back to article IPv6 and 5G will make life hell for spooks and cops say Australia's spooks and cops

The Australian government has fingered the next threat in the country's cryptography vs. policing debate: the IPv6 protocol. The nation's Department of Home Affairs (a super-department created last year to bring immigration, border protection, and security services under a single minister) aired its fears in a submission to …

  1. Mayday
    Big Brother

    Every user?

    "Home Affairs likes it that way, because it can record a one-to-one relationship between the ISP-assigned address and the account-holder's edge router."

    For some reason I don't think every single user has a static IP.

    I would be rather unhappy if Mr and Mrs Nasty plan some devious terror plot and watch bad things then both of us reload our home routers after which I obtain their old IP then the cops come kicking my door in on that basis.

    1. topikutya

      Re: Every user?

      DHCP lease logging doesn't work like that. Leases are time stamped. Your ISP knows who has what IP at any given time.

      1. Mayday

        Re: Every user?

        @ topikutya

        I agree with you and you are correct, but the article seems to imply that IP address is the basis for a search. Perhaps a current IP as opposed to historic? Not really a favourable situation :)

        FWIW - I used to work at a telco which would occasionally get warrants from the AFP to ask who is username x or who used IP address y at a given time as described. DHCP was not in use as the bulk of the customers were DSL which uses PPP/L2TP and fixed IPs (which of course don't need to be logged) for the bulk of other services, but the principal is the same.

      2. Anonymous Coward
        Anonymous Coward

        Re: Every user?

        Re Your ISP knows who has what IP at any given time.

        Fine in theory, but in practice this has failed, why?, the concept of timezones was missed.

        There was a case where people where accused of downloading porn, they lived in the UK, the detection was carried by an organisation in a different timezone.

        There have been other instances involving more scary organisations, and no doubt there will be more.

        1. Anonymous Coward
          Anonymous Coward

          Re: Every user?

          Twilight Zone music..

          Imagine if you will, multiple active directory domains, all with their own idea of where to get time. Mix in some none AD legacy machines where some noob had just clicked through windows setup leaving it set to US time. Then add in a concerted effort to sync these up - by pointing them all to a time server on a network switch which itself was firewalled off from the outside world. Do it slightly different on each AD so as some fail to talk to the switch ntp at all and never check. Finally, refuse to allow downtime for the legacy 24/7 unix machines to install ntp because if it screwed up so bad for windoze then it must be impossible to do it without rebooting unix. Couple this with people logging in remotely and you get a situation where time can indeed go backward and not just on the GMT/BST dates either.

          If only the raspberry pi was a thing back then. There'd be one hidden in a rack somewhere dishing up time properly and all the unix boxes would be pointing to it!

      3. Anonymous Coward
        Anonymous Coward

        Re: Every user?

        It is my understanding that an ISP external IPv4 address - that is visible across the internet - might be shared by many users at the same time. Most/many users don't usually need a reserved IPv4 external address. That's how the IPv4 shortage of addresses has been mitigated for many years.

        The TCP/UDP connections for such users are multiplexed on one external address by user source port number translation. A user's dynamically assigned source port numbers will change quite quickly after they are deemed to have expired. They don't necessarily even have to all be on the ISP's same IPv4 external address.

        1. Steve the Cynic

          Re: Every user?

          @AC on the subject of sharing the external IPv4:

          Yes and no. Most ADSL ISPs will give the "outside" of your router its own public IPv4 address - your household will share this address, but your neighbours ill not. They *might* give it an RFC-1918 private address and then have a bunch of such routers hiding behind a (much smaller) group of public addresses that are imposed by NAT on a large router in the guts of the ISP's network. This is known as "Carrier Grade NAT", and introduces its own collection of weirdness, mostly related to how protocols like SIP can allow direct media connections between households that belong to the same CGNAT router. (There are also secondary weirdnesses in that the individual household is no longer able to freely change its internal RFC-1918 numbering plan, and it is in no way apparent which address range(s) he can use, aside from the default one.)

    2. Gene Cash Silver badge

      Re: Every user?

      > For some reason I don't think every single user has a static IP.

      I don't know how Australia does it, but on this side of the pond, I've had the same IP from Spectrum for over a year. That's not much different from static.

  2. frank ly

    Some encryption, good; ...

    “There's no intention that we have … to undermine legitimate encryption,”

    But anybody who uses 'bad encryption' had better watch out. We'll decide which is which.

    1. topikutya

      Re: Some encryption, good; ...

      The Russians will love these notbackdoors.

    2. Bronek Kozicki

      Re: Some encryption, good; ...

      Seems like a good idea, anyone to prepare new revision of RFC3514 ?

