So I just posted a CNET article about the FBI's views on the IPv6 transition. One of the organizations I talked to was Yahoo, which co-authored RFC6302 (http://tools.ietf.org/html/rfc6302) that recommends what Web sites should log about visitors. Note this is different from whether Internet providers are logging port numbers as well. And if you're the FBI you need both ends to piece together a trail...
Anyway, below is what Yahoo told me. It's an interesting look at the work involved here, which is not trivial:
For a web site such as yahoo.com, it is no longer going to be adequate to
log just the IP address and the time stamp. That could represent any of
1000 customers. We have updated our applications to include the "source
port" (each internet connection between hosts will have a source port,
source address, destination port, destination address). Only with the
combination of time, address, and source port, will any Internet
Service Provider have any chance of checking their logs, and associating
that information back to a specific subscriber.
This is a heavy burden for the ISPs, one they will be forced to take, as
they start deploying customers behind NATs. One that most ISPs are
putting off as long as possible, except on a trial basis.
I don't think there is a big difference between NAT64/DNS64, versus
NAT44. Either way, way too many unrelated strangers are going to share a
single address. Either way, the time and port have to be trackable to a
distinct subscriber; whether that is logging every single session, or
assigning port ranges to users and logging the port range (like a DHCP
lease). This overhead is similar in all of these NAT cases.
We treat IPv6 addresses with the same privacy controls as IPv4 addresses.
Specifically, both are treated as PII.
http://info.yahoo.com/privacy/us/yahoo/ip/
http://info.yahoo.com/privacy/us/yahoo/datastorage/details.html
[Re: IPv4-in-IPv6 tunneling issues (DS-Lite)]
For logging (and identification), I expect this to be the same as any
other NAT. Only, the subscriber identity would need to be recorded
instead of the private IPv4 address, since all DS-Lite users each have
their own instance of the same IPv4. The burden should be about the
same, though obviously the records format will likely be different.
For actual legal intercept, I conjecture that this could be a real issue.
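To make concrete what Yahoo is describing, here is an added example (mine, not Yahoo's code or anything from RFC 6302) that joins a web server's (time, address, source port) log records against an ISP's port-range lease records to attribute a request to one subscriber behind a shared address, and shows why time and address alone are ambiguous. The log format, the lease record layout, and all addresses and subscriber names are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed web-server log: timestamp, client address, client source port,
# request. These are the three identifying fields RFC 6302 says to record.
SERVER_LOG = """\
2012-05-01T14:03:11Z 203.0.113.7 40511 GET /login
2012-05-01T14:03:12Z 203.0.113.7 50122 GET /login
2012-05-01T15:10:00Z 203.0.113.7 40600 POST /comment
"""

# Constructed ISP-side records for the "port range like a DHCP lease" approach:
# one record per port-block lease on a shared public address, not per session.
# (public_ip, first_port, last_port, lease_start, lease_end, subscriber)
ISP_LEASES = [
    ("203.0.113.7", 40000, 40999, "2012-05-01T14:00:00Z", "2012-05-01T16:00:00Z", "sub-A"),
    ("203.0.113.7", 50000, 50999, "2012-05-01T13:00:00Z", "2012-05-01T15:00:00Z", "sub-B"),
    ("203.0.113.7", 40000, 40999, "2012-05-01T12:00:00Z", "2012-05-01T14:00:00Z", "sub-C"),
]

def parse_time(s):
    """Parse the UTC timestamps used in both constructed record sets."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_server_log(text):
    """Return (time, ip, source_port, request) tuples from the server log."""
    events = []
    for line in text.splitlines():
        ts, ip, port, *req = line.split()
        events.append((parse_time(ts), ip, int(port), " ".join(req)))
    return events

def subscriber_for(ip, port, when):
    """Map (address, source port, time) to the single lease covering it.
    Returns None if no lease or more than one lease matches (ambiguous)."""
    matches = {sub for (pip, lo, hi, start, end, sub) in ISP_LEASES
               if pip == ip and lo <= port <= hi
               and parse_time(start) <= when < parse_time(end)}
    return matches.pop() if len(matches) == 1 else None

def subscribers_without_port(ip, when):
    """What address + time alone can say: every subscriber sharing the
    address at that moment, i.e. the 'any of 1000 customers' problem."""
    return {sub for (pip, lo, hi, start, end, sub) in ISP_LEASES
            if pip == ip and parse_time(start) <= when < parse_time(end)}

def attribute(text):
    """Attribute each logged request to a subscriber using all three fields."""
    return [(req, subscriber_for(ip, port, t))
            for (t, ip, port, req) in parse_server_log(text)]
```

The same join works for per-session logs, with each record covering one port instead of a block; the lookup cost grows with the number of records, which is the overhead Yahoo refers to.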