Declan McCullagh recently opined that the “FBI [and the] DEA warn [that] IPv6 could shield criminals from police.” His post was picked-up relatively widely in the past few days, with the headlines adding more hyperbole along the way. So just how real is this threat? Let’s take a look.

The Claim

The issue being discussed here is really all about RIR (Regional Internet Registry) Whois database accuracy. The RIR Whois databases contain the records of who holds what IP addresses, down to a level of granularity dependent on that RIRs specific policies. When law enforcement agencies like the FBI, DEA, and RCMP want to find out who was using an IP address (say to post child pornography or host an illegal prescription sales website) at a given time, they first go to Whois to determine who is responsible for the network that IP address belongs to. If everything is as it should be, Whois will provide the name (and contact info) of the responsible party. “Responsible party” in this context means the organization responsible for the network that the offending IP address belongs to. This is typically either the enterprise which holds that network directly, or the ISP who’s customer is using the address. When law enforcement officials get the party directly responsible for that specific IP address from Whois, they are able to obtain and serve warrants most efficiently. In cases where Whois information is stale (out of date) or not granular enough (perhaps Whois lists the ISP of the ISP of the ISP of the person using the IP address); they must embark on a goose chase of sorts, obtaining and serving warrant after warrant as they work down the chain to the responsible party who should have been listed in Whois in the first place.

The hypothesis being presented is that IPv6 Whois information will be less accurate than IPv4 Whois information, causing more of those wild goose chases and ultimately making it harder for law enforcement to track criminals by IP address. The rationale behind this claim is basically that Internet number registrants (ISPs and others who hold AS numbers and IP addresses) only update Whois in order to receive more addresses from the RIR. Since IPv4 has been known to be an ultimately scarce resource since as far back as the early 1990s, IPv4 addresses have been handed out in relatively small chunks. This requires organizations who consume lots of addresses, like ISPs and data-centers, to come back to the RIRs and request more IPv4 addresses with great regularity. Because the RIRs will not grant addresses to organizations who are out of compliance with RIR policy, this in effect forces such organizations to keep their Whois records up to date. In the brave new world of IPv6, things have changed. Since the IPv6 addressing space is effectively some 16 million to 17 billion times larger than IPv4; RIRs are handing out IPv6 in much larger blocks, allowing these very same organizations to come back to the well much less frequently and perhaps never at all. This is great for network address planning and route aggregation but not so great for Whois database accuracy if you believe that folks only make updates in order to get more addresses.

The (Recent) History

I think we should first realize that this is not a new story. I have personally been working on this subject, often with members of the FBI and the RCMP, for around four years now. I am, by far, not the first champion of Whois accuracy, as registration requirements have been present in RIR policy since the very beginning. I have however contributed to some of the more recent reforms directly related to IPv6 and law enforcement’s ability to use IP addresses and Whois to track down criminals as quickly and efficiently as possible, without infringing on anyone’s individual or organizational rights. In these past four years we have seen some major “wins” for Whois database accuracy.

The first happened in the ARIN region with the adoption of draft policy 2008-7, which was eventually implemented by ARIN in the second half of 2010. This policy requires ARIN staff to conduct an annual Whois POC validation during which all POC (Point Of Contact) records in ARINs Whois database are verified via response to an email message. In the context of today’s discussion, this means that every single POC in ARINs Whois is contacted and asked to make updates every year, regardless of their organizations need for more addresses. This is true for POCs associated with IPv4 and/or IPv6 records.

The second victory came with the adoption and subsequent implementation of ARIN-2010-14 in mid 2011. ARIN-2010-14 encompassed fairly sweeping changes to the ARIN policies regarding Whois data for both IPv4 and IPv6. The key reforms directly associated with criminal traceability in IPv6 were threefold: First, to require that all static IPv6 assignments to downstream organizations be recorded in Whois. Second, to define the organizational information required in Whois as; legal name, full physical address, and at least two POCs (both with a verifiable email address and phone number). Third, and perhaps most importantly, to specifically allow ARIN to conduct resource reviews if an organization fails to maintain accurate and complete Whois records (including downstream assignments to other organizations).

Most recently (and further south) we scored another win for global Whois data accuracy when the LACNIC community approved LAC-2012-02 following LACNIC XVII in May 2012. This policy was crafted based on the reforms in ARIN-2010-14 following a brief presentation I gave at the October 2011 LACNIC meeting. They key difference is that the LACNIC policy sets the boundary for downstream IPv6 assignments at /48 rather than /64. This effectively means that while ARIN policy requires all static IPv6 assignments to be recorded in Whois, in the LACNIC region only assignments of larger than a /48 prefix must be registered.

