Published on February 23rd, 2022 | by Kevin McTiernan & Rory Quann
With just over 4 billion unique, public addresses in the IPv4 scheme and north of 10 billion devices today, many Communication Service Providers (CSPs) assign private addresses to subscribers and leverage a carrier-grade network address translation (CG-NAT) to allow those private addresses to flow through one single public IP address. For law enforcement investigating a crime committed on or following leads on the public Internet, the use of a NAT presents major challenges. With thousands of subscribers (or endpoints) on a CSP network sharing one public IP address, knowing that address alone is not sufficient to isolate a single subscriber’s device or person of interest. To do that requires visibility into the routing traffic within the CSP’s private network. SS8’s platform provides that insight, seamlessly illuminating identity details that would otherwise be hidden.
Obscured Identity in Private IP Networks
The familiar “x.x.x.x” IPv4 addressing scheme is limited to just over 4 billion addresses and in the early days of the Internet, that was more than sufficient to assign a unique public address to every device. However, the explosion of the Internet quickly showed the number of addresses was not enough. One way to deal with that shortage was to reserve ranges of private IP addresses for use only within a device’s home network. In this topology, a network identifies itself to the outside world using a unique public IP address. To external networks, every entity within that network is identified by that single address. Within the network, devices and other entities each have unique private IP addresses. Therefore, IP addresses can be reused in separate private networks without conflict.
The interface between the public and private IP addressing schemas is a simple, one-to-many mapping that is performed by a Network Address Translation (NAT) service running on network infrastructure like a router or firewall or as a virtualized network function. NAT may assign a static private IP address to a given host, or it may use dynamic host configuration protocol (DHCP) to automatically assign private IP addresses on an as-needed basis.
Public Address Translation (PAT), in the context of lawful intelligence, identifies the companion technology that operates in the opposite direction of NAT. That is, while NAT maps a single public IP address to multiple private ones, PAT maps the multiple addresses in that private network back to the public address using port information and other data.
Communication service providers employ an enterprise version of this technology known as Carrier-grade NAT (CG-NAT) to share small pools of public IP addresses among large numbers of customers. Because CG-NAT is performed by the CSP, unique public IP addresses are not associated with individual end customers. Instead, subscribers are identified by private, CSP-administered IP addresses, many of which are reassigned on a regular basis.
From a lawful intercept and mediation perspective, private IP addressing can obscure the identity of endpoints within the CSP network. For example, a law enforcement agency (LEA) might ask Facebook for the IP address used for a given illicit activity. If that address belongs to a CSP that uses CG-NAT, however, it may be shared by thousands of users, making it impossible to identify the subject of interest using public IP addresses.
Extending Visibility and Disclosure for Lawful Intelligence
The inability to identify an individual subscriber associated with specific activity on its network may expose a CSP to significant penalties. In the case of a CSP using CG-NAT, lawful intelligence requires records from both the private and the public data flows, which can be provided directly by the CG-NAT service or by other means.
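The correlation described above, as an added example (not SS8's code and not part of the original post): given CG-NAT port-block allocation records in a hypothetical layout, it shows why a public address alone leaves several candidate subscribers and how the observed port and timestamp narrow them. The record fields, addresses and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Mapping:
    """One CG-NAT port-block allocation (hypothetical record layout)."""
    public_ip: str
    port_lo: int
    port_hi: int
    private_ip: str
    start: datetime
    end: datetime

def ts(s):
    # Parse an ISO timestamp and treat it as UTC.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records: one public address shared by three subscribers,
# with one port block reassigned to a different private address at 12:00.
LOG = [
    Mapping("203.0.113.7", 1024, 2047, "100.64.0.10", ts("2022-02-01T08:00:00"), ts("2022-02-01T12:00:00")),
    Mapping("203.0.113.7", 2048, 3071, "100.64.0.11", ts("2022-02-01T08:00:00"), ts("2022-02-01T18:00:00")),
    Mapping("203.0.113.7", 1024, 2047, "100.64.0.12", ts("2022-02-01T12:00:00"), ts("2022-02-01T18:00:00")),
]

def candidates(log, public_ip, when, port=None, skew=timedelta(0)):
    """Return private addresses that could have produced the observed traffic.

    `skew` widens each allocation window to allow for clock drift between the
    party that observed the traffic and the CG-NAT logger.
    """
    hits = set()
    for m in log:
        if m.public_ip != public_ip:
            continue
        if not (m.start - skew <= when < m.end + skew):
            continue
        if port is not None and not (m.port_lo <= port <= m.port_hi):
            continue
        hits.add(m.private_ip)
    return sorted(hits)

if __name__ == "__main__":
    when = ts("2022-02-01T11:59:58")
    print(candidates(LOG, "203.0.113.7", when))             # address and time only
    print(candidates(LOG, "203.0.113.7", when, port=1500))  # address, port and time
    print(candidates(LOG, "203.0.113.7", when, port=1500, skew=timedelta(seconds=5)))
```

With a clock-skew allowance, a request observed seconds before a port block is reassigned matches both the outgoing and the incoming holder, so timestamp precision matters as much as the port.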
SS8’s Lawful Intelligence platform provides access to the public and private data flows and the analytics to associate the illicit, public internet activity with a subscriber’s device. By incorporating these capabilities into a broader lawful intelligence platform, the effects of NAT/PAT on user or device identification can be minimized or eliminated. Interoperability with broader workflows also means CSPs do not have to code, integrate, or maintain any associated software functionality themselves.
SS8’s NAT/PAT solution is built into its broader lawful intelligence platform, trusted by both CSPs and LEAs around the world for more than two decades. The solution is future-proofed to align with any combination of network architecture a CSP requires, from on-prem or hosted solutions to cloud-native ones, and provides oversight to ensure legal safeguards are used to prevent misuse.
To extend the life of the IPv4 schema, CSPs utilize NAT/PAT services to map private, internal subscriber IP addresses to their public networks. This has the unfortunate side effect of obscuring the identity of individual users and creating problems for LEAs investigating illicit online activity. SS8’s platform translates IP addressing schemas for both the public CSP network and the private pools of addresses they assign to their individual subscribers and embeds this capability within its broader lawful intelligence operation, helping LEAs focus on investigations instead of being distracted by network details.
About Kevin McTiernan
Kevin has over 20 years of extensive experience in the telecommunications and network security industries. At SS8, Kevin is the VP of Government Solutions and is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio® compliance portfolio.
About Rory Quann
Rory Quann is Head of International Sales at SS8 Networks and brings with him over 10 years of experience in the Lawful Interception and Data Analysis industry. He is responsible for the organization’s international sales policies, objectives and initiatives in the Middle East, Asia, and Eastern Europe.
Prior to joining SS8 in 2013, Rory worked for BAE Systems Applied Intelligence, where he focused on large-scale government deployments of intelligence solutions. Rory has held multiple positions in the Lawful Intelligence space, including Deployment Engineer, System Consultant, and Sales Engineer, with a focus on country-wide passive deployments. Rory is a Certified Microsoft MCSA Engineer and EMC Certified Deployment Engineer.
About SS8 Networks
SS8 provides Lawful Intelligence platforms. They work closely with leading intelligence agencies, communication providers, law enforcement agencies and standards bodies. Their technology incorporates the methodologies discussed in this blog and the Xcipio® and Intellego® XT product portfolios are used worldwide for the capture, analysis, and delivery of data for the purposes of criminal investigations.