Europol cops lean on phone networks, ISPs to dump CGNAT walls that 'hide' cyber-crooks

Europol has asked cellphone networks and other internet providers to stop using Carrier Grade Network Address Translation (CGNAT) – because it’s making life too difficult for cops trying to track cyber-villains across the web. CGNAT is used by telcos running short of public IPv4 addresses. By deploying CGNAT, a mobile network …

  1. Aitor 1

    Fishing

    So their complaint is that they can't go fishing, and need a court order..

    On top of that their current SW to create thought police databases needs to be improved..

    1. Anonymous Coward

      Re: Fishing

      My thoughts too.

      On top of which if I chat with my mates the police can't systematically record what I say. Intercepting and reading everyone's post has not been implemented in most democracies and most countries don't keep a list of books you take out of the library or indeed buy.

      So, I don't see a need for the police to be able to fish through the equivalent things I do on-line.

      1. Mark 85
        Big Brother

        Re: Fishing

        While I agree with you, I would hope that you (or I) never get drug into a police investigation because they can't follow the true path and end up going after someone innocent which is bound to happen. Yeah, it's a real mess with the cops and TLA's wanting everything (including backdoors for encryption and they can't get it. I just hope innocent bystanders (or users in this case) don't start getting rounded up and put in situations they were involved in.

        1. Kernel

          Re: Fishing

          "While I agree with you, I would hope that you (or I) never get drug dragged into a police investigation because they can't follow the true path and end up going after someone innocent which is bound to happen. "

          FTTFY - I'm not normally a grammar nazi, but the use of 'drug' as a verb is one thing that really grates!

      2. Aodhhan

        Re: Fishing

        No... they can still read what you're chatting to your mates about (using filters). They just have a difficult time locating you and in some courts, providing evidence everything you chatted over multiple days is actually you.

  2. Voland's right hand Silver badge

    Police mandated v6 deployment

    Life just could not get any better...

    The only way the number of mobile devices out there can be supported in a non-CGNAT setting is if they are all v6-ed.

    Looking at the calendar: Friday 13th was last week and we survived (if we do not count 250 quid worth of various things breaking on that day in the house). It is not today.

    1. Ken Hagan Gold badge

      Re: Police mandated v6 deployment

      You omitted to point out that, once they've been v6-ed and are using privacy-protected addresses that change "every so often", plod will find them even harder to track. OK, perhaps that's obvious to most El Reg readers, but just in case it isn't...

  3. Anonymous Coward

    It's a sad state of affairs that I look at an article such as this and my first thoughts are is that it will get abused by the government etc... when in an ideal world I should be thinking sure, if someone has committed a crime and a warrant exists from a court then why not be able to identify them.

    1. This post has been deleted by its author

      1. Anonymous Coward

        > And what's more, it might be that its only purpose is for government abuse, as criminals can just use Orbot on their telephones.

        And non-criminals too. In particular, it was used recently in Catalonia to be able to check voters against the electoral roll and prevent double-voting. It had to be done this way because of the Spanish government attempts to prevent people from exercising a fundamental democratic right, which included DDoS attacks on the servers being used and, reportedly, at times blocking huge chunks of the internet to deny use of the well-known Cloudflare block-busting trick.

        For once, Tor was used for exactly what it was designed for.

    2. ukaudiophile

      I think it's also telling how trust between individuals and the Government has broken down to the point that I, and I'm sure many others, read your post and thought 'If only more people thought like this and were aware of the abuses of power by our Government and European bodies'.

      Wish I could upvote your post more than once.

    3. Ken Hagan Gold badge

      "in an ideal world I should be thinking sure, if someone has committed a crime and a warrant exists from a court then why not be able to identify them."

      Why does your ideal world contain people who commit crimes, or courts to issue warrants against them?

  4. Pen-y-gors

    Hiding activity?

    Shameful. The next thing they'll want to do is ban people from using false number plates on vehicles. (What's that Skippy? They already do? But the crims ignore the ban?)

    But surely that means that only law-abiding people with genuine number plates will be recorded on all the ANPR cameras? That doesn't seem right.

    1. Anonymous Coward Silver badge
      Black Helicopters

      Re: Hiding activity?

      and the crims who didn't think to hide/modify/replace the number plates.

      Basically, target the low-level crims and ignore the bigger issues. Yep, that sounds like a government plan. Also sounds like a big business' plan though. Screw the little guy!

      1. Fruit and Nutcase Silver badge
        Coat

        Re: Hiding activity?

        "Basically, target the low-level crims and ignore the bigger issues. Yep, that sounds like a government plan. Also sounds like a big business' plan though. Screw the little guy!"

        Now, why does that remind me of this other story today. Just change the word "crims" to "incompetence"...

        https://www.theregister.co.uk/2017/10/18/mps_grill_dido_harding_over_suitability_to_chair_nhs_improvement

    2. streaky

      Re: Hiding activity?

      What's that Skippy? They already do? But the crims ignore the ban?

      Pretty readily caught too. Try it yourself, see what happens. No? Exactly.

      1. streaky

        Re: Hiding activity?

        Amusing downvote.

        I do enjoy the idea that the system isn't built to rectify impossible car journeys though, carry on.

  5. Pen-y-gors

    Europol?

    Never mind, it's only Europol, and we'll be leaving in March 2019. So international crims can then run riot, with the full support of HMG.

  6. Doctor Syntax Silver badge

    What would this unique IP address be linked to? The phone number? Unless there's also a record of the IMEI a phone number or anything linked to it doesn't even identify a phone, let alone who's holding it. It identifies a SIM.

    1. Alan Brown Silver badge

      "Unless there's also a record of the IMEI a phone number or anything linked to it doesn't even identify a phone"

      IMEIs can be changed and frequently are, regardless of legality.

    2. Blotto Silver badge
      Big Brother

      @Doctor Syntax

      It identifies an IP, an ISP, an IMEI, a SIM, a subscriber, a location etc. That location can then be used to scour CCTV; the location history can be checked to see where you've been and who with, etc.

      It makes the detective job much easier to join the dots, or link dots that should not be linked depending on your leaning.

  7. naive

    IPv6 is the fail of the century

    For over a decade and a half the whole tech community is dragging its feet to make the transition to IPv6.

    Given the aversion and failure to adopt IPv6, is there really nobody interested in proposing a more acceptable IPv5 which doesn't give users the feeling they lost all control over what is what due to these horrible looking addresses?

    1. Anonymous Coward

      Re: IPv6 is the fail of the century

      Suggesting that an odd-number IP version be adopted does not exactly show an abundance of familiarity with the technology in question.

  8. Primus Secundus Tertius

    v7 needed

    We need an IP v7, bigger than 32-bit but compatible with v4.

    It was a huge mistake by the people who imposed v6 to ignore compatibility issues, i.e. to ignore real users.

    V4 was a work of genius. Everything since then has been B-team at best, student project at worst. How many people have heard of v5?

    1. CheesyTheClown

      Re: v7 needed

      I write this now from a computer which has been IPv6 only (though sometimes upgraded) on a network which has been IPv6 only except the edge for 7 years.

      My service provider delivers IPv6 to my house using 6rd which appends my 32-bit IP address to the end of a 28-bit network prefix they own to allow 4 /64 subnets (IPv6 does not variably subnet past /64) within my home.

      Anyone using my service provider who wants IPv6 can either obtain their IPv6 information via DHCP extensions that provide the prefix and therefore automatically creates the tunnel over their IPv4 network... or they can manually configure it. Of course, you probably need to know IPv6 to do so.

      I use IPv6 exclusively (except for a single HP printer and my front door lock) within my house. By using a DNS64 server, when I resolve an address which lacks an IPv6 destination, the DNS server provides the top 64-bits of my address containing a known prefix (I chose) and the bottom 32-bits contain the IPv4 address I'm trying to reach. The edge device then recognizes the destination prefix and creates a NAT record and replaces the IPv6 header with an IPv4 header to communicate with the destination device. This is called NAT64.

      I run zone based firewalling on a Cisco router which allows me to allow traffic to pass from the inside of my network to the outside freely and establish return paths.

      I have not seen any compatibility issues between IPv4 and IPv6 in the past 7 years. The technology is basically flawless. It's actually plug-and-play in many cases as well.

      Is it possible you're claiming there is a compatibility issue between the two protocols because you don't know how to use them?

      BTW... I first started using IPv6 when Microsoft Research released the source code for IPv6 on Windows NT 4.0. I've had it running more or less ever since. At this time, over 85% of all my traffic is 100% IPv6 from work and home. Over 95% of all my traffic is encrypted using both IPv6 IPSEC end-to-end and 802.1ae LinkSec/MACSEC between layer-2 devices.

      There has been one single problem with IPv6 which is still not resolved and I'm forced in my DNS64 gateway to force IPv4 instead of IPv6. That is because Facebook has DNS AAAA records for some of their servers which no longer exist.

      As for technical complexity... I believe a drunken monkey can set this up with little effort.

      But I guess you think it's worth a nearly $1 trillion investment to drop IPv6 in favor of something new.

      Yes... it would cost at least $1 trillion to use something other than IPv4 and IPv6. Routers and servers can be changed to a different protocol using nothing but software. But switches and service provider routers which implement their protocols in hardware would require new chips. Since we don't replace chips, it would require replacing all Layer-3 switches and all carrier grade routers worldwide to change protocols.

      Consider a small Tier-1 service provider such as Telia-Sonera that runs about 250 Cisco 9222 routers for their backbone with 400Gb/s-1Tb/s links between them. The average cost of a router on this scale is about $2.5 million. So, to change protocols on just their routers would cost $625 million in just core hardware. It would cost them approximately $2 billion just to handle their stuff.

      Now consider someone like the US Transport Security Agency which has 1.2 million users in their Active Directory (employees, consultants, etc...). Now consider the number of locations where they are present and the network to run it. Altogether about 4 million network ports... all Layer-3. At an average cost of $200 per network port... that would be $800 million just to change the network ports on their network. Then consider that's just the access ports and distribution and core would need to be changed too. That would place the expense up to at least $5 billion.

      Those were just two examples. $1 trillion wouldn't even get the project started.

      Now consider the amount of time it would take. Even if you had a "compatible system" and honestly... I have no idea what that means. IPv6 is 100% compatible with IPv4... but I suppose you know something I don't. But let's say there was a "compatible system" by your standards. It would take 20+ years and trillions of dollars to deploy it.

      Of course, if all we care about is addressing... and it really isn't, then IPv4 is good enough and we can just use CGNAT which is expensive but really perfectly good. Thanks to CGNAT and firewall traversal mechanisms like STUN, TURN, ICE and others, there's absolutely no reason we need to make the change. Consider that China as an entire country is 100% NATed and it works fine.

      So... recommended reading. 6RD and NAT64/DNS64

      Then instead of saying really really really silly things about IPv6 lacking compatibility with IPv4 or that IPv6 is B-team... you can be part of the solution. The "B-team" as you call it did in fact pay close attention to real users. They first built the IPv6 infrastructure and they also solved the transition mechanism problems to get real users online without any problems. It took a long time, but it's been solid and stable since IPv6 went officially live on June 6th 2012.

      1. Joe Harrison

        Re: v7 needed

        As for technical complexity... I believe a drunken monkey can set this up with little effort.

        I always assumed that the reason for IPv6 having so little adoption was that the perceived benefits did not justify the necessarily huge learning curve. If what you say is true then there must be some other reason that nobody bothers with it. Perhaps it's a bag of spanners destined to fail hard once it moves from geek's garage to live production work...

        1. Ken Hagan Gold badge

          Re: v7 needed

          "If what you say is true then there must be some other reason that nobody bothers with it."

          There is another reason. In Western Europe and North America there was, until recently, no problem with only offering IPv4, so ISPs did that, so home users didn't have a choice, so equipment vendors had no incentive to switch on the capability in their device stacks (despite it basically being there for free), so anybody who even started to try the new tech quickly ran into the near-brick-wall that no-one else was running it apart from a few geeks.

          I believe that in the Far East, the IPv4 address space was so puny that the economic arguments went the other way and, there being no technical problem with IPv6, there are parts of that region with near-universal IPv6 adoption. Of course, they tend not to contribute to English-speaking forums so we rarely ever hear from them.

  9. mark l 2 Silver badge

    Interpol must hate the thought that in the UK you can buy a contract-free pay-as-you-go SIM with no need to provide any credit card details or ID and top up the phone with cash at 1000s of corner shops, so if you're a criminal looking to remain anonymous it's much easier here even without CGNAT. Unless of course they are morons and use the phone to call their mum or access their personal bank accounts etc.

    1. Lysenko

      Unless of course they are morons and use the phone to call their mum or access their personal bank accounts etc.

      99% of law enforcement consists of detecting and apprehending morons. Any crim with reasonable OpSec awareness isn't going to be even slightly inconvenienced by this because they'll already be obeying the golden rule of assuming that all communication mechanisms are compromised/hostile.

      1. NonSSL-Login
        Trollface

        Social crimes

        Knowing our plod they are more interested in making their stats look good for catching someone who said something deemed naughty or hurtful on Facebook or twitter, rather than catching real criminals. With kids using just phones for internet a lot of the time now, the police are scared they might have to go after real criminals unless the carrier grade NAT issue is sorted.

        1. rmason

          Re: Social crimes

          You're most likely correct.

          I can't find the article but I remember reading recently some chief-plod somewhere or other saying that, basically, "our Shaz saw on facebook that bitch Kayleigh-Mai calling our Jayden a paedo" and the like constituted a massive percentage of total calls made.

          Social media complaints, online bullying and harassment etc took up (IIRC) approx 50% of the total "999" calls being made.

          *still searching for link but I've not found it yet, suspect it was in a local rag*

          *edit - seems it was 2014 that 50% of calls passed to front line staff were related to social media. I imagine that's still the same if not higher now.

          http://www.bbc.co.uk/news/uk-27949674

      2. Anonymous Coward

        > 99% of law enforcement consists of detecting and apprehending morons.

        Which looks fabulous in their stats and reports, mind.

      3. Charles 9

        "...assuming that all communication mechanisms are compromised/hostile."

        Including word of mouth? Then how do they communicate at all given they must assume all methods of communication are not only hostile but capable of being intercepted and decoded (not even one time pads are immune as plods can intercept the pads before they're used)?

        1. Lysenko

          Including word of mouth? Then how do they communicate at all given they must assume all methods of communication are not only hostile but capable of being intercepted and decoded (not even one time pads are immune as plods can intercept the pads before they're used)?

          You assume that any communication mechanism might be intercepted, which includes the arrest of messengers. Encryption is flawed on its own because even one time pads are susceptible to RIPA attacks so you need to conceal the communication end points and/or employ some form of steganography.

          This isn't a new concept. Agatha Christie crims were aware of this and posted messages using plausibly deniable language in newspaper classified columns. The same technique works perfectly well with CraigsList or USENET or (ElReg comments). If you need to send specific instructions that can't be reduced to deniable language then you encrypt and steganographically encode it.

          Secure criminal comms isn't so much a matter of strong encryption as evasion of detection and plausible deniability of intended recipient and content. A direct PGP email or WhatsApp message is vulnerable to RIPA so cryptographic strength isn't helpful. Encode the same message in the high order bits of a photo posted to alt.fan.cats and it is impossible to prove that the message even exists, and even if you do, it is impossible to prove who the intended recipient is, thus neutering RIPA. To cite Agatha again: "When no-one suspects you, murder is easy".

          1. Charles 9

            "Encode the same message in the high order bits of a photo posted to alt.fan.cats and it is impossible to prove that the message even exists, and even if you do, it is impossible to prove who the intended recipient is, thus neutering RIPA. To cite Agatha again: "When no-one suspects you, murder is easy"."

            OK, then how do you get it past a media mangler or have to post it in a medium where you can't be sure the message will get through intact and in its original form? Plus there's the matter of establishing your code system in the first place: the First Contact problem. I haven't seen a system that can reliably work on zero contact.

            1. Lysenko

              OK, then how do you get it past a media mangler or have to post it in a medium where you can't be sure the message will get through intact and in its original form?

              You use a platform that doesn't screw around with graphics files (i.e. not FarceBorg). Usenet is ideal, but there are dozens of blogs and forums out there that will do just as well. Github, for example.

              First Contact problem. I haven't seen a system that can reliably work on zero contact

              You're right. You need to secure the (conceptual) key exchange differently, eliminating as many points of interception as possible. Ideally that exchange will have taken place months or years before you engage in anything nefarious using the agreed channel, so by the time it is detected (if ever) it will be far too late to try and compromise it.

  10. JakeMS

    Conflicted...

    For years I've been against CGNAT and wanted static IP addresses from broadband suppliers, to the extent that it's a requirement when picking a provider. I considered this critical for ensuring proper and secure firewall rules (only allow connection from X IP etc).

    However, after reading this article I'm feeling like I want to be in favour of it just to annoy Mr. Spy and make it harder for them.

    I'm so conflicted.

  11. Alan Brown Silver badge

    CGNAT is a clusterfuck

    But this has to be one of the more surprising objections to it.

    1. Pen-y-gors

      Re: CGNAT is a clusterfuck

      We should never be surprised when TPTB use 'because trrrsts' and 'think of the children' as objections to anything.

  12. John Smith 19 Gold badge
    Gimp

    " a serious online capability gap in law enforcement " What he really means....

    "I want an evidence free way to go on fishing trips, rather than have to develop suspicion, conduct an investigation and get a warrant so I can approach the ISP formally."

    Shocking news. Police work is (and should only ever be) easy in a police state.

    I'm quite sure there are ex members of the STASI who are thinking "Himmel. If we had this sort of tech in the GDR we'd still have a GDR"

  13. imanidiot Silver badge

    Thank god for IPv4 shortages then

    From what I understand of the issue (admittedly not much) there's not much chance of ISPs dropping CGNAT for IPv4 address space, since none of them have enough addresses to run their network otherwise. So tough luck for the coppers, they'll have to actually do their job the right/hard way.

  14. Mike Ozanne

    From where do LEO's get this never-ending supply of clueless thunderc*nts?

    1. Mark 85

      From where do LEO's get this never-ending supply of clueless thunderc*nts?

      The pool is filled with those who wanted to be politicians....?

  15. scrubber

    VPN

    My phone only ever connects to a single IP address. How you gonna track me, euro-fuzz?

    1. Charles 9

      Re: VPN

      Server-side drive-by attack. Once they nab the endpoint, they can follow you no matter which network you use. Server-side attacks have been the traditional way to penetrate NATs since the client establishes the connection him/herself for the attack to exploit.

      1. scrubber

        Re: VPN

        Hang on, I use my mobile to connect to my home computer which is permanently connected to my aws instance running a VPN which then connects to an azure server running tor... and they can still get me for ordering a hit on my annoying neighbour?

        1. Charles 9

          Re: VPN

          Yup, because ultimately it has to get to your mobile for it to be seen, and that's when you're vulnerable. Even a remote desktop protocol can have pwnage potential in it.

  16. Kevin McMurtrie Silver badge
    Trollface

    IPv6 side effects may include...

    o Increased peer-to-peer communications

    o Sudden loss of traffic routed through monitored servers

    o Big chunks of IP addresses being random bits

    o Obsolete government exploits and rootkits

  17. Anonymous Coward

    Even if you did move mobile devices to IPv6 (I think we can discount a move to IPv4 addresses as there aren't enough of them), that's still not going to give Mr Plod what he wants. Most internet traffic is still IPv4 and the number of sites using IPv6 is still limited, hence most traffic would either need dual stack on the phone and still be via IPv4 CGNAT, or go through whatever solution the ISP chooses for IPv6 to IPv4 (most likely NAT64), which would still result in a limited number of IPv4 addresses being used for thousands of clients.

  18. ecofeco Silver badge

    I... WTF?!

    So they want an insecure network to make it easier to track crims?

    How about we also take the locks off our doors to make it easier to catch burglars?

    GAH!

  19. Anonymous Coward
    Big Brother

    The non-attribution of malicious groups and individuals

    Wouldn't it be more productive to go after the money launderers, like the 1.6 billion dollars that was funnelled through Estonia recently?

    "the non-attribution of malicious groups and individuals, should be resolved."

    That's code for going after anyone who criticises the unholy alliance between the global corporatocracy and the state security apparatus, what's the word for that, it's on the tip of the tongue.

  20. Anonymous Coward

    There's no incentive for IPv6 in the west

    We have enough IPv4 addresses, and non-CG NAT leaves plenty of room for expansion as people's homes get more and more IP devices. NAT has some obvious disadvantages, but we've long since worked through them so there's no real benefit to going to IPv6 for the average person.

    I could enable IPv6 on my router and PC, but why should I? Is it faster? No. Is it more secure? No. Is it more compatible? No, I'm actually more likely to experience issues in IPv6 than the decades old and well tested IPv4.

    I get why Asia and Africa are moving to it, they don't have a choice because we hogged all the IPv4 addresses. That's done and there is a solution for them in the form of IPv6. If I was left with no choice I'd go IPv6, but since I do have a choice why should I and the rest of the US and Europe bother? How would it benefit me, or the internet in general to do so?

    1. Fazal Majid

      Re: There's no incentive for IPv6 in the west

      Not so. Large service providers have to get IPv4 addresses on the black market nowadays, at around $10/IP. Microsoft bought Nortel's /8 at its bankruptcy auction, and Amazon bought big chunks of MIT's /8 for AWS.

      1. Anonymous Coward

        Re: There's no incentive for IPv6 in the west

        Amazon came along too late, they missed the halcyon days when a /8 would have been theirs for the asking. Figures that Microsoft would ignore the internet for long enough they'd need to buy a /8 instead of grabbing one for free back in the 80s like companies with more foresight such as Apple and HP!

        The fact that they're able to get addresses they need from those who don't need/use what they have shows that IPv4 has sufficient capacity in the west. So they cost $10/IP, big deal. It isn't as though Microsoft and Amazon have trouble affording that. If the price gets high enough ($100/IP? $1000/IP? I don't know what "high enough" is exactly) then they'll start pushing IPv6. How to push IPv6? AWS and other hosting services could offer cheaper hosting for servers accessible via IPv6 only, for example. If stuff I want is only accessible via IPv6 then that would incentivize me and other end users to want to use IPv6, and ISPs to provide "full" IPv6 connectivity instead of 6to4 and the like.

  21. Anonymous Coward

    "loads of people on their phones are behind a small brick wall of IPs"

    Kill them all and let God sort them out.

    Oh, can't use that - only the Pope can ;)

    1. scrubber

      Re: "loads of people on their phones are behind a small brick wall of IPs"

      God has already sorted us. We're just too dumb to have noticed. #TheGoodPlace

  22. Christian Berger

    I call Bullshit on this

    ISPs probably already log their NAT tables, even cheap "hot spot" routers can do that easily. The enforcement companies probably just don't yet submit the ports to information requests.

    Of course there are the people who want to see the Internet as a glorious Facebook delivery network. Those are happy with CGNAT. However that's not what the Internet is. The Internet is a peer to peer network with no participants playing a special role. It's just that home NAT and bad home operating systems have killed the peer to peer idea for most people. They see the Internet as something dangerous. Any "snakeoil in a box" solution will be evaluated based on how many alerts it presents to you. Don't run your own webserver to share your pictures, use Facebook instead, then you'll be all safe and warm behind your double or triple NAT which logs all your connections.

    However with ubiquitous surveillance, maybe we should consider getting alternatives to the Internet, meanwhile IPv6 will at least save us from the marketers who evaluate every bit we send the Facebooks and Googles of the world, since we can easily build ways around them.
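The NAT-table logging point above, as an added worked example (not from the post, and not any ISP's tooling): a small Python lookup over a constructed CGNAT port-block allocation log. It shows why an information request that carries only a public IP and a timestamp cannot narrow a CGNAT address down to one subscriber, while one that also carries the source port can, and why timestamp precision matters when freed port blocks are reallocated within seconds. The log format is hypothetical; the subscriber addresses come from the RFC 6598 shared space (100.64.0.0/10) and the public address from a documentation range, all constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log in a hypothetical port-block format: the CGNAT hands each
# subscriber a block of source ports on a shared public address and records when
# the block is allocated and freed. Note the reuse of ports 1024-2047 30 s after
# they are freed.
SAMPLE_LOG = """\
2017-10-18T09:00:00Z ALLOC inside=100.64.0.12 outside=203.0.113.7 ports=1024-2047
2017-10-18T09:00:05Z ALLOC inside=100.64.0.33 outside=203.0.113.7 ports=2048-3071
2017-10-18T09:10:00Z FREE inside=100.64.0.12 outside=203.0.113.7 ports=1024-2047
2017-10-18T09:10:30Z ALLOC inside=100.64.1.9 outside=203.0.113.7 ports=1024-2047
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<op>ALLOC|FREE) inside=(?P<inside>\S+) "
    r"outside=(?P<outside>\S+) ports=(?P<lo>\d+)-(?P<hi>\d+)$"
)


@dataclass
class Binding:
    inside: str
    outside: str
    port_lo: int
    port_hi: int
    start: datetime
    end: Optional[datetime] = None   # None: still allocated at end of log


def parse_ts(s):
    """All timestamps are forced to UTC; a request in local time with no zone
    is a classic way to identify the wrong subscriber."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """Pair each ALLOC with its matching FREE to build closed intervals."""
    bindings, open_blocks = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key = (m["inside"], m["outside"], int(m["lo"]), int(m["hi"]))
        ts = parse_ts(m["ts"])
        if m["op"] == "ALLOC":
            b = Binding(*key, start=ts)
            bindings.append(b)
            open_blocks[key] = b
        else:
            b = open_blocks.pop(key, None)
            if b is None:
                raise ValueError(f"FREE without ALLOC: {line!r}")
            b.end = ts
    return bindings


def active_at(b, ts):
    return b.start <= ts and (b.end is None or ts < b.end)


def candidates(bindings, public_ip, ts):
    """A request carrying only public IP + time: every subscriber sharing that
    address at that moment is a candidate, so the answer is a list, not a name."""
    return sorted({b.inside for b in bindings
                   if b.outside == public_ip and active_at(b, ts)})


def lookup(bindings, public_ip, port, ts):
    """The full tuple (public IP, source port, time) resolves to one subscriber,
    or None when the port was between allocations at that instant."""
    hits = [b.inside for b in bindings
            if b.outside == public_ip and b.port_lo <= port <= b.port_hi
            and active_at(b, ts)]
    if len(hits) > 1:
        raise ValueError("overlapping bindings: the log is inconsistent")
    return hits[0] if hits else None


if __name__ == "__main__":
    B = parse_log(SAMPLE_LOG)
    when = parse_ts("2017-10-18T09:05:00Z")
    print("IP+time only  :", candidates(B, "203.0.113.7", when))
    print("IP+port+time  :", lookup(B, "203.0.113.7", 1500, when))
    print("freed window  :", lookup(B, "203.0.113.7", 1500, parse_ts("2017-10-18T09:10:15Z")))
```

The design point is that the port is what turns a shared public address back into a single subscriber; a request form that has no field for it, or a log that records only the public address, leaves the provider with a candidate list. The second failure mode, port reuse after release, is why the log timestamps and the request timestamp must share a clock and a time zone.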

  23. Aodhhan

    What's really needed

    is for law enforcement to get off their azz, and get out there and do real investigative work.

    Knock on doors and a few heads to collect what is needed.

    Silly millennials have been so spoiled and pandered they don't want to get out there and do actual police work. They've grown up having conversations via text messaging instead of learning how to talk face-to-face and build this type of trust and relationships with contacts and informants.

    Too much tax payer money is spent on electronic surveillance and not enough on training officers to do in-depth investigations away from a keyboard.

    1. Charles 9

      Re: What's really needed

      "Knock on doors and a few heads to collect what is needed."

      But what happens when those heads belong to and reside in hostile sovereign powers? Electronic communications have made international communications much easier: including to and from hostile powers, which makes investigations more difficult since sovereignty gets in the way.

  24. AbeChen

    Let's Go to the Basics

    Instead of beating around the manifestations, we should look at the root-cause of a subject. Basically, cyber security issues started with no definitive association between an IP address and the responsible party. (Just think about why the emergency locator services such as the "US 911 System" can find a telephone caller within minutes or sometimes even faster.) This problem started with IPv4 because it did not have enough addresses. However, IPv6 continues the same practice, even with more than enough addresses to assign.

    A few years ago, we accidentally ventured into the study of the IPv4 address exhaustion myth. We now have come up with a proposal called EzIP (phonetic for Easy IPv4) to IETF. EzIP utilizes the original IPv4 standard RFC791 and the long-reserved yet hardly-used 240/4 address block to expand the assignable public address pool by 256M (Million) fold:

    https://tools.ietf.org/html/draft-chen-ati-adaptive-ipv4-address-space-03

    The EzIP approach will not only resolve IPv4 address shortage issues, but also largely mitigate the root cause to cyber security vulnerabilities, plus open up new possibilities for the Internet, all within the confines of the IPv4 domain. A degenerated form of the EzIP may even be deployed "stealthily" for an isolated area where needed, forming a "sub-Internet". This enables any country to start offering a new Internet service based on one of the IPv4 public addresses already assigned to that country, so that citizens will have the opportunity to compare and choose.

    These should address the underlying main issue of the Internet. That is, with EzIP, it is possible to establish the GeoLocation capability in the Internet that came so natural to the PSTN (Public Switched Telephone Network). Of course, someone may raise the privacy concerns against this approach. However, one must understand the trade-offs when picking a non-conventional and not fully tested approach and then wonder what is going on. If most of the Internet users are identifiable, we can insist that the government only focus on the very small group of perpetrators. When there is no way to tell the difference, the law enforcement must spread their efforts thin to monitor all traffic to spot the abnormality which means the "privacy" goal is gone anyway!

    In a nutshell, the EzIP approach provides a very similar functionality as CGNAT at the daily operation level, but with a fundamental difference. The CGNAT provides soft temporary port numbers to get an Internet session set up. EzIP assigns hard permanent IP addresses to each premises / IoT following the old-fashioned communications system philosophy and conventions.

    Thoughts and comments will be much appreciated.

    Abe (2018-08-15 12:13)

  25. AbeChen

    Making Use of IPv4 240/4 Netblock

    Dear Colleagues:

    0) Here are two pieces of updated information to share:

    1) The following is a discussion thread on the "state of IPv6". The findings are quite surprising.

    http://www.circleid.com/posts/20190529_digging_into_ipv6_traffic_to_google_is_28_percent_deployment_limit/

    2) Then, you may like to have a look at the feasibility demonstration report below about our proposed architecture eliminating CG-NAT for expanding IPv4 address pool, addressing ITU's CIR proposal, etc.:

    https://www.avinta.com/phoenix-1/home/RegionalAreaNetworkArchitecture.pdf

    These should provide some material for furthering the dialog.

    Abe (2020-08-30 16:51 EDT)