      /s

      I think spooks would be happy to endorse such proposal

      1. Yes Me Silver badge
        Happy

        Re: Some encryption, good; ...

        "new revision of RFC3514"

        That's RFC8136.

  3. Daedalus

    ObPedantry

    "El Reg is certain that our erstwhile commenters will have something to say "

    Erstwhile meaning "former"? mmmmmmmmmnah

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: ObPedantry

        Could be they're hoping this article will draw some of their erstwhile commenters to comment once again.

        The use of the word to mean intermittent is wrong, the antonym of erstwhile is current. But nothing stops a former commenter from commenting once more. Especially with Miss Bee gone and all.

      2. Milton

        Re: ObPedantry

        It can also be used to refer to someone / a group as "sometime" commenters

        No, it cannot. "Erstwhile" means "previously", "formerly", etc; it has no usage which includes "sometime" or "occasionally".

  4. Anonymous Coward
    Anonymous Coward

    Beware the future!

    Ban security and privacy!

    We're all gonna die!!!

    - Oz Gov

    1. GrumpyOldBloke

      Re: Beware the future!

      Don't worry, we can save freedom by destroying it. Just send your tax dollars to the Joseph Stalin memorial super ministry, C/- Canberra.

  5. P. Lee

    5g temporary id tokens vs billing

    I think the “problem” is warrantless slurping.

    Asking for the identification data creates a paper trail- oh such a burden!

    1. Anonymous Coward
      Anonymous Coward

      Re: 5g temporary id tokens vs billing

      but doesn't IPv6 simply create your own personal stream of packets of digitally-signed evidence?, viz the furball of threads emanating from a home - I thought that would be great for the cops & secret-squirrels?

      mac terminal$ netstat -ap tcp

      mac terminal$ sudo lsof -PiTCP -sTCP:LISTEN

      and I thought I had IPv6 off!

      actually the paper-trail business was holding back UK squirrel access to Schengen/Prüm databases for ages, UK allegedly wanted access but didn't want anyone else seeing just who they were looking for!

      according to an article I read in Computer Shopper or Stratfor or somewhere similarly reliable, joy.

  6. JakeMS

    So they want..

    So they want technology to be held back purely for spying reasons? That's insane.

    They complain that the address space is too large, but their forgetting one thing about IPv6: Large address space is one of the main reasons for it's usage, seeing as IPv4 has run out of IP addresses - hence the need for NAT in IPv4 ISPs.

    If we were to hold back to IPv4 it may make it easier for spying, but it'll make it hell for just about everyone else due to the sheer lack of IPv4 address space.

    I wonder if this is more the case they cannot be bothered, or do not have the knowledge to make their network IPv6 friendly? Thus unable to "hack" or "track" remote IPv6-only hosts.

    IPv6 is needed and is here to stay, get used to it Australia.

    Besides, if you need tons of information on people, what they are doing and where they are, you don't need to track their IP address (whether v4 or v6) all you need to do is follow their Facebook and Twitter feeds - these days everyone posts everything they do on them, even when they go to the toilet etc. Plus, this way you'd have a name to stick the data to.

    /end rant

    1. jmch Silver badge
      WTF?

      Re: So they want..

      This sounds bonkers to me. With current NAT, any device connected on the same router looks like it has the same IP on the outside network, therefore police cannot identify an individual from IP address, only a router. They cannot identify a single device, only a set of devices, and possibly not comprehensively.

      With ipv6 they can do a 1-to-1 mapping of IP address to device, which surely is much stronger from the point of view of bureden of proof.

      1. Anonymous Coward
        Anonymous Coward

        Re: So they want..

        "[...] therefore police cannot identify an individual from IP address, only a router"

        The ISP may also be multiplexing several customers' home routers' connections onto one external IPv4 address by dynamic port address translations in the firewall. The multiplexing might also spread a customer's connections dynamically across several of the ISP's external IPv4 addresses.

      2. Steve the Cynic

        Re: So they want..

        With ipv6 they can do a 1-to-1 mapping of IP address to device, which surely is much stronger from the point of view of bureden of proof.

        Unless the Person Of Interest uses temporary IPv6 addresses and/or any number of related wheezes.

        But of course the whole discussion overlooks one important aspect.

        DISCLAIMER: I have dual-stack service at home. My computers all have an RFC 1918 IPv4 assigned locally and hide behind the IPv4 on the "outside" of my router. They *also* have an IPv6 address "computed" by appending a machine-specific portion (EUI-64 normally, but it doesn't have to be) on the back of an ISP-supplied /56 prefix.

        Conclusion: they all have the same public IPv4 address, and they all have the same IPv6 prefix.

