by Sanzig 79 days ago
Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall.

NAT may work fine for your setup, but it can be a huge headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.

Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed.

And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.

[flagged]
You can't correlate the number of addresses with the number of devices because IPv6 temporary addresses exist. If you enable temporary addresses, your computer will periodically randomly generate a new address and switch to it.

https://www.rfc-editor.org/rfc/rfc8981.html

I feel like this is a silly narrowing of the problem for normal, retail users. My priority isn't masking "the number of addresses" or devices. My desire is to not have a persistent identifier to correlate all my traffic. The whole idea of temporary addresses fails at this because the network prefix becomes the correlation ID.

I'm not an IPv4 apologist though. Clearly the NAT/DHCP assignments from the ISP are essentially the same risk, with just one shallow layer of pseudo-obscurity. I'd rather have IPv6 and remind myself that my traffic is tagged with my customer ID, one way or another.

Unfortunately, I see no real hope that this will ever be mitigated. Incentives are not aligned for any ISP to actually help mask customer traffic. It seems that onion routing (i.e. Tor) is the best anyone has come up with, and I suspect that in today's world, this has become a net liability for a mundane, privacy-conscious user.
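The two comments above make a pair of points: a host running RFC 8981 keeps drawing new random interface identifiers, yet all of those addresses sit under the same /64, so the prefix identifies the subscriber anyway. The following is an added Python example, not code from the thread or from any of the commenters, that models both halves: how a temporary address is formed (random 64-bit IID under the advertised /64, re-drawn if it lands in a range RFC 5453 reserves) and what an observer does with a list of seen addresses (group by /64, and flag any stable EUI-64 address in the group). Function names are this example's own, and the sample addresses are constructed under the documentation prefix 2001:db8::/32.

```python
"""Added example (not from the thread): why RFC 8981 temporary addresses do
not prevent correlation by the /64 prefix.

  1. make_temporary_address(): how a host forms a temporary address, RFC 8981
     style, by placing a random 64-bit interface identifier (IID) under the
     advertised /64 and re-drawing when the IID lands in a range RFC 5453
     reserves.
  2. audit(): what an observer does with the addresses it sees, grouping them
     by /64.  Every temporary address a host ever uses shares that prefix.

All addresses are constructed sample data under 2001:db8::/32; the function
names are this example's own.
"""
import ipaddress
import random
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

IID_MASK = (1 << 64) - 1

# Interface-identifier ranges RFC 5453 reserves (inclusive).  The middle entry
# spans the two IANA Ethernet blocks and the Proxy Mobile IPv6 IID that sit
# contiguously between them.
RESERVED_IIDS = (
    (0x0000_0000_0000_0000, 0x0000_0000_0000_0000),  # subnet-router anycast
    (0x0200_5EFF_FE00_0000, 0x0200_5EFF_FEFF_FFFF),  # Ethernet / PMIPv6 blocks
    (0xFDFF_FFFF_FFFF_FF80, 0xFDFF_FFFF_FFFF_FFFF),  # reserved subnet anycast
)


def iid_of(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def iid_is_reserved(iid: int) -> bool:
    """True if RFC 5453 forbids handing out this IID."""
    return any(lo <= iid <= hi for lo, hi in RESERVED_IIDS)


def make_temporary_address(prefix: str, seed: Optional[int] = None) -> str:
    """Form one RFC 8981 temporary address under `prefix` (a /64).

    A real host draws the IID from a cryptographic source; `seed` exists only
    so that tests are reproducible and should be left None otherwise.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed under a /64 prefix")
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    while True:
        iid = rng.getrandbits(64)
        if not iid_is_reserved(iid):          # RFC 8981 section 3.3.1 check
            return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def is_eui64(addr: str) -> bool:
    """True if the IID carries the ff:fe marker of a MAC-derived EUI-64 IID
    (RFC 4291 Appendix A), i.e. a stable hardware identifier."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def prefix_of(addr: str) -> str:
    """The /64 an address belongs to, as a network string."""
    host = int(ipaddress.IPv6Address(addr))
    return str(ipaddress.IPv6Network((host & ~IID_MASK, 64)))


def audit(addrs: Iterable[str]) -> Dict[str, Tuple[int, bool]]:
    """Group observed addresses by /64.

    Returns {prefix: (distinct addresses seen, whether any is a stable EUI-64
    address)}.  One row per prefix is one row per subscriber, however many
    temporary IIDs that subscriber cycled through.
    """
    groups = defaultdict(set)
    for a in addrs:
        groups[prefix_of(a)].add(ipaddress.IPv6Address(a).compressed)
    return {p: (len(v), any(is_eui64(a) for a in v)) for p, v in groups.items()}


# Constructed sample: source addresses a web server logged over three days.
OBSERVED = [
    "2001:db8:1:2:4f7a:91c2:3e55:a1b",    # temporary address, day 1
    "2001:db8:1:2:b31e:77d0:5c09:e2f4",   # temporary address, day 2
    "2001:db8:1:2:1d08:ac9f:6b30:77e1",   # temporary address, day 3
    "2001:db8:1:2:211:22ff:fe33:4455",    # same host's stable EUI-64 address
    "2001:db8:9:0:8c41:de03:55aa:f1e",    # a different subscriber
]

if __name__ == "__main__":
    for prefix, (count, stable) in audit(OBSERVED).items():
        print(f"{prefix}: {count} address(es), stable EUI-64 seen: {stable}")
    print("fresh temporary address:", make_temporary_address("2001:db8:1:2::/64"))
```

Run as-is it prints one row per /64: the first subscriber shows up as a single prefix with four addresses (three temporary plus the EUI-64 one), which is exactly the correlation the comment describes. Replace `OBSERVED` with the output of your own `ip -6 addr` over a few days to see how many distinct IIDs your host has burned through under one unchanging prefix.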

> My desire is to not have a persistent identifier to correlate all my traffic.

Reboot your router. Asus (with the vendor firmware) allows you to do this in a scheduled manner. You'll get a new IPv4 WAN IP (for your NAT stuff) and (with most ISPs) a new IPv6 prefix.

As it stands, if you think NAT hides an individual device, you may have a false sense of security (PDF):

* https://oasis.library.unlv.edu/cgi/viewcontent.cgi?article=1...

> The whole idea of temporary addresses fails at this because the network prefix becomes the correlation ID.

So the same as the public IPv4 on a traditional home NAT setup?

Most home users do not have a static public IPv4 address - they have a single address that changes over time.

But most ISPs aren’t giving out static IPv6 prefixes either. Instead they are collecting logs of what addresses they’ve handed out to which customer and holding on to them for years and years in case a court requests them. Tracking visitors doesn’t need to use IP addresses simply because it’s trivial to do so with cookies or browser fingerprinting. There’s exactly zero privacy either way.

> Most home users do not have a static public IPv4 address - they have a single address that changes over time.

I'd be curious to know the statistics on this: I would hazard to guess that for most ISPs, if your router/modem does not reboot, your IPv4 address (and IPv6 prefix) will not change.

[flagged]
Temporary addresses are enabled by default in OS X, Windows, Android, and iOS. That's what, like 95% of the consumer non-server market? As for Linux, that's going to be up to each distro to decide what their defaults are. It looks like they are _not_ the default on FreeBSD, which makes sense because that OS is primarily targeting servers (even though I use it on my laptop).

Temporary addresses are used by any Linux distro using NetworkManager (all desktop ones). For server distros, it can differ.

In GNOME it's just a toggle in the network settings.
> ALL THE HEAVY LIFTING THERE

> MUCH MORE IMPORTANT

I haven't done the exhaustive research but props in advance for being the only person shouting in caps on HN. Definitely one way to proclaim one's not AI-ness without forced spelling errors.

Didn't even think about that. Interesting.

And most OS do enable it by default.

I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

I don’t want a static address either (although static addresses should be freely available to those who want them). Having a rotating IP provides a small privacy benefit. People who have upset other people during an online gaming session will understand; revenge DDoS is not unheard of in the gaming world.

> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

Do you ever connect your laptop to any network other than your home network? For example, public wifi hotspots, hotel wifi, tech conferences, etc? If so, you need to be running a firewall _on your laptop_ anyway because your router is no longer there to save you from the other people on that network.

It's also a good idea even inside your home network, because one compromised device on your network could then lead to all your other firewall-less devices being exploited.

Not every device can run its own firewall. IoT devices, NVR systems, etc. should be cordoned off from the internet but typically cannot run their own firewall.

Sure, but they sit on an IoT VLAN where your firewall prevents access except specifically allowed services.

You must have not read my original post. I said that the NAT provides an additional fallback layer of safety in case you accidentally misconfigure your firewall. (This has happened to me once before while working late and I’ve also seen it in the field.)

Most public wifi has client isolation enabled for this reason. Firewall or not, you can't communicate with other clients.

Only if they're set up properly, which is quite the gamble. I was recently in a hotel and I listed all the Chromecast devices throughout the entire hotel. I could see what everyone was watching and if I was a lesser person I could have controlled their TVs or changed what they were watching.

What about devices like those Chromecasts which don't even have firewalls? The only real solution would be to bring your own hardware firewall / access point and connect it as a client off the hotel wifi. Who is really going to do that?

You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic. If you get a /48 from your ISP you could rotate to a new IP address every second for the rest of your life.

> You can have IPv6 firewalls emulate the behavior of NAT so it blocks unsolicited inbound traffic while allowing outbound traffic.

Are there any (consumer?) firewalls that do not do this? I know Asus do this (and have for years).

AIUI most 'enterprise' firewalls have a default deny shipped from the factory and you have to actively allow stuff.

Right, but if you’re messing around as a naive learner it’s easy to accidentally disable that or completely open up an IP or range due to a bad rule. It’s a lot harder to accidentally enable port forwarding on a NAT.

> It’s a lot harder to accidentally enable port forwarding on a NAT.

It's probably less than three clicks on most home router web UIs.

But you have to specify not only the exposed port but also the destination address and port which is not easy to do accidentally.

edit: typo

Very hard to make all those clicks accidentally. But anyway I’m talking about pf/iptables rules, not web UIs.

> I don’t want some of my devices to be publicly addressable at all, even if I mess up something at the firewall while updating the rules. NAT provides this by default.

This feels like a strawman. If you are making the sort of change that accidentally disables your IPv6 firewall completely, you could accidentally make a change that exposed IPv4 devices as well (accidentally enabling DMZ, or setting up port forwarding incorrectly for example).

As someone who has done this while tired, it’s a lot easier to accidentally open extra ports to a publicly routable IP (or overbroad range of IPs) than it is to accidentally enable port forwarding or DMZ.

You could accidentally swap IPs to one that had a port forward, some applications can ask routers to forward, etc. etc. I don't know how exactly we'd measure the various potential issues but they seem incredibly minor compared to the sheer amount of breakage created by widespread NAT.

I don’t have any problems with NAT on my network.

> Why don't you want every device to have a public IP?

Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.

> With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers.

There is no guarantee with IPv6 that hole punching works. It _usually_ does, like with IPv4.

> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.

The answer here is kinda that Wi-Fi isn't an appropriate networking protocol for lightbulbs (or most other devices that aren't high-bandwidth) in the first place.

Smart devices that aren't high bandwidth (i.e. basically anything other than cameras) and that don't need to be internet accessible outside of a smart home controller should be using one of Z-Wave/Zigbee/Thread/LoRaWAN depending on requirements, but basically never Wi-Fi.

Silliness of smart bulbs aside, I would hope the answer is how IPv6 is actually safe for this, not that you should just not use wifi.

Well, Thread uses IPv6 in a safe way for this; nobody ever complains about how they wish their Thread network only used IPv4. :)

>> Why don't you want every device to have a public IP?

> Suddenly, your smart lightbulb is accessible by everyone. Not a great idea.

Why would it be "accessible by everyone"? My last ISP had IPv6 and my Asus (with the vendor firmware) didn't allow it. My printer automatically picked up an IPv6 address via SLAAC and it was not "accessible by everyone" (I tried connecting to it externally).

> Suddenly, your smart lightbulb is accessible by everyone.

A firewall solves that issue, IPv4 or IPv6.

A lot of people, even on HN, mistake "addressable" for "accessible".

It's because router defaults have been bad for a long time and NAT accidentally made them better.

I finally have IPv6 at home but I am being very cautious about enabling it because I don't really know what the implications are, and I do not trust the defaults.

Many routers don't firewall by default. Lemme check later, but pretty sure my basic ASUS router doesn't either.

My ISP doesn't rotate my /48.

However if I change my ISP I get a new one, and that means a renumbering.

> Why don't you want every device to have a public IP?

What would be the advantage in it?

Trivially easy to do direct connections between devices (if desired), no issues when creating VPNs between networks using private ranges.

What would be the disadvantage?

Well, the disadvantage would be that it would be really difficult to do direct connections between devices.

I don't want VPNs between private ranges.

I don't want publicly-routable IP addresses on anything.

>> Why don't you want every device to have a public IP?

> What would be the advantage in it?

Not having to deal with ICE/TURN/STUN. Being able to develop P2P applications without having to build out that infrastructure (anyone remember Skype's "supernodes"?).

This is not something I ever want any device on my network to do.

It's about being able to run apps that can operate without having an HQ that needs to be phoned home to for operation, which is currently generally necessary with NAT.
So here's the thing. My ISP does _not_ rotate my IPv4 address, but _does_ rotate IPv6. Why? I'll never know.

Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.

> Anyhow. I'm not confused about NAT vs. firewalling. No one who dislikes IPv6 is confused by this.

"No one"; LOL. I've participated in entire sub-threads on HN with people insisting that NAT = security. I've cited well-regarded network educators/commentators and vendors:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

* https://www.f5.com/resources/white-papers/the-myth-of-networ...

That article is making a narrower claim than you're implying. It argues that NAT is not a security mechanism by design and that some forms of NAT provide no protection, which is true.

It also explicitly acknowledges that NAT has side effects that resemble security mechanisms.

In typical deployments, those side effects mean internal hosts are not directly addressable from the public internet unless a mapping already exists. That reduces externally reachable attack surface.

So, the disagreement here is mostly semantic. NAT is not a security control in the design sense, but it does have security-relevant effects in practice.

I personally do consider NAT as part of a security strategy. It's sometimes nice to have.

Both of those articles are actually wrong. They say "if an unknown packet arrives from the outside interface, it’s dropped" and "While it is true that stateful ingress IPv4 NAT will reject externally initiated TCP traffic" respectively, but this is in fact not true for NAT, which you can see for yourself just by testing it. (It's true for a firewall, but not for NAT.)

The biggest security-relevant effects of NAT are negative. It makes people think they're protected when they aren't, and when used with port forwarding rules it reduces the search space needed to find accessible servers.

I agree it can be a useful tool in your toolbox sometimes, but a security tool it is not.

> Why don't you want every device to have a public IP?

Big companies would abuse that beyond belief. Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.

IMO, IPv6 should have given more consideration to the notation. Sure, hex is "better in every way" except when people need to use it. If we could just send the IPv6 designers back in time, they could have made everyone use integer addresses.

    # IPv4 - you can ping this
    ping 16843009
    # IPv6 - if they hadn't broken it :-(
    ping 50129923160737025685877875977879068433
    # IPv7 - what could have been :-(
    ping 19310386531895462985913581418294584302690104794478241438464910045744047689
It's simple, unambiguous, and scales infinitely.

> Back around the late 90s ISPs wanted to have everyone pay per device on their local networks. NAT was part of what saved us from that.

But with IPv6 a single device may have multiple addresses, some of which it just changes randomly. So this idea that they'll then know how many devices you have and be able to pay per device isn't really feasible in IPv6.

A single /64 being assigned to your home gives you over 18 quintillion addresses to choose from.

If the ISP really wanted to limit devices they'd rely on only allowing their routers and looking at MAC addresses, but even then one can just put whatever to route through that and boom it's a single device on the ISP's lan.

> It's simple, unambiguous, and scales infinitely

This is a joke, right? How does it "scale infinitely"? It is clearly ambiguous in your IPv7 example.