Computer addresses for Internet access (IP addresses) do not fall from the sky. The Internet Engineering Task Force specifies Internet protocols and has thereby determined the capacity of the address spaces: 4.3 billion for IPv4, 340 sextillion for IPv6.
The highest registry, the Internet Assigned Numbers Authority, draws from this. It assigns IP address blocks to the Regional Internet Registries, in Europe to the Réseaux IP Européens, or RIPE for short. The RIPE in turn issues IP address blocks to European Internet providers. Finally, a provider grants its customers paid access to the Internet using IP addresses. So the provider, at least, knows which customer is using which IP address.
Does the RIPE now have to record the addresses of address block owners? In any case, a lot of material has accumulated in the RIPE databases over the years, which whets the appetite of law enforcement, but raises questions about the maintenance effort and legality of address management.
It is undisputed that the providers need databases to coordinate their network interconnections, and that the RIPE maintains these as the registration office. The first RIPE database was created in August 1992. It lists the owners of IP addresses and autonomous systems (AS) in Europe, the Middle East, Russia and parts of Central Asia; these are mostly providers such as 1&1 or Vodafone.
In 1995, RIPE created the Internet Routing Registry (IRR) for routing coordination, thereby separating routing information from address registration (Internet Number Registry, INR). A few years ago the RPKI database was added, which contains certificates for cryptographically securing wide area routes and resources.
Stale data and the GDPR
The trouble with the RIPE databases is that members were originally allowed to make their entries voluntarily. At least in the beginning, some did this with enthusiasm, but increasingly there was a lack of will to update, so some of the data is out of date. Therefore, today the RIPE Network Coordination Center (NCC), the operational arm, collects part of the data on the basis of contracts with members. Part of the non-public RIPE registry, namely contract data such as addresses, names or phone numbers, is also in the publicly accessible INR.
Presumably for this reason, the appetite of criminal prosecutors has grown in recent years. Europol in particular urged the RIPE to collect the addresses of address block holders and store them in the public database. They hope that this will speed up cross-border investigations.
In the meantime, however, the General Data Protection Regulation (GDPR) came into force in 2018 and gave the impetus to put the RIPE databases to the test. In 2019, the address administrators commissioned a six-person task force, which also included a representative from Europol. After around two years, the group has now presented its recommendations in the document “RIPE Data Base Requirements”.
In summary, the task force recommends strict data minimization to the RIPE. For example, the postal address of IP address block owners in the open database is to become optional in the future, but preferably to disappear. The postal address is not needed for the main purpose of the database, namely the coordination of the providers and their network interconnection.
IPv4 address pool has been used up
The providers should stop recording the assignment between customers and fixed public IP addresses. “The RIPE NCC has requested the assignment as proof that a member actually needs new addresses,” explains Peter Koch, DENIC policy expert and task force member. Only those who could prove that they had assigned all their addresses were allowed to apply for new ones. Especially when IPv4 addresses became scarce, the address administrators looked closely at this.
But Koch added in an interview with c’t: “This purpose has expired, because the RIPE has now used up its IPv4 address pool.” One can also assume that the task force does not consider such control necessary for IPv6 addresses, because they are available in abundance.
Koch assures us that, in recommending deletion of the assignment between users and IPv4 addresses, the task force was not thinking so much about the GDPR. Rather, this deletion makes sense, “because things that are not in the database cannot become out of date”.
The task force also suggests introducing role addresses for technical contact persons instead of real personal addresses. At RIPE and its NCC, there was increasing concern about the growing amount of personal data, which was entered not only for technical contact persons.
“In May 2021, the RIPE database contained a total of 1.92 million person objects,” the task force states. This is critical, because the greater this number, the higher the likelihood of GDPR violations. The members could hardly keep such a mass of data up to date.
Some participants criticized the fact that the task force opposes the use of the database as an IP address management tool (IPAM). Some providers record to whom they have assigned which subnets and IP addresses in order to monitor their use and to automate troubleshooting. The task force members write that the RIPE database is not intended for this.
Denis Walker, chairman of the working group responsible for the database at RIPE, criticized the fact that the task force only considered the “historical purposes”. There are also “new purposes” that are undocumented. The task force did not take into account the requirements of new stakeholders. By that Walker presumably means regulators and law enforcement officers.
They are therefore likely to welcome Walker’s support. The task force does recognize the need for quick access to address data in the fight against crime, but there was no consensus in the group on the prosecutors’ proposal. So if the task force has its way, law enforcement officers should request the data from the RIPE NCC as before. A court order is then required for the surrender. However, if Walker has his way, the RIPE should immediately start a new debate about the future purpose of the database.
The chair of RIPE, Mirjam Kühne, dampened Walker’s enthusiasm and for now sees it as the turn of the various RIPE working groups to act. It is now in their hands which of the decisions they implement and how quickly.