        Conclusion to the conclusion: if you're an alphabet soup looking to link together activity by my computers (desktop computer, network protocol analysis computer(1), dedicated video game computer, pocket computer, wrist computer, etc.) in IPv6, just look at the prefix. It's actually *more* linked to me than my public IPv4, since I can't change the prefix by rebooting my router.

        (1) UTM-grade firewall. My company makes them, so I get to use one at home for free. It was amusing(2) to report a bug when it identified the connections to Final Fantasy XIV's gameplay servers as being a particular industrial networking protocol, and then shutting them down because they were, in fact, NOT that protocol.

        (2) Amusing because it's not sold as a home-user product, so MMORPG connections aren't exactly normal for it, but now the automated regression test suite includes an FFXIV connection.

      3. bombastic bob Silver badge
        Devil

        Re: So they want..

        "With ipv6 they can do a 1-to-1 mapping of IP address to device, which surely is much stronger from the point of view of bureden of proof."

        not only that, but an IPv6 user is likely to have an assigned netblock, which "identifies" you. So, in actual fact, it's EASIER to tell who you are, because your netblock won't change.

        As I recall, I've got two /64 blocks assigned to me. that leaves about 2**60 netblocks for everyone else, assuming that we're all assigned netblocks from 2000::/3

        https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml

    2. Roland6 Silver badge

      Re: So they want..

      >IPv6 is needed and is here to stay, get used to it...

      I find it amusing how people are so keen on getting faster Internet connections, so they can do bulk downloads, streaming, etc. etc. yet think that a protocol largely rooted in an Internet with sub-512kbps WAN links, predates the current 'Kaizson' style obsession with security; is fit for tomorrows Internet, where people want to be able to shift multi-GB files around and stream multiple 8K video streams.

      Remember, we were encountering problems with TCP/IP back in the 80's when 'fast' was 30Mbps.

      Personally, I think the lack of takeup of IPv6 gives time to review it's suitability for the modern Internet...

    3. Pen-y-gors

      Re: So they want..

      Restricted address space?

      If they can't handle logging every activity of every IPv6 address, perhaps the spooks should float a new standard, IPv4.5 - like IPv4 but a bit bigger - shove a 5th group at the end, max value 4 - and they could include built in tracking and logging for all packets as part of the standard.

      1. onefang

        Re: So they want..

        "If they can't handle logging every activity of every IPv6 address, perhaps the spooks should float a new standard, IPv4.5 - like IPv4 but a bit bigger - shove a 5th group at the end, max value 4 - and they could include built in tracking and logging for all packets as part of the standard."

        Don't give them new bad ideas, they are entirely capable of coming up with bad ideas of their own. You'll only confuse them.

    4. Withdrawn

      Re: So they want..

      "I wonder if this is more the case they cannot be bothered, or do not have the knowledge to make their network IPv6 friendly? Thus unable to "hack" or "track" remote IPv6-only hosts."

      My first thought was this as well. A not small number of network admins have had a hard time with wrapping their heads around IPv6 as it is....and law enforcement/courts are just getting a solid mastery on IPv4. They will be a decade behind again if they have to start over learning 6.

  7. Anonymous Coward
    Anonymous Coward

    Backdoors don't matter.....

    ....if the bad guys have implemented their own encryption. A dictionary-based scheme can publish anywhere (say for instance on El Reg) and in plain text, and the spooks might have a hard time.

    *

    overstately rewiden aleatoric graylings sergings shisham theologaster full-leather warred Rif famulus gossaniferous prickly-toothed parvenuism dasyproctine gum-gum bottomries colibertus bilobular exindusiate Gallicolae snake-eyed socii Treculia bastinades straked dearie alodialty kojang pseudogentlemanly wonga lactigenous linguistry sweet-scented Altingiaceae menthenol viscerating Frederico

    *

    1. GruntyMcPugh Silver badge

      Re: Backdoors don't matter.....

      Indeed, or use steganography, and hide messages in images on Instagram, FB, etc.

      1. Baldrickk

        Re: Backdoors don't matter.....

        I don't know about Instagram, but on Facebook at least, they re-compress the images (and jpg is lossy). Good luck hiding your message and not having it destroyed.

        But yes, you could use a service that serves up the png you upload to do the job just fine.

      2. bombastic bob Silver badge
        Coat

        Re: Backdoors don't matter.....

        I'll just stick with ROT-13 - it's secure enough for everyone!

