Walter Dnes

join:2008-01-27
Thornhill, ON

1 recommendation

Will Teksavvy IPV6 be static prefix or dynamic prefix?

For IPV4, residential service IP addresses are generally dynamic. In residential IPV6, you get a prefix (/64 or /56) instead of a single IP address. Question: will the prefix be static or dynamic? "Privacy extensions" would be useless if we get static prefixes.


squircle

join:2009-06-23
Oakville, ON

2 recommendations

There is a thread for these kinds of questions (»IPv6 beta), but the IPv6 allocation is static. However, you are incorrect that RFC 4941 is "useless" with a static allocation. RFC 4941 is intended to randomize the last 64 bits of the address (the interface ID) so you can't be tracked via MAC address (another reason RFC 4941 only applies to SLAAC). RFC 4941 is not meant to make you untrackable on the internet, nor is it intended to give you any sort of privacy. Since your interface ID will always be the same on any network with SLAAC, it just prevents you from being tracked by that.

And yes, you do get a /56 and /64 network instead of a single address. This is because there is no need for NAT with IPv6 (although some silly, insane person tried to draft a standard for IPv6 NAT) because of the plethora of addresses.

InvalidError

join:2008-02-03
kudos:5

1 recommendation

said by squircle:

(although some silly, insane person tried to draft a standard for IPv6 NAT)

As long as the application-layer protocol does not rely on embedding its own IP address in the protocol for addressing purposes (no point in doing that since TCP/UDP embed the source/destination at the IP layer), there is nothing preventing people/companies from doing IPv6 NAT.

AFAIK, there is no 'standard' on IPv4 NAT implementations, those are vendor-proprietary and NAT is transparent to most properly written software. The only thing that requires standards is NAT traversal for applications that require support for inbound connection requests.


squircle

join:2009-06-23
Oakville, ON

1 recommendation

said by InvalidError:

As long as the application-layer protocol does not rely on embedding its own IP address in the protocol for addressing purposes (no point in doing that since TCP/UDP embed the source/destination at the IP layer), there is nothing preventing people/companies from doing IPv6 NAT.

AFAIK, there is no 'standard' on IPv4 NAT implementations, those are vendor-proprietary and NAT is transparent to most properly written software. The only thing that requires standards is NAT traversal for applications that require support for inbound connection requests.

You're right. I never said there was anything preventing people/companies from doing IPv6 NAT except the conceptual hurdle of the need for NAT when an end-user receives an allocation that has 1.2×10²⁴ addresses (281 trillion times the size of the IPv4 address space).

There are standards for IPv4 NAT (RFC 5382, RFC 4787, RFC 3022 etc.); while the implementations may differ between vendors, they all follow the standards. I agree that most programs don't care about NAT (nor about the lower 4 layers of the OSI model).

However, I'll let RFC 6296, IPv6-to-IPv6 Network Prefix Translation, speak for itself:

said by IETF:

For reasons discussed in [RFC2993] and Section 5, the IETF does not recommend the use of Network Address Translation technology for IPv6. Where translation is implemented, however, this specification provides a mechanism that has fewer architectural problems than merely implementing a traditional stateful Network Address Translator in an IPv6 environment. It also provides a useful alternative to the complexities and costs imposed by multihoming using provider-independent addressing and the routing and network management issues of overlaid ISP address space. Some problems remain, however. The reader should consider the alternatives suggested in [RFC4864] and the considerations of [RFC5902] for improved approaches.

RFC 4864 (specifically section 3) deals with protection for IPv6 networks, including RFC 4941 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6, the original inquiry the OP was making). There isn't a need for a hack like NAT to be used with IPv6.

Walter Dnes

join:2008-01-27
Thornhill, ON
reply to squircle
said by squircle:

the IPv6 allocation is static. However, you are incorrect that RFC 4941 is "useless" with a static allocation. RFC 4941 is intended to randomize the last 64 bits of the address (the interface ID) so you can't be tracked via MAC address (another reason RFC 4941 only applies to SLAAC). RFC 4941 is not meant to make you untrackable on the internet, nor is it intended to give you any sort of privacy. Since your interface ID will always be the same on any network with SLAAC, it just prevents you from being tracked by that.

IPV4 dynamic addresses make tracking more difficult. Static allocations (IPV4 address or IPV6 prefix) make tracking braindead simple. Think of MAC address as the fingerprints on your left hand and IPV6 prefix as the fingerprints on your right hand. Wearing one glove is pointless. You need to wear both gloves at all times to make tracking under IPV6 harder.


squircle

join:2009-06-23
Oakville, ON
I totally disagree with your analogy. You're saying that the prefix is just as specific as the interface ID, which is totally wrong. You know I'm at the University of Waterloo because I'm coming from 2620:101:f000::/47, but I also know you're from Teksavvy if you have an address in any of these blocks: »bgp.he.net/search?search%5Bsearc···t=Search

I think your argument is flawed. If the interface ID (which isn't an interface ID anymore thanks to RFC 4941) is your right-hand fingerprints, the prefix is like a rough crayon sketch of your left elbow.

TL;DR it's no easier to track you over v6 than over v4.

Walter Dnes

join:2008-01-27
Thornhill, ON
said by squircle:

TL;DR it's no easier to track you over v6 than over v4.

But it's not any harder. Hypothetical example... IF THE /64 (or /56) IS STATIC (i.e. I get the same one as long as I'm a Teksavvy customer) then every tracking outfit will know that all addresses in blah:blah:blah:blah/64 are one and the same account/user. While it won't have a pointer to my name+address, it will tell trackers that this is the same account each time. The same concept applies to IPV4. If the IPV4 address or IPV6 /64 subnet is static, that greatly simplifies tracking.

InvalidError

join:2008-02-03
kudos:5
said by Walter Dnes:

The same concept applies to IPV4. If the IPV4 address or IPV6 /64 subnet is static, that greatly simplifies tracking.

Static or dynamic does not matter much. The fundamental principle you are trying to point out is that anyone can deduce with reasonable confidence (which may be reinforced by analytics) that all addresses within an IPv6 /64 subnet over a reasonable time span most likely belong to the same account.

Single IP, subnet, static or dynamic, if someone with enough influence wants to track your IP, it becomes pretty difficult to hide.


squircle

join:2009-06-23
Oakville, ON
reply to Walter Dnes
said by InvalidError:

Static or dynamic does not matter much. The fundamental principle you are trying to point out is that anyone can deduce with reasonable confidence (which may be reinforced by analytics) that all addresses within an IPv6 /64 subnet over a reasonable time span most likely belong to the same account.

Single IP, subnet, static or dynamic, if someone with enough influence wants to track your IP, it becomes pretty difficult to hide.

I agree 100%. IPv6 wasn't designed so your IP address could be hidden, it was designed to solve the looming problem of IPv4 address exhaustion. If you're really that paranoid concerned about tracking, why not use open proxies on the internet that rotate every 15 minutes?


RMerlin

join:2009-10-09
Montreal, QC

1 recommendation

reply to Walter Dnes
The instant you connect to ANY server on the Internet, you can forget about your anonymity. NAT doesn't change the fact that your IP address gets logged by every server you connect to. Your IP might change if dynamic, but it's still logged. NAT only means you can't tell which computer behind that IP established the connection, which is exactly what the Privacy Extensions will also achieve. The web server to which you connect still gets your public IP, NAT or no NAT.

If total anonymity is so important, either use a VPN service (and yet your IP will still be logged by your ISP and by the VPN provider), or stay away from the Internet. I'm not being harsh, it's just the way the Internet actually works. A client connects to a server, and the server needs to be able to send replies back to that client.

Personally I'm glad NAT will be going away. It was a patched solution for the issue of limited IP availability, and it created quite a few of its own while solving other issues.

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

reply to Walter Dnes
said by Walter Dnes:

IPV4 dynamic addresses make tracking more difficult.

With the way most of the tracking stuff works this is not true at all.

said by Walter Dnes:

Static allocations (IPV4 address or IPV6 prefix) make tracking braindead simple. Think of MAC address as the fingerprints on your left hand and IPV6 prefix as the fingerprints on your right hand. Wearing one glove is pointless. You need to wear both gloves at all times to make tracking under IPV6 harder.

With IPv4 that's true to a certain extent. With IPv6 and OSes that utilize the privacy extensions that is not necessarily true, but it's a moot point with the way browsers are set up by default and the fact that people have Java / Flash and JavaScript enabled with their browsers. THAT makes it brain dead simple to track people. So it doesn't matter if you have a completely different IP address even on completely different subnets and in a different country. You're worrying about the smallest issue. Wearing the gloves won't help when you've left a written note telling them who you are. With a static IPv6 subnet you know which account it is associated with but do not necessarily know which system or who was using the system, that is especially so when you add Wi-Fi into the situation.

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

reply to RMerlin
said by RMerlin:

Personally I'm glad NAT will be going away. It was a patched solution for the issue of limited IP availability, and it created quite a few of its own while solving other issues.

Me too. For the most part it is a poor solution to the root problem of limited address space and it's a problem creating more problems, especially with RFC1918 address space on networks interconnecting to other networks whether via VPNs or various other forms of dedicated connectivity.

JeanInNepean

join:2012-09-19
Nepean, ON

1 recommendation

reply to Walter Dnes
Though I agree that NAT is an imperfect work-around for the limitations of IPv4, NAT is very useful in some cases. For instance, NAT is used to redirect traffic transparently, something that's very desirable in a server setting. Using NAT, it is possible to dynamically reroute traffic based on changing factors such as server load. There are work-arounds (such as using proxies that redirect traffic) but those have serious drawbacks.

34764170

join:2007-09-06
Etobicoke, ON

1 recommendation

said by JeanInNepean:

Though I agree that NAT is an imperfect work-around for the limitations of IPv4, NAT is very useful in some cases. For instance, NAT is used to redirect traffic transparently, something that's very desirable in a server setting. Using NAT, it is possible to dynamically reroute traffic based on changing factors such as server load. There are work-arounds (such as using proxies that redirect traffic) but those have serious drawbacks.

I don't have an issue with that usage scenario. It's the common use case of NAT (PAT) or for overlapping RFC1918 address space that I do.

Walter Dnes

join:2008-01-27
Thornhill, ON

1 recommendation

reply to Walter Dnes
Dear internet hippies; please stop ranting about NAT. There's a joke about how 90% of today's baby boomers remember having attended Woodstock in 1969. It seems that there's a similar false memory syndrome about everybody having end-to-end connectivity in "ye olde internete" of some fabled distant past. I'm pushing 61, and my memories are totally different.

Yes, SYSADMINS were experimenting and doing crazy things. The vast majority of people on the net were "lusers" (Local USERS) who only had access to "greenscreen terminals", and they were tightly locked down as far as privileges were concerned.

34764170

join:2007-09-06
Etobicoke, ON

1 edit

1 recommendation

said by Walter Dnes:

Dear internet hippies; please stop ranting about NAT. There's a joke about how 90% of today's baby boomers remember having attended Woodstock in 1969. It seems that there's a similar false memory syndrome about everybody having end-to-end connectivity in "ye olde internete" of some fabled distant past. I'm pushing 61, and my memories are totally different.

Huh? Trying to compare a serial terminal to a PC / server or some device directly connected to a network. You're not even making sense. Talk about your brain failing you.

Majromax

join:2012-09-02
Dollard-Des-Ormeaux, QC

1 recommendation

reply to Walter Dnes
said by Walter Dnes:

Dear internet hippies; please stop ranting about NAT. There's a joke about how 90% of today's baby boomers remember having attended Woodstock in 1969. It seems that there's a similar false memory syndrome about everybody having end-to-end connectivity in "ye olde internete" of some fabled distant past. I'm pushing 61, and my memories are totally different.

Was 12 years ago really that long? The success of Napster (and later Gnutella/Kazaa) is directly attributable to the end-to-end connectivity allowed by dial-up and the first few broadband links. A small fraction of NAT-enabled clients didn't break the network, but only because the bulk of the 'herd' had a direct, public IP. (Remember that this was also before UPnP and STUN mitigated some of the problems of a NAT-rich environment.)

IPv6 privacy extensions give individual machines in a client (/64) network almost exactly the same level of privacy they currently have behind a private network with a single IP used with NAT. (I say 'almost' because privacy extensions will still allow someone monitoring an entire network's traffic to set a lower bound on the number of active, transmitting devices. IPv4 makes this detection somewhat harder, requiring more detailed association of flows.)

The static or dynamic nature of the /64 prefix is only equivalent to the static or dynamic nature of the current IPv4 address: it remains mostly meaningless. A static prefix will allow a foreign host to associate a prefix with a single customer, but without deliberate precaution today's DHCP-assigned dynamic addresses still persist for days to weeks at a time. That is, a fully static address/prefix is only good for time-associations longer than a week or so, and that's a pretty marginal area as-is.

In return, privacy extensions have the potential to almost completely eliminate host-scanning attacks. The first /64 is already a relatively sparse address space (making it difficult for a completely random scanner to find your customer-based network in the first place), and then privacy-extension addresses in the second /64 make it difficult to find your computers on your own network. Implementations aren't yet perfect (we tend to give home routers easy-to-guess assignments in the last /64, and the unchanging EUID-based addresses are still used as the 'permanent' addresses for privacy-enabled systems, although no outgoing connections should come from that address), but there's little technical reason to expect a persistent vulnerability here.

To put it another way: the 2000-era Code Red worm could not have happened had we been all using IPv6 addresses.
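The point InvalidError made earlier (everything inside one IPv6 /64 over a reasonable time span belongs to one account) and Majromax's remark above (an observer of a prefix can only set a lower bound on the number of active devices) are both visible from the server side. The example below is added here and is not code from the thread or from any poster: it parses a handful of constructed Common Log Format lines and aggregates them by the subscriber-sized unit, the /64 for IPv6 and the single address for IPv4. The log lines, addresses and timestamps are all made up for the example. For a defender the practical consequence is that per-address keys (rate limits, abuse counters, session pinning) lose their meaning once RFC 4941 rotates the interface ID every few hours, so those keys should be computed the way `account_key` does.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format); not real traffic.
# Three different privacy addresses from one /64, one from a second /64,
# two requests from a single IPv4 address, and one junk line to skip.
SAMPLE_LOG = """\
2001:db8:1:0:3c9a:7e21:b0d4:1f8e - - [10/Oct/2012:13:55:36 -0400] "GET / HTTP/1.1" 200 512
2001:db8:1:0:3c9a:7e21:b0d4:1f8e - - [10/Oct/2012:13:55:37 -0400] "GET /a.css HTTP/1.1" 200 90
2001:db8:1:0:9d12:44ab:e7c0:5531 - - [10/Oct/2012:14:10:02 -0400] "GET / HTTP/1.1" 200 512
2001:db8:1:0:61f0:c2de:8a17:0b44 - - [11/Oct/2012:09:02:41 -0400] "GET / HTTP/1.1" 200 512
2001:db8:2:0:18aa:4e03:77c1:9b02 - - [11/Oct/2012:09:05:10 -0400] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [11/Oct/2012:09:06:00 -0400] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [11/Oct/2012:09:06:01 -0400] "POST /login HTTP/1.1" 302 0
not a log line
"""

# client ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    return {"addr": addr, "time": m.group(2), "request": m.group(3), "status": int(m.group(4))}


def account_key(addr):
    """Collapse a client address to the unit an ISP hands to one subscriber.

    For IPv6 that is the /64 (a temporary address changes, the prefix does not);
    for IPv4 the single public address is that unit.
    """
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(ipaddress.ip_network(f"{addr}/32"))


def summarize(log_text):
    """Requests and distinct source addresses per subscriber unit.

    'distinct_addresses' is only a lower bound on devices behind the prefix:
    one host rotating RFC 4941 addresses looks like several, and several hosts
    sharing a NATed IPv4 address look like one.
    """
    stats = defaultdict(lambda: {"requests": 0, "addresses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = account_key(rec["addr"])
        stats[key]["requests"] += 1
        stats[key]["addresses"].add(str(rec["addr"]))
    return {k: {"requests": v["requests"], "distinct_addresses": len(v["addresses"])}
            for k, v in stats.items()}


if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(f"{key:24} requests={s['requests']} distinct_addresses={s['distinct_addresses']}")
```

Run as-is it reports the first /64 as one subscriber with four requests from three addresses, which is exactly the grouping an analytics pipeline would perform and the reason a rate limit keyed on the /64 survives address rotation while one keyed on the full address does not.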


Teddy Boom
join:2007-01-29
Toronto, ON
kudos:21

1 recommendation

reply to Walter Dnes
So just to be clear here.. Nobody disputes that static IPv6 prefixes will make tracking of home based users brain dead simple. Just that many of you are claiming that cookies have already made tracking brain dead simple, so in practice it won't make any difference. Is that right? Further, the recommended solution for people who care about privacy is to use proxies and VPN into other networks which hopefully yield some anonymity?

I dunno guys.. Personally, I have Firefox managing my cookies. Except for a small handful of sites I allow, cookies on my system are cleared daily. Proxies are slow as molasses in January. I don't do VPN, but I find it hard to imagine that would be much better than using a proxy.

I know my anonymity hack doesn't guarantee no tracking. It does make tracking a lot harder though, and a dynamic IP is an integral part of it functioning. Static IPv6 prefix will break my approach completely.

Instead of being all Mark Zuckerberg "privacy is dead" about it, maybe you can suggest what the state of the art in minimal effort transparently functional anonymizing will be in an IPv6 environment?
--
electronicsguru.ca/for_sale/Cablemodems

Majromax

join:2012-09-02
Dollard-Des-Ormeaux, QC

1 recommendation

said by Teddy Boom:

Nobody disputes that static IPv6 prefixes will make tracking of home based users brain dead simple

I actually do dispute that. A static IPv6 allocation has no more privacy implications than a static IPv4 address. In practice, even those of us with dynamic IPv4 addresses are holding those leases for a long time, so dynamic IPv4 addresses don't offer privacy either.

The most important question to ask here about privacy is, "privacy of what and from whom?"

You are Alice, making a connection to Bob's server. If you (Alice) are trying to hide your identity from Bob, then you're already screwed without the specific, deliberate use of an anonymizing proxy. Bob must be able to reliably deliver data to you, so he needs a valid address, and without deliberately breaking the end-to-end model of the Internet then that's the only way to do it. (Onion routing protocols are, for example, a deliberate break, and their known performance problems come from that.)

If your system has a static, public IPv4 address and there is only one device on your network, then yes, that suffices as a personal identification. But that's not the common case. Most networks have more than one attached device now, so for the kind of tracking that Bob (along with associated ad-hosts Billy, Bart, and Butler) will do, they must identify a user across sites. An IP address is one datum useful for such an analysis, but only one -- and knowing the persistence of such an address on >1wk scales is probably not the most useful aspect.

With an IPv4 network -- even with a static IP -- NAT does indeed make this problem more difficult. But so does IPv6 with privacy extensions. It's possible to configure your personal machine to use a new IP address for outgoing connections on a rolling window of a few seconds, if you so choose. Your single machine behind the network would appear as a half dozen or so to Bob's servers, if connection pipelining were disabled.

Now, if you're not talking about privacy from Bob, but instead from third-party snooper Eve, then I still don't think you're helped more than trivially by a dynamic IP/subnet. The most common case I can think of here is law enforcement (or a company preparing legal discovery), and then already Teksavvy's customer records are available to subpoena.

Instead of being all Mark Zuckerberg "privacy is dead" about it, maybe you can suggest what the state of the art in minimal effort transparently functional anonymizing will be in an IPv6 environment?

It will be exactly the same as the IPv4 environment: onion routing and dedicated proxies. To be truly anonymous, you'll have to work within some other protocol built on top of IP, between trusted (or specified-mistrust, as in Tor) nodes. Fortunately, end-to-end connectivity in IPv6 makes establishing those links a good deal easier (no NAT or CGN/double-NAT to worry about), so IPv6 still helps you.


squircle

join:2009-06-23
Oakville, ON

1 recommendation

reply to Teddy Boom
said by Teddy Boom:

So just to be clear here.. Nobody disputes that static IPv6 prefixes will make tracking of home based users brain dead simple. Just that many of you are claiming that cookies have already made tracking brain dead simple, so in practice it won't make any difference. Is that right? Further, the recommended solution for people who care about privacy is to use proxies and VPN into other networks which hopefully yield some anonymity?

I am disputing that "static IPv6 prefixes will make tracking of home based users brain dead simple." You make it sound like the use of IPv6 facilitates tracking of users on the internet, something that is completely patent nonsense (well, patent to me, anyways). IPv6 does not facilitate tracking any more than IPv4, and (for the reasons mentioned in my first post) actually makes tracking by IP addresses harder.

said by Teddy Boom:

I dunno guys.. Personally, I have Firefox managing my cookies. Except for a small handful of sites I allow, cookies on my system are cleared daily. Proxies are slow as molasses in January. I don't do VPN, but I find it hard to imagine that would be much better than using a proxy.

I know my anonymity hack doesn't guarantee no tracking. It does make tracking a lot harder though, and a dynamic IP is an integral part of it functioning. Static IPv6 prefix will break my approach completely.

This thread isn't about cookies, but I will address your extraneous point. Cookies will be set on your system regardless of whether you use IPv4 or IPv6; they live above the protocol layer. If you don't wish to expose your IPv6 addresses to the world (regardless of how random and temporary they are), fine. Don't. Use a proxy that doesn't show X-Forwarded-For headers, or use a VPN tunnel to a server you don't care about. All it seems like is tons of extra effort for a negligible gain (and potential loss) in anonymity, but whatever you do is your prerogative.

said by Teddy Boom:

Instead of being all Mark Zuckerberg "privacy is dead" about it, maybe you can suggest what the state of the art in minimal effort transparently functional anonymizing will be in an IPv6 environment?

If you take the time to read the posts in this thread, you'll notice that not a single person has claimed that "privacy is dead." I still value my privacy on the internet; a reason why I couldn't be happier about the standardization of RFC 4941 (Privacy Extensions for Stateless Address Autoconfiguration in IPv6). RFC 4941 provides a method for "minimal effort transparently functional anonymiz[ing]." It's certainly more random than IPv4 ever was (save, of course, for CG-NAT, and even that's doubtful IMO). And best of all: it's built into many of the operating systems and devices you use today! Think: why go from 206.248.185.101 to 206.248.185.220 instead of [3FFE::e20c:29a9:61c2:52ff] to [3FFE::9187:fd67:fccf:8291]? You're randomizing over 64 bits of available address space (made lower, of course, by the implementation of RFC 4941) instead of maybe 4 or 5 bits of Teksavvy's IPv4 allocations on any given cable/DSL network segment. The difference is night-and-day! You're deriving random interface identifiers from a pool larger than the entire IPv4 address space!

TL;DR there are certain companies and websites on the internet that will track you despite the presence of the DNT header in your browser or your changing RFC 4941 address or your dynamic IPv4 address. The root of this argument is that IPv6 does NOT facilitate tracking by IP address, and privacy extensions like RFC 4941 in fact make tracking by IP address much more difficult.

I hate to seem inflammatory (and I try to be calm as often as I can), but it just seems too obvious to me that IPv6 doesn't facilitate tracking as you've accused it to.


Teddy Boom
join:2007-01-29
Toronto, ON
kudos:21

1 recommendation

reply to Majromax
said by Majromax:

for the kind of tracking that Bob (along with associated ad-hosts Billy, Bart, and Butler) will do, they must identify a user across sites. An IP address is one datum useful for such an analysis, but only one -- and knowing the persistence of such an address on >1wk scales is probably not the most useful aspect.

The kindergarten level explanations really aren't appreciated. However, the thoroughness is.

What do you mean by that persistence line? It seems that you are saying that because dynamic IPs are fairly persistent anyway, they can still more or less track you even if your IP is dynamic. I don't agree.

Obviously you are right about law enforcement. There are no easy ways to avoid the law. I don't think that is particularly interesting myself. I'm far more concerned with keeping Google's nose out of my business. And I get that if you assume sophisticated data mining it truly is all a moot point--with sufficiently sophisticated data mining there is no privacy. Meanwhile I think most tracking is pretty naive..
--
electronicsguru.ca/for_sale/Cablemodems


Teddy Boom
join:2007-01-29
Toronto, ON
kudos:21
reply to squircle
said by squircle:

privacy extensions like RFC 4941 in fact make tracking by IP address much more difficult.

I just don't get this.. From what I read up thread, it is the suffix that is randomized, right? The prefix is static, and for most home internet situations can be mapped to a group of at most 4 unique users. That isn't particularly private.

In fact, I don't really understand what the privacy extension is trying to accomplish. Privacy on larger networks maybe? In a home I can't see how it helps at all..
--
electronicsguru.ca/for_sale/Cablemodems


squircle

join:2009-06-23
Oakville, ON
said by Teddy Boom:

I just don't get this.. From what I read up thread, it is the suffix that is randomized, right? The prefix is static, and for most home internet situations can be mapped to a group of at most 4 unique users. That isn't particularly private.

Thank you for helping my point.

You see, the IPv4 addresses that are allotted to Teksavvy have prefixes, too. You can see the full list here, but I'll sample a few for brevity.

My current IP at my house is 206.248.185.101. Every time I disconnect and reconnect my PPPoE session, I receive a different IP from the 206.248.184.0/22 block. The IP I receive is always in this block because it is the block of address space that has been allocated to my geographic region.

Take an example for cable: Rogers requires Teksavvy tell them which block of addresses they'd like to assign from. Using a fictional example, if Teksavvy allocated 24.10.0.0/22 to a specific POI, then every Teksavvy customer on that POI would have an address between 24.10.0.1 and 24.10.3.254.

So now we can agree: just like IPv6 addresses, the IPv4 addresses you receive have a static prefix.

Now I know what you're probably going to say: "My IPv6 prefix is used only by me, but many people share the same IPv4 prefixes!" While that statement may be true in this case, it's not true everywhere (in fact, I'd argue that this isn't the case for the majority of IPv6 deployments). It would be difficult for advertisers (or whoever you think is tracking you) to correlate a single address (or group of addresses) to a single person or small group of people (like a family). It is much easier for them to track heuristics and behaviour patterns to determine identity (as has been previously established in this thread).

Now, let me quote RFC 4941 to help you understand its purpose:

The use of a non-changing interface identifier to form addresses is a specific instance of the more general case where a constant identifier is reused over an extended period of time and in multiple independent activities. Any time the same identifier is used in multiple contexts, it becomes possible for that identifier to be used to correlate seemingly unrelated activity. For example, a network sniffer placed strategically on a link across which all traffic to/ from a particular host crosses could keep track of which destinations a node communicated with and at what times. Such information can in some cases be used to infer things, such as what hours an employee was active, when someone is at home, etc. Although it might appear that changing an address regularly in such environments would be desirable to lessen privacy concerns, it should be noted that the network prefix portion of an address also serves as a constant identifier. All nodes at, say, a home, would have the same network prefix, which identifies the topological location of those nodes. This has implications for privacy, though not at the same granularity as the concern that this document addresses. Specifically, all nodes within a home could be grouped together for the purposes of collecting information. If the network contains a very small number of nodes, say, just one, changing just the interface identifier will not enhance privacy at all, since the prefix serves as a constant identifier.

Your main argument, "The prefix is static" is true for both v6 and v4. Now let me help you ascertain how RFC 4941 helps with your concerns by again quoting the RFC:

The use of a constant identifier within an address is of special concern because addresses are a fundamental requirement of communication and cannot easily be hidden from eavesdroppers and other parties.

[...]

In summary, IPv6 addresses on a given interface generated via Stateless Autoconfiguration contain the same interface identifier, regardless of where within the Internet the device connects. This facilitates the tracking of individual devices (and thus, potentially, users). The purpose of this document is to define mechanisms that eliminate this issue in those situations where it is a concern.

Essentially, by randomizing interface addresses that would otherwise be automatically generated from the interface's MAC address (in modified EUI-64 format), it is much more difficult to track a single device across the internet because its IP address will no longer be based on its MAC address.

The reason I say IPv6 is more random is because of the possible bits of entropy. One has 64 bits of entropy for the interface identifier of an IPv6 address (nominally less because of some reserved addresses). With an IPv4 prefix like mine, 206.248.184.0/22, I only have 10 bits of entropy (again, nominally less because of some reserved addresses). Those with static IPv4 addresses have 0 bits of entropy. Similarly, those with a computer that always sits at home with a static IPv6 allocation, without RFC 4941, would have 0 bits of entropy (the address would always be the same). Instead of relying on a constantly-changing IPv4 address to provide ~10 bits of entropy (it's not random on DSL as the addresses are sequentially allocated, it's somewhat more random on cable), we allow RFC 4941 to give us 64 bits of entropy.

Hopefully I have proved that IPv6 addresses are (at minimum) no more easily tracked than IPv4 addresses, and how RFC 4941 is the careful person's best friend with IPv6.
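Two things in the posts above are worth seeing in code: squircle's first reply explained that the MAC address is what a SLAAC interface ID exposes, and this post puts numbers on the entropy comparison (0 bits for a static address, about 10 bits for a dynamic address in a /22, 64 bits for a randomized interface ID). The example below is added here and is not code from the thread or from any poster. It derives a modified EUI-64 interface ID from a MAC, shows that the derivation is reversible (so an address built that way carries the hardware address to every server it talks to), builds a randomized identifier as a simplified stand-in for an RFC 4941 temporary one (64 random bits with the u/l bit cleared and the ff:fe marker excluded; this is not the RFC's exact MD5-based procedure), and offers `classify` / `leaking_addresses` as an audit check a network operator can run over their own hosts' addresses to find devices that are not using privacy extensions. The MAC address and prefix used are constructed sample values.

```python
import ipaddress
import math
import os


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A).

    Flip the u/l bit (0x02) of the first MAC byte and insert ff:fe between the
    OUI and the device-specific half of the MAC.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def eui64_iid_to_mac(iid: bytes):
    """Inverse of the above: recover the MAC if the ff:fe marker is present, else None."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def random_iid() -> bytes:
    """Simplified temporary interface ID: 64 random bits, u/l bit cleared
    (RFC 4941 requires a 'local' identifier) and never carrying the ff:fe
    marker, so it cannot be mistaken for an EUI-64-derived one.
    Not the RFC's exact MD5-based derivation."""
    while True:
        iid = bytearray(os.urandom(8))
        iid[0] &= 0xFD
        if iid[3:5] != b"\xff\xfe":
            return bytes(iid)


def build_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an interface ID the way SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def classify(addr: str) -> dict:
    """Split an address into the site part (prefix) and the device part (IID),
    and report whether the IID reveals a hardware address."""
    a = ipaddress.IPv6Address(addr)
    iid = a.packed[8:]
    mac = eui64_iid_to_mac(iid)
    prefix = ipaddress.IPv6Network(f"{ipaddress.IPv6Address((int(a) >> 64) << 64)}/64")
    return {"prefix": str(prefix), "iid": iid.hex(), "hw_mac": mac, "leaks_mac": mac is not None}


def leaking_addresses(addresses):
    """Audit helper: the addresses from which a MAC can be recovered."""
    return [a for a in addresses if classify(a)["leaks_mac"]]


def entropy_bits(pool_size: int) -> float:
    """Bits an observer must overcome if the address is drawn uniformly from a pool."""
    return math.log2(pool_size)


def compare_pools() -> dict:
    """The comparison from the post above, as numbers."""
    return {
        "ipv4 static": entropy_bits(1),
        "ipv4 dynamic in a /22": entropy_bits(2 ** (32 - 22)),
        "ipv6 /64 without RFC 4941": entropy_bits(1),
        "ipv6 /64 interface ID with RFC 4941": entropy_bits(2 ** 64),
    }


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"        # constructed sample MAC
    sample_prefix = "2001:db8:1::/64"       # documentation prefix, constructed
    stable = build_address(sample_prefix, mac_to_eui64_iid(sample_mac))
    temporary = build_address(sample_prefix, random_iid())
    print(classify(str(stable)))     # hw_mac == sample_mac, leaks_mac True
    print(classify(str(temporary)))  # same prefix, hw_mac None
    print(compare_pools())
```

Both addresses printed share the prefix, which is the part squircle's argument says is no more revealing than an IPv4 block; only the EUI-64 one also hands out the MAC. Feeding `leaking_addresses` the global addresses of the hosts on a network you manage (from the router's neighbour table, for instance) is a quick way to find the devices that still need privacy extensions enabled.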


Teddy Boom
join:2007-01-29
Toronto, ON
kudos:21
said by squircle:

Now I know what you're probably going to say: "My IPv6 prefix is used only by me, but many people share the same IPv4 prefixes!" While that statement may be true in this case, it's not true everywhere (in fact, I'd argue that this isn't the case for the majority of IPv6 deployments).

Indeed you are obviously right if you are talking about most IPv6 deployments today. If consumer ISPs ever switch, the vast majority of IPv6 deployments will be those recently switched homes. It will no longer be true then.

said by squircle:

It is much easier for them to track heuristics and behaviour patterns to determine identity (as has been previously established in this thread).

So you are arguing that the data mining they do is already so sophisticated that we might as well give up. I don't know, but I doubt it.

said by squircle:

Now, let me quote RFC 4941 to help you understand its purpose:

That helps me see something I've missed. Randomizing home IPv6 addresses will still be important as a deterrent to snoopers and hackers.
--
electronicsguru.ca/for_sale/Cablemodems


squircle

join:2009-06-23
Oakville, ON

1 recommendation

said by Teddy Boom:

Indeed you are obviously right if you are talking about most IPv6 deployments today. If consumer ISPs ever switch, the vast majority of IPv6 deployments will be those recently switched homes. It will no longer be true then.

I don't agree with that statement. Teksavvy is the only ISP I know of that is providing static allocations for its users. Since most ISPs would rather not have to guide people through setting up IPv6 connectivity manually, they will use IP6CP or SLAAC/DHCPv6 to assign either