Changes to internet addresses affect trading participants
Published by the Stockbrockers Association of Australia in the Stockbrokers Monthly, April 2016.
In 2015, the internet ran out of addresses! Anticipating this issue, a new standard for internet addresses (known as the Internet Protocol version 6; IPv6) was developed during the ’90s. However, it was not deployed in Australia until more recently. Even now its usage is limited. As a result, telecommunications carriers have implemented other workarounds, such as 'port numbers'. These developments have implications for the systems participants use to determine origin of orders.
Every computer participating in a network that uses the Internet Protocol (IP) to communicate is assigned a unique numerical label or 'IP address'. This also applies to mobile devices (such as mobile phones or tablets). Despite the introduction of IPv6, most organisations and individuals still use the original system, Internet Protocol version 4 (IPv4). This causes ongoing problems for telecommunication carriers, given the scarcity of IPv4 addresses.
To overcome this carriers have begun adding additional information to the end of IP addresses. This creates significantly more options for IP addresses. The additional information is referred to as a 'port number'. There are 65,535 port numbers per IP address. Most networks have adopted this approach already.
Participants must have appropriate trading management arrangements to determine the origin of orders and trading messages: Rule 5.5.3 of the ASIC Market Integrity Rules (ASX Market) 2010 and the ASIC Market Integrity Rules (Chi-X Australia Market) 2011. The relevant information includes the identity and capacity of the client and the computer or device they are using to connect to the participant.
When a client places a trading order through the internet, the device they use transmits its IP address to the participant's computer. Many participants use this information to verify the identity of their client and the origin of the order. In order to accurately identify the device being used by a client to place orders, a participant will need to capture the complete IP address.
Likewise, ASIC may request information under notice from a participant to assist us to fulfil our supervision responsibilities. For participants who allow access to clients through the internet, this could include a list of IP addresses from which specific order instructions originated or from which trading in certain securities originated. We too require the complete IP address.
Following changes to the way IP addresses are configured, a client's IP address could include an IPv6 sequence or port number, or both. Unless a participant has specifically upgraded its systems to capture IPv6 addresses and port numbers, this information is probably being lost at present. Participants should review their information technology systems to ensure this information is being captured, in order to fully comply with the origin of order requirements.
Some participants use third-party providers to collect and store origin of order information. This is permissible as long as the requisite information is captured.
We recently had discussions with a participant who had experienced a denial of service attack. While assessing the damage caused by the attack, the participant realised that their third-party provider was not collecting IPv6 or port number information that would allow the participant to determine origin of orders.
Participants are responsible for ensuring that any third-party service providers engaged by them comply with all applicable regulatory requirements. Where the participant is relying on IP addresses for origin of order, they must make inquiries with third-party providers to ensure their systems are configured for all standards of IP address.