The need to Standardize Internet Services through CyberLaw

As we manage daily ISP services for our customers, we are sometime affraid of something. What? Our IP addresses can be used for criminal activities. And, it just happened.

As we focus on providing the internet bandwitdh for corporate, we do not deal with retail customer. However, at the end corporate customer is sometime a customer that give access to the public. Say for example Warnet (CyberCafe). The chain is: the Internet, we (as the ISP), Warnet, and the end user (the customer of the Warnet).

Now, suppose, the end user of a Warnet conduct a criminal act (such as carding), then a big problem may arise. The victim of the carding act would trace the transaction by the IP address used in the e-commerce transaction. It is very normal for every e-commerce provider to log every transaction. So, the victim would observe the transaction log, then find the IP address used in the transaction.

There is a database in the internet regarding who own the IP address. However, this database is not so granular, in which it is sometime (and most of the time) pointing to the ISP (not the customer's of the ISP that uses it). Having information the police or the victim then can request to the ISP regarding who is the customer of that ISP that use the IP address.

Now here is the problem. The ISP is absolutely able to inform the police or the victim regarding the detailed information of the IP address in question. There are 2 possible usage of the IP in question, namely:
1. The IP address in question is given to a corporate, or
2. The IP address in question is being used by the ISP itself for shared services (such as email service).

In the case of 1, the police or the victim can chase the corporate and ask for more information. In the case of 2, the ISP can provide the information to the police rot the victim, regarding more information on the IP in question (for example: is it used for an email server?, etc).

The police or the victim may simply think that data traffic is similar to data traffic. In which all the operators (the ISP, the Warnet, or the corporate) that are providing services to the end user must be having a complete CDR (Call Data Record). This is the problem. In the data world there exist some technology limitation that make the tracking down of the perpertrator no easy. Say NAT (Network Address Translation), or PAT (Port Address Translation). Using this technology, one IP address can be used for almost unlimited number of users. Imagine one public IP address is used by 200 employees in a corporate. Then, how to track down who is the perpetrator out of this 200 people? It's hard to tell.

The bottom line is to chase the perpetrator. How to do that? The simple way is that for every service whoever uses the Internet must at minimum provide a logging system. What are the internet services? Some of which are the following:
1. DNS Service
2. Email Services
3. Web Hosting Services
4. NAT/PAT Services

Now not all of the application to provide the abovementioned services have their own logging systems. So, there is a technology limitation for this. The second problem is that, if the provider must provide logging system this may lead to two problems: (i) investment issue (cost would be significant), (ii) degradation in the technical performance (the delay in accessing the service will be noticeable). The technology limitation can be solved as the technology keep growing to a better stage.

The third problem is the ISP feels that being an ISP the only business he deals with is to provide the access. It is the responsibility of the customers to use it at their own risks. It is like a paper producing company. The company produce the paper and sell it to the customer. It is the responsibility of the customer to use it for good things or for bad things (for example, to print phornographic items onto the paper).

So, it very obvious that tracking down the perpetrator on the Internet is no trivial task.

I think one of the solutions is to compose a good CyberLaw in which it mandates for all of ISP, Warnet, and Corporate to follow and implement a "tracking" system. So in case of criminal acts happen the police can retrive the data from that tracking system. And for sure, the perpertrator must have a severe punishment.

IPv6: Hello...

I managed to get /20 from APJII/APNIC in 2001. We still have a few portions of them as of now. I remembered back in the end of 2000, all people were talking about IPv6. Everybody was so affraid that the IPv4 was not able to cope with the higher demand of the internet booming. In every seminar, course, event, people were so excited predicting about when the booming of IPv6 will be. Some predicted it would happen in 2003. But the fact? It didn't. In a seminar held by APJII in 2002, some local experts here predicted that the booming of IPv6 in Indonesia would be around 2005. Still now we almost at the end of year 2005. Nothing has happened.

However, I heard that there are a few development locally. Some has tried to experiment with IPv6. And it was a success. But still, I don't see a movement toward using it comercially.

The big question is WHY? Why people do not embark on IPv6 in comercial point of view. I think the answers among others are the following:
(1) There is no compelling reason to use for most of ISPs. As long as ISPs can purchase IPv4, then they will use it and forget about IPv6. The question is how long will it take for IPv4 to run out? People predicts in 2003, then in 2004, then in 2005.
(2) Many work-arround technology has emerged such as PAT and NAT. For corporate requirements, having 3 to 5 Public IP addresses are more than enough. Those IPs can be used to address the Web Server, and Email Server. The rest can be used for Proxy or NAT gateways.
(3) Many network equipments are still using IPv4. If using IPv6 is mandatory then the upgrading cost for these old equipments would be significant. Not only that. Upgrading people skill would also incurs significant cost.

Having such limitation, then when the IPv6 can fly?