by mirimir 2846 days ago
Yes, I've never been comfortable with the device specificity of IPv6. Sure, temporary non-local addresses are now the norm. And they're usually not MAC-based. But still, I'd rather have IPv4 with NAT. Also, there's the issue that many VPN services don't yet route IPv6, and so IPv6 connections can bypass the VPN connection.

> Yes, I've never been comfortable with the device specificity of IPv6

These days it's really not much different from IPv4: During the lifetime of a connection, the prefix stays the same, so that's equivalent to the IPv4 address before that.

The actual machine address rotates very often, so there's no real value in using this for identifying unique devices.

If you want to profile specific devices, you're much better off using the same attributes you were using with IPv4 (user agent, TTL, other protocol specific fingerprint techniques).

But isn't NAT deprecated for IPv6?

You don’t need to NAT for privacy. That was my point. If your machine uses a different outgoing address for every connection, it’s as well masked as if all your machines used the same address.

The only thing that stays static across connections is the provider assigned prefix and that’s equivalent to your dynamic IPv4 address.
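An added example, not code from anyone in this thread, that makes the point above concrete by parsing `ip -6 addr` output: every global address on the interface shares the provider's /64 prefix (the part a remote site can correlate, like a dynamic IPv4 address), the temporary addresses underneath it rotate, and a stable address whose interface identifier is MAC-derived (modified EUI-64, recognisable by the `ff:fe` bytes in the middle of the identifier) is the one kind that does pin a device. The sample output is constructed with the 2001:db8::/32 documentation prefix; nothing here is from a real host.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eth0` output (documentation prefix, not a real host).
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic
       valid_lft 86353sec preferred_lft 14353sec
    inet6 2001:db8:1:2:9f0e:11aa:22bb:33cc/64 scope global temporary deprecated dynamic
       valid_lft 86353sec preferred_lft 0sec
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86353sec preferred_lft 86353sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

INET6_RE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$")


def parse_ip6_addr(text):
    """Extract each inet6 line into address, containing network, scope and flags."""
    entries = []
    for line in text.splitlines():
        m = INET6_RE.match(line)
        if not m:
            continue
        addr, plen, scope, rest = m.groups()
        flags = set(rest.split())
        entries.append({
            "address": ipaddress.IPv6Address(addr),
            "network": ipaddress.IPv6Network(f"{addr}/{plen}", strict=False),
            "scope": scope,
            "temporary": "temporary" in flags,
            "deprecated": "deprecated" in flags,
        })
    return entries


def looks_eui64(addr):
    """True if the interface identifier carries the ff:fe marker of a modified EUI-64
    (MAC-derived) identifier, i.e. an address that identifies the device itself."""
    if isinstance(addr, str):
        addr = ipaddress.IPv6Address(addr)
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE


def privacy_summary(text):
    """Summarise the global-scope addresses: the shared prefix, the temporary addresses
    still usable for new connections, and whether any stable address is MAC-derived."""
    entries = [e for e in parse_ip6_addr(text) if e["scope"] == "global"]
    temporary = [e for e in entries if e["temporary"] and not e["deprecated"]]
    stable = [e for e in entries if not e["temporary"]]
    return {
        "prefixes": {str(e["network"]) for e in entries},
        "usable_temporary": [str(e["address"]) for e in temporary],
        "stable": [str(e["address"]) for e in stable],
        "stable_is_eui64": [looks_eui64(e["address"]) for e in stable],
        "temp_addrs_in_use": bool(temporary),
    }


if __name__ == "__main__":
    for key, value in privacy_summary(SAMPLE_IP6_ADDR).items():
        print(f"{key}: {value}")
```

On the sample, all three global addresses collapse to the single prefix 2001:db8:1:2::/64, one temporary address is still preferred for new connections, and the stable address is flagged as EUI-64 because its identifier embeds the MAC. On Linux the temporary addresses come from the privacy extensions knob `net.ipv6.conf.all.use_tempaddr` (2 = enable and prefer them); stable addresses need not be MAC-based either, which is why the check is worth running rather than assumed.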

Honestly, that sounds like a failing of the VPN services.

At the least, they should push a null default route to users that connect (assuming we're talking about the kind of VPN services that advertise as "protect your privacy with a VPN!").

Yes, good ones handle that. Also firewall rules.

But crappy ones don't. And some people end up using crappy ones, because they don't know any better :(
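An added example, not written by anyone in this thread, covering the two mitigations just discussed: the null default route and the firewall rule. It reads `ip -6 route show` output and answers the question "where would IPv6 packets to an arbitrary destination go right now?", then emits an nftables kill switch. The route samples are constructed; `tun0` as the VPN interface name and `vpnguard` as the nftables table name are assumptions. The fourth sample shows the caveat a practitioner should know: a high-metric `unreachable default` route only protects you when nothing else supplies a default, so a router-advertisement default with a lower metric still wins when the tunnel is down, which is why the firewall layer is needed as well.

```python
import re

# Constructed samples of `ip -6 route show` output (documentation prefix, no real hosts).
# "tun0" is the assumed VPN interface name throughout.
ROUTES_LEAKING = """\
2001:db8:1:2::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec pref medium
"""

ROUTES_PROTECTED = """\
unreachable default dev lo metric 65535 proto static
default dev tun0 metric 50 proto static
2001:db8:1:2::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
"""

# VPN down, null route present, no router-advertisement default: traffic is dropped locally.
ROUTES_VPN_DOWN = """\
unreachable default dev lo metric 65535 proto static
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""

# VPN down, null route present, but an RA default with a lower metric still wins.
ROUTES_RA_BEATS_NULL = """\
unreachable default dev lo metric 65535 proto static
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec pref medium
"""

ROUTES_NO_IPV6 = """\
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""

ROUTE_RE = re.compile(
    r"^(?:(unreachable|blackhole|prohibit)\s+)?default"
    r"(?:\s+via\s+(\S+))?(?:\s+dev\s+(\S+))?(?:.*?\bmetric\s+(\d+))?"
)


def default_routes(text):
    """Return every IPv6 default route in the main table: null-route kind (or None),
    gateway, interface and metric (0 when none is printed)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            null_kind, via, dev, metric = m.groups()
            routes.append({"null": null_kind, "via": via, "dev": dev,
                           "metric": int(metric) if metric else 0})
    return routes


def ipv6_leak_verdict(text, vpn_if):
    """Decide where IPv6 traffic to arbitrary destinations would go.
    Assumption: the default route with the lowest metric is the one the kernel uses."""
    routes = default_routes(text)
    if not routes:
        return "no-default"      # no IPv6 route out of the host at all
    best = min(routes, key=lambda r: r["metric"])
    if best["null"]:
        return "null-routed"     # dropped locally: the null default route is doing its job
    if best["dev"] == vpn_if:
        return "via-vpn"
    return "leak"                # IPv6 bypasses the tunnel


def mitigation_commands(vpn_if, table="vpnguard"):
    """nftables kill switch (assumed table name): drop IPv6 leaving on any interface
    other than loopback and the VPN interface, whatever the routing table says."""
    return [
        f"nft add table inet {table}",
        f"nft add chain inet {table} output "
        "'{ type filter hook output priority 0 ; policy accept ; }'",
        f"nft add rule inet {table} output meta nfproto ipv6 "
        f'oifname != "{vpn_if}" oifname != "lo" drop',
    ]


if __name__ == "__main__":
    for name, text in [("leaking", ROUTES_LEAKING), ("protected", ROUTES_PROTECTED),
                       ("vpn down", ROUTES_VPN_DOWN), ("RA beats null", ROUTES_RA_BEATS_NULL)]:
        print(f"{name:14s}: {ipv6_leak_verdict(text, 'tun0')}")
    if ipv6_leak_verdict(ROUTES_LEAKING, "tun0") == "leak":
        print("\n".join(mitigation_commands("tun0")))
```

The check only reads the main routing table (policy routing and additional tables are out of scope) and says nothing about DNS, which the thread notes is a separate leak path. The nftables rule is the layer that holds even in the `ROUTES_RA_BEATS_NULL` case; it is deliberately blunt and also blocks link-local IPv6 on the physical interface, which is usually acceptable on a privacy-focused client.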

Crappy ones also sometimes leak UDP packets. Or all DNS queries or whatever. If you use crappy VPNs it's your fault if you then don't get the protection you want, no matter the transport protocol.

Or rather: Using IPv4 doesn't guarantee non-crappiness of a VPN provider.

But: Working IPv6 support guarantees at least some level of proficiency by the VPN provider, so they might be more reliable candidates to begin with.

Crappy VPN services do all sorts of crappy stuff.

But there's more needed with IPv6 than routing properly. The VPN provider needs to assign IPv6 addresses to customers, and that's harder than just NATing stuff. It's almost like being an IPv6 ISP.

But I've done a toy implementation. To get "anonymous" IPv6 addresses, so I could test VPN service clients for IPv6 leaks, without pwning myself. I needed a little help from an IVPN engineer, but it wasn't that hard.