Home / Blogs

How Failure To Maintain IPv6 Is Hindering Law Enforcement

Michael Darer

In recent years, our society has been uniquely conditioned in our understanding of technological and digital advancement. Whereas for past generations, leaps forward in technology seemed terrifying, alien and sometimes apocalyptic in their implications, our generation has been taught differently. Since the creation of the world wide web and its domination of daily life, technologies which for most defy comprehension, have become mundane.

The average American no longer views advancement as a danger because we have become used to the presence of high level technology in our daily lives. We witness its advancement everyday. Twenty minutes ago, I updated iTunes. Maybe yesterday, you downloaded the newest version of your web browser. The days of Y2K are over and the new is now our friend. There is no danger or downside to the newer, to the faster, to the sleeker. The newer, the better.

Right? Well, maybe not so much.

As most people in the tech sphere know (and most outside have no clue, myself one of these until recently), a couple of weeks ago we all celebrated a holiday: World IPv6 Day, heralding the (supposed) upcoming dominance of the newest version of the IP (Internet Protocol, for the non-technical such as I) address.

As most know, an IP address is simply a number which serves as a device's ID within a computer network (read this phenomenal breakdown of the technology by Stephen Shankland for more information). For a while, most computers have been using IPv4, which identified machines using 32 bit numbers, creating a total of 4.3 billion different addresses.

However, as the internet grows at its ever increasing pace, this has proven to simply not be enough, and thus, IPv6 was born. With IPv6 computers are identified by 128 bit numbers, meaning that with this new technology, there are roughly 340 undecillion possible addresses.

Awesome, right? Again, maybe not so much.

FBI Headquarters – FBI has suggested that the switch to IPv6 is making it more difficult to track criminals online.Recently, the FBI, DEA and even the Canadian Mounted Police have suggested that the switch to IPv6 is making it more difficult to track criminals online, those who would traffic in things such as drugs or child pornography, in addition to hackers, botnets, kidnappers and terrorists.

Under IPv4, it wasn't very difficult to find offenders online via their IP addresses. The American Registry of Internet Numbers (ARIN) would hand out the address and internet providers would log them into the public WHOIS database.

In this way, if the FBI caught wind of suspicious email conversations, they could simply look up whose IP addresses the messages were traveling between and pay the participants a visit.

Since IPv6 has made so many more addresses available, however, registration protocol has changed.

Rather than handing out smaller blocks of IP addresses more frequently, the ARIN is handing out massive blocks every 10 to 15 years. As a result, internet providers are getting lazier and choosing not to update WHOIS as often, meaning that the database is unable to provide law enforcement with the up-to-date information it needs to take advantage of IP addresses as a means they can identify criminals.

For companies such as Dyn, this problem is especially resonant for multiple reasons. On the most basic level, it deals with a technology that we work with and that defines our field of industry. On a deeper level, though, this problem speaks to us because it says a great deal about the way in which providers and clients can and do interact with technology.

Because, in many ways, the problem here isn't IPv6 at all. It's the laziness of internet providers. The technology is failing because the people who work with it choose not to put in the due diligence required to make the technology function as it should.

And this isn't a wholly ridiculous occurrence. With technological advancement comes complacency. Complacency breeds laziness. Laziness leads to complication and obstruction.

This does not solely apply to the problems the DEA and the FBI are having.

Surely, some argue that it is not the job of the private sector to tailor its products to the needs of governmental powers, that ease of search shouldn't be a goal to strive for, that compliance with those principles is compliance with a fundamental violation of liberty. Even if we want to make that argument, we cannot use it as an excuse for failing our fundamental duties as innovators.

The important thing to think about (however you may feel about the presence of law enforcement in matters of internet security) is that the damage that laziness and complacency does eventually inflict is far wider in its reach than just the hunt for cyber criminals. In the end, those attitudes do damage to everyone who uses digital technology, whether it's a student or a professional or a law enforcement officer. The need for high functioning and safe digital systems is absolutely universal and apolitical.

We, the technological community, owe it to all who interact with our creations to do the grunt work so that they can use what we give them in a safe and effective way.

Honestly, if we neglect that, we're simply not doing our jobs.

It's important to remember that we're responsible for maintaining what we create, tending to it, making sure that we don't let our excitement over the innovation get in the way of our attention to the fine-tuning, the troubleshooting, the grunt work that may not have the glory of invention or the distinction of discovery.

