2017 03-01-forensics 1488330715
1 like90 views
The document discusses challenges with forensic tracing in the evolving Internet. It begins by looking at traceback methods from the 1980s Internet, when each end site had a stable IP address. The introduction of NATs complicated traceback by hiding internal addresses. Further issues have arisen from IPv4 exhaustion, widespread NAT deployment including carrier-grade NATs, and the diversity of IPv4-IPv6 transition technologies used by different ISPs. This variability undermines the traditional model of tracing based on IP addresses and timestamps. New record keeping requirements are needed from ISPs but may not be practical or scalable. The complexity is increased further by trends toward more encrypted and opaque application-level protocols that obscure network-level sessions.
![2017#apricot2017
Traceback – Version 1
3
A: 192.0.2.1
Ftp Server
Internet
Lets start by looking way back to the
Internet of the 1980’s
ftpserver.net 192.0.2.1 [31/Aug/2013:00:00:08 +0000]
Ftp Server Log
$ whois 192.0.2.1
NetRange: 192.0.2.0 - 192.0.2.255
NetName: TEST-NET-1
Contact: User Contact Details There was a rudimentary whois service
and it listed all end users!](https://image.slidesharecdn.com/2017-03-01-forensics1488330715-170306004553/85/2017-03-01-forensics-1488330715-3-320.jpg)
![2017#apricot2017
Traceback – Version 2
7
A: 10.0.0.1
Web Server
ISP
webserver.net 192.0.2.1 [31/Aug/2013:00:00:08 +0000] "GET /1x1.png HTTP/1.1" 200
Web Server Log
$ whois 192.0.2.1
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
OriginAS:
NetName: TEST-NET-1
NetHandle: NET-192-0-2-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
CPE NAT/
DHCP Server
192.0.2.1
ISP RADIUS Log
15/Aug/2013:18:01:02: user XXX IP: 192.0.2.1](https://image.slidesharecdn.com/2017-03-01-forensics1488330715-170306004553/85/2017-03-01-forensics-1488330715-7-320.jpg)
![2017#apricot2017
Traceback – Version 3
12
A: 10.0.0.1
B: 10.0.0.2
C: 10.0.0.3
CPE NAT/
DHCP Server
ISP CGN
192.0.2.0/24
Web Server
Internet
webserver.net [192.0.2.1]::45800 [31/Aug/2013:00:00:08
+0000] "GET /1x1.png HTTP/1.1" 200
Web Server Log
$ whois 192.0.2.1
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
OriginAS:
NetName: TEST-NET-1
NetHandle: NET-192-0-2-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
ISP CGN Log
31/Aug/2013:00:00:02
172.16.5.6:34233 128.66.0.0:80 -> 192.0.2.1:45800 128.66.0.0:80
ISP RADIUS Log
15/Aug/2013:18:01:02: user XXX IP: 172.16.5.6:34000-40000
172.16.5.6](https://image.slidesharecdn.com/2017-03-01-forensics1488330715-170306004553/85/2017-03-01-forensics-1488330715-12-320.jpg)
2017 03-01-forensics 1488330715
- 1. 2017#apricot2017 Forensic Tracing in the Internet: An Update Geoff Huston Chief Scientist APNIC
- 2. 2017#apricot2017 The story so far… • The status of the transition to IPv6 is not going according to the original plan: • We have exhausted the remaining pools of IPv4 addresses in all regions except Africa - this was never meant to have happened • We we meant to have IPv6 fully deployed by now • What we are seeing is the pervasive use of Carrier Grade NATs as a means of extending the useable life of the IPv4 Internet • Around 10% of users use both IPv6 and IPv4 – the other 90% are IPv4 only • It appears that most IPv4 use today uses NATs in the path • This has some major implications for LEA functions, principally in traceback and metadata record keeping 2
- 3. 2017#apricot2017 Traceback – Version 1 3 A: 192.0.2.1 Ftp Server Internet Lets start by looking way back to the Internet of the 1980’s ftpserver.net 192.0.2.1 [31/Aug/2013:00:00:08 +0000] Ftp Server Log $ whois 192.0.2.1 NetRange: 192.0.2.0 - 192.0.2.255 NetName: TEST-NET-1 Contact: User Contact Details There was a rudimentary whois service and it listed all end users!