    2. Anonymous Coward
      Anonymous Coward

      Re: Backdoors don't matter.....

      overstately rewiden aleatoric graylings sergings shisham theologaster full-leather warred Rif famulus gossaniferous prickly-toothed parvenuism dasyproctine gum-gum bottomries colibertus bilobular exindusiate Gallicolae snake-eyed socii Treculia bastinades straked dearie alodialty kojang pseudogentlemanly wonga lactigenous linguistry sweet-scented Altingiaceae menthenol viscerating Frederico

      Where exactly do you expect to find seven belgian hedgehogs in the middle of winter?

      1. onefang

        Re: Backdoors don't matter.....

        "Where exactly do you expect to find seven belgian hedgehogs in the middle of winter?"

        This is Australia, it's summer, and we call them echidnas. I think your code book is out of date.

        1. Anonymous Coward
          Anonymous Coward

          Re: Backdoors don't matter.....

          This is Australia, it's summer, and we call them echidnas. I think your code book is out of date.

          The Echidna is not related to the bavarian hedgehog, nor does the moonlight penetrate the abode of faerie.

          (I will laugh when they decode this and discover what we're actually blathering about)

      2. Claptrap314 Silver badge
        Trollface

        Re: Backdoors don't matter.....

        Pinky and the Brain, Season 2, Episode 5.

    3. Pen-y-gors

      Re: Backdoors don't matter.....

      gum-gum bottomries colibertus bilobular exindusiate Gallicolae snake-eyed socii Treculia

      Look, I told you last time. I've got a dentist's appointment on the bilobular exindusiate. Could we make it shanvanfocht pocabuile?

  8. hazzamon

    I would have thought...

    ...that the authorities would have an easier time tracking an IPv6 address than a carrier-grade NAT one. At least a /56 subnet will get you as far as a customer's house.

    1. MacroRodent

      Re: I would have thought...

      I wondered about that too. If every device has its own global IPv6 address, it should be easier for the cops argue some particular laptop was used for something naughty. The alleged criminal cannot so easily claim the IP address was actually used by someone else's device, like a neighbour or a "wardriver" who has managed to break in into his WLAN.

      1. Bill Stewart

        Re: IPv6 Address Privacy

        IPV6 Address Privacy has become supported in several popular OS's - instead of using a constant IPv6 address based on the MAC address of the interface or some other constant IP address, computers pick a different address per connection for outbound connections like web browsing. Obviously the /64 for the network segment doesn't change (so your /64, /56, /48, whatever your ISP assigns is more easily trackable than a dynamic IP might be), but the individual computer isn't tracked (which is especially important for portable computers that would otherwise have the same lower 64 bits at the coffee shop or office as they do at home.)

        I don't know if cellphones do this or not, but I assume cellphones generally leak identification all over the place.

  9. dan1980

    Legitimate encryption

    "There's no intention that we have to undermine legitimate encryption . . . "

    This statement implies that there is an intention to "undermine" whatever they consider non-legitimate encryption.

    The only way this makes sense is if we assume that access to strong encryption - encryption not undermined by the government - is being restricted in some way, such that those situations deemed as 'legitimate' uses of encryption are able to run proper, strong encryption, whereas those situations deemed non-legitimate must run encryption that has been 'undermined'.

    So who gets to decide this and how?

    1. handleoclast

      Re: Legitimate encryption

      There's an interesting twist to this. Any claims that backdoored encryption will only be decrypted with a warrant are false. The people proposing it may not realize this is so, but it is.

      Thought experiment. Gov't introduce backdoored encryption and mandate its use for personal communications (things like banks are allowed to use better stuff). Bad guys simply use good encryption which they then super-encrypt with the mandated backdoored encryption. How would the gov't ever know? Only when they get the warrant will they find out that the baddies have thwarted them.

      So if backdoored encryption is ever mandated, it will be routinely decrypted en masse. Which will let the authorities know who is being naughty, and allow them to decide whether to arrest immediately or monitor more closely. Because using good encryption underneath the backdoored encryption will be illegal and carry heavy penalties.

      So, whether or not politicians currently realize the case, whether the legislation introducing it admits it or denies it, backdoored encryption will lead to universal decryption. Everyone and everything,

      On an unrelated note, my sister Jacqueline just adopted three rescue kittens which she has named Mr Poo, Marmalade and Biscuits (because he has ginger nuts, but not for much longer).

      Oh, and anyone tempted to use codes should try to ensure that the messages they produce make some sort of sense. :)

      1. bombastic bob Silver badge
        Devil

        Re: Legitimate encryption

        "Any claims that backdoored encryption will only be decrypted with a warrant are false"

        Here's a much simpler analogy: Gummint wants to have EVERY DOOR LOCK be unlockable with a gummint-mandated skeleton/master key. The Gummint ensures you that THEY will be the only ones with this skeleton/master key.

