Fishing
So their complaint is that they can't go fishing, and need a court order..
On top of that their current SW to create thought police databases needs to be improved..
Europol has asked cellphone networks and other internet providers to stop using Carrier Grade Network Address Translation (CGNAT) – because it’s making life too difficult for cops trying to track cyber-villains across the web. CGNAT is used by telcos running short of public IPv4 addresses. By deploying CGNAT, a mobile network …
My thoughts too.
On top of which if I chat with my mates the police can't systematically record what I say. Intercepting and reading everyone's post has not been implemented in most democracies and most countries don't keep a list of books you take out of the library or indeed buy.
So, I don't see a need for the police to be able to fish through the equivalent things I do on-line.
While I agree with you, I would hope that you (or I) never get drug into a police investigation because they can't follow the true path and end up going after someone innocent which is bound to happen. Yeah, it's a real mess with the cops and TLA's wanting everything (including backdoors for encryption) and they can't get it. I just hope innocent bystanders (or users in this case) don't start getting rounded up and put in situations they were involved in.
"While I agree with you, I would hope that you (or I) never get drug dragged into a police investigation because they can't follow the true path and end up going after someone innocent which is bound to happen. "
FTTFY - I'm not normally a grammar nazi, but the use of 'drug' as a verb is one thing that really grates!
Life just could not get any better...
The only way the number of mobile devices out there can be supported in a non-CGNAT setting is if they are all v6-ed.
Looking at the calendar: Friday 13th was last week and we survived (if we do not count 250 quid worth of various things breaking on that day in the house). It is not today.
It's a sad state of affairs that I look at an article such as this and my first thought is that it will get abused by the government etc... when in an ideal world I should be thinking sure, if someone has committed a crime and a warrant exists from a court then why not be able to identify them.
> And what's more, it might be that its only purpose is for government abuse, as criminals can just use Orbot on their telephones.
And non-criminals too. In particular, it was used recently in Catalonia to be able to check voters against the electoral roll and prevent double-voting. It had to be done this way because of the Spanish government's attempts to prevent people from exercising a fundamental democratic right, which included DDoS attacks on the servers being used and, reportedly, at times blocking huge chunks of the internet to deny use of the well-known Cloudflare block-busting trick.
For once, Tor was used for exactly what it was designed for.
I think it's also telling how trust between individuals and the Government has broken down to the point that I, and I'm sure many others, read your post and thought 'If only more people thought like this and were aware of the abuses of power by our Government and European bodies'.
Wish I could upvote your post more than once.
Shameful. The next thing they'll want to do is ban people from using false number plates on vehicles. (What's that Skippy? They already do? But the crims ignore the ban?)
But surely that means that only law-abiding people with genuine number plates will be recorded on all the ANPR cameras? That doesn't seem right.
"Basically, target the low-level crims and ignore the bigger issues. Yep, that sounds like a government plan. Also sounds like a big business' plan though. Screw the little guy!"
Now, why does that remind me of this other story today? Just change the word "crims" to "incompetence"...
@Doctor Syntax
It identifies an IP, an ISP, an IMEI, a SIM, a subscriber, a location etc. That location can then be used to scour CCTV, the location history can be checked to see where you've been and who with etc.
It makes the detective job much easier to join the dots, or link dots that should not be linked depending on your leaning.
For over a decade and a half the whole tech community has been dragging its feet to make the transition to IPv6.
Given the aversion and failure to adopt IPv6, is there really nobody interested in proposing a more acceptable IPv5 which doesn't give users the feeling they lost all control over what is what due to these horrible looking addresses?
We need an IP v7, bigger than 32-bit but compatible with v4.
It was a huge mistake by the people who imposed v6 to ignore compatibility issues, i.e. to ignore real users.
V4 was a work of genius. Everything since then has been B-team at best, student project at worst. How many people have heard of v5?
I write this now from a computer which has been IPv6 only (though sometimes upgraded) on a network which has been IPv6 only except the edge for 7 years.
My service provider delivers IPv6 to my house using 6rd which appends my 32-bit IP address to the end of a 28-bit network prefix they own to allow 4 /64 subnets (IPv6 does not variably subnet past /64) within my home.
Anyone using my service provider who wants IPv6 can either obtain their IPv6 information via DHCP extensions that provide the prefix and therefore automatically create the tunnel over their IPv4 network... or they can manually configure it. Of course, you probably need to know IPv6 to do so.
I use IPv6 exclusively (except for a single HP printer and my front door lock) within my house. By using a DNS64 server, when I resolve an address which lacks an IPv6 destination, the DNS server provides the top 64-bits of my address containing a known prefix (I chose) and the bottom 32-bits contain the IPv4 address I'm trying to reach. The edge device then recognizes the destination prefix and creates a NAT record and replaces the IPv6 header with an IPv4 header to communicate with the destination device. This is called NAT64.
I run zone based firewalling on a Cisco router which allows me to allow traffic to pass from the inside of my network to the outside freely and establish return paths.
I have not seen any compatibility issues between IPv4 and IPv6 in the past 7 years. The technology is basically flawless. It's actually plug-and-play in many cases as well.
Is it possible you're claiming there is a compatibility issue between the two protocols because you don't know how to use them?
BTW... I first started using IPv6 when Microsoft Research released the source code for IPv6 on Windows NT 4.0. I've had it running more or less ever since. At this time, over 85% of all my traffic is 100% IPv6 from work and home. Over 95% of all my traffic is encrypted using both IPv6 IPSEC end-to-end and 802.1ae LinkSec/MACSEC between layer-2 devices.
There has been one single problem with IPv6 which is still not resolved and I'm forced in my DNS64 gateway to force IPv4 instead of IPv6. That is because Facebook has DNS AAAA records for some of their servers which no longer exist.
As for technical complexity... I believe a drunken monkey can set this up with little effort.
But I guess you think it's worth a nearly $1 trillion investment to drop IPv6 in favor of something new.
Yes... it would cost at least $1 trillion to use something other than IPv4 and IPv6. Routers and servers can be changed to a different protocol using nothing but software. But switches and service provider routers which implement their protocols in hardware would require new chips. Since we don't replace chips, it would require replacing all Layer-3 switches and all carrier grade routers worldwide to change protocols.
Consider a small Tier-1 service provider such as Telia-Sonera that runs about 250 Cisco 9222 routers for their backbone with 400Gb/s-1Tb/s links between them. The average cost of a router on this scale is about $2.5 million. So, to change protocols on just their routers would cost $625 million in just core hardware. It would cost them approximately $2 billion just to handle their stuff.
Now consider someone like the US Transport Security Agency which has 1.2 million users in their Active Directory (employees, consultants, etc...). Now consider the number of locations where they are present and the network to run it. Altogether about 4 million network ports... all Layer-3. At an average cost of $200 per network port... that would be $800 million just to change the network ports on their network. Then consider that's just the access ports and distribution and core would need to be changed too. That would place the expense up to at least $5 billion.
Those were just two examples. $1 trillion wouldn't even get the project started.
Now consider the amount of time it would take. Even if you had a "compatible system" and honestly... I have no idea what that means. IPv6 is 100% compatible with IPv4... but I suppose you know something I don't. But let's say there was a "compatible system" by your standards. It would take 20+ years and trillions of dollars to deploy it.
Of course, if all we care about is addressing... and it really isn't, then IPv4 is good enough and we can just use CGNAT which is expensive but really perfectly good. Thanks to CGNAT and firewall traversal mechanisms like STUN, TURN, ICE and others, there's absolutely no reason we need to make the change. Consider that China as an entire country is 100% NATed and it works fine.
So... recommended reading: 6rd and NAT64/DNS64.
Then instead of saying really really really silly things about IPv6 lacking compatibility with IPv4 or that IPv6 is B-team... you can be part of the solution. The "B-team" as you call it did in fact pay close attention to real users. They first built the IPv6 infrastructure and they also solved the transition mechanism problems to get real users online without any problems. It took a long time, but it's been solid and stable since IPv6 went officially live on June 6th 2012.
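As an added worked example (not the commenter's code, and not from any vendor or project), the address arithmetic behind the 6rd and DNS64/NAT64 setup described in the post above, using Python's standard ipaddress module. Every prefix and address here is constructed from documentation ranges. The 6rd helper appends the full 32-bit customer IPv4 address to the ISP's 6rd prefix (IPv4MaskLen = 0 in RFC 5969 terms) and reports how many /64 subnets that leaves; the DNS64/NAT64 helpers use the RFC 6052 /96 embedding only, and the policy function synthesises an AAAA only when no real AAAA exists, with a constructed per-name override standing in for the "force IPv4" workaround the post mentions for stale AAAA records.

```python
import ipaddress
from typing import Iterable, List, Optional

# ---- 6rd (RFC 5969): ISP 6rd prefix || customer IPv4 address -> delegated prefix ----

def sixrd_delegated_prefix(sixrd_prefix: str, customer_ipv4: str) -> ipaddress.IPv6Network:
    """Build the customer's delegated prefix by appending the full 32-bit IPv4
    address to the ISP's 6rd prefix (IPv4MaskLen = 0, i.e. no IPv4 bits dropped)."""
    isp = ipaddress.IPv6Network(sixrd_prefix)
    v4 = int(ipaddress.IPv4Address(customer_ipv4))
    delegated_len = isp.prefixlen + 32
    if delegated_len > 64:
        raise ValueError("delegated prefix longer than /64 leaves no room for SLAAC subnets")
    shift = 128 - delegated_len                     # bit position where the IPv4 bits start
    return ipaddress.IPv6Network((int(isp.network_address) | (v4 << shift), delegated_len))


def count_subnets(delegated: ipaddress.IPv6Network) -> int:
    """Number of /64 subnets a customer can carve out of the delegated prefix."""
    return 2 ** (64 - delegated.prefixlen)


# ---- DNS64 / NAT64 (RFC 6052 embedding, /96 prefix only) ----

def dns64_synthesize(nat64_prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(nat64_prefix: str, ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """What the NAT64 edge does on the way out: if the destination falls inside the
    NAT64 prefix, recover the embedded IPv4 address; otherwise it is native IPv6."""
    net = ipaddress.IPv6Network(nat64_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_answer(name: str, aaaa_records: Iterable[str], a_records: Iterable[str],
                 nat64_prefix: str, force_ipv4: frozenset = frozenset()) -> List[ipaddress.IPv6Address]:
    """DNS64 policy: hand back real AAAA records when they exist, synthesise from A
    records only when they do not. `force_ipv4` is a constructed stand-in for a
    per-name override: names on it are synthesised even if a (stale) AAAA exists."""
    aaaa = list(aaaa_records)
    if aaaa and name not in force_ipv4:
        return [ipaddress.IPv6Address(a) for a in aaaa]
    return [dns64_synthesize(nat64_prefix, a) for a in a_records]


if __name__ == "__main__":
    # Constructed values: a /28 6rd prefix and a documentation-range IPv4 address.
    delegated = sixrd_delegated_prefix("2001:db0::/28", "198.51.100.23")
    print(delegated, "->", count_subnets(delegated), "/64 subnets")
    synth = dns64_synthesize("64:ff9b::/96", "198.51.100.23")
    print(synth, "->", nat64_extract("64:ff9b::/96", str(synth)))
```

The check worth keeping from this is `count_subnets`: the delegated prefix length is simply the 6rd prefix length plus the number of IPv4 bits carried, so the number of /64s a customer gets follows directly from those two numbers.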
As for technical complexity... I believe a drunken monkey can set this up with little effort.
I always assumed that the reason for IPv6 having so little adoption was that the perceived benefits did not justify the necessarily huge learning curve. If what you say is true then there must be some other reason that nobody bothers with it. Perhaps it's a bag of spanners destined to fail hard once it moves from geek's garage to live production work...
"If what you say is true then there must be some other reason that nobody bothers with it."
There is another reason. In Western Europe and North America there was, until recently, no problem with only offering IPv4, so ISPs did that, so home users didn't have a choice, so equipment vendors had no incentive to switch on the capability in their device stacks (despite it basically being there for free), so anybody who even started to try the new tech quickly ran into the near-brick-wall that no-one else was running it apart from a few geeks.
I believe that in the Far East, the IPv4 address space was so puny that the economic arguments went the other way and, there being no technical problem with IPv6, there are parts of that region with near-universal IPv6 adoption. Of course, they tend not to contribute to English-speaking forums so we rarely ever hear from them.
Interpol must hate the thought that in the UK you can buy a contract-free pay as you go SIM with no need to provide any credit card details or ID and top the phone up with cash at 1000s of corner shops, so if you're a criminal looking to remain anonymous it's much easier here even without CGNAT. Unless of course they are morons and use the phone to call their mum or access their personal bank accounts etc.
Unless of course they are morons and use the phone to call their mum or access their personal bank accounts etc.
99% of law enforcement consists of detecting and apprehending morons. Any crim with reasonable OpSec awareness isn't going to be even slightly inconvenienced by this because they'll already be obeying the golden rule of assuming that all communication mechanisms are compromised/hostile.
Knowing our plod they are more interested in making their stats look good for catching someone who said something deemed naughty or hurtful on Facebook or twitter, rather than catching real criminals. With kids using just phones for internet a lot of the time now, the police are scared they might have to go after real criminals unless the carrier grade NAT issue is sorted.
You're most likely correct.
I can't find the article but I remember reading recently some chief-plod somewhere or other saying that, basically, "our Shaz saw on facebook that bitch Kayleigh-Mai calling our Jayden a paedo" and the like constituted a massive percentage of total calls made.
Social media complaints, online bullying and harassment etc took up (IIRC) approx 50% of the total "999" calls being made.
*still searching for link but i've not found it yet, suspect it was in a local rag*
*edit - seems it was 2014 that 50% of calls passed to front line staff were related to social media. I imagine that's still the same if not higher now.
http://www.bbc.co.uk/news/uk-27949674
"...assuming that all communication mechanisms are compromised/hostile."
Including word of mouth? Then how do they communicate at all given they must assume all methods of communication are not only hostile but capable of being intercepted and decoded (not even one time pads are immune as plods can intercept the pads before they're used)?
Including word of mouth? Then how do they communicate at all given they must assume all methods of communication are not only hostile but capable of being intercepted and decoded (not even one time pads are immune as plods can intercept the pads before they're used)?
You assume that any communication mechanism might be intercepted, which includes the arrest of messengers. Encryption is flawed on its own because even one time pads are susceptible to RIPA attacks so you need to conceal the communication end points and/or employ some form of steganography.
This isn't a new concept. Agatha Christie crims were aware of this and posted messages using plausibly deniable language in newspaper classified columns. The same technique works perfectly well with CraigsList or USENET or (ElReg comments). If you need to send specific instructions that can't be reduced to deniable language then you encrypt and steganographically encode it.
Secure criminal comms isn't so much a matter of strong encryption as evasion of detection and plausible deniability of intended recipient and content. A direct PGP email or WhatsApp message is vulnerable to RIPA so cryptographic strength isn't helpful. Encode the same message in the high order bits of a photo posted to alt.fan.cats and it is impossible to prove that the message even exists, and even if you do, it is impossible to prove who the intended recipient is, thus neutering RIPA. To cite Agatha again: "When no-one suspects you, murder is easy".
"Encode the same message in the high order bits of a photo posted to alt.fan.cats and it is impossible to prove that the message even exists, and even if you do, it is impossible to prove who the intended recipient is, thus neutering RIPA. To cite Agatha again: "When no-one suspects you, murder is easy"."
OK, then how do you get it past a media mangler, or if you have to post it in a medium where you can't be sure the message will get through intact and in its original form? Plus there's the matter of establishing your code system in the first place: the First Contact problem. I haven't seen a system that can reliably work on zero contact.
OK, then how do you get it past a media mangler, or if you have to post it in a medium where you can't be sure the message will get through intact and in its original form?
You use a platform that doesn't screw around with graphics files (i.e. not FarceBorg). Usenet is ideal, but there are dozens of blogs and forums out there that will do just as well. Github, for example.
First Contact problem. I haven't seen a system that can reliably work on zero contact
You're right. You need to secure the (conceptual) key exchange differently, eliminating as many points of interception as possible. Ideally that exchange will have taken place months or years before you engage in anything nefarious using the agreed channel, so by the time it is detected (if ever) it will be far too late to try and compromise it.
For years I've been against CGNAT and wanted static IP addresses from broadband suppliers, to the extent that it's a requirement when picking a provider. I considered this critical for ensuring proper and secure firewall rules (only allow connection from X IP etc).
However, after reading this article I'm feeling like I want to be in favour of it just to annoy Mr. Spy and make it harder for them.
I'm so conflicted.
"I want an evidence free way to go on fishing trips, rather than have to develop suspicion, conduct an investigation and get a warrant so I can approach the ISP formally."
Shocking news. Police work is (and should only ever be) easy in a police state.
I'm quite sure there are ex members of the STASI who are thinking "Himmel. If we had this sort of tech in the GDR we'd still have a GDR"
From what I understand of the issue (admittedly not much) there's not much chance of ISPs dropping CGNAT for IPv4 address space, since none of them have enough addresses to run their network otherwise. So tough luck for the coppers, they'll have to actually do their job the right/hard way.
Even if you did move mobile devices to IPv6 (I think we can discount a move to IPv4 addresses as there aren't enough of them), that's still not going to give Mr Plod what he wants. Most internet traffic is still IPv4 and the number of sites using IPv6 is still limited, hence most traffic would either need dual stack on the phone and still be via IPv4 CGNAT, or go through whatever solution the ISP chooses for IPv6 to IPv4, most likely NAT64, which would still result in a limited number of IPv4 addresses being used for thousands of clients.
Wouldn't it be more productive to go after the money launderers, like the 1.6 billion dollars that was funnelled through Estonia recently?
"the non-attribution of malicious groups and individuals, should be resolved."
That's code for going after anyone who criticises the unholy alliance between the global corporatocracy and the state security apparatus, what's the word for that, it's on the tip of the tongue.
We have enough IPv4 addresses, and non-CG NAT leaves plenty of room for expansion as people's homes get more and more IP devices. NAT has some obvious disadvantages, but we've long since worked through them so there's no real benefit to going to IPv6 for the average person.
I could enable IPv6 on my router and PC, but why should I? Is it faster? No. Is it more secure? No. Is it more compatible? No, I'm actually more likely to experience issues in IPv6 than the decades old and well tested IPv4.
I get why Asia and Africa are moving to it, they don't have a choice because we hogged all the IPv4 addresses. That's done and there is a solution for them in the form of IPv6. If I was left with no choice I'd go IPv6, but since I do have a choice why should I and the rest of the US and Europe bother? How would it benefit me, or the internet in general to do so?
Amazon came along too late, they missed the halcyon days when a /8 would have been theirs for the asking. Figures that Microsoft would ignore the internet for long enough they'd need to buy a /8 instead of grabbing one for free back in the 80s like companies with more foresight such as Apple and HP!
The fact that they're able to get addresses they need from those who don't need/use what they have shows that IPv4 has sufficient capacity in the west. So they cost $10/IP, big deal. It isn't as though Microsoft and Amazon have trouble affording that. If the price gets high enough ($100/IP? $1000/IP? I don't know what "high enough" is exactly) then they'll start pushing IPv6. How to push IPv6? AWS and other hosting services could offer cheaper hosting for servers accessible via IPv6 only, for example. If stuff I want is only accessible via IPv6 then that would incentivize me and other end users to want to use IPv6, and ISPs to provide "full" IPv6 connectivity instead of 6to4 and the like.
ISPs probably already log their NAT tables, even cheap "hot spot" routers can do that easily. The enforcement companies probably just don't yet submit the ports to information requests.
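An added example of the correlation the comment above describes, from the operator's side: matching a (public IP, port, timestamp) seen by a third party back to the internal subscriber address via the CGNAT session log. This is my own illustration, not any ISP's or vendor's tooling, and the log format is constructed for the example (fields `sub`, `pub`, `pport`, `proto`, `session`), with subscribers in the RFC 6598 100.64.0.0/10 shared range and public addresses from a documentation range. It shows why a request that carries only the public IP and a time is ambiguous, and why port reuse makes the timestamp precision matter.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed CGNAT session log (not a real vendor format): one line per
# session open/close, keyed by the translated public address, port and protocol.
CONSTRUCTED_LOG = """\
2018-08-15T12:13:05Z session=open  sub=100.64.3.7 pub=203.0.113.9 pport=40001 proto=tcp
2018-08-15T12:13:09Z session=open  sub=100.64.3.8 pub=203.0.113.9 pport=40002 proto=tcp
2018-08-15T12:14:00Z session=close sub=100.64.3.7 pub=203.0.113.9 pport=40001 proto=tcp
2018-08-15T12:14:30Z session=open  sub=100.64.3.9 pub=203.0.113.9 pport=40001 proto=tcp
"""


@dataclass
class NatSession:
    subscriber: str            # internal address (RFC 6598 100.64/10 in this example)
    public_ip: str
    public_port: int
    proto: str
    start: datetime
    end: Optional[datetime]    # None: still open at the end of the log


def parse_ts(text: str) -> datetime:
    """Parse the log's UTC timestamps into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log_text: str) -> List[NatSession]:
    """Pair open/close records into sessions. A close without a matching open is
    ignored; sessions still open at the end of the log are kept with end=None."""
    open_sessions: Dict[Tuple[str, int, str], NatSession] = {}
    sessions: List[NatSession] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        key = (kv["pub"], int(kv["pport"]), kv["proto"])
        if kv["session"] == "open":
            open_sessions[key] = NatSession(kv["sub"], kv["pub"], int(kv["pport"]),
                                            kv["proto"], parse_ts(ts_text), None)
        elif kv["session"] == "close":
            session = open_sessions.pop(key, None)
            if session is not None:
                session.end = parse_ts(ts_text)
                sessions.append(session)
    sessions.extend(open_sessions.values())
    return sessions


def attribute(sessions: List[NatSession], public_ip: str, at: datetime,
              public_port: Optional[int] = None, proto: str = "tcp") -> List[str]:
    """Subscribers that could have sourced traffic seen from public_ip at time `at`.
    Without the source port the answer is every subscriber sharing that address
    at that moment, which is the ambiguity CGNAT introduces for attribution."""
    hits = set()
    for s in sessions:
        if s.public_ip != public_ip or s.proto != proto:
            continue
        if public_port is not None and s.public_port != public_port:
            continue
        if s.start <= at and (s.end is None or at <= s.end):
            hits.add(s.subscriber)
    return sorted(hits)


if __name__ == "__main__":
    sessions = parse_sessions(CONSTRUCTED_LOG)
    when = parse_ts("2018-08-15T12:13:30Z")
    print("IP + time only:", attribute(sessions, "203.0.113.9", when))
    print("IP + port + time:", attribute(sessions, "203.0.113.9", when, 40001))
    # Port 40001 is reused 30 seconds after it is released: a different subscriber.
    print("same port, later:", attribute(sessions, "203.0.113.9", parse_ts("2018-08-15T12:14:45Z"), 40001))
```

In practice a request that omits the source port, or quotes a time rounded to the minute, can land on either side of a port reuse like the one in the constructed log, which is how an unrelated subscriber ends up in the frame.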
Of course there are the people who want to see the Internet as a glorious Facebook delivery network. Those are happy with CGNAT. However that's not what the Internet is. The Internet is a peer to peer network with no participants playing a special role. It's just that home NAT and bad home operating systems have killed the peer to peer idea for most people. They see the Internet as something dangerous. Any "snakeoil in a box" solution will be evaluated based on how many alerts it presents to you. Don't run your own webserver to share your pictures, use Facebook instead, then you'll be all safe and warm behind your double or triple NAT which logs all your connections.
However with ubiquitous surveillance, maybe we should consider getting alternatives to the Internet, meanwhile IPv6 will at least save us from the marketers who evaluate every bit we send the Facebooks and Googles of the world, since we can easily build ways around them.
is for law enforcement to get off their azz, and get out there and do real investigative work.
Knock on doors and a few heads to collect what is needed.
Silly millennials have been so spoiled and pandered they don't want to get out there and do actual police work. They've grown up having conversations via text messaging instead of learning how to talk face-to-face and build this type of trust and relationships with contacts and informants.
Too much taxpayer money is spent on electronic surveillance and not enough on training officers to do in-depth investigations away from a keyboard.
"Knock on doors and a few heads to collect what is needed."
But what happens when those heads belong to and reside in hostile sovereign powers? Electronic communications have made international communications much easier: including to and from hostile powers, which makes investigations more difficult since sovereignty gets in the way.
Instead of beating around the manifestations, we should look at the root-cause of a subject. Basically, cyber security issues started with no definitive association between an IP address and the responsible party. (Just think about why the emergency locator services such as the "US 911 System" can find a telephone caller within minutes or sometimes even faster.) This problem started with IPv4 because it did not have enough addresses. However, IPv6 continues the same practice, even with more than enough addresses to assign.
A few years ago, we accidentally ventured into the study of the IPv4 address exhaustion myth. We now have come up with a proposal called EzIP (phonetic for Easy IPv4) to IETF. EzIP utilizes the original IPv4 standard RFC791 and the long-reserved yet hardly-used 240/4 address block to expand the assignable public address pool by 256M (Million) fold:
https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03
The EzIP approach will not only resolve IPv4 address shortage issues, but also largely mitigate the root cause of cyber security vulnerabilities, plus open up new possibilities for the Internet, all within the confines of the IPv4 domain. A degenerated form of the EzIP may even be deployed "stealthily" for an isolated area where needed, forming a "sub-Internet". This enables any country to start offering a new Internet service based on one of the IPv4 public addresses already assigned to that country, so that citizens will have the opportunity to compare and choose.
These should address the underlying main issue of the Internet. That is, with EzIP, it is possible to establish the GeoLocation capability in the Internet that came so naturally to the PSTN (Public Switched Telephone Network). Of course, someone may raise privacy concerns against this approach. However, one must understand the trade-offs when picking a non-conventional and not fully tested approach and then wonder what is going on. If most of the Internet users are identifiable, we can insist that the government only focus on the very small group of perpetrators. When there is no way to tell the difference, the law enforcement must spread their efforts thin to monitor all traffic to spot the abnormality, which means the "privacy" goal is gone anyway!
In a nutshell, the EzIP approach provides a very similar functionality as CGNAT at the daily operation level, but with a fundamental difference. The CGNAT provides soft temporary port numbers to get an Internet session set up. EzIP assigns hard permanent IP addresses to each premises / IoT following the old-fashioned communications system philosophy and conventions.
Thoughts and comments will be much appreciated.
Abe (2018-08-15 12:13)
Dear Colleagues:
0) Here are two pieces of updated information to share:
1) The following is a discussion thread on the "state of IPv6". The findings are quite surprising.
http://www.circleid.com/posts/20190529_digging_into_ipv6_traffic_to_google_is_28_percent_deployment_limit/
2) Then, you may like to have a look at the feasibility demonstration report below about our proposed architecture eliminating CG-NAT for expanding IPv4 address pool, addressing ITU's CIR proposal, etc.:
https://www.avinta.com/phoenix-1/home/RegionalAreaNetworkArchitecture.pdf
These should provide some material for furthering the dialog.
Abe (2020-08-30 16:51 EDT)