In the modern era of communications, a healthy tension exists between key stakeholders: Governments, who set policy and legislation; the Communications Service Providers (CSPs), who are required to comply with that legislation; and the Law Enforcement Agencies (LEAs), who rely upon technical capabilities to protect nations and their citizens from physical and cyber threats.
One perennial challenge is the dynamic nature of public IP address allocation, and the difficulty of attributing communications to individuals when CSPs employ translation techniques such as Network Address Translation (NAT) in their networks. This matters primarily for Retained Data and Lawful Disclosure, where CSPs have a regulatory obligation to give law enforcement access to metadata about service usage, specifically to help LEAs gather information on 'Subjects of Interest' (SoI), such as their activities, contacts and locations, in order to combat serious crime and protect national security.
Putting IP address retention (IPAR) into practice
There are several reasons why IP address retention and traceability are difficult to implement. The primary one is that when a CSP deploys Carrier Grade NAT (CGNAT), many subscribers share each public IPv4 address, and public addresses and source ports are assigned to a subscriber's flows dynamically, for very short periods, from whatever happens to be free in the configured pool at that moment. A public IP address on its own therefore identifies a group of subscribers rather than an individual: attribution needs the public IP, the source port and an accurate timestamp, and for some NAT modes the destination address and port as well.
To build a complete picture of who was using a specific public IP address and source port at a given moment, multiple data sources, typically Authentication, Authorisation and Accounting (AAA) records and NAT logs, must be joined: the NAT log maps the public address and port back to a private address, and the AAA record maps that private address to a subscriber for the session in question. Both joins are time-bounded, so timestamps from the different sources must be in a common time reference (UTC) and accurate to the granularity at which ports are reused. What's more, generating, capturing and processing the very large volumes of CGNAT data involved is storage and compute intensive.
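The following is an added, runnable illustration of the two-step join just described; it is not code from this page or from any CSP or vendor product. The record fields, the RFC 6598 shared-space private addresses and the RFC 5737 documentation public addresses are all assumptions chosen for the example, and the NAT and AAA logs are constructed sample data. It shows why the query must carry a timestamp: the same public IP and port are handed to different subscribers within minutes, and a private address is itself reused by a second subscriber later in the day.

```python
"""Attribute a public IP address, source port and time back to a subscriber
by joining NAT and AAA records.

All records here are constructed sample data; the field names are assumptions
for this example, not any vendor's log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List


@dataclass(frozen=True)
class NatMapping:
    private_ip: str
    public_ip: str
    port_lo: int      # first public port of the allocation
    port_hi: int      # last public port (== port_lo for a single-port mapping)
    start: datetime   # mapping valid in the half-open interval [start, end)
    end: datetime


@dataclass(frozen=True)
class AaaSession:
    subscriber_id: str
    private_ip: str
    start: datetime   # session valid in [start, end)
    end: datetime


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as UTC. Retained records must share one
    time reference, otherwise the joins below silently shift by the offset."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed NAT log: port 40000 on 203.0.113.10 is handed out three times,
# to two different private addresses, within an hour.
NAT_LOG = [
    NatMapping("100.64.0.5", "203.0.113.10", 40000, 40000, utc("2024-05-01 12:00:00"), utc("2024-05-01 12:00:45")),
    NatMapping("100.64.0.9", "203.0.113.10", 40000, 40000, utc("2024-05-01 12:01:00"), utc("2024-05-01 12:02:00")),
    NatMapping("100.64.0.5", "203.0.113.10", 40000, 40000, utc("2024-05-01 12:40:00"), utc("2024-05-01 12:41:00")),
    # Port-block allocation: one record covers 512 ports for a whole session.
    NatMapping("100.64.1.20", "203.0.113.10", 50000, 50511, utc("2024-05-01 11:00:00"), utc("2024-05-01 13:00:00")),
]

# Constructed AAA log: private address 100.64.0.5 is reused by a second
# subscriber later in the day, so the AAA join must be time-bounded too.
AAA_LOG = [
    AaaSession("sub-A", "100.64.0.5", utc("2024-05-01 11:50:00"), utc("2024-05-01 12:30:00")),
    AaaSession("sub-B", "100.64.0.9", utc("2024-05-01 11:58:00"), utc("2024-05-01 12:40:00")),
    AaaSession("sub-C", "100.64.1.20", utc("2024-05-01 10:00:00"), utc("2024-05-01 14:00:00")),
    AaaSession("sub-D", "100.64.0.5", utc("2024-05-01 12:35:00"), utc("2024-05-01 13:30:00")),
]


def attribute(public_ip: str, port: int, when: datetime,
              nat_log=NAT_LOG, aaa_log=AAA_LOG) -> List[str]:
    """Return the subscriber IDs that could have sent traffic from
    public_ip:port at time `when`.

    An empty list means no retained record covers the query. More than one
    entry means the records are ambiguous (overlapping intervals or coarse
    timestamps) and the disclosure must say so rather than pick one.
    """
    if when.tzinfo is None:
        raise ValueError("query time must be timezone-aware (compare in UTC)")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    pub = ip_address(public_ip)
    private_ips = {
        m.private_ip for m in nat_log
        if ip_address(m.public_ip) == pub
        and m.port_lo <= port <= m.port_hi
        and m.start <= when < m.end
    }
    return sorted({
        s.subscriber_id for s in aaa_log
        if s.private_ip in private_ips and s.start <= when < s.end
    })


if __name__ == "__main__":
    for q in ("12:00:10", "12:00:50", "12:01:05", "12:40:30"):
        print("40000 @", q, attribute("203.0.113.10", 40000, utc("2024-05-01 " + q)))
    print("50100 @ 12:30:00", attribute("203.0.113.10", 50100, utc("2024-05-01 12:30:00")))
```

Half-open intervals are deliberate: a query falling exactly on a mapping's end time matches the next holder of the port, not the previous one, so a disclosure never claims two subscribers for one instant unless the retained records genuinely overlap. Returning a list rather than a single ID keeps that ambiguity visible to the analyst.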
This raises the question of why CSPs continue to deploy CGNAT, especially given that IPv6 provides more than enough unique addresses for every internet-connected device to have one statically assigned.
Several factors drive the continued use of CGNAT, the key ones being both security and technical in nature. From a security perspective, CGNAT conceals details of the internal network, such as subscribers' IP addresses, so that individuals cannot easily be tracked from outside. It is worth being precise that this is obscurity rather than access control: a CGNAT does not remove the need for a stateful firewall on the subscriber side.
In an IPv4 environment, CGNAT lets many subscribers share one public address, enabling CSPs to extract more value from the limited range of internet-facing IPv4 addresses they hold. It also supports translation between IPv6 and IPv4 (NAT64), which is required for subscribers on IPv6-only access to reach internet services that do not yet support IPv6.
So network address translation delivers considerable value for CSPs. At the same time, it undermines IP address attribution when observed from outside the CSP's network, i.e. through the lens of a law enforcement agency. To complicate matters, there are several different types of NAT and CGNAT technology, deployed to meet different business requirements, and they allocate IP addresses and ports in different ways (for example, a port per flow versus a contiguous block of ports per subscriber), which changes what has to be logged and how a record must be queried.
This variety of approaches and implementations complicates matters for both CSPs and LEAs, making it all the more important to clearly define how the records of IP address and port allocation held within a CSP's network are accessed, sorted and queried.
Accurate data collection
There are two primary methods of data acquisition, which apply to both AAA and CGNAT logs: active and passive. Active acquisition requires close integration with network functions: data is taken directly from the network devices that provide access and translation for user sessions. The CGNAT device typically exports it either as a continuous event stream (for example syslog or IPFIX/NetFlow NAT event records) or as batched log files. This simplifies acquisition, but logging every translation consumes CPU, memory and export bandwidth on the CGNAT equipment itself and can, under load, degrade customer services.
Passive acquisition, in contrast, needs no network-function integration: data is obtained by passively monitoring the network links on either side of the CGNAT (a tap or mirror port). This removes the risk of service impact but introduces complexity around data accuracy. A passive solution captures all traffic entering and leaving the CGNAT device and then correlates each packet seen on the subscriber-facing link with the same packet seen on the internet-facing link, using the fields the NAT leaves unchanged, in order to reconstruct the translation for each session. Packet loss or ambiguity in that matching produces gaps or errors that an active log would not have.
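As an added illustration of the passive approach (not code from this page or from any product), the following Python reconstructs NAT44 translations from packets captured on both sides of the CGNAT. It assumes, and this is an assumption rather than something the page states, that the device rewrites only the source address and port, so protocol, destination address and port, IPv4 Identification and TCP sequence number survive translation and can serve as the join key. All packets are constructed; the addresses are from RFC 6598 and RFC 5737.

```python
"""Correlate inside (subscriber-facing) and outside (internet-facing) captures
of the same packets to recover CGNAT mappings passively.

Assumption for this example: a NAT44 rewrites only source IP and port, so the
fields in invariants() are unchanged. Packets below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    t: float                       # capture timestamp, seconds
    side: str                      # "inside" or "outside"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ip_id: int                     # IPv4 Identification field
    tcp_seq: Optional[int] = None  # None for UDP


def invariants(p: Pkt) -> Tuple:
    """Fields a source-NAT leaves untouched; used as the join key."""
    return (p.proto, p.dst_ip, p.dst_port, p.ip_id, p.tcp_seq)


def correlate(packets: List[Pkt], window: float = 0.010):
    """Match each inside packet to the outside packet captured within
    `window` seconds after it. Returns (mappings, ambiguous):
      mappings: (private_ip, private_port, public_ip, public_port) -> (first_seen, last_seen)
      ambiguous: inside packets with more than one plausible match (e.g. an
                 IP-ID collision between two subscribers), which must not be
                 attributed by guesswork.
    Inside packets with no outside match (dropped by the NAT or the tap) are ignored.
    """
    inside, outside = defaultdict(list), defaultdict(list)
    for p in packets:
        (inside if p.side == "inside" else outside)[invariants(p)].append(p)
    mappings: Dict[Tuple[str, int, str, int], Tuple[float, float]] = {}
    ambiguous: List[Pkt] = []
    for key, group in inside.items():
        for p in group:
            rivals = [q for q in group if q is not p and abs(q.t - p.t) <= window]
            cands = [o for o in outside[key] if 0 <= o.t - p.t <= window]
            if not cands:
                continue
            if rivals or len(cands) > 1:
                ambiguous.append(p)
                continue
            o = cands[0]
            k = (p.src_ip, p.src_port, o.src_ip, o.src_port)
            first, last = mappings.get(k, (p.t, p.t))
            mappings[k] = (min(first, p.t), max(last, p.t))
    return mappings, ambiguous


# Constructed capture: a TCP flow, a UDP flow, an IP-ID collision between two
# subscribers to the same destination, and a packet the outside tap missed.
SAMPLE_PACKETS = [
    Pkt(1.000, "inside",  "100.64.0.5",  51234, "198.51.100.7",  443, "tcp", 1001, 7000),
    Pkt(1.002, "outside", "203.0.113.10", 40000, "198.51.100.7",  443, "tcp", 1001, 7000),
    Pkt(1.100, "inside",  "100.64.0.5",  51234, "198.51.100.7",  443, "tcp", 1002, 7100),
    Pkt(1.103, "outside", "203.0.113.10", 40000, "198.51.100.7",  443, "tcp", 1002, 7100),
    Pkt(2.000, "inside",  "100.64.0.9",  5353,  "198.51.100.53", 53,  "udp", 77),
    Pkt(2.001, "outside", "203.0.113.10", 40001, "198.51.100.53", 53,  "udp", 77),
    Pkt(3.000, "inside",  "100.64.0.5",  60000, "198.51.100.9",  80,  "tcp", 5, 1),
    Pkt(3.001, "inside",  "100.64.0.9",  60001, "198.51.100.9",  80,  "tcp", 5, 1),
    Pkt(3.002, "outside", "203.0.113.10", 40002, "198.51.100.9",  80,  "tcp", 5, 1),
    Pkt(3.003, "outside", "203.0.113.10", 40003, "198.51.100.9",  80,  "tcp", 5, 1),
    Pkt(4.000, "inside",  "100.64.1.20", 1111,  "198.51.100.7",  443, "tcp", 9, 5),
]

if __name__ == "__main__":
    found, amb = correlate(SAMPLE_PACKETS)
    for k, (first, last) in found.items():
        print(f"{k[0]}:{k[1]} -> {k[2]}:{k[3]}  seen {first:.3f}..{last:.3f}")
    print("ambiguous:", [(p.src_ip, p.src_port) for p in amb])
```

The design choice worth noting is that the correlator refuses to guess: when two subscribers send packets with colliding invariants inside the window, both are reported as ambiguous and neither enters the mapping table, because a wrong mapping in a retained-data store is worse than a missing one. Real deployments also have to cope with devices that rewrite IP-ID or run ALGs that alter sequence numbers, which is exactly the accuracy problem the text attributes to passive acquisition.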
With either method, the records must be normalised to a common schema (consistent field names, a single time reference and unambiguous address and port encoding) before they are stored, so that they can be searched reliably by law enforcement. Otherwise records may be rejected on ingest or fail to appear in searches.
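The following is an added example of that normalisation step (not the page's or any product's code) in Python. It takes the two delivery shapes mentioned above, a streamed event line and a batched CSV export, and produces one record type with UTC timestamps and an explicit public port range, rejecting anything it cannot make searchable. Both input formats are constructed for this example; real vendor formats differ, but the failure modes shown (a timestamp without a zone, a port out of range, an inverted port block) are the ones that produce unsearchable records in practice.

```python
"""Normalise CGNAT records from a streamed and a batched source into one
schema, rejecting records that cannot be searched reliably.

Both input formats are constructed for this example.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRecord:
    event: str            # "add" or "delete"
    time_utc: datetime    # always tz-aware UTC
    private_ip: str
    public_ip: str
    port_lo: int          # public port range; lo == hi for a single port
    port_hi: int
    proto: Optional[str]  # None when the source does not record it


Reject = Tuple[str, str]  # (offending input, reason)

# Constructed stream format:
# <iso8601 with offset> <host> NAT44 <ADD|DEL> proto=<p> src=<ip:port> xlate=<ip:port> [dst=...]
STREAM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) NAT44 (?P<ev>ADD|DEL) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) xlate=(?P<xlate>\S+)"
)
EVENTS = {"ADD": "add", "DEL": "delete", "ALLOC": "add", "FREE": "delete"}


def _endpoint(s: str) -> Tuple[str, int]:
    ip, _, port = s.rpartition(":")  # IPv4 only; IPv6 literals would need brackets
    return str(ip_address(ip)), int(port)


def _validate(rec: NatRecord) -> Optional[str]:
    if not (0 < rec.port_lo <= rec.port_hi < 65536):
        return "port out of range"
    if rec.time_utc.tzinfo is None or rec.time_utc.utcoffset().total_seconds() != 0:
        return "timestamp not UTC"
    return None


def _keep(rec: NatRecord, raw: str, records: list, rejects: list) -> None:
    err = _validate(rec)
    (rejects.append((raw, err)) if err else records.append(rec))


def normalise_stream(lines) -> Tuple[List[NatRecord], List[Reject]]:
    records, rejects = [], []
    for line in lines:
        m = STREAM_RE.match(line.strip())
        if not m:
            rejects.append((line, "unrecognised format"))
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
            if ts.tzinfo is None:
                raise ValueError("no timezone offset")
            priv_ip, _ = _endpoint(m["src"])
            pub_ip, pub_port = _endpoint(m["xlate"])
            rec = NatRecord(EVENTS[m["ev"]], ts.astimezone(timezone.utc), priv_ip,
                            pub_ip, pub_port, pub_port, m["proto"].lower())
        except ValueError as e:
            rejects.append((line, str(e)))
            continue
        _keep(rec, line, records, rejects)
    return records, rejects


def normalise_batch(csv_text: str) -> Tuple[List[NatRecord], List[Reject]]:
    """Batched export columns: epoch_ms,event,private_ip,public_ip,port_start,port_end"""
    records, rejects = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = ",".join(str(v) for v in row.values())
        try:
            rec = NatRecord(EVENTS[row["event"]],
                            datetime.fromtimestamp(int(row["epoch_ms"]) / 1000, tz=timezone.utc),
                            str(ip_address(row["private_ip"])), str(ip_address(row["public_ip"])),
                            int(row["port_start"]), int(row["port_end"]), None)
        except (KeyError, ValueError) as e:
            rejects.append((raw, f"bad field: {e}"))
            continue
        _keep(rec, raw, records, rejects)
    return records, rejects


# Constructed inputs: the third stream line has no zone offset, the fourth an
# impossible port; the third CSV row has an inverted port block.
STREAM_SAMPLE = [
    "2024-05-01T12:00:00.250+01:00 cgn-edge-1 NAT44 ADD proto=tcp src=100.64.0.5:51234 xlate=203.0.113.10:40000 dst=198.51.100.7:443",
    "2024-05-01T12:00:45.000+01:00 cgn-edge-1 NAT44 DEL proto=tcp src=100.64.0.5:51234 xlate=203.0.113.10:40000 dst=198.51.100.7:443",
    "2024-05-01T12:01:00 cgn-edge-1 NAT44 ADD proto=udp src=100.64.0.9:5353 xlate=203.0.113.10:40001",
    "2024-05-01T12:02:00+01:00 cgn-edge-1 NAT44 ADD proto=tcp src=100.64.0.9:1 xlate=203.0.113.10:70000",
]
BATCH_SAMPLE = (
    "epoch_ms,event,private_ip,public_ip,port_start,port_end\n"
    "1714561200000,ALLOC,100.64.1.20,203.0.113.10,50000,50511\n"
    "1714568400000,FREE,100.64.1.20,203.0.113.10,50000,50511\n"
    "1714561200000,ALLOC,100.64.1.21,203.0.113.10,50512,50000\n"
)

if __name__ == "__main__":
    recs, rej = normalise_stream(STREAM_SAMPLE)
    batch, brej = normalise_batch(BATCH_SAMPLE)
    for r in sorted(recs + batch, key=lambda r: r.time_utc):
        print(r.time_utc.isoformat(), r.event, r.private_ip, "->", r.public_ip, r.port_lo, r.port_hi, r.proto)
    print("rejected:", rej + brej)
```

Rejects are returned alongside the good records rather than logged and forgotten, so the ingest pipeline can report exactly which source lines will be invisible to a later lawful-disclosure search and why.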
This is all just scratching the surface of the complexities involved in IP address retention and traceability. Read ETSI’s recent technical report to learn more about the subject in the context of Retained Data and Lawful Disclosure. Or view our BAE Systems DataRetain™ page to discover how our cloud-native solution facilitates CSP metadata retention and disclosure while providing a standardised but flexible solution to the problem.