        OK - how long before someone abuses THAT setup? Either Gummint _OR_ some clever locksmith? That's right, nobody EVER plants evidence or does a "bogus warrant" search for political reasons, right?

        1. Anonymous Coward
          Anonymous Coward

          Re: Legitimate encryption

          It's worth remembering there was a set of TSA approved padlocks which all had a top secret master key, until a researcher managed to remotely copy it.

          1. Anonymous Coward
            Anonymous Coward

            Re: Legitimate encryption

            It's worth remembering there was a set of TSA approved padlocks which all had a top secret master key, until a researcher managed to remotely copy it.

            --------------------------------------------------------------------------------------------------------------------------------------

            You mean the ones with a set of seven master keys, all of which were reproduced hundreds of thousands of times for official purposes....

        2. Withdrawn

          Re: Legitimate encryption

          Seems safe to me... After all, when has a government ever been hacked?

      2. Alistair
        Pint

        Re: Legitimate encryption

        not @ handleoclast.

        Interesting. I hope that Biscuits' nuts get mounted appropriately on the mantle.

        On an unrelated note, my grandfather happened upon a large puddle in the middle of the street the other day that had a pair of rollerskate wheels, unattached, in back with white lettering on them at the bottom. I wonder who fell off their skates?

      3. onefang
        Black Helicopters

        Re: Legitimate encryption

        "Thought experiment. Gov't introduce backdoored encryption and mandate its use for personal communications (things like banks are allowed to use better stuff). Bad guys simply use good encryption which they then super-encrypt with the mandated backdoored encryption. How would the gov't ever know? Only when they get the warrant will they find out that the baddies have thwarted them."

        The problem with that theory is VPNs. VPNs are legitimate use of encryption, especially for business. A previous Oz government has even said that VPNs are a legitimate tool for bypassing geoblocks for consumers to get around the "Aussie tax" overseas companies levy on us coz they can. So you use your VPN to make a HTTPS to some foreign companies ordering web site. The VPN connection starts in your Aussie lounge room, so uses the backdoored Aussie encryption, but the other end is the foreign VPN providers server in the foreign country. You use good HTTPS encryption that is tunneled through the VPN, coz the foreign web site thinks you are a local, and doesn't support backdoored Aussie encryption for it's locals. You are not being naughty, you are following the governments advice, but you get flagged as being naughty.

        Tough luck for overseas visitors using the existing VPN software on their laptop / phone to do business with their office in country of origin.

        "Oh, and anyone tempted to use codes should try to ensure that the messages they produce make some sort of sense. :)"

        coded messages can make purfect sense if then cotes look like typeoz. If you get really clever, you don't even need code books. B-)

  10. Anonymous Coward
    Anonymous Coward

    In IPv6, encryption becomes “easily accessible and transparent to consumers”

    What nonsense. IPv6 has no more security features than IPv4.

    IPv6 designers in their wisdom mandated that IPv6-compliant devices must have IPSEC capability; but without a keying infrastructure (which doesn't exist) it will never be used except for manually-configured tunnels.

    As for IPv6 address space: it's very easy to take the top 64 bits which locates you to an individual network. Plus: as time goes on, a single IPv4 addresses will end up being shared between multiple subscribers, thus making it more difficult to use an IP address to identify a miscreant (there will be more false leads).

    Senior plod never really did understand technology very much.

    1. Chronos
      FAIL

      Someone in the AussiePlod looked at the RFC and saw IPSec mandatory. It was then a leap from mandatory ability to mandatory use in interpretation and they ran with the idea.

      There's a lesson here: Just because you can do something, it doesn't mean you have to. Such as, I dunno, exchanging freedom for the temporary illusion of security, maybe?

      Also, regarding the article's title: Oh dear, what a shame. My heart bleeds. Or it may be ketchup from the sausage and bacon bin lid I just had...

  11. Pascal Monett Silver badge

    Legislation if necessary ?

    Well go ahead and legislate. That'll be just about as useful as existing laws that criminalize gun use for robbing banks. Sure, it's forbidden, but if thieves want to rob a bank, that law is not what is going to stop them from having guns when they go in.

    For encryption it is the same thing. Legislate all you want, if a group of terrorists is intent on striking in your country, a law is not going to stop them from using "illegal" encryption and then what are you going to do ?

    1. Chronos

      Re: Legislation if necessary ?

      They'll be too busy running around like blue-arsed flies trying to stop the storm of MITM hacks on all the financial services when their backdoor keys leak to do anything else.

      1. Withdrawn

        Re: Legislation if necessary ?

        As if they'd care enough to do something about the leaked key...

