[TheDong]

Where's the privacy issue?

That the server can figure out that two computers in the same house are different since your laptop and phone no longer share the same ipv4 address but instead have two ipv6 address?

Your phone and laptop can just have multiple ipv6 addresses and rotate through them regularly... as apple does by default https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

Security? NAT is not a firewall, you need a firewall, and switching to IPv6 does not remove your firewall.

Before IPv6: The server gets "1.2.3.4:56789" for your device. After IPv6: the server gets "1:2:3:4::56" or whatever for your device. In either case, if the server makes a connection to 1.2.3.4:56789 or 1:2:3:4::56, your router sees the packet and firewalls the connection. Cool.

Want to give me a concrete example of where IPv6 is hurting my privacy or security, because I've been using it for over a decade with zero mishaps, zero privacy issues, zero security issues (to my knowledge at least)

[NitpickLawyer]

> NAT is not a firewall,

I've only read that on HN, I've never heard this anywhere else. Since it's been a good 20+ years since my CCNA (and haven't needed to renew it since), could you please offer a real-world example where NAT is not a firewall w/ practical examples relating to 99.9% of cases of home use? I just can't get why people say this a lot here.

NAT works and passes the grandma test. If grandma buys a crappy vulnerable 40$ printer and plugs it in, even if it accepts unauthenticated stuff on every local port, you will not be able to connect to it behind NAT. So what's the difference? The only way I could think this can apply is if the ISP is compromised or criminally mismanaged, in which case you probably already have bigger problems.

[fegu]

I agree. NAT, while occasionally limiting, was a godsend. Just imagine how the world would look if everyone out there was at the mercy of a well configured router with firewall.

[throw0101a]

> I've only read that on HN, I've never heard this anywhere else.

Well-regarded networking architect, author, and instructor:

* https://blog.ipspace.net/2011/12/is-nat-security-feature/

> NAT works and passes the grandma test.

So does my Asus with a default deny IPv6 rule on incoming connections.

You're more likely to click on a link that installs malware that attacks your network from the inside, and that attack works regardless of IPv4 or IPv6.

Treating a firewall as some impenetrable moat has not been network security practice for a decade(+), and waving around RFC 1918 address space like systems with a 10.8 or 192.168/16 can't get infected is lazy thinking. It leads to complacency: I'm behind NAT, I'm safe.

[kstrauser]

Grandma’s ISP can send RFC 1918 traffic to her router and likely be able to directly connect to every internal host. You should have learned in your CCNA training that NAT makes it harder to send inbound traffic to a system, but doesn’t by itself provide the filtering that a firewall does.

[NitpickLawyer]

Right, I get that. I can see the ISP angle. But my question was specifically for outside attacks. Tangible, real-world threats in existing ISPs, reachable from the outside.

[mlyle]

NAT was not designed as a security boundary. Sure, it may block some kinds of incoming traffic accidentally and as a side-effect disrupt some attacks.

But why would you rather have an always-broken network that might block attackers instead of a deliberate "deny incoming" rule that does exactly what you want -- and that you can punch holes in if desired?

Instead we have apps circumventing this accidental barrier with STUN, uPNP, etc with little/no oversight and we also regularly encounter brokenness.

[inigyou]

They used to recommend using the MAC address. This was ok 30 years ago when a computer sat in an office on a desk but it makes it very easy to fingerprint a moving computer as it moves across different networks.

Using a random address (Privacy Extensions) solves this problem though, but do we expect everyone to know what that is and check it's enabled? Mine wasn't enabled by default (on Linux) and I only noticed when a bittorrent site warned me.

[throw0101a]

As mentioned by GP, Apple enables privacy extensions on all their OSes:

* https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

As does Windows (since Vista), and Android (8+).

So why are we still talking about this?

[frantathefranta]

Could you publicly shame the distro that had that issue? Pretty sure it should be the default (on NixOS at least it is).

[doubled112]

Fedora doesn’t enable privacy extensions by default, if I recall correctly.

[throw0101a]

Debian does.