There have obviously been great strides, within the ARIN region and elsewhere, with regard to Whois data accuracy in the past few years but there has been at least one setback as well. Draft policy ARIN-2011-7 was recently abandoned by the ARIN AC after not gaining clear consensus among the ARIN community. This proposed policy change would have supplied some added clarity and additional tools to ARINs Whois data enforcement abilities.

The Current (IPv6) Situation

Perhaps even more important than tallying the recent wins and losses is understanding the current state of affairs more clearly.

The first thing to realize is that this is not just a law enforcement issue. Accurate Whois information is extremely helpful in all sorts of abuse reporting which happens directly between network operators. The very same wild goose hunts that can plague LEAs can cost Internet connected businesses substantial amounts of time and money. Not to mention the fact that knowing you can be easily identified regardless of your physical location would likely have a chilling affect on abuse in the first place.

The next thing to realize is that this is not just a U.S. or Canadian issue. Internet users (including the nefarious types) span the globe. IP addresses are used all over this planet. Five distinct Whois databases for Internet numbers are operated by the five individual RIRs representing the various regions of our world. In order to understand where we are today, we need to examine all five RIRs policy on Whois and re-assignment registration.

Working alphabetically, AFRINIC is the first RIR. AFRINIC’s IPv6 policy has a section titled “5.5. Registration” which simply requires that all organizations holding IPv6 addresses must register all downstream assignments larger than a /48 in the “AFRINIC database.” Their policy further states that this data will be used “to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time” and does not appear to have any additional auditing or ‘enforcement’ mechanisms in place (although they do encourage the inclusion of an abuse contact).

APNIC has a very similar registration policy to AFRINICs. Theirs is titled “5.6. Registration” and also requires all downstream assignments of /48 or larger to be “registered in an RIR/NIR database” and they also state that “RIR/NIRs will use registered data to calculate the HD-Ratio at the time of application for subsequent allocation and to check for changes in assignments over time.” However, there is a key difference in the APNIC policy. “Organizations that receive an allocation from APNIC can choose whether or not their customer assignment registrations should be publicly available.” So while APNIC address holders must register reassignments, that info does not have to be viewable in Whois. They do require (since late 2010) the registration of an “Incident Report Team (IRT) object for each allocation and assignment record in the APNIC Whois Database.” This object provides abuse contact information.

We have discussed ARINs IPv6 registration policy already, since it was re-written by ARIN-2010-14, but to keep it simple let’s cover the basics: ARINs policy states that all static IPv6 assignments of a /64 or larger must be registered publicly within 7 business days of being made. Further, these “reassignment registrations” must include the pre-defined “organizational information” of name, address, and two POCs - unless the assignment is to an individual residential customer (for privacy protection). Finally, ARIN is granted the ability to conduct a “resource review” specifically “whenever ARIN has reason to believe that an organization is not complying with reassignment policies.”

LACNIC is another one that we covered above. Post-LAC-2012-2 LACNICs IPv6 policies (yet to be updated with the new text) will include a revised section “4.5.6. Registration” which states that all assignments of /48 or larger must be visible in Whois within 7 days of issue and that those registrations “must include the organization’s name; address; administrative contact, technical contact, and contact in case of abuse, with their updated telephone numbers and email addresses” except again in the case of residential customers. While LACNICs policy is not as clearly specific to reassignment registrations as ARINs is, they do have a provision stating that a “breach of LACNIC policies” (presumably including registration policies) may be used as evidence to “initiate the resource recovery process.”

Finally we turn to RIPE NCC, the final RIR alphabetically speaking. RIPEs IPv6 policy has a familiarly titled section “5.5 Registration,” which requires quite simply: “When an organisation holding an IPv6 address allocation makes IPv6 address assignments, it must register these assignments in the appropriate RIR database.” However, it does go on to qualify that assignments smaller than a /48 can be aggregated and simply indicate the “size of the individual assignments made to End Users.” I am unaware of any auditing/review or ‘enforcement’ policies at RIPE NCC but they do allow for an optional “IRT (Incident Response Team) object.”

The Other (IPv4) Side

We’ve taken a fairly in depth view of IPv6 Whois policy around the world, including some of the most recent reforms. But all of that is hard to judge in a vacuum. What about the other side of this comparison? If IPv6 really is (going to be) worse for tracing criminals, what is it worse than? To answer that we must take a look at IPv4 traceability. I mentioned in the opening section of this post that IPv4 Whois accuracy has benefited from the constant and frequent return of many organizations to ARIN and the other RIRs for additional addresses. There are however two major factors that work against Whois accuracy in IPv4.