        1. Blotto Silver badge

          Re: Legislation if necessary ?

          they'd just pass a law making it illegal for those unauthorised to use the key, simple.

  12. Snow Wombat

    no one tell them...

    The easiest way to address this would to be give each Aussie an IPV6 Allocation range, and any devices you own must be registered in your range.

    I am SO happy Boomers are dumb as a box of rocks when it comes to this stuff, because IPV6 could be used to ID every man / woman / child on the planet, for the next 1000 years and still have plenty of space left.

    1. Anonymous Coward
      Anonymous Coward

      Re: no one tell them...

      > The easiest way to address this would to be give each Aussie an IPV6 Allocation range, and any devices you own must be registered in your range

      And watch the Internet routing tables explode as every person's IPv6 range is announced separately.

    2. Anonymous Coward
      Anonymous Coward

      Re: no one tell them...

      I am SO happy Boomers are dumb as a box of rocks when it comes to this stuff, because IPV6 could be used to ID every man / woman / child on the planet, for the next 1000 years and still have plenty of space left.

      ---------------------------------------------------------------------------------------------------------------------------

      Yes, exactly, just like social security numbers are the perfect identifier because no one would use one belonging to someone else, and no one would ever use a fake SSN.

      It is so reassuring to know that post-boomers have such a wonderful grasp on the complexities of the real world.

  13. Anonymous Coward
    Anonymous Coward

    Different how?

    So with IPV6 we are replacing a single NAT IPV4 address, which multiple people could be using with an IPV6 address block, which multiple people could be using.

    Either way, you can't know for certain which person did whatever it is you want to investigate. I would think that IPV6 would be slightly easier. You could probably trawl the logs on the devices using the suspect address range (warrant assumed) to find which device obtained which IPV6 address.

  14. Pen-y-gors

    I am a bear of very little brain.

    I used to (vaguely) understand IPv4.

    I think I need to do a bit of reading up about this mystical IPv6 thingy. Just done an ipconfig on my Win10 lappie (with BT fibre router) and it's reporting 2 IPv6 addresses, plus a dozen 'Temporary IPv6 addresses' (using the prefixes of the first two) plus a link-local IPv6 address. What the heck?

    1. bombastic bob Silver badge
      Devil

      Re: I am a bear of very little brain.

      "Just done an ipconfig on my Win10 lappie"

      <condescension>

      well, if you're using Win-10-nic, IPv6 configuration is too advanced a topic for you. Sorry to disappoint.

      </condescension>

      However, keep in mind one thing: Micro-shaft doesn't know how to properly set up IPv6, either.

      https://www.theregister.co.uk/2017/01/19/windows_10_bug_undercuts_ipv6_rollout/

      So it should come as no surprise that it makes no real sense. I suppose I could 'nuke out' what they're trying to accomplish, with the dozen or so 'temporary addresses', most likely being a general FUBAR in their networking code.

      FreeBSD assigns 3 IPv6 addresses for me: one's a 'link local' fe80: address, one's the static address I assigned in the config file, and a 3rd one is an 'autoconf' address that's based on the MAC address along with the assigned IPv6 prefix. And you certainly don't need a dozen 'temporary' assigned addresses.

      On the same network, NOT statically assigned, a Win 7 box has 4 IPv6 addresses. One appears to be from the DHCPv6 server, another one appears to be 'autoconf' (using the MAC address in the suffix), a third is a link local, and a 4th is a 'temporary' one that looks like it's randomly assigned.

      Anyway, your Win-10-nic box is obviously doing something stupid.

      1. Blotto Silver badge
        Thumb Down

        Re: I am a bear of very little brain.

        as a bolt on privacy consideration an IPv6 address can be assigned per application flow. the reason why your unix like os is only showing 3 addresses in use is because unix is relatively quiet vs windows. If your unix os was as busy as windows it'd have 20 ipv6 addresses too.

        1. Chronos
          Thumb Up

          Re: I am a bear of very little brain.

          IPv6 address can be assigned per application flow. the reason why your unix like os is only showing 3 addresses in use is because unix is relatively quiet vs windows.

          Good point, well made.

          1. onefang

            Re: I am a bear of very little brain.

            Or to put it another way, the temporary IPv6 addresses are indeed temporary. They only last a fixed time, or last a bit longer if they are currently being used by some application for a long lasting connection. More temporary addresses are generated for new connections when the old ones expire. So depending on how busy your applications are at creating new connections, or reusing old connections, you will have some random number of temporary IPv6 address at any given time. Of the two computers I have running currently, one has none, the other has eight.

    2. Chronos

      Re: I am a bear of very little brain.