We must be both architect and janitor, because, in stepping forward into an industry with such far reaching, universal application, to be any less, is to fail both our creation and our clientele.

By Michael Darer, Author at Dyn

Related topics: Cybercrime, IP Addressing, IPv6, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


A bit misleading Michael Sinatra  –  Jul 12, 2012 11:20 AM PDT

The statements of the FBI and RCMP are well-intentioned, but unfortunately, they're somewhat FUD-like.  First of all, ARIN already has mechanisms in place to deal with the lack of documentation that LE is rightly concerned about.  Moreover, the statement:

"Rather than handing out smaller blocks of IP addresses more frequently, the ARIN is handing out massive blocks every 10 to 15 years. As a result, internet providers are getting lazier and choosing not to update WHOIS as often, meaning that the database is unable to provide law enforcement with the up-to-date information it needs to take advantage of IP addresses as a means they can identify criminals."

...is pure speculation.  We don't yet know the long-term impact of the vast IPv6 address space on registry activity, nor on whois updating.  It's possible that because of the vast address space, ISPs will see the need for MORE thorough documentation, just so they can keep track of the large IPv6 space.

Second, this hypothetical IPv6 problem pales in comparison to what CGN/LSN is going to do.  That IPv4 address of a suspicious email?  Good luck looking it up in whois--and expecting to trace it back to a person--when it has been through at least three NAT gateways.

Finally, Chris Grundemann has already done a nice job of outlining the major issues--right here on CircleID. The one disagreement I have with Chris is that I think that ARIN 2011-7 would have ended up aiding criminals, not preventing their activity.  It would have "penalized" ISPs who don't update their whois by turning of their reverse DNS!  Disabling one form of documentation because another isn't up-to-date isn't going to catch the bad guys.

Bottom line is that CGN has the potential to be way worse than IPv6 for LE, and I think spinning this as an IPv6 problem is misleading.

basic economics Carl Byington  –  Jul 12, 2012 2:19 PM PDT

And this isn't a wholly ridiculous occurrence. With technological advancement comes complacency. Complacency breeds laziness. Laziness leads to complication and obstruction.

I think those unsupported assertions are generally false, but in any case have little to do with the issue of documenting ipv6 address usage.

I think you are confusing laziness with basic economics. Any expensive or scarce resource will be tracked much more closely than a resource that is cheap or trivially available. No one will spend much effort tracking a resource that is essentially free. Hurricane Electric is giving away 2**64 ipv6 addresses for free. Why should anyone spend (manual) effort to track exactly which user is using which ip address. All that is needed is a mechanism to avoid collisions so that two users don't try to use the same address.

fighting /fire/ with /fire/ ? Max M. Hyperbole  –  Jul 15, 2012 10:34 AM PDT


Just because the author used questionable data points to make a really bad inference about a matter that is widely recognized as "real," and which could (at least potentially) become serious at some point in the future, heaping nonsensical "basic economic" assertions on top is not going to do much to improve public understanding. "All that is needed is a mechanism to avoid collisions so that two users don't try to use the same address"… Really? All we need is a "mechanism" that makes both accidental IP address "collisions" and intentional address "hijackings" physically impossible, without fail, forever? Obviously, with such a mechanism in place, there would be never be any need for any kind of authoritative "tracking information" showing who is responsible for what IP addresses. In fact, with the future probability of IP address-related collisions and hijackings permanently fixed at 0.00%, the very notion of "accountability" would lose all meaning in this particular domain of Internet operations, right? If so, then there's no need to resort to even the most basic of economic considerations, as exerting any effort to maintain IP address tracking records that have no conceivable purpose would defy basic common sense!

Um, now that I think about it, the above only holds if our "mechanism" guarantees not just permanent invulnerability to collisions and hijackings, but 100% immunity to every possible kind of harmful or unauthorized interaction that might occur between every single IP address and every other IP address — including "transitive" interactions between IP addresses that are widely separated from each other and administered by parties that have no direct or even indirect relations with each other — now and forevermore.

So, taking into consideration to overall costs and benefits of using the Internet, and given the options of (a) suspending further net usage until the day after your Internet Invulnerability Mechanism has been invented and universally deployed, or (b) embracing the absolute certainty that any additional, pre-IIM use of the Internet could result in your incurring (and/or causing) substantial harm at any moment, with zero hope of recourse and zero means of reducing that risk going forward, or (c) bearing the relatively moderate burden of keeping accurate records of your own use of IP addresses, and making those records available as necessary as part of a collective "tracking" exercise (i.e., an address registration database) that provides both a means for other IP address users "of good faith" to avoid colliding with you (and vice versa), and a means of directly or indirectly holding those of somewhat less-good faith accountable for the harms that they inflict upon others… which alternative best satisfies your "basic economics" test?

