do ISPs keep track of end-user IP changes within thier network?


just a general curiousity question. it's been a long time since ive worked at an ISP.

back then it was non-expiring DHCP leases and in some cases static IP for all.. (yes it was long ago..)

Any feedback would be greatly appreciated..


Back then it was also short lease dialup and radius / tacacs to keep track.

Things have got rather better

Yes, it's very common to keep track of what user account/line had what IP at what time.

been a while, but seems like lately it's more a question of how long. ISPs
can be in position where they need to, but as things have consolidated,
seems like they'd really like to forget it as soon as they can. If you've
got a specific case in mind, likely best to find a direct contact and get a
response about policy, even if it has to be off-record. The big ones (like
one I likely shouldn't mention by name unless they do as I don't work for
them) definitely do, at least long enough to handle DMCA requests and other
legal obligations.


I'm not sure about the current state of the industry it's been a while since I was responsible for an access network. In the past we would keep radius logs for about 4 months, these would include the username,IP address and yes (to date myself) the caller id of the customer at the time.

Sam Moats

I'm no lawyer but in the U.S., 18 USC 2703 appears to indicate this data must be kept for at least 180 days.


While I'm also not an attorney, my reading of 18 USC 2703 leads me to
believe that records need only to be preserved for 180 days if a
governmental entity (i.e. law enforcement agency, regulatory body,
prosecutors office, etc) makes a request that such records be preserved. To
the best of my knowledge, there's no statue on the books (at least at a
federal level) which would mandate that a provider keep any records
relating to dynamic IP allocations.

You are very mistaken. There is no requirement to retain *any* logs
(notwithstanding any orders issued by a court).

Option 82 info and logging.


We used to keep several years worth of RADIUS summary data, which included username, call end time, duration, IP, NAS-IP, ANI, and DNIS, except for where the telco wouldn't sell PRI and we had to use CT1, where those weren't available. How's that for dating? :slight_smile:

Want to go back a little further?

Rack of Sportsters, "Digicrap"[1] on top, and some Total Control USR modems on the table/overflow.

[1] That's what I ended up nicknaming Digicom's rackmount modem chassis as their modems were unreliable (would repeatedly lock up requiring manual/physical resets and causing major problems for our hunt group). We eventually got them to buy it back as they were unable to resolve their problems.

I still have a soft spot for the Portmasters :-). We had rows of PM2's with US robotics 33.6K sportster modems attached on 8mm tape racks.
Back when a town of 40K people could all connect through 2XT1's and everyone was happy.
Sam Moats

I'd say in addition to just "how long", it's "how badly do you need them ". Searchable database could go back a few months while tapes usually exist for a lot longer than that. But you're not going to get the provider to dig through those unless they're under some legal obligation to do so.


My observation would be that 18 USC 2703 appears to provide for
requirements for the service provider to disclose certain records, IF the
provider has the records stored.

The act doesn't say they must keep the records for 180 days in the first
The act actually appears to impose additional restrictions on records that
have been in the electronic system for less than 180 days.

If LESS than 180 days, then a warrant is required; if 180 days or MORE,
then in some cases, an administrative procedure may be used, instead of a

"that is in electronic storage in an electronic communications system for
one hundred and eighty days or less, only pursuant to a warrant issued
using the procedures described in the Federal Rules of Criminal Procedure"

Section (f) Addresses a requirement to Preserve records,
Preserve records and evidence PENDING issuance of a court order or process,
  SHALL retain for 90 days, extend to an additional 90-day period upon a
renewed request by the government entity:

(f) Requirement To Preserve Evidence.—
(1) In general.— A provider of wire or electronic communication services or
a remote computing service, upon the request of a governmental entity,
shall take all necessary steps to preserve records and other evidence in
its possession pending the issuance of a court order or other process.
(2) Period of retention.— Records referred to in paragraph (1) shall be
retained for a period of 90 days, which shall be extended for an additional
90-day period upon a renewed request by the governmental entity.

The PMs were fantastic.

PM3's were pretty good as well. 2 PRIs or T1s.. 48 56k digital modems, + ISDN support.. :slight_smile:


Another question:
I would think that the systems that keep the logs get backed up to tape, right? Wouldn't this mean the data is kept for years off-site? Do they not offsite backup the access logs ever?


I wouldn't assume anything like that these days. Lots of people gave up on tape for backups years ago.

Dell - Internal Use - Confidential

PM3's were pretty solid. PM4's, not so much. They were often problematic requiring periodic reboots of the entire chassis to keep them sane even right up through the last firmware release until Lucent killed them off in favor of their newly acquired Ascend equipment. The team that designed them were good guys. We used to work directly with them on issues and get early access to beta releases of new firmware for the PM's, including new cutting edge protocols such as K56Flex and later V.90. :slight_smile:


Back in the day (geesh I feel old just saying that), I deployed a lot of
PM3’s …. Then we moved to Ascend TNT Max stuff - that was very exciting
back then!



"Exciting" was just the word for Ascends. In the mid 90s, I cured lots of
this excitement by putting my ascends on a socket timer which physically
rebooted them a couple of times daily. The support load dropped off
substantially due to that.


And back in my day we were excited when we deployed the USR (eventually 3Com) Total Control access servers.