      Link local: fe80::/64, suffix usually from MAC(octet-octet:octet-ff:fe-octet:octet-octet), used for NDP SLAAC and such.

      Global: Static or local LAN prefix advertised by rtadvd and/or DHCP6. One will have the suffix based on your MAC, same schema as the link local and the other will be an "IPv6 privacy" based address. Which one gets preferred is down to your settings.

      Temporary: $DEITY knows. Could be crap from Teredo, old "privacy" suffix assignments (most likely if they're all the same /64 as your globals) and so on. What MS does in their network stack can be, frankly, baffling although there is a case to be made for answering on old assignments.

      There should also be a local loopback on ::1, which is just 127.0.0.1 in IPv6-speak.

  15. mark l 2 Silver badge

    These days virtually every shop and cafe, even in small towns offers some sort of free WiFi hotspot for its customers. These could easily to be used by people who want to commit criminal acts and keep their activity anonymous and I don't see them calling for bans on free wireless hotspots.

  16. Milton

    Who advises these people??

    Once again we're hearing a securocrat confidently uttering some portentous, fine-sounding stuff with an authoritative and knowledgeable demeanour ... only to discover that he's talking shyte, because the evidence, facts, rationale and logic make no sense whatever.

    Now, ok: we long since stopped expecting much in the way of coherent, informed, detail-level statements from *-crats of any kind, and we know that the silly little empire builders in the security services have as their primary goal the constant addition of staff and budget, so this sort of self-important, manipulative tosh makes a bit of sense—especially if you assume that the speaker doesn't realise how daft s/he sounds. (And of course it's become axiomatic that all modern politicians talk 100% ignorant drivel 100% of the time, so we won't even go there.)

    But who tells them to blether this crap? When you hear the voice of yet another senior jackass mumbling through his trousers about "backdoors", you know that s/he has a cadre of knowledgeable advisers, back at the office, who do understand the details and who cannot possibly believe the pure garbage which The Boss is spouting live on TV. Does no one ever check speeches and review interview topics with them? Does The Boss never say "Read this and strike out anything that sounds illogical or wrong so I don't sound like an idiot in my interview tomorrow on Good Morning Bumville"?

    Pace the real crypto experts who recently invited the securo-empire to name and shame who was giving them (apparently terrible) advice, I ask of the Dept of Home Affairs: Which among your experts consented to making these statements? Why? Have you fired them yet? Have you considered a radical option, to wit: employing people who (a) know what they're talking about and (b) aren't afraid of speaking truth to power? Do you really not grasp that you undermine your authority, and public trust, every time you say something untrue and stupid?

    "Whaddaya mean you deleted the whole speech? You're fired!"

    1. Withdrawn

      Re: Who advises these people??

      Maybe it's not fear. If you were the bofh that worked for these folks, and they treated you like they treat the rest of us, would you tell him he sounds like an idiot? Or would you let him go make a fool of himself publicly, knowing his attitude will co-opt his ignorance and prevent him from ever realizing what an idiot he sounds like?

  17. druck Silver badge
    Go

    Interception

    The problem here is interception: if a session spends some of its time on the 5G network and some of its time on WiFi, what the spooks will snoop might be incomplete.

    Android can already do this with WiFi and 3/4G.

  18. Anonymous Coward
    Anonymous Coward

    Tracking data from mobile devices via IP... what a weird concept Australia.

    Talk to facebook, they recommend your IMEI!

  19. Joe Harrison

    Internal strife

    We tinfoil hat people always imagine that "They" are trying to find ways to snoop on us. In reality there are many competing agencies (who hate each other) who all have their own reasons to get into our stuff. It's not just the hatred, they have many other reasons not to be motivated to share data with each other.

    As in this story, officials regularly complain that their detection ability is being undermined by technology X but what they really mean is that it will defeat themselves as agency Y but it won't be such an obstacle for agency Z (who they hate) and who will thus laugh at them.

  20. Anonymous Coward
    Anonymous Coward

    The problem will come with distributed networks on 5G. imagine you have a base station say at big ben. 100 people connect to that, then others connect to each other , you can have mobiles sending data to each other through the distributed network rather than over the telcoms providers kit.

    At that point tracking mobile phones is akin to a snooker table with thousands of balls being tracked over an extra dimension of time. This is the nightmare scenario for the spooks. You cant gain access to enough points on the network(mobile phones) at one time to track whos sending what. Compared to now where you connect to an ISP who logs where your entering the network.

    Isnt the future beautiful, distributed internet,distributed networks,end to end encryption.

    1. Withdrawn

      "Isnt the future beautiful, distributed internet,distributed networks,end to end encryption."