Move along, nothing to see... Valdis Kletnieks  –  Jul 13, 2012 7:30 AM PDT

Failure to SWIP an allocation makes people call the upstream who failed to SWIP it. FIlm at 11.

It's the exact same problem as IPv4.  And over in IPv4 land, people learned that if they didn't SWIP something, they'd get more phone calls.  Eventually, everybody got better about SWIP so their phones stopped ringing so much.

Same issue, maybe better maybe worse, who knows yet Dan Campbell  –  Jul 17, 2012 8:19 AM PDT

I wouldn't say it "wasn't very difficult to find offenders" by their IPv4 address.  IPv4 addresses are (1) more often than not temporary and (2) often are behind one or more NAT gateways that obscure the actual address and end user.  You may be able to find the offending IP address, and thus the "offending" ISP or "offending" end organization that holds the IP allocation/assignment, but you may not be able to prove who the actual person using the address was, not without another internal method for tracking IP to users, e.g., DHCP records, other username/account records, etc.  In IPv6, the vastness of the address space will (1) not likley change the temporary nature of addressing.  There will still be DHCPv6, SLAAC, etc. that may or may not help you to really determine who had the address at a given time, not without the same additional information you need with IPv4 now.  Very few if any will really go to static public IP addressing for internal end users who are temporarily on the network and move around, not for your average Internet access service, and people will continue to move around from home to work to wireless to coffee shops to wherever, using many different addresses.  Organizations may extend DHCP lease times in IPv6, since expiration for the purpose of address reclamation doesn't matter much, so there may be better chances of mapping the end user to the IPv6 address they used after the fact.  And (2), IPv6 may or may not really change NAT'ting.  It should, yes, but old habits die hard and the security commmunity will still be hard pressed to give up the (very false sense of) security benefit of NAT. I hope that's not the case for too long.  I hope in v6 we see hosts with multiple addresses, unique local (i.e., private) inside the network while using global to reach the Internet.  Hopefully this will be common and traditional NAT'ting that we see now will go away.  But old habits die hard, and people are still concerned about the security implications of IPv6 mostly because of the newness of it, and there will be for a while a level of IPv4/IPv6 translation going on as well.  We will be dual-stacked for as long as any of us here are still working on these things, for the forseeable future.  So whether IPv6 makes things harder or easier in terms of tracking end users to IP addresses, I think it's hard to really say right now.

ANSWER Anonymous Coward  –  Oct 02, 2012 5:09 PM PDT


Because it's secure? Because it's operationally sound and approved? EXCELLENCE!

If a few forensics companies have to learn how to ngrep or load a Volatility plugin that dumps IPv6 related data, then that doesn't sound too rough. It's just network addresses

To post comments, please login or create an account.

Related Blogs

Related News


Industry Updates – Sponsored Posts

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Continuing to Work in the Public Interest

Verisign Named to the OTA's 2014 Online Trust Honor Roll

4 Minutes Vs. 4 Hours: A Responder Explains Emergency DDoS Mitigation

Dyn Acquires Internet Intelligence Company, Renesys

Tips to Address New FFIEC DDoS Requirements

Smokescreening: Data Theft Makes DDoS More Dangerous

dotStrategy Selects Neustar's Registry Threat Mitigation Services for .BUZZ Registry

24 Million Home Routers Expose ISPs to Massive DNS-Based DDoS Attacks

What Does a DDoS Attack Look Like? (Watch First 3 Minutes of an Actual Attack)

Joining Forces to Advance Protection Against Growing Diversity of DDoS Attacks

Why Managed DNS Means Secure DNS

Rodney Joffe on Why DNS Has Become a Favorite Attack Vector

Motivated to Solve Problems at Verisign

Diversity, Openness and vBSDcon 2013

Neustar's Proposal for New gTLD Collision Risk Mitigation

IT Project Management: Best Practices in Small-Scale Engagements

DDoS Attacks in the United Kingdom: 2012 Annual Trends and Impact Survey

Dyn Adds Chris Griffiths As New VP of Labs

Sponsored Topics