On Jun 17, 2012, at 4:01 PM, Vinny Abello wrote:
> I fail to see the problem the media and FBI are worried about. If the regional registries are accurately documenting who they are allocating assignments to, the authorities have somewhere to start. Even if everything is properly documented via SWIP or WHOIS, the FBI requests far more information in a subpoena from ISPs than is provided by those tools, and I don't think they generally really even rely on them to be accurate.
Indeed, there are subpoenas which request a lot more information (particularly if you are in a lengthy investigation). However, if they are trying to figure out where a missing kid or person in danger might be located based on email headers, then time can be of the essence, and being able to follow the subassignments (that are already supposed to be in Whois) can make the difference. I would not say they rely on Whois to be accurate, but they certainly take its contents into consideration in some situations, along with all the other various data points they may have.
> They go straight to the ISP from what I've seen. They don't want the criminal to know the FBI is on to them and won't first go direct to the end user.
Depends on circumstance. If you're talking about investigations of front companies for various nefarious commercial activities, then that is indeed the case, but that is not the only type of law enforcement activity.
> A /64, /56 or even /48 will be one customer, so regardless of whether a criminal keeps changing IPs inside those blocks, it still points to that customer, which the ISP can provide to the FBI.
If the ISP has a lawful response desk which is available at 3 PM on a Sunday afternoon or holiday weekend, then going to the ISP would indeed be equivalent. Also, this presumes that the ISP in question isn't serving a smaller ISP or hosting firm which would then also need to be queried to find the actual customer.
> Where is the issue? I don't see how this is that hard to track down. What's the difference with an ISP that didn't SWIP an IPv4 /29 allocation to a company with all RFC1918 space behind the address? <sarcasm> How oh how will they ever find the criminal within all of that IPv4 address space behind the ISP-assigned /29 without someone documenting the RFC1918 space in the customer's network??!?! </sarcasm>
There is no difference. The question is whether the ISP who had to SWIP the /29 under IPv4 as part of showing utilization to get their next block will bother to record subdelegations under IPv6 when they don't need to come back for _a long time_...
> If anything, I feel like this is a ploy by the FBI feeding the media to get criminals to adopt IPv6 thinking they're harder to track and drop their guard so they'll be easier to catch.
No, it's a real concern that law enforcement has with the current incentives for keeping the Whois up to date, and what happens with IPv6. Feel free to come to an ARIN meeting and chat with the folks from US, Canada, and various Caribbean governments about their issue.

By the way, it is not that there is _no_ incentive... Any _large_ ISP ends up having to provide lawful response duties (often the same team that handles spam/abuse/copyright issues) and that means staff. For networks that put subdelegations into Whois reliably, there are fewer requests for routine information (ergo less staff & less co$t needed to respond). Not many ISPs are the size where such inquiries are routine enough to have a dedicated team, but those who do generally realize the pleasant side effect of keeping Whois up to date. This isn't really seen by ISPs who only get the occasional LEA request, so it's not a meaningful incentive on its own for many service providers.

FYI,
/John

John Curran
President and CEO
ARIN