I just hope IPv6 doesn't have the privacy nightmare that 1 device will always get 1 IP. Currently, the ISP I use provides a dynamic IP, so on every router restart my IP gets changed. If they start to provide IPv6, I hope they give options to rotate it frequently, so toxic companies like Meta, Facebook, Microsoft can't connect my device & IP.
It rotates about once a day in most operating systems. They're called IPv6 privacy extensions. This is of course defeatable, but it provides a nice black hole for a device. It moves on and you can't connect to it anymore.
On a protocol level, there is nothing in IPv6 preventing you from doing NAT. There are just fewer implementations of it, but it doesn't need buy-in from your ISP, as long as you control the router (and if not, you put a second router behind the first one which has your actual network).
I work for a large online service. We barely need your IP to track you. There are _so_ many other variables sites can use to track you. Even when you switch networks completely.
It's not a privacy nightmare. You could just run a proxy on your gateway and your connections would legitimately end up coming from it, but it wouldn't actually do much for your privacy.
Rotating the IP to get similar privacy to what NAT/PAT gave you is annoying. I know with v6 we need to use DNS, but I hate to say it: I miss NAT. I hope they just give us NAT66.
You are mixing up IPv6 prefix rotation and IPv6 privacy extensions, and you don't seem to take into account that IPv4 from most ISPs is much worse (typically, you get an IPv4 address from your ISP via DHCP and keep it nearly forever, nothing to defeat).
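To make the distinction in the two comments above concrete (prefix rotation happens at the ISP; privacy extensions are per-host temporary addresses), here is an added audit script, not code from anyone in this thread, that classifies the global IPv6 addresses in `ip -6 addr show` output as RFC 4941 temporary addresses, MAC-derived EUI-64 addresses, or other stable addresses. The sample output is constructed, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not from a real host).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:d4a1:9c3e:7b20:1f5a/64 scope global temporary dynamic
       valid_lft 86023sec preferred_lft 14023sec
    inet6 2001:db8:1234:5678:21b:21ff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86023sec preferred_lft 86023sec
    inet6 fe80::21b:21ff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/\d+\s+scope\s+(\S+)(.*)$")

def classify(addr: str, flags: set) -> str:
    """Label one address: 'temporary' (RFC 4941 privacy address),
    'eui64' (interface ID built from the MAC: address bytes 11-12 are ff:fe,
    so the hardware address is exposed), or 'stable' (e.g. RFC 7217 or manual)."""
    if "temporary" in flags:
        return "temporary"
    packed = ipaddress.IPv6Address(addr).packed
    if packed[11:13] == b"\xff\xfe":
        return "eui64"
    return "stable"

def audit(ip_output: str) -> list:
    """Return (address, kind) for every global-scope address in the output."""
    result = []
    for line in ip_output.splitlines():
        m = INET6_RE.match(line)
        if not m or m.group(2) != "global":
            continue
        flags = set(m.group(3).split())  # e.g. {'temporary', 'dynamic'}
        result.append((m.group(1), classify(m.group(1), flags)))
    return result

def summary(ip_output: str) -> dict:
    """Does the host use temporary addresses, and does any global address
    still embed the MAC (which survives prefix rotation by the ISP)?"""
    kinds = [kind for _, kind in audit(ip_output)]
    return {"privacy_extensions": "temporary" in kinds, "mac_exposed": "eui64" in kinds}
```

A host with `privacy_extensions` false can enable them on Linux with the sysctl `net.ipv6.conf.all.use_tempaddr=2` (generate temporary addresses and prefer them for outgoing connections); the `mac_exposed` flag shows that the stable EUI-64 address still identifies the device even when the ISP changes the prefix.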
With IPv6 each device getting a unique IP is not a bug but a feature -- what will probably happen is that your ISP will lend out a /64 range to you, which your devices will use to assign a unique IP to themselves. This completely removes the need for NAT (also, keep in mind that a NAT is not a firewall or a security feature). BTW, dynamic IP rotation was never a guarantee and is only used because the pool of IPs was small. Use a VPN to avoid FAANG.
NAT itself doesn't provide any protection at all. You can set up NAT in dozens of different configurations (1:1 NAT comes to mind), but in the way consumer routers generally set up NAT, I can see why you'd say that (despite there being standard ways to forward ports without any user intervention such as UPnP). There's nothing "secure" about NAT.
Not having client devices accessible via unique IPs is a great security feature. Certainly an unintended side effect, but NAT is what is dropping unwelcome incoming traffic on consumer devices.
You mean a firewall? NAT doesn’t have to drop any packets. It can translate unknown flows into broadcast packets, forward them to a set ip (dmz), or drop them. NAT is not a firewall, even if some configurations make it kinda sorta, if you squint, look like one.
I don't think that works. A router should decrement the TTL of the frame, thus showing that there is a router in front of the host device. The Linux default is 64 and Windows is 128 IIRC, so you can easily deduce the OS just from looking at the TTL. This can tell you whether an IPv4 device is directly connected. From there, you just need to look at the IP ID in the packet and figure out which ones are increasing independently to determine individual devices behind the NAT.
Every ISP I know has their routers set to block incoming traffic by default. With most consumer router SIP ALG being defeated easily (NAT slipstreaming attacks etc) I'd argue that NAT is actually worse for security than just a simple firewall.
1:many NAT requires an affirmative choice on where to route incoming packets that aren't part of an existing stream.
In adaptation to that, most attacks are malware spread by email, or attack browser vulnerabilities, or attack services running on network devices, especially remote management systems.
It's not even technically correct; it's just wrong.
NAT doesn't make any choices on where a packet gets delivered. For packets that aren't part of an existing stream, NAT will simply not edit the packet. Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
> For packets that aren't part of an existing stream, NAT will simply not edit the packet.
A 1:1 NAT should generally just swap IP for IP and not know about streams or ports at all.
> Unless there's a separate firewall that chooses to drop it, the packet will get delivered to whatever IP was already in the destination field, which could be the IP of one of your LAN machines.
I would call that a routing rules error, even in the absence of a firewall.
It's sad how much has changed in the past 10+ years. I remember arguments advocating for IPv6 for exactly that reason: 1 device per 1 IP. Back then, it was seen as something great.
I agree with what you said. It's just interesting how it illustrates how different things are now.
> I remember arguments advocating for IPv6 for exactly that reason: 1 device per 1 IP. Back then, it was seen as something great.
I remember a bunch of people being horrified by the idea of 1 device per IP. I think it's more a matter of who you were around than the group changing their mind, but maybe that happened too.