- 4. 2017#apricot2017 Assumptions: • Each end site used a stable IP address range • Each address range was recorded in a registry, together with the end user data • Each end device was manually configured with a stable IP address • Traceback was keyed from the IP address 4
- 5. 2017#apricot2017 Assumptions: • Each end site used a stable IP address range • Each address range was recorded in a registry, together with the end user data • Each end device was manually configured with a stable IP address • Traceback is keyed from the IP address 5
- 6. 2017#apricot2017 + NATs 6 A: 10.0.0.1 B: 10.0.0.2 C: 10.0.0.3 CPE NAT/ DHCP Server 192.0.2.1 ISP
- 7. 2017#apricot2017 Traceback – Version 2 7 A: 10.0.0.1 Web Server ISP webserver.net 192.0.2.1 [31/Aug/2013:00:00:08 +0000] "GET /1x1.png HTTP/1.1" 200 Web Server Log $ whois 192.0.2.1 NetRange: 192.0.2.0 - 192.0.2.255 CIDR: 192.0.2.0/24 OriginAS: NetName: TEST-NET-1 NetHandle: NET-192-0-2-0-1 Parent: NET-192-0-0-0-0 NetType: IANA Special Use CPE NAT/ DHCP Server 192.0.2.1 ISP RADIUS Log 15/Aug/2013:18:01:02: user XXX IP: 192.0.2.1
- 8. 2017#apricot2017 Assumptions • The ISP operates an address pool • Each end site is dynamically assigned a single IP address upon login (AAA) • The site is dynamically addressed using a private address range and a DHCP server • The single public address is shared by the private devices through a CPE NAT 8
- 9. 2017#apricot2017 Changes • Traceback to an end site is keyed by an IP address and a date/time • Requires access to WHOIS records to identify the ISP and the ISP’s AAA logs to identify the end site • No traceback to an individual device – the trace stops at the edge NAT 9
- 10. 2017#apricot2017 IPv4 Address Exhaustion 10 What have ISP’s done in response? • It’s still not viable to switch over to all-IPv6 yet • The supply of further IPv4 addresses to fuel service platform growth has dried up • How do ISPs continue to offer IPv4 services to customers in the interim? • By sharing addresses across customers
- 11. 2017#apricot2017 Carrier Grade NATs 11 By sharing public IPv4 addresses across multiple customers!
- 12. 2017#apricot2017 Traceback – Version 3 12 A: 10.0.0.1 B: 10.0.0.2 C: 10.0.0.3 CPE NAT/ DHCP Server ISP CGN 192.0.2.0/24 Web Server Internet webserver.net [192.0.2.1]::45800 [31/Aug/2013:00:00:08 +0000] "GET /1x1.png HTTP/1.1" 200 Web Server Log $ whois 192.0.2.1 NetRange: 192.0.2.0 - 192.0.2.255 CIDR: 192.0.2.0/24 OriginAS: NetName: TEST-NET-1 NetHandle: NET-192-0-2-0-1 Parent: NET-192-0-0-0-0 NetType: IANA Special Use ISP CGN Log 31/Aug/2013:00:00:02 172.16.5.6:34233 128.66.0.0:80 -> 192.0.2.1:45800 128.66.0.0:80 ISP RADIUS Log 15/Aug/2013:18:01:02: user XXX IP: 172.16.5.6:34000-40000 172.16.5.6
- 13. 2017#apricot2017 Assumptions • The ISP operates a public address pool and a private address pool • The access into the public address pool is via an ISP-operated NAT (CGN) • Each end site is dynamically assigned a single private IP address upon login (AAA) • The site is dynamically addressed using a private address range and a DHCP server • The single public address is shared by the private devices through a CPE NAT 13
- 14. 2017#apricot2017 Assumptions • Traceback to an end site is keyed by a source IP address and a source port address, and a date/time • Requires access to • WHOIS records to identify the ISP, • The ISP’s CGN logs to identify the ISP’s private address and • The ISP’s AAA logs to identify the end site 14
- 15. 2017#apricot2017 ISP CGN Logging CGN bindings are formed for EVERY unique TCP and UDP session That can be a LOT of data to retain… 15http://www.nanog.org/meetings/nanog54/presentations/Tuesday/GrundemannLT.pdf
- 16. 2017#apricot2017 It could be better than this… • Use Port Blocks per customer or • Use a mix of Port Blocks and Shared Port Pool overflow and • Compress the log data (which will reduce storage but may increase search overhead) 16
- 17. 2017#apricot2017 Or it could be worse… 17
- 18. 2017#apricot2017 18 We are going to see a LOT of transition middleware being deployed!
- 19. 2017#apricot2017 19 And we are going to see a significant diversity in what that transition middleware does We are going to see a LOT of transition middleware being deployed!
- 20. 2017#apricot2017 What does this mean for Forensic tracing? 20 LEAs have traditionally focused on the NETWORK as the point of interception and tracing They are used to a consistent model to trace activity: • get an IP address and a time range • trace back based on these two values to uncover a set of network transactions
- 21. 2017#apricot2017 What does this mean for Forensic tracing? 21 In a world of densely deployed CGNs and ALGs the IP address loses coherent meaning in terms of end party identification.