      They brought that last one on themselves.

  21. onefang
    FAIL

    Our PM has declared that Oz laws outrank maths laws, so it will be very interesting to see them try to legislate that. If they do, not sure if I should place a very large order for pop corn, or move to NZ, or both.

  22. Alistair
    Windows

    This IS IMportTANT!

    \<please note, sarc tag\>

    I iz a Seeeeniour gummint 'fissshial, and have a 'streeemly 'portant ting to say here:

    TERRORRRRRRRRISTS!!! PAEDOS!!!!! RAPE!!!! MURDER!!!!!, encryption BAD!!!! Tech BAD!!!! TERRORRRRRISTS!!!! BAD!!!, please line up here and register that you are a terrrrrrrrorist and a Murderist Raper Paedo!!!!"

    /s

    I've been playing with IPV6 for a while (yes, temp IPs exist and can be created per flow, there are in linux and solaris settings to inhibit per flow, HPUX last I looked (5 years ago) did not have it for IPV6, but to my knowledge it was in the pipe, no idea on AIX at the moment. Windows I can't be arsed to care much, but I'm sure I could figure it out.) By default the idea with IPV6 was to provide sufficient ip addresses to essentially pave the planet. It makes mobility easier, and makes connection management and tracking *far far* easier. Even with "temp" IPs on the prefix block is still going to be your locator to an single path.

    What clueless morons are advising this technically illiterate twat?

    1. onefang

      Re: This IS IMportTANT!

      "By default the idea with IPV6 was to provide sufficient ip addresses to essentially pave the planet."

      My ISP recently informed me that they had assigned to me 4,722,366,482,869,645,213,696 IPv6 addresses. That may be enough for me to pave the planet all by myself, and have a few left over.

  23. Anonymous Coward
    Happy

    Laziness will win out

    Dear Mr Attorney General,

    IVP6 encapsulates the whole of IVP4, all you have to do is encapsulate your IVP4 in a IVP6 wrapper and you can go back to sleep.

    Laziness will win out !

    Watch those encryption nightmares though.

  24. Anonymous Coward
    Anonymous Coward

    ARE YOU SHARING THE SAME IP ADDRESS AS A CRIMINAL?

    EUROPOL thinks differently to the Australian spooks and cops:

    https://www.europol.europa.eu/newsroom/news/are-you-sharing-same-ip-address-criminal-law-enforcement-call-for-end-of-carrier-grade-nat-cgn-to-increase-accountability-online

    They think CGN will reduce accountability, and IPv6 will increase it.

    "Other solutions reviewed were ... the possibility to adopt regulations for the internet industry to ***increase IPv6 deployment.***"

    ===

    Also IPv6 Security isn't mandatory to implement since Dec 2011

    https://tools.ietf.org/html/rfc6434#section-11

    and IPsec has been retrofitted to IPv4 too.

  25. fredbloxx

    but how do they define ' legitimate encryption'?

  26. ocratato
    Stop

    Satellite Networks

    If they are worried about IPv6 and 5G just wait till Musk and others get their LEO satellite networks up.

  27. Anonymous Coward
    Anonymous Coward

    It's cost-shifting, and not understanding the thing they seek to regulate

    The network can only relate connections to a subscriber. In IPv4 the subscriber is allocated a particular IPv4 network. This was a /16 (~65,000 addresses) at the start of the internet and is a /32 (one address) these days. That doesn't change with IPv6 -- the subscriber is allocated a particular IPv6 network. That is currently a /32 for the largest of sites (<4 billion subnets) and a /60 for the smallest of sites (16 subnets, enough to separate a home's laptops, phone, TV and IoT so the home router can have access policies between these).

    The agencies complaint is essentially one of an error in their "systems analysis". They assumed that a subscriber having one address was the way it always was and the way it always would be. Both assumptions are incorrect. Now the agencies are trying to change the world to match their deployed software rather than fixing the errors in their systems which arose from their faulty understanding of the technology. In short, that their interception and monitoring software needs to monitor subnets (of which single addresses are a special case) not only be able to monitor single addresses.

    What's really odd is that the agencies are shooting themselves in the foot. IPv4 only tells the agencies the subscriber home router, as everything behind that is NATed. IPv6 tells the agencies the subscriber home router and allows a device behind that router to be identified. That is, after raiding the house the agencies can quickly determine which device accessed the resource. That's mostly true even of privacy addressing, as the device usually logs the privacy address used.

    The power to make the world match the way you want it to be only appears in two sorts of literature: fantasy and histories of totalitarian states. Neither is a suitable model for agencies' behaviour.

    (Anon, as personal view, not employers)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like