New SEARCH Publication Addresses What Law Enforcement Needs to Know About the Internet Protocol Transition from IPv4 to IPv6
The world is facing a shortage of Internet Protocol addresses—those unique numbers that help us connect to the Internet. In fact, service providers have just about exhausted the available supply of version 4 IP addresses. So in order to keep things moving online, users are being migrated over to version 6, which has an almost infinite capacity for doling out unique numbers.
Most of us don’t even notice when the transition takes place because it’s handled by the service providers and there’s really nothing we need to do on our end. But for law enforcement investigators and forensics examiners, there’s reason to take notice.
Below are excerpts from The Internet is Upgrading: What Law Enforcement Needs to Know About the Protocol Transition from IPv4 to IPv6. The publication can be found on our High-Tech Crime Investigative Resources page and is freely available to all law enforcement.
While IPv6 resolves the shortage of available IP addresses, it presents new challenges. The two systems do not support each other, meaning IPv4 cannot route (pass information) directly to IPv6 addresses. The converse is also true—IPv6 cannot route directly to IPv4. If a website or peer-to-peer (P2P) network is on IPv6, it cannot be seen by an IPv4 system. This is an issue that law enforcement investigators and forensics techs need to recognize. IPv6 is a game changer in how IP addresses are structured, and investigators need to know that the traditional tools they have used for IPv4 may not work as expected with IPv6.
What law enforcement needs to know
Here are three important takeaways:
- Different IPv6 implementation methods will affect online investigations and information that is retrievable by law enforcement. Encapsulation of IP addresses in tunneling can create obstacles to identifying the actual source of activities in incidents being investigated. For example, the HughesNet Gen4 High-Speed Satellite service uses a single IPv6 carrier to transmit as many as 200 IPv4 addresses simultaneously. This means identifying a single subscriber using the service will require additional identifying information.
- In addition to the IP address and precise times of the subject activity, the investigator may need port assignment information for the activity in order to identify the service subscriber. Port assignment identifies the client software in use for data communication, such as P2P software, email clients, web browsers, social networks, etc. Having the port assignment lets Internet Service Providers (ISPs) identify the subscriber during a specific time frame related to the incident. Without the port information, the only mechanism to identify the subscriber may require a live intercept of the activity as it is in transmission, necessitating a court order for the communication intercept.
- Implementation methods may confound investigations when one IP version is identified but the actual activity is conducted on the other (either IPv6 or IPv4). If an investigator is on IPv4 and the target of the investigation is using IPv6, the investigator may not be able to work the case.
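The takeaways above name three things a subscriber lookup may depend on: the address, the precise time and the port. The following added example (not taken from the SEARCH publication) pulls those fields out of server logs, normalizes the times to UTC, and flags addresses that belong to an IPv4/IPv6 transition mechanism. The log format, sample lines and function names are constructed for illustration; the classification uses Python's standard `ipaddress` module.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample log (hypothetical format): ISO-8601 time, client address, source port.
SAMPLE_LOG = """\
2015-03-02T14:05:09-08:00 203.0.113.7 51514
2015-03-02T14:05:11-08:00 2001:db8:12:34::9 40022
2015-03-02T22:05:30+00:00 2002:c633:6407::1 33011
2015-03-02T17:06:02-05:00 ::ffff:198.51.100.20 61200
"""

def classify(addr):
    """Return (kind, embedded IPv4 or None) for a logged client address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4", None
    if ip.ipv4_mapped:                 # ::ffff:a.b.c.d, IPv4 client seen on a dual-stack socket
        return "ipv4-mapped", str(ip.ipv4_mapped)
    if ip.sixtofour:                   # 2002::/16, 6to4 tunnel carrying the IPv4 endpoint
        return "6to4", str(ip.sixtofour)
    if ip.teredo:                      # 2001:0::/32, Teredo tunnel: (server, client) pair
        return "teredo", str(ip.teredo[1])
    return "native-ipv6", None

def build_records(log_text):
    """Parse each line into the fields a subscriber lookup request would cite."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, addr, port = line.split()
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        kind, embedded = classify(addr)
        records.append({
            "utc": when.isoformat(),   # one time zone for every record
            "address": str(ipaddress.ip_address(addr)),  # canonical form
            "source_port": int(port),
            "kind": kind,
            "embedded_ipv4": embedded,
        })
    return sorted(records, key=lambda r: r["utc"])

if __name__ == "__main__":
    for rec in build_records(SAMPLE_LOG):
        print(rec)
```

A record whose kind is `6to4`, `teredo` or `ipv4-mapped` carries an IPv4 address inside the IPv6 one, so the provider to approach may be the one that owns the embedded IPv4 address rather than the IPv6 prefix.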
About the Author
Mr. Don Lewis is a High-Tech Crime Training Specialist for SEARCH. He coordinates and provides training and technical assistance on high-tech crime investigations and forensics to local, state and federal justice and public safety agencies. He provides technical assistance to law enforcement agencies in active cases, prepares training curricula, teaches SEARCH investigative courses and speaks at conferences throughout the United States.