One of these challenges is the “legacy” or “swamp” IPv4 address space. This problem affects folks in the ARIN region the worst, since most of this so-called legacy address space resides within the ARIN service region but there is also legacy space under the oversight of other RIRs as well. The problem with legacy space as it relates to Whois accuracy is twofold: First, legacy address holders received their assignments and/or allocations before the current RIR system was in place (that’s what makes them “legacy” registrations). This is problematic because it means that many of these organizations have no relationship with their RIR. This in turn means that while “regular” address holders pay dues every year (i.e. must be in contact with the RIR at least once a year), many legacy registrants have no contact at all with any RIR. With no formal relationship ever established, there is no way for the RIR to know if the organization is still using the addresses or if they even exist at all (the annual Whois POC validation policy was created in large part to help resolve this lack of contact issue). Second, legacy allocations were made during the period of classful addressing. The effect of this that concerns us here is that many legacy allocations were far larger than what the organization truly needed at the time, thus they have never needed to come back to the RIRs for more addresses. Now, this may or may not be an impact-full issue but it certainly puts them in the same boat with IPv6 address holders from that perspective - and legacy allocations are a significant portion of the total IPv4 address space.

The other primary challenge to criminal tracing in IPv4 is the eminent exhaustion of free IPv4 addresses. This is actually causing two new phenomenon which have the potential to make IPv4 address based identification much more difficult: The emergence of CGN (Carrier Grade NAT) as an IPv4 life-extension technology and the emergence of IPv4 address transfers as a CGN avoidance technique. CGN means that multiple users share a single IP address. While not directly related to Whois data accuracy, this will make IPv4 users increasingly harder to identify and track down. The more users that are forced to share a single address, the harder identification becomes (along with other problems related to IP address reputation and port consumption, etc.). More on this challenge can be found here and (perhaps surprisingly) here. On the other hand, the transfer of IPv4 addresses will hopefully not cause too much disturbance to Whois data accuracy, and may actually improve it if done properly. Unfortunately it could also cause chaos and confusion if profiteers are able to set up even quasi-successful “alternate registries.” This is a vast topic in its own right so I won’t go any further here other than to say that having multiple conflicting Whois databases is obviously not a good thing for abuse reporting and law enforcement.

The Bottom Line

There are two preliminary conclusions to be drawn from all of this:

• Tracing criminals using IPv4 is no bed of roses and its getting worse.
• IPv6 Whois policies exist and they’re getting stronger.

Beyond that, we can also see that coming back to get more addresses is only one touch point between address holders and the RIRs who maintain these invaluable Whois databases. Regular billing cycles and recurring Whois POC validations are two others that will actually be more efficient in IPv6 due to the absence of “legacy” registrants. Resource reviews and ultimately reclamations are another potentially effective (albeit much more drastic) tool available to the RIRs. Weigh this against the impending age of IPv4 CGN and address transfers, add in the increasingly formalized Whois registration policies, and I think we can likely agree that abuse reporting and criminal tracing based on IP address will very likely actually be better in the future with IPv6 than it is today with IPv4.

Even so, we can all help ensure that the future is much better, rather than marginally better, by continuing to reform Whois registration policies in all five regions. From my perspective as I write this, sitting at my desk where much of its current text was written, ARIN has set the benchmark for Whois policy today. One of our first steps should be to bring the other four regions policies as close to that mark as possible. Of course the reason we have five regional registries rather than one global registry is to accommodate local differences, so alignment will never be perfect, but we can continue working in the right direction. I send kudos and congratulations to the folks at LACNIC who recently did just that and I offer my assistance to folks in other regions who want to do the same.

No one and no thing is perfect though, and ARINs Whois policy is no exception. There are pieces of the failed ARIN-2011-7 that need to be resurrected and submitted again, and other pieces that need to be revisited and reconsidered. Other, new policies are likely needed as well. One of the primary areas of further exploration needs to be policy enforcement, or even better, incentivising policy compliance. While all the RIRs have policies regarding Whois data accuracy, which are likely to grow stronger over time, they lack a strong enforcement mechanism. Yes, there is the ability to revoke addresses for non-compliance, but no RIR is likely to yank addresses from hundreds or possibly thousands of innocent parties simply because their ISP failed to update downstream assignments in Whois. So how do we ensure that even the laziest of engineers at the most lackadaisical organizations always update their Whois data properly? Answering that question will not be easy but is necessary if we are to avoid imposition of solutions from above upon the Internet community (something no one wants, including the folks at the FBI). Perhaps Internet service providers can provide effective enforcement of Whois policies by peer pressure, or perhaps other mechanisms are needed. In either case I have full confidence in the many bright and capable minds now working on Internet numbering policy. Who knows, it may even be you who solves this final puzzle.

So, bottom line: Is there work still to be done? Absolutely, plenty to go around. Is IPv6 a major threat to law enforcement? No, and its only getting better.