Hacker News new | ask | show | jobs
by yonz 1243 days ago
In the context of network intrusion detection and providing secure online services, I agree with you.

However, if this guidance is trying to influence government office routers and internet gateways... It's a different story.

A transition from IPV4 to IPV6 creates a new per device tracking capability that leaks internal network structure. This in my opinion is worse than internal domains getting certs from Let's Encrypt https://crt.sh/?q=twitter.com cr: https://shkspr.mobi/blog/2022/01/should-you-use-lets-encrypt...

The dual stack, DHCP and SLAAC can go a long way in adding some anonymity.
2 comments
ZeroSolstice 1243 days ago
Realistically though what information can you glean from a hosts IPv6 address that wouldn't already be part of WHOIS? With IPv4 you already know there are only (3) rfc1918 reserved ranges. Anyone can use them as they see fit so seeing a 10/8 address in a email header doesn't automatically mean the company is huge its just what they picked. Myself, i've just never really bought into the whole "dns naming" or discovering private address ranges giving anything away. With existing NAT device tracking moved onto more unique features such as browser, screen size, etc. such that IP address tracking is probably not as accurate.
link
jeroenhd 1243 days ago
> A transition from IPV4 to IPV6 creates a new per device tracking capability that leaks internal network structure.

I doubt it. Your load balancers will be the only addresses that will be addressable anyway. Your IPv4 load balancers will also be "leaking" IP addresses.

link
wmf 1243 days ago
You're thinking of the server side, not clients.
link
jeroenhd 1242 days ago
Clients that aren't misconfigured will use random IPv6 addresses that rotate. The usual default is once per day but that's a mere preference, you can make your computer take a new IP every minute if you want.
link
wmf 1242 days ago
You can still see subnets though which was the original point.
link
jeroenhd 1242 days ago
With many ISPs handing out /64s and others handing out /48s and /56s to households, it's difficult to tell a subnet from another IP.

Even still, this information is pretty useless. So what if you know my current subnet is 3a80? That won't help you get past the firewall.

link
jiggawatts 1243 days ago
Clients use random IPv6 suffixes.
link