IPv4 Addressing and Liability

I'm pretty sure this is not the right place to post this, but I wanted to get as much input as possible.

I have a question that is weighing on me and trying to figure out what the best practice would be for this. Currently, we assign a public IP address to each of our customers, mainly for liability issues. This is done in case a customer does something they're not supposed to, i.e. copyright infringement. This way, we can track down exactly who is doing anything illegal and keep the liability off of us.

My question is, with the depletion of IPv4 public addressing, ARIN is no longer assigning any new blocks of IPs. We will need to start NATting customers instead of assigning public IPs in the near future. How can we track down a customer that is doing something illegal if all customers are NATted to one public? One thing I have done is NAT small subnets of privates to one public. On one tower, I have several /29 subnets built with each /29 being NATted to one public address. This gives me 6 customers per public address, to help minimize the amount of snooping I need to do.

I was just curious how all of you are setting up your networks and how you are handling liability issues with IPv4 addressing. I'd appreciate any input.

Thanks.


You should track each private IP assignment session and track all connections using a firewall. On MikroTik routers that's very simple to do. You can do this on the main GW or on all your POP (it depends on your network).

You could use a single IP to NAT an entire /24 (253 users) or several /29 subnets like you did (you'll need more public IPs).

If someone asks you to know exactly who did something on day X at hour Y, you simply get data from your logs and take the user name for that connection.

The data amount depends on your ISP size, but there are several solutions to store and search in such big data.

You should ask your IT guy for solutions about that part!

Is there anyone with other solutions? Software suggestions for searching and storing logs?


We have most of our SMs in NAT mode. We assign a different VLAN for each tower. Then each AP has DHCP Option 82 enabled. This allows us to be able to track down an offender by the SM MAC address per tower.

The real solution to this issue is IPv6, but we know the challenges there with adoption of the protocol in devices and services. Giuseppe is right in that logging is your proof of user action and defence against any legal action, and there are many ways to implement a properly-logging 'carrier NAT' scheme.

Have you had any legal requests to date (I'm thinking DMCA)?

The only issue I've had to date was about a year ago. Got a cease and desist letter from Warner Bros. about one of my customers downloading the movie Central Intelligence the weekend it came out. They downloaded it through BitTorrent. Fortunately, it was an easy catch because all of the customers had public IP addresses, and I was able to tie it directly to the offending customer, and let them know what was going on.

At our sister company, who services the oil industry, there was a customer offshore that was engaging in watching child pornography. The FBI got involved, and had to track down the culprit. That was a little harder to do since all customers were NATted to a single public IP. It really took some digging.

That's kind of what I'm worried about happening again. I want to make sure that the liability stays off of myself and the company, and want to be able to pinpoint exactly who is doing any illegal activity.

Late reply but here is my 2 cents.

I try to avoid NAT for just general performance reasons and to avoid issues with blacklists affecting multiple customers.

For the liability, in the US you have to follow CALEA (https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act) if I am remembering correctly. There are no historical provisions in that law, just that if the FBI or other law enforcement come knocking you have to provide some way of monitoring what a particular customer is doing (wiresharking before the NAT suffices for this purpose).

Looking at one of our MikroTik routers which has netflow enabled shows about 750k active connections at the moment and we are pretty small. The storage requirements to keep track of just the netflow data is astronomical if you even have to keep only say three months worth. The privacy requirement that a request must single out a particular user reduces this requirement to something reasonable even if it has to be maintained for an extended period.


@dmcken wrote:

Late reply but here is my 2 cents.

I try to avoid NAT for just general performance reasons and to avoid issues with blacklists affecting multiple customers.

For the liability, in the US you have to follow CALEA (https://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act) if I am remembering correctly. There are no historical provisions in that law, just that if the FBI or other law enforcement come knocking you have to provide some way of monitoring what a particular customer is doing (wiresharking before the NAT suffices for this purpose).

Looking at one of our MikroTik routers which has netflow enabled shows about 750k active connections at the moment and we are pretty small. The storage requirements to keep track of just the netflow data is astronomical if you even have to keep only say three months worth. The privacy requirement that a request must single out a particular user reduces this requirement to something reasonable even if it has to be maintained for an extended period.


I second this as well.

We deliver a public address directly to the homes and maintain our DHCP logs for a year via a centralized DHCP system. This makes CALEA requests quick and simple on our side.

NAT in my opinion should be kept away as long as possible for performance, end users' experience with things like PlayStation Network, blacklists and legal reasons. Likely inevitable for most of us at some point though.

We too try to hand out public DHCP to all clients. I set up a rollover DHCP pool of 172.20.a.b IPs for each, but whenever I see the 172s getting handed out I know I need to revisit and massage the public assignments. We're really lucky in a way - we had about 100% of the IPs needed, but now a partner on our wireless network is peeling off an entire county and routing it through a fiber to their own network center (where they terminate all their DSL customers), freeing up a /22 of public IPs we can now reuse elsewhere. We also have an inconceivably huge block of IPv6 addresses, which I'm working on rolling out across the network. (That doesn't presently suffice, of course; too many devices and services are still IPv4-only for that to be a solution.)

I've been contacted {censored} times by law enforcement to identify a customer based on IP and time/date, each time led to successful prosecution (mostly child pornography) but we've never yet been asked to capture any traffic on their behalf.

All our DHCP is handed out by a couple dozen MikroTik routers, and the routers are set to log DHCP remotely to one of our Ubuntu servers, which can then be queried with an IP and date to find the MAC address to which that IP was assigned during the time in question. Then I track the MAC address (almost always a router) back to a specific customer and document each step.

j
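A worked version of the lookup Giuseppe describes earlier (who was behind a connection on day X at hour Y) combined with the DHCP-log query in the post above, added here as an example and not code from any poster or from MikroTik: given a public IP, source port and timestamp, it joins the carrier-NAT translation log against the DHCP lease log to name the subscriber. The log formats, addresses, MACs and customer table are constructed for illustration; a real deployment would read the syslog export of each box instead of inline strings.

```python
from datetime import datetime

# Constructed sample logs (not from any real router). All timestamps are UTC;
# in practice keep the NAT box and DHCP server NTP-synced or the join is wrong.
DHCP_LOG = """\
2017-03-01T08:00:00 assigned 172.20.1.10 aa:bb:cc:00:00:01
2017-03-01T09:30:00 released 172.20.1.10 aa:bb:cc:00:00:01
2017-03-01T09:31:00 assigned 172.20.1.10 aa:bb:cc:00:00:02
"""
NAT_LOG = """\
2017-03-01T08:15:00 open 172.20.1.10:51000 203.0.113.5:40001
2017-03-01T08:20:00 close 172.20.1.10:51000 203.0.113.5:40001
2017-03-01T09:40:00 open 172.20.1.10:51000 203.0.113.5:40001
"""
CUSTOMERS = {"aa:bb:cc:00:00:01": "Customer A", "aa:bb:cc:00:00:02": "Customer B"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _intervals(log, open_word, close_word):
    """Pair open/close events into (start, end, key, value); end is None if still open."""
    active, done = {}, []
    for line in log.splitlines():
        t, action, key, value = line.split()
        if action == open_word:
            active[(key, value)] = _ts(t)
        elif action == close_word and (key, value) in active:
            done.append((active.pop((key, value)), _ts(t), key, value))
    done.extend((start, None, k, v) for (k, v), start in active.items())
    return done

def _active_at(intervals, when, key=None, value=None):
    """Return the (key, value) pairs whose interval covers `when`, filtered by key/value."""
    return [(k, v) for start, end, k, v in intervals
            if start <= when and (end is None or when < end)
            and (key is None or k == key) and (value is None or v == value)]

def attribute(public_ip, public_port, when):
    """Name the customer behind public_ip:public_port at time `when`, or None when the
    logs give no single answer (missing or ambiguous evidence is reported, not guessed)."""
    when = _ts(when)
    nat = _active_at(_intervals(NAT_LOG, "open", "close"), when,
                     value=f"{public_ip}:{public_port}")
    if len(nat) != 1:
        return None
    private_ip = nat[0][0].rsplit(":", 1)[0]  # drop the private source port
    leases = _active_at(_intervals(DHCP_LOG, "assigned", "released"), when, key=private_ip)
    if len(leases) != 1:
        return None
    return CUSTOMERS.get(leases[0][1])
```

Note that the same public IP and port resolves to two different customers an hour apart, which is why a request that carries only an IP and a date, without the source port and an exact time, cannot be answered reliably behind NAT.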