
I need to become an IPV4 and IPV6 expert in a couple of hours.

Our company is being bullied by the internet legislator in our country to move fast to offer the site in IPV6 only (we are just content providers, not a ISP or the like)

The demand that the internet legislator here in Brazil is making upon us is that by sticking to IPV4 we won't be able to offer the Justice system enough information on certain users (when probed) once IPV6 is fully operational. That is certainly bogus.

But what is not bogus and can affect us is the following attribution they are impinging upon us:

That by sticking to IPV4 we are going to log the IP address from all the users + the OUTGOING port they got from their ISPs. Is that info even available in the IP protocol? They tell us that when the ISPs start to use NAT to give the same address to a group of users, we will need the outgoing port to uniquely identify these people.

Another question is: when someone gets out of their ISP using IPV6 will they be able to reach our old IPV4 website?

Michael Hampton
Draconar
    Hmmm... IP protocol does not have ports, ports are used in tcp/udp... –  Apr 24 '14 at 22:02
    The FBI is also interested in ISP's converting to IPv6 for similar reasons http://gcn.com/Articles/2012/06/07/FBI-wants-IPv6-hard-to-track-IPv4-with-NAT.aspx?Page=1 – Eric J. Apr 24 '14 at 22:05
    `I need to become an IPV4 and IPV6 expert in a couple of hours.` - My sincere wish of good luck to you on that. – joeqwerty Apr 25 '14 at 01:24

2 Answers


Yes, you can log the remote port number for incoming HTTP connections.

For instance, with Apache, you would add %{remote}p to your CustomLog to log the remote port number.

With nginx, the remote port number is in $remote_port which you can add to your log_format.

Remember when you change the log format, you also need to adjust any tools that you use to parse the logs.

As for IPv6, the usual thing for content providers (and everyone else) is to run dual-stack, i.e. serve content on both IPv6 and IPv4. You should have already pressured your data center to provide you with IPv6 service and deployed it on your web site. If they won't give it to you, consider moving your site to some provider who will.

Michael Hampton
  • `If they won't give it to you, consider moving your site to some provider who will` - or just have the Brazilian government pressure them for you. They are the ones with the interest, and they certainly have power. – Eric J. Apr 24 '14 at 22:11
  • @EricJ. Haha, yes, that too. But with carrier grade NAT, using IPv6 is a performance optimization for web sites; it will be faster for people who have native IPv6 but IPv4 via CGNAT. – Michael Hampton Apr 24 '14 at 22:11
  • @michael a question: how does our surfing on the interwebs happen nowadays? Is that hybrid? Do I have both IPV4 AND IPV6 addresses for surfing? – Draconar Apr 24 '14 at 22:34
  • @Draconar If you got IPv6 from your ISP, then you will use IPv6 if the remote site has IPv6, or fall back to IPv4 otherwise. – Michael Hampton Apr 24 '14 at 22:35
  • @MichaelHampton I see.. so that means that I have both addresses available for me (IPV4 AND IPV6) for normal surfing after hopping out of my ISP? – Draconar Apr 24 '14 at 22:58
  • @Draconar Yes, that's the whole point of dual stack: you will have both an IPv6 address and an IPv4 address for the same device. – Michael Hampton Apr 24 '14 at 22:58
  • @Draconar: On Windows, you can run the command `ipconfig`. It will show you something like `IPv6 Address: 2001:0:9d38:90d7:148b:1ee0:bbfa:68ab`, if you also have an IPv6 address. I'm sure it is similar on Linux. – Eric J. Apr 24 '14 at 23:24

It makes sense, from a law enforcement point of view. Yes, to be able to trace sessions through Carrier NATs you need to log source address and port + destination address and port. And very accurate time stamps. And even then it requires a huge amount of logging in the NAT as well. IPv6 usually doesn't have NAT, so just logging addresses is usually enough. The world is (still slowly, but picking up speed) moving to IPv6, and everybody needs to move. Both content and access. The quicker we move, the quicker we can get rid of IPv4 and the NATing, timestamped port logging and routing table mess that IPv4 is becoming.

Sander Steffann
  • But for now we need dual-stack. The worst of both worlds, but necessary in the transition. (A bit exaggerated, but you get the point ;) – Sander Steffann Apr 24 '14 at 22:44
  • However IPv6 does have its own provisions meant to help ensure anonymity, such as a single device having multiple IPs and formal mechanisms for the device to change IPs. – Eric J. Apr 24 '14 at 23:22
  • True, but the subnet doesn't change, and that is approximately the same information law enforcement would get in case of a client-side NAT. – Sander Steffann Apr 25 '14 at 05:38
  • Logging on the NAT can be avoided, if a range of port numbers is statically allocated to each customer. That also reduces the accuracy requirement on time stamps. – kasperd Apr 29 '14 at 12:35
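The two answers together describe one procedure: the content provider logs the remote port next to the remote address (first answer), and an investigator later joins that log against the ISP's CGNAT translation records using address, port and an accurate timestamp (second answer). The following worked example is added here and is not code from either answer; it assumes a hypothetical nginx `log_format` that writes `$remote_addr` and `$remote_port` first, and a made-up shape for the ISP's NAT binding records. All log lines and bindings are constructed. It shows why the address alone is ambiguous behind a shared CGNAT address, why the port resolves it, why a small clock skew can flip the answer, and why an IPv6 client needs no NAT record at all (the delegated /64 is the identifying unit, as the comments above note).

```python
"""Added example: joining a web log that carries the remote port against
constructed CGNAT binding records. Not from the Server Fault answers."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical nginx format assumed by the parser (assumption, not the answer's):
#   log_format withport '$remote_addr $remote_port [$time_iso8601] "$request" $status';
LOG_LINE = re.compile(
    r'^(?P<addr>\S+) (?P<port>\d+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Constructed access-log lines: two IPv4 hits from one shared CGNAT address, one IPv6 hit.
ACCESS_LOG = """\
203.0.113.7 40112 [2014-04-24T22:02:11+00:00] "GET /login HTTP/1.1" 200
203.0.113.7 51200 [2014-04-24T22:05:40+00:00] "POST /comment HTTP/1.1" 302
2001:db8:1::42 51313 [2014-04-24T22:06:02+00:00] "GET / HTTP/1.1" 200
"""


@dataclass(frozen=True)
class LogEntry:
    addr: str
    port: int
    ts: datetime
    request: str
    status: int


def parse_log(text: str) -> List[LogEntry]:
    """Parse the hypothetical format above; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        entries.append(LogEntry(addr=m["addr"], port=int(m["port"]),
                                ts=datetime.fromisoformat(m["ts"]),  # offset-aware
                                request=m["req"], status=int(m["status"])))
    return entries


@dataclass(frozen=True)
class NatBinding:
    """One CGNAT translation record in a constructed shape. subscriber is an opaque
    account id at the ISP; a static port-block allocation has end=None."""
    subscriber: str
    public_addr: str
    port_lo: int
    port_hi: int
    start: datetime
    end: Optional[datetime]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed ISP records: block 40000-40999 on 203.0.113.7 is released by one
# subscriber and reassigned to another at 22:04; block 51000-51999 is static.
BINDINGS = [
    NatBinding("acct-1001", "203.0.113.7", 40000, 40999,
               _t("2014-04-24T22:00:00+00:00"), _t("2014-04-24T22:04:00+00:00")),
    NatBinding("acct-1002", "203.0.113.7", 40000, 40999,
               _t("2014-04-24T22:04:00+00:00"), None),
    NatBinding("acct-1003", "203.0.113.7", 51000, 51999,
               _t("2014-04-24T00:00:00+00:00"), None),
]


def candidates(addr: str, ts: datetime, port: Optional[int],
               bindings: List[NatBinding]) -> List[str]:
    """Subscribers whose binding covers (addr, ts) and, when given, the port.
    Without the port every subscriber sharing the address at that instant matches."""
    out = []
    for b in bindings:
        if b.public_addr != addr:
            continue
        if ts < b.start or (b.end is not None and ts >= b.end):
            continue
        if port is not None and not (b.port_lo <= port <= b.port_hi):
            continue
        out.append(b.subscriber)
    return out


def attribute(entry: LogEntry, bindings: List[NatBinding], use_port: bool = True) -> List[str]:
    """Attribute one log entry. An IPv6 client is not behind the CGNAT here, so the
    result is the /64 the ISP delegated rather than a NAT record."""
    if ipaddress.ip_address(entry.addr).version == 6:
        return [str(ipaddress.ip_network(f"{entry.addr}/64", strict=False))]
    return candidates(entry.addr, entry.ts, entry.port if use_port else None, bindings)


if __name__ == "__main__":
    for e in parse_log(ACCESS_LOG):
        print(e.addr, e.port, e.ts.isoformat(),
              "addr only:", attribute(e, BINDINGS, use_port=False),
              "addr+port:", attribute(e, BINDINGS))
    # A 15 second clock error on the web server moves a hit across the 22:04 reassignment.
    near = _t("2014-04-24T22:03:50+00:00")
    print(candidates("203.0.113.7", near, 40500, BINDINGS),
          candidates("203.0.113.7", near + timedelta(seconds=15), 40500, BINDINGS))
```

The point of the join is in `candidates`: address plus time narrows the set to everyone sharing that public address at that instant, and only the port selects one binding. The skew check at the bottom is why the second answer insists on accurate timestamps: with dynamic port blocks, a few seconds of drift between the web server and the NAT attributes the same packet to a different account, which is also why the last comment's static per-customer port ranges relax that requirement.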