- 22. 2017#apricot2017 What does this mean for Forensic tracing? 22 And instead of shifting to a single “new” model of IP address use, we are going to see widespread diversity in the use of transition mechanisms and NATs in carrier networks Which implies that there will no longer be a useful single model of how to perform traceback on the network Or even a single coherent model of “what is an IP address” in the network
- 23. 2017#apricot2017 Variants of NAT CGN Technologies 23 Variant: CGN with per user port blocks CGN with per user port blocks + pooled overflow CGN with pooled ports CGN with 5-tuple binding maps Address Compression Ratio 10:1 100:1 1,000:1 >>10,000:1 The same public address and port is used simultaneously by multiple different internal users ISP Internet CGN Source: 192.0.2.1:1234 Dest: 128.66.0.0:80 Source: 192.0.2.1:1234 Dest: 128.66.2.2:80 Customer A Customer B
- 24. 2017#apricot2017 Adding IPv6 to the CGN Mix • The space is not exclusively an IPv4 space. • While CGNs using all-IPv4 technologies are common today, we are also looking at how to use CGN variants with a mix of IPv6 and IPv4 For example: Dual-Stack Light connects IPv4 end users to the IPv4 Internet across an IPv6 ISP infrastructure. • We see many more variants of ISP’s address transforming middleware when they IPv6 into the mix 24
- 25. 2017#apricot2017 ++IPv6: Transition Technologies 25 Randy Bush, APPRICOT 2012: http://meetings.apnic.net/__data/assets/pdf_file/0016/45241/120229.apops-v4-life-extension.pdf
- 26. 2017#apricot2017 Transition Technologies Example: 464XLAT 26Masataka Mawatari, Apricot 2012, http://meetings.apnic.net/__data/assets/pdf_file/0020/45542/jpix_464xlat_apricot2012_for_web.pdf
- 27. 2017#apricot2017 What does this mean for Forensic tracing? 27 There is no single consistent model of how an IP network manages IPv4 and IPv6 addresses There is no fixed relationship between IPv4 and IPv6 addresses What you see in terms of network trace information is strongly dependent on where the trace data is collected
- 28. 2017#apricot2017 What does this mean for LEAs? 28 What’s the likely response from LEAs and regulators? One likely response is to augment the record keeping rules for ISPs
- 29. 2017#apricot2017 What does this mean for ISPs and LEAs? 29 But what are the new record keeping rules? In order to map a “external” IP address and time to a subscriber as part of a traceback exercise then: for every active middleware element you now need to hold the precise time and the precise transforms that were applied to a packet flow and you need to be able to cross-match these records accurately
- 30. 2017#apricot2017 What does this mean for ISPs and LEAs? 30 But what are the new record keeping rules? In order to map a “external” IP address and time to a subscriber as part of a traceback exercise then: for every active middleware element you now need to hold the precise time and the precise transforms that were applied to a packet flow and you need to be able to cross-match these records accurately
- 31. 2017#apricot2017 What does this mean for ISPs and LEAs? 31 How many different sets of record keeping rules are required for each CGN / dual stack transition model being used? And are these record keeping practices affordable? (granularity of the records is shifting from “session” records to “transition” and even individual packet records in this diverse model) Are they even practical within today’s technology capability? Is this scaleable? Is it even useful any more?
- 33. 2017#apricot2017 Making it very hard... The problem we are facing is that we are heading away from a single service architecture in our IP networks Different providers are seeing different pressures and opportunities, and are using different technology solutions in their networks And the longer we sit in this “exhaustion + transitioning” world, the greater the diversity and internal complexity of service networks that will be deployed 33
- 34. 2017#apricot2017 34 Does it ever get easier? Is there light at the end of this tunnel?
- 35. 2017#apricot2017 That was then The material so far refers to the Internet of late 2013 Three years later, has it got any easier? Or has it just got harder? 35
- 36. 2017#apricot2017 Sessions are the Key We assumed that there is a “session” that maps between a service and a client, and this session is visible in some manner to the network The forensic task was to take a partial record of a “session” and identify the other party to the session by using ancilliary information (whois registries, web logs, metadata data sets, etc) But maybe the entire concept of a “session” no longer exists! Do we still use “sessions” in applications? What is changing? 36
- 38. 2017#apricot2017 The new Paranoid Internet Service Architecture The entire concept of open network transactions is now over We are shifting into an environment where user information is deliberately withheld from the network, withheld from the platform and even withheld from other applications We circulate large self-contained applications that attempt to insulate themselves completely from the host platform Application Service Providers see the platform provider as representing a competitive interest in the user, and they want to prevent information leakage from their application to the platform Application Service Providers see other applications as as representing a competitive interest in the user, and they want to prevent information leakage from their application to other applications in the same platform 38
- 40. 2017#apricot2017 40 These technologies are already deployed, and enjoy significant use in today’s network They break down the concept of a “session” and splay the encrypted traffic across multiple networks, and even multiple protocols They use opportunistic encryption to limit third party access to information about users’ actions The result is that only the endpoints see the entirety of a session, while individual networks see disparate fragments of pseudo-sessions
- 43. 2017#apricot2017 Its not just “the IPv6 transition” any more These are not just temporary steps to make IPv4 last longer for the transition to IPv6 Even if we complete the transition to an all-IPv6 Internet, this paranoia, complexity and deliberate obfuscation will not go away This is now the Internet we have to live with 43
- 44. 2017#apricot2017 We are never coming back from here – this is the new “ground state” for the Internet! 44
- 45. 2017#apricot2017 45 Does it ever get easier? Is there light at the end of this tunnel?