
> Non-unique IP, which, for good no-logging VPNs, means no way to map a connection to a person, even through the legal system.

Not guaranteed. That depends on the network setup and on how much pressure the legal system has put on the ISP in question.

Possible cases:

1. Dynamic IPs allocated from a shared address pool, but no carrier-grade NAT, just 1:1 mappings. Most likely, the ISP's AAA (authentication, authorization and accounting) systems keep track of those, so the account details are one warrant away. Especially if the ISP has or historically had metered plans, using IP addresses is generally the most straightforward way to match flow reports (with traffic volume data) to customers.

2. User is behind a carrier-grade NAT, the ISP's local jurisdiction requires ISPs to disclose information about customers, and local law enforcement aren't happy with "uh... we don't know, there's a NAT, we can only tell it's one of those thousand accounts from that BRAS, sorry" replies, so the ISP has been fined or threatened with license revocation (if ISP services are licensed in their jurisdiction). In such a case they have probably at least set up two flow probes - before and after the NAT - so it's usually possible to correlate the streams. Or, more likely, implemented logging of NAT connection mappings (on GNU/Linux machines this is quite simple with conntrack and ulogd, no idea about Ciscos - not my area of expertise), so it's also quite possible to determine who it was.

Since one generally can't know what an ISP's routers are capable of, having carrier-grade NAT should only be considered a possible hindrance, not a guaranteed way to keep one's account identity anonymous.
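As an added illustration of the NAT-mapping logging the comment describes (example code, not part of the original post): it assumes a constructed, conntrack-style session log with NEW/DEL events (not real ulogd output, and all addresses are documentation/CGNAT ranges), pairs the events into sessions, and resolves a public ip:port observed at a given time back to the subscriber-side address. Querying with only the public IP, as a typical abuse report would, returns several candidates, which is exactly the ambiguity the comment's "one of those thousand accounts" reply refers to.

```python
"""Map a public ip:port seen by a remote server back to the subscriber-side
address behind a carrier-grade NAT, using NAT session (conntrack-style) logs."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log, loosely modelled on the fields a conntrack/ulogd session
# logger records (event, original src, destination, translated src). NOT real ulogd output.
NAT_LOG = """\
2024-03-01T10:00:01Z NEW orig=100.64.1.10:51234 dst=203.0.113.5:443 xlat=198.51.100.7:20001
2024-03-01T10:00:02Z NEW orig=100.64.1.11:44000 dst=203.0.113.5:443 xlat=198.51.100.7:20002
2024-03-01T10:00:30Z DEL orig=100.64.1.10:51234 dst=203.0.113.5:443 xlat=198.51.100.7:20001
2024-03-01T10:00:45Z NEW orig=100.64.1.12:50000 dst=203.0.113.5:443 xlat=198.51.100.7:20001
"""

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

@dataclass
class Session:
    start: datetime
    end: Optional[datetime]   # None = still open at the end of the log window
    internal: str             # subscriber-side ip:port, before NAT
    dst: str                  # destination ip:port
    public: str               # ip:port after NAT, what the destination sees

def parse_nat_log(text: str) -> list:
    """Pair NEW/DEL events into sessions keyed by (orig, dst, xlat)."""
    open_sessions, sessions = {}, []
    for line in text.splitlines():
        ts, event, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        key = (fields["orig"], fields["dst"], fields["xlat"])
        if event == "NEW":
            open_sessions[key] = parse_ts(ts)
        elif event == "DEL" and key in open_sessions:
            sessions.append(Session(open_sessions.pop(key), parse_ts(ts), *key))
    sessions += [Session(t, None, *key) for key, t in open_sessions.items()]
    return sessions

def resolve(sessions, public: str, dst: str, when: str) -> list:
    """Internal ip:port(s) that used `public` towards `dst` at `when`. `public` may be
    a bare IP (the usual abuse report); several hits then mean it is ambiguous."""
    t = parse_ts(when)
    return sorted(
        s.internal for s in sessions
        if (s.public == public or s.public.split(":")[0] == public)
        and s.dst == dst
        and s.start <= t and (s.end is None or t <= s.end))
```

Note that the same public ip:port pair (198.51.100.7:20001) is reused by a different subscriber later in the log, so a report without an accurate timestamp is as ambiguous as one without a port.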
