack with
predictable sequence numbers, but in the IPv6 world we should be able
to assume that particular security hole is closed.)

I expect bad guys to hop around within a /64 or whatever size
allocation the ISP assigns to customers, but that's still easily
handled by SWIP, or by subpoena to the ISP if they didn't get around
to SWIP.

R's,
John





Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Arturo Servin

If the ISP fails to filter my bogus space and leaks that route to the 
Internet (which happens today every day with IPv4, and will with IPv6) I would 
get my return path.

Again, if every ISP followed  BCP 38 that would not happen (IPv6 and 
IPv4). But they are not, and probably they won't.

.as


On 17 Jun 2012, at 15:41, John Levine wrote:

  BCP 38 would work. The problem is that many ISPs do not ingress filter, 
 so I
 can use whatever unallocated IPv6 space
 (2F10:baba:ba30:e8cf:d06f:4881:973a:c68) to SPAM and then go invisible and 
 use
 another one (2E10:baba:ba30:e8cf:d06f:4881:973a:c68)
 
 How do you plan to get the return packets?  DNS bombing with forged
 address UDP packets is one thing, but anything that runs over TCP
 won't work without return routes.  If the bad guy can inject routes,
 you have worse problems than lack of SWIP.
 
 (This assumes the target is not using a 20 year old TCP stack with
 predictable sequence numbers, but in the IPv6 world we should be able
 to assume that particular security hole is closed.)
 
 I expect bad guys to hop around within a /64 or whatever size
 allocation the ISP assigns to customers, but that's still easily
 handled by SWIP, or by subpoena to the ISP if they didn't get around
 to SWIP.
 
 R's,
 John
 
 




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Vinny Abello
On 6/15/2012 11:59 AM, Jay Ashworth wrote:
 http://news.cnet.com/8301-1009_3-57453738-83/fbi-dea-warn-ipv6-could-shield-criminals-from-police/

 sigh

 Cheers,
 -- jra
I fail to see the problem the media and FBI are worried about. If the
regional registries are accurately documenting who they are allocating
assignments to, the authorities have somewhere to start. Even if
everything is properly documented via SWIP or WHOIS, the FBI requests
far more information in a subpoena from ISPs than is provided by those
tools and I don't think they generally really even rely on them to be
accurate. They go straight to the ISP from what I've seen. They don't
want the criminal to know the FBI is on to them and won't first go
direct to the end user. A /64, /56 or even /48 will be one customer, so
regardless if a criminal keeps changing IPs inside those blocks, it
still points to that customer which the ISP can provide to the FBI.
Where is the issue? I don't see how this is that hard to track down.
What's the difference with an ISP that didn't SWIP an IPv4 /29
allocation to a company with all RFC1918 space behind the address?
<sarcasm> How oh how will they ever find the criminal within all of that
IPv4 address space behind the ISP assigned /29 without someone
documenting the RFC1918 space in the customer's network??!?! </sarcasm>

If anything, I feel like this is a ploy by the FBI feeding the media to
get criminals to adopt IPv6 thinking they're harder to track and drop
their guard so they'll be easier to catch.

-Vinny





Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread valdis . kletnieks
On Sun, 17 Jun 2012 10:53:52 -0700, Joel jaeggli said:
 On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:

  So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
  find that info quickly if they need to figure out who to hand a warrant to?

 so first off, you introduced a typo

Aha. Somebody's paying attention :)  That's exactly the sort of thing you'll end
up seeing a lot more of if you have to start chasing through 2 and 3 hops
of provider-customer-subcustomer.  It's easy to notice that an IPv4 address
is missing an octet - a lot harder to tell you have 7 chunks rather than 8,
plus you're left wondering whether you dropped 16 bits, or if one of the :
should be a :: instead.

But Joel - you *really* need to get out more. ;)




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Joel jaeggli
On 6/17/12 13:22 , valdis.kletni...@vt.edu wrote:
 On Sun, 17 Jun 2012 10:53:52 -0700, Joel jaeggli said:
 On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:
 
 So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
 find that info quickly if they need to figure out who to hand a warrant to?

 so first off, you introduced a typo
 
 Aha. Somebody's paying attention :)  That's exactly the sort of thing you'll 
 end
 up seeing a lot more of if you have to start chasing through 2 and 3 hops
 of provider-customer-subcustomer.

Yes, in a previous $job I have been served court authorized requests
that are incorrect. I have provided helpful advice.

  It's easy to notice that an IPv4 address
 is missing an octet - a lot harder to tell you have 7 chunks rather than 8,
 plus you're left wondering whether you dropped 16 bits, or if one of the :
 should be a :: instead.

If one enters the wrong number the right answer will rarely be forthcoming.

 But Joel - you *really* need to get out more. ;)

yes





Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread John Curran
On Jun 17, 2012, at 4:01 PM, Vinny Abello wrote:

 I fail to see the problem the media and FBI are worried about. If the
 regional registries are accurately documenting who they are allocating
 assignments to, the authorities have somewhere to start. Even if
 everything is properly documented via SWIP or WHOIS, the FBI requests
 far more information in a subpoena from ISPs than is provided by those
 tools and I don't think they generally really even rely on them to be
 accurate.

Indeed, there are subpoenas which request a lot more information,
(particularly if you are in a lengthy investigation.)  However, if 
they are trying to figure out where a missing kid or a person in danger 
might be located based on email headers, then time can be of 
the essence and being able to follow the subassignments (that are 
already supposed to be in Whois) can make the difference.   

I would not say they rely on Whois to be accurate, but they certainly
take its contents into consideration in some situations along with all
the other various data points they may have.

 They go straight to the ISP from what I've seen. They don't
 want the criminal to know the FBI is on to them and won't first go
 direct to the end user.

Depends on circumstance.  If you're talking about investigations
of front companies for various nefarious commercial activities, 
then that is indeed the case, but that is not the only type of 
law enforcement activity.

 A /64, /56 or even /48 will be one customer, so
 regardless if a criminal keeps changing IP's inside those blocks, it
 still points to that customer which the ISP can provide to the FBI.

If the ISP has a lawful response desk which is available at 3 PM on
a Sunday afternoon or holiday weekend, then going to the ISP would 
indeed be equivalent.  Also, this presumes that the ISP in question
isn't serving a smaller ISP or hosting firm which would then also 
need to be queried to find the actual customer.

 Where is the issue? I don't see how this is that hard to track down.
 What's the difference with an ISP that didn't SWIP an IPv4 /29
 allocation to a company with all RFC1918 space behind the address?
 <sarcasm> How oh how will they ever find the criminal within all of that
 IPv4 address space behind the ISP assigned /29 without someone
 documenting the RFC1918 space in the customer's network??!?! </sarcasm>

There is no difference.  The question is whether the ISP who had to SWIP 
the /29 under IPv4 as part of showing utilization to get their next block 
will bother to record subdelegations under IPv6 when they don't need to 
come back for _a long time_...

 If anything, I feel like this is a ploy by the FBI feeding the media to
 get criminals to adopt IPv6 thinking they're harder to track and drop
 their guard so they'll be easier to catch.

No, it's a real concern that law enforcement has with the current 
incentives for keeping the Whois up to date, and what happens with
IPv6.  Feel free to come to an ARIN meeting and chat with the folks
from US, Canada, and various Caribbean governments about their issue.

By the way, it is not that there is _no_ incentive...  Any _large_ ISP
ends up having to provide lawful response duties (often the same team
that handles spam/abuse/copyright issues) and that means staff.  For
networks that put subdelegations into Whois reliably, there are less
requests for routine information (ergo less staff & less co$t needed 
to respond.)  Not many ISPs are the size where such inquiries are routine
enough for having a dedicated team, but those who do generally realize 
the pleasant side effect of keeping Whois up-to-date.  This isn't really 
seen by ISPs who only get the occasional LEA request, so it's not a 
meaningful incentive on its own for many service providers.

FYI,
/John

John Curran
President and CEO
ARIN








Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Owen DeLong

On Jun 17, 2012, at 10:53 AM, Joel jaeggli wrote:

 On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:
 On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
 Wouldn't BCP38 help?
 
 The mail I'm replying to has as the first Received: line:
 
 Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
 ([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
 b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  
 Sun, 17 Jun 2012 10:11:06 -0700 (PDT)
 
 
 Obviously BCP38 doesn't help, as it's an established TCP connection so it 
 can't be
 spoofed traffic (gotta ACK  Google's ISN from the SYN-ACK)  - unless Google 
 is silly
 enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin 
 wrote
 that literally last century. ;)
 
 So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
 find that info quickly if they need to figure out who to hand a warrant to?
 
 so first off, you introduced a typo
 
 2800:af:ba30:e8cf:4881:973a:c68
 
 2800:af:ba30:e8cf:d06f:4881:973a:c68
 
 which like the wrong address in a search warrant can be a problem.
 
 jjaeggli@cXX-XX-XX0 show route table inet6.0
 2800:af:ba30:e8cf:4881:973a:c68
  ^
 invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at
 '2800:af:ba30:e8cf:4881:973a:c68'
 
 jjaeggli@cXX-XX-XX0 show route table inet6.0
 2800:af:ba30:e8cf:d06f:4881:973a:c68
 
 inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, 19088
 hidden)
 + = Active Route, - = Last Active, * = Both
 
 2800:a0::/28   *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, from
 2620:102:8004::10
  AS path: 7922 12956 6057 I
 
 -X:~ jjaeggli$ whois -h whois.lacnic.net
 2800:af:ba30:e8cf:d06f:4881:973a:c68
 
 scopes it to not being a problem you can solve with policy in the arin
 region.

Lather rinse repeat with a better choice of address...

2001:550:3ee3:f329:102a3:2aff:fe23:1f69

This is in the ARIN region...

It's from within a particular ISP's /32.

Has that ISP delegated some overlapping fraction to another ISP? If so, it's 
not in whois.
Have they delegated it to an end user? Again, if so, it's not in whois.

Same for 2001:550:10:20:62a3:3eff:fe19:2909

I don't honestly know if either of those prefixes is allocated or not, so maybe
nothing's wrong in this particular case, but if they have been delegated and not
registered in whois, that's a real problem when it comes time to get a search
warrant if speed is of the essence.

Owen




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread James

Hello everyone,

Yes, the FBI can't just rely on Whois for a part of their investigation. 
Yes, I will agree it's a big part, but also those records are spoofed a lot.

But reverse IP lookups I can understand.


James Smith
CEO, CEH
SmithwaySecurity
Toronto, Canada

On 12-06-17 08:29 PM, Owen DeLong wrote:

On Jun 17, 2012, at 10:53 AM, Joel jaeggli wrote:


On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:

On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:

Wouldn't BCP38 help?

The mail I'm replying to has as the first Received: line:

Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  Sun, 
17 Jun 2012 10:11:06 -0700 (PDT)



Obviously BCP38 doesn't help, as it's an established TCP connection so it can't 
be
spoofed traffic (gotta ACK  Google's ISN from the SYN-ACK)  - unless Google is 
silly
enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin wrote
that literally last century. ;)

So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
find that info quickly if they need to figure out who to hand a warrant to?

so first off, you introduced a typo

2800:af:ba30:e8cf:4881:973a:c68

2800:af:ba30:e8cf:d06f:4881:973a:c68

which like the wrong address in a search warrant can be a problem.

jjaeggli@cXX-XX-XX0  show route table inet6.0
2800:af:ba30:e8cf:4881:973a:c68
  ^
invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at
'2800:af:ba30:e8cf:4881:973a:c68'

jjaeggli@cXX-XX-XX0  show route table inet6.0
2800:af:ba30:e8cf:d06f:4881:973a:c68

inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, 19088
hidden)
+ = Active Route, - = Last Active, * = Both

2800:a0::/28   *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, from
2620:102:8004::10
  AS path: 7922 12956 6057 I

-X:~ jjaeggli$ whois -h whois.lacnic.net
2800:af:ba30:e8cf:d06f:4881:973a:c68

scopes it to not being a problem you can solve with policy in the arin
region.

Lather rinse repeat with a better choice of address...

2001:550:3ee3:f329:102a3:2aff:fe23:1f69

This is in the ARIN region...

It's from within a particular ISP's /32.

Has that ISP delegated some overlapping fraction to another ISP? If so, it's 
not in whois.
Have they delegated it to an end user? Again, if so, it's not in whois.

Same for 2001:550:10:20:62a3:3eff:fe19:2909

I don't honestly know if either of those prefixes is allocated or not, so maybe 
nothing's wrong
in this particular case, but if they have been delegated and not registered in 
whois, that's
a real problem when it comes time to get a search warrant if speed is of the 
essence.

Owen







Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Joel jaeggli
On 6/17/12 16:29 , Owen DeLong wrote:
 
 On Jun 17, 2012, at 10:53 AM, Joel jaeggli wrote:
 
 On 6/17/12 10:24 , valdis.kletni...@vt.edu wrote:
 On Sun, 17 Jun 2012 13:10:59 -0400, Arturo Servin said:
Wouldn't BCP38 help?

 The mail I'm replying to has as the first Received: line:

 Received: from ?IPv6:2800:af:ba30:e8cf:d06f:4881:973a:c68?  
 ([2800:af:ba30:e8cf:d06f:4881:973a:c68]) by mx.google.com with ESMTPS id  
 b8sm25918444anm.4.2012.06.17.10.11.04 (version=TLSv1/SSLv3 cipher=OTHER);  
 Sun, 17 Jun 2012 10:11:06 -0700 (PDT)


 Obviously BCP38 doesn't help, as it's an established TCP connection so it 
 can't be
 spoofed traffic (gotta ACK  Google's ISN from the SYN-ACK)  - unless Google 
 is silly
 enough to *still* not be doing RFC1948 properly.  I mean, Steve Bellovin 
 wrote
 that literally last century. ;)

 So - who owns 2800:af:ba30:e8cf:4881:973a:c68?  And how does an LEO
 find that info quickly if they need to figure out who to hand a warrant to?

 so first off, you introduced a typo

 2800:af:ba30:e8cf:4881:973a:c68

 2800:af:ba30:e8cf:d06f:4881:973a:c68

 which like the wrong address in a search warrant can be a problem.

 jjaeggli@cXX-XX-XX0 show route table inet6.0
 2800:af:ba30:e8cf:4881:973a:c68
  ^
 invalid ip address or hostname: 2800:af:ba30:e8cf:4881:973a:c68 at
 '2800:af:ba30:e8cf:4881:973a:c68'

 jjaeggli@cXX-XX-XX0 show route table inet6.0
 2800:af:ba30:e8cf:d06f:4881:973a:c68

 inet6.0: 9674 destinations, 38494 routes (9674 active, 0 holddown, 19088
 hidden)
 + = Active Route, - = Last Active, * = Both

 2800:a0::/28   *[BGP/170] 1w2d 00:00:21, MED 50, localpref 200, from
 2620:102:8004::10
  AS path: 7922 12956 6057 I

 -X:~ jjaeggli$ whois -h whois.lacnic.net
 2800:af:ba30:e8cf:d06f:4881:973a:c68

 scopes it to not being a problem you can solve with policy in the arin
 region.
 
 Lather rinse repeat with a better choice of address...
 
 2001:550:3ee3:f329:102a3:2aff:fe23:1f69
 
 This is in the ARIN region...

Actually it's not a valid address at all, because it also has a typo.
One might assume with a typo that the most significant bits are probably
correct, but potentially compounding errors doesn't sound like a good idea.

 It's from within a particular ISP's /32.
 
 Has that ISP delegated some overlapping fraction to another ISP? If so, it's 
 not in whois.
 Have they delegated it to an end user? Again, if so, it's not in whois.
 
 Same for 2001:550:10:20:62a3:3eff:fe19:2909
 
 I don't honestly know if either of those prefixes is allocated or not, so 
 maybe nothing's wrong
 in this particular case, but if they have been delegated and not registered 
 in whois, that's
 a real problem when it comes time to get a search warrant if speed is of the 
 essence.

If you're asserting that Cogent is not SWIPing their delegations then do
so. They have certain obligations as an LIR under the policy under which
resources were delegated to them. Future prefix assignments will
clearly require that they demonstrate utilization much as they are
required to in IPv4.

 Owen
 
 





Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Owen DeLong
 Lather rinse repeat with a better choice of address...
 
 2001:550:3ee3:f329:102a3:2aff:fe23:1f69
 
 This is in the ARIN region...
 
 Actually it's not a valid address at all, because it also has a typo.
 One might assume with a typo that the most significant bits are probably
 correct, but potentially compounding errors doesn't sound like a good idea.
 

Yes... Should have been 2001:550:3ee3:f329:02a3:2aff:fe23:1f69.

Not sure how the extra 1 got in there.

 It's from within a particular ISP's /32.
 
 Has that ISP delegated some overlapping fraction to another ISP? If so, it's 
 not in whois.
 Have they delegated it to an end user? Again, if so, it's not in whois.
 
 Same for 2001:550:10:20:62a3:3eff:fe19:2909
 
 I don't honestly know if either of those prefixes is allocated or not, so 
 maybe nothing's wrong
 in this particular case, but if they have been delegated and not registered 
 in whois, that's
 a real problem when it comes time to get a search warrant if speed is of the 
 essence.
 
 If you're asserting that Cogent is not SWIPing their delegations then do
 so. They have certain obligations as an LIR under the policy under which
 resources were delegated to them. Future prefix assignments will
 clearly require that they demonstrate utilization much as they are
 required to in IPv4.
 

I'm making no assertion about Cogent whatsoever. Since I don't know whether
those addresses I chose at random within the ARIN region happen to be delegated
or not, I have no ability to determine whether they should be registered as
delegated or not.

I said this in the above paragraph you quoted.

I was attempting to demonstrate the potential problem, not point to an extant
example as I do not have an extant example handy, though I suspect such do
actually exist.

Owen
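Two transcription slips surface in this thread: the seven-group address (Valdis's point that one cannot tell whether 16 bits were dropped or a ":" should have been "::") and the five-hex-digit group "102a3" in Owen's address. The following is an added example, not code from any poster here, of the sanity check a lawful-response or abuse desk could run on an address string before acting on it; it uses only Python's standard `ipaddress` module and treats the addresses from the thread as constructed sample input.

```python
"""Sanity-check an IPv6 address transcribed into a request before anyone
runs a lookup on it.  Added example; not code from any poster in the
thread.  It exercises the two slips visible above: a seven-group address
(a group or a '::' was dropped) and a five-hex-digit group ('102a3')."""
import ipaddress
import re

# One IPv6 group is 1 to 4 hex digits.
_HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def diagnose_ipv6(text):
    """Return a dict describing whether `text` is a usable IPv6 address.

    Keys: valid (bool), reason (str), canonical (str or None) and
    candidates (list of str).  `candidates` is only filled for the
    ambiguous case of too few groups and no '::': it holds the distinct
    valid addresses obtained by assuming a '::' was dropped.  A dropped
    16-bit group cannot be recovered, so that case is reported as such.
    """
    s = text.strip()
    try:
        addr = ipaddress.IPv6Address(s)
        return {"valid": True, "reason": "ok", "canonical": str(addr),
                "candidates": []}
    except ipaddress.AddressValueError as exc:
        parse_error = str(exc)

    groups = s.split(":")
    bad = [g for g in groups if g and not _HEX_GROUP.match(g)]
    if bad:
        # e.g. '102a3' in 2001:550:3ee3:f329:102a3:2aff:fe23:1f69
        return {"valid": False,
                "reason": "group(s) not 1-4 hex digits: " + ", ".join(bad),
                "canonical": None, "candidates": []}

    if "::" not in s and len(groups) < 8:
        # Seven (or fewer) groups: either a '::' was dropped, which leaves
        # len(groups)+1 possible positions, or whole groups were lost,
        # which is unrecoverable.  Enumerate the former so the requester
        # can see how ambiguous the string really is.
        candidates = []
        for i in range(len(groups) + 1):
            cand = ":".join(groups[:i]) + "::" + ":".join(groups[i:])
            try:
                canon = str(ipaddress.IPv6Address(cand))
            except ipaddress.AddressValueError:
                continue
            if canon not in candidates:
                candidates.append(canon)
        return {"valid": False,
                "reason": "%d of 8 groups and no '::': a dropped '::' gives "
                          "%d candidate addresses; dropped group(s) are "
                          "unrecoverable" % (len(groups), len(candidates)),
                "canonical": None, "candidates": candidates}

    return {"valid": False, "reason": parse_error, "canonical": None,
            "candidates": []}


def diagnose_ipv4(text):
    """IPv4 counterpart: a missing octet is unambiguous to spot."""
    s = text.strip()
    try:
        return {"valid": True, "reason": "ok",
                "canonical": str(ipaddress.IPv4Address(s))}
    except ipaddress.AddressValueError as exc:
        octets = s.split(".")
        if len(octets) != 4:
            return {"valid": False, "canonical": None,
                    "reason": "%d octets, expected 4" % len(octets)}
        return {"valid": False, "canonical": None, "reason": str(exc)}


if __name__ == "__main__":
    # Constructed sample inputs: the strings from the thread, plus one
    # IPv4 string with a dropped octet for comparison.
    for sample in ("2800:af:ba30:e8cf:d06f:4881:973a:c68",
                   "2800:af:ba30:e8cf:4881:973a:c68",
                   "2001:550:3ee3:f329:102a3:2aff:fe23:1f69",
                   "2001:550:3ee3:f329:02a3:2aff:fe23:1f69"):
        d = diagnose_ipv6(sample)
        print(sample, "->", d["reason"])
        for c in d["candidates"]:
            print("    candidate:", c)
    print("192.0.2.1 ->", diagnose_ipv4("192.0.2.1")["reason"])
    print("192.0.2 ->", diagnose_ipv4("192.0.2")["reason"])
```

The seven-group case yields eight syntactically valid candidates and an unbounded number if a group was lost, which is why the only safe response to such a string is to go back to the requester rather than look up a guess.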




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Jimmy Hess
On 6/17/12, Joel jaeggli joe...@bogus.com wrote:
[snip]
 resources were delegated to them. future prefix assignments  will
 clearly require that they demonstrate utilization much as they are
 required to in ipv4.

Sure.  But  they don't necessarily have to have WHOIS listings up to
date in order to successfully demonstrate utilization; it is possible
they provide private documentation or utilize the  spreadsheet method
of demonstrating utilization,  without publishing details in WHOIS,
and indicate they themselves serve as contact.


The IP address WHOIS database is a system for identifying valid
network contacts to report connectivity and operational issues to,
and the contact listed in WHOIS for a network does not necessarily
have to be an organization capable of identifying an individual user
or customer.

WHOIS is not a system for tracing IP addresses down to an individual user level,
not with IPv6, not with IPv4.

 Owen
--
-JH



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Vinny Abello
Hey John,

Thanks for taking the time for the detailed response. I always enjoy
reading your posts.

On 6/17/2012 7:16 PM, John Curran wrote:
 On Jun 17, 2012, at 4:01 PM, Vinny Abello wrote:
 If anything, I feel like this is a ploy by the FBI feeding the media to
 get criminals to adopt IPv6 thinking they're harder to track and drop
 their guard so they'll be easier to catch.

 No, it's a real concern that law enforcement has with the current
 incentives for keeping the Whois up to date, and what happens with
 IPv6. Feel free to come to an ARIN meeting and chat with the folks
 from US, Canada, and various Caribbean governments about their issue.

It would seem to me that if law enforcement is concerned about
incentives to make networks do this, then it should be made a law within
their operating jurisdiction to enforce this compliance. Failure to
comply would have legal and possibly financial consequences in the form
of fines or other penalties. We have many more obtuse laws about us (at
least in the US that I'm familiar with) that this doesn't seem
infeasible or impractical of a goal that will benefit the majority of
people via law enforcement's ability to protect and serve. Hoping for a
technical solution or self governing document IPv6 allocations just
because we're supposed to, even though there is no consequence either
way won't result in any action. Incentives are also not equally
received among 100% of the population. Not everyone likes cookies. :)

 By the way, it is not that there is _no_ incentive... Any _large_ ISP
 ends up having to provide lawful response duties (often the same team
 that handles spam/abuse/copyright issues) and that means staff. For
 networks that put subdelegations into Whois reliably, there are less
 requests for routine information (ergo less staff & less co$t needed
 to respond.) Not many ISPs are the size where such inquiries are routine
 enough for having a dedicated team, but those who do generally realize
 the pleasant side effect of keeping Whois up-to-date. This isn't really
 seen by ISPs who only get the occasional LEA request, so it's not a
 meaningful incentive on its own for many service providers.

That right there is the problem. The Internet isn't just large ISPs
(thank God). You're never going to get an incentive that appeals equally
across all types of businesses to comply. Some just don't have the
resources like you stated, to even document the allocations despite
being required to. If a company were to downsize and looked at someone's
job who SWIP'ed allocations or maintained WHOIS, the question would be
asked of what would happen if they stopped. In IPv6 land for the small
to medium ISP, the answer would be nothing as is illustrated by this
article. They would be let go by upper management that didn't know any
better, and the company would stop documenting even if they initially
did the right thing. Even if ARIN refunded 100% of the fees to networks
who properly documented everything and only charged those who were not
in compliance, you'd still find people not documenting because it costs
less to pay the fee than pay someone to manage that. Incentives are not
the solution. Congress should consider passing a law in the US if this
is of that much concern. I'm unfamiliar with other jurisdictions' law
processes covered within the ARIN region, but from the US standpoint,
that's the only way I see something actually happening.

Technical problems are frequently solved best by technical solutions;
legal problems by legal solutions. This is a law enforcement problem and
I feel it should be properly solved by a legal solution, but I'm sure
someone will be glad to oppose my stated opinion with their own. :) I'm
also sure a die hard technical advocate of some technology who is much
smarter than myself will illustrate just how technology can solve the
problem, so please prove me wrong so we don't need to rely on more
government solutions. I beg of you! :)

-Vinny



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Vinny Abello
On 6/17/2012 10:22 PM, Jimmy Hess wrote:
 On 6/17/12, Joel jaeggli joe...@bogus.com wrote:
 [snip]
 resources were delegated to them. future prefix assignments will
 clearly require that they demonstrate utilization much as they are
 required to in ipv4.

 Sure. But they don't necessarily have to have WHOIS listings up to
 date in order to successfully demonstrate utilization; it is possible
 they provide private documentation or utilize the spreadsheet method
 of demonstrating utilization, without publishing details in WHOIS,
 and indicate they themselves serve as contact.


 The IP address WHOIS database is a system for identifying valid
 network contacts to report connectivity and operational issues to,
 and the contact listed in WHOIS for a network does not necessarily
 have to be an organization capable of identifying an individual user
 or customer.

 WHOIS is not a system for tracing IP addresses down to an individual
 user level, not with IPv6, not with IPv4.
Thanks for clearly stating this, Jimmy. This is largely my point with
WHOIS as well, although I may not have expressed it clearly.

Along the same lines, WHOIS is not Geolocation (as poorly as that
technology works, frequently because it's partly or mostly built on
WHOIS data to begin with). The registered place of business an
assignment points to, which may be completely accurate for valid network
contacts at a company headquarters, doesn't dictate satellite offices
are at the same address, city, state or country which may make up 90% of
the use of the entire allocation... just as one example. This is
abundant in enterprises.

-Vinny



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Scott Weeks


--- vi...@abellohome.net wrote:
From: Vinny Abello vi...@abellohome.net

: It would seem to me that if law enforcement is concerned about
: incentives to make networks do this, then it should be made a law 
: within their operating jurisdiction to enforce this compliance.

: This is a law enforcement problem and I feel it should be properly 
: solved by a legal solution, 
---


Worst case solution.  Guaranteed.

scott



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Vinny Abello
On 6/17/2012 10:48 PM, Scott Weeks wrote:

 --- vi...@abellohome.net wrote:
 From: Vinny Abello vi...@abellohome.net

 : It would seem to me that if law enforcement is concerned about
 : incentives to make networks do this, then it should be made a law 
 : within their operating jurisdiction to enforce this compliance.

 : This is a law enforcement problem and I feel it should be properly 
 : solved by a legal solution, 
 ---


 Worst case solution.  Guaranteed.

 scott
So again, please propose a better one and save us, because you know this
is what will happen. :)

-Vinny




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Cameron Byrne
On Jun 17, 2012 7:46 PM, Vinny Abello vi...@abellohome.net wrote:

 On 6/17/2012 10:22 PM, Jimmy Hess wrote:
  On 6/17/12, Joel jaeggli joe...@bogus.com wrote:
  [snip]
  resources were delegated to them. future prefix assignments will
   clearly require that they demonstrate utilization much as they are
  required to in ipv4.
 
  Sure. But they don't necessarily have to have WHOIS listings up to
  date in order to successfully demonstrate utilization; it is possible
  they provide private documentation or utilize the spreadsheet method
  of demonstrating utilization, without publishing details in WHOIS,
  and indicate they themselves serve as contact.
 
 
  The IP address WHOIS database is a system for identifying valid
  network contacts to report connectivity and operational issues to,
  and the contact listed in WHOIS for a network does not necessarily
  have to be an organization capable of identifying an individual user
  or customer.
 
   WHOIS is not a system for tracing IP addresses down to an individual
   user level, not with IPv6, not with IPv4.
 Thanks for clearly stating this, Jimmy. This is largely my point with
 WHOIS as well, although I may not have expressed it clearly.

 Along the same lines, WHOIS is not Geolocation (as poorly as that
 technology works, frequently because it's partly or mostly built on
 WHOIS data to begin with). The registered place of business an
 assignment points to, which may be completely accurate for valid network
 contacts at a company headquarters, doesn't dictate satellite offices
 are at the same address, city, state or country which may make up 90% of
 the use of the entire allocation... just as one example. This is
 abundant in enterprises.

 -Vinny

+1 to Jimmy and Vinny, and going back to the OP... This is why the article
is poorly formed. Whois evolution and practices are NOT a speedbump for
ipv6 deployment. Traceroute is likely more informative than whois, or
looking at a bgp as path, for both ipv4 and ipv6.

You think whois traceability is a problem in ipv6? It is nothing compared
to ipv4 CGN traceability challenges, which the article also mentions.

CB


Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Randy Bush
 This is a law enforcement problem and I feel it should be properly 
 solved by a legal solution, 
 Worst case solution.  Guaranteed.
 So again, please propose a better one and save us, because you know
 this is what will happen. :)

soapbox

  o terms such as regulation and governance presuppose a centralized
hierarchic view of the universe.  the internet has grown, exploded,
and constructively disrupted because we coordinate and we
cooperate.  those who wish to stifle growth and disruption (of
their saurian business models) try to get us to assume the culture
of control, centralization, and hierarchy.

  o to quote jeff schiller
  Law enforcement was not supposed to be easy.  Where it is easy,
  it's called a police state.

  o so my interest in accurate registry data is not for law enforcement,
the mpa, riaa, et alia.  it is so we can better and more efficiently
operate the internet.

  o i want to be able to contact the routing, abuse, whatever desks of
the isp responsible for some address space.  i have no desire to
contact a dsl consumer as they have no fracking clue.  the routing
and abuse desks of the isp are sufficiently daunting.

  o if we believe ipv6 space to be effectively infinite, then the rirs
really do not need to know usage data, do they?  smirk

randy



RE: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Jonathon Exley
APNIC has a web based whois form that is pretty easy to drive. 

Jonathon 

 -Original Message-
 From: Steven Noble [mailto:sno...@sonn.com]
 Sent: Saturday, 16 June 2012 12:05 p.m.
 To: goe...@anime.net
 Cc: nanog@nanog.org
 Subject: Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
 
 
 
 Sent from my iPhone
 
 On Jun 15, 2012, at 3:53 PM, goe...@anime.net wrote:
 
  On Fri, 15 Jun 2012, Scott Weeks wrote:
 
  if arin would clamp down and revoke allocations that had provably
 wrong/fraudulent whois data, we would probably get 50% IPv4 space back.
 
 Part of the issue is how hard it is to update ARIN; they gladly take your
 money but it's like pulling teeth to get anything updated and sometimes
 you run out of teeth.
 
 I don't know if this is true about apnic, ripe and the others.

This email and attachments: are confidential; may be protected by privilege and 
copyright; if received in error may not be used, copied, or kept; are not 
guaranteed to be virus-free; may not express the views of Kordia(R); do not 
designate an information system; and do not give rise to any liability for 
Kordia(R).




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Dobbins, Roland

On Jun 18, 2012, at 10:50 AM, Jonathon Exley wrote:

 APNIC has a web based whois form that is pretty easy to drive. 

Yes, but data-entry tools which are viewed as secondary to the task at hand - 
i.e., address allocations - and which require interactive human participation 
to perform duplicative input don't tend to scale very well.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton




Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Mark Andrews

In message fa98e8a1-f50e-4951-ab63-a0bd1d54b...@arbor.net, Dobbins, Roland 
writes:
 
 On Jun 18, 2012, at 10:50 AM, Jonathon Exley wrote:
 
  APNIC has a web based whois form that is pretty easy to drive.
 
 Yes, but data-entry tools which are viewed as secondary to the task at hand
 - i.e., address allocations - and which require interactive human participation
 to perform duplicative input don't tend to scale very well.

APNIC has B2B over email.  It should be possible to totally automate
updating APNIC.

http://www.apnic.net/apnic-info/whois_search/using-whois/updating-whois/objects


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
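Mark's point is that the data-entry side can be automated; the other half of keeping sub-delegations honest is knowing which ones have drifted. The check below is an added example, not anything from APNIC, ARIN or anyone on this thread: it reconciles an ISP's internal IPv6 assignment records against the sub-delegation objects it has published, and reports assignments never registered, registry objects with no live assignment behind them, and objects whose contact no longer matches. Both input lists are constructed stand-ins for whatever export a provider actually has.

```python
import ipaddress

# Constructed sample data. Neither list is in a real registry's format; they
# stand in for an internal assignment export and a registry object export.
ALLOCATION = "2001:db8::/32"
INTERNAL_ASSIGNMENTS = [
    ("2001:db8:1000::/48", "CUST-A"),
    ("2001:db8:2000::/48", "CUST-B"),
    ("2001:db8:3000::/56", "CUST-C"),   # assigned, never registered
    ("2001:db8:4000::/48", "CUST-D"),   # assigned, never registered
]
REGISTRY_OBJECTS = [
    ("2001:db8:1000::/48", "CUST-A"),
    ("2001:db8:2000::/48", "CUST-OLD"),  # contact changed internally only
    ("2001:db8:9000::/48", "CUST-GONE"), # customer left, object still there
]


def reconcile(internal, registry, allocation=ALLOCATION):
    """Compare assignments with registered sub-delegations.

    Returns a dict with sorted prefix strings under 'missing' (assigned but
    not registered), 'stale' (registered but not assigned), 'mismatched'
    (registered with a different contact) and 'outside' (prefixes in either
    list that do not fall inside the ISP's own allocation).
    """
    block = ipaddress.ip_network(allocation)
    internal_map = {ipaddress.ip_network(p): org for p, org in internal}
    registry_map = {ipaddress.ip_network(p): org for p, org in registry}
    report = {
        "missing": [p for p in internal_map if p not in registry_map],
        "stale": [p for p in registry_map if p not in internal_map],
        "mismatched": [p for p in internal_map
                       if p in registry_map and internal_map[p] != registry_map[p]],
        "outside": [p for p in set(internal_map) | set(registry_map)
                    if not p.subnet_of(block)],
    }
    # Sort by address, then normalise to strings for easy reporting/asserting.
    return {k: [str(p) for p in sorted(v)] for k, v in report.items()}


if __name__ == "__main__":
    for kind, prefixes in reconcile(INTERNAL_ASSIGNMENTS, REGISTRY_OBJECTS).items():
        print(f"{kind:10s} {', '.join(prefixes) or '-'}")
```

Run against real exports, the 'missing' and 'stale' lists are exactly the records a provider would push through an automated update channel rather than a web form.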



Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!

2012-06-17 Thread Dobbins, Roland

On Jun 18, 2012, at 11:23 AM, Mark Andrews wrote:

 APNIC has B2B over email.  It should be possible to totally automate updating 
 APNIC.

That's a much better option than the Web form.

---
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

  Luck is the residue of opportunity and design.

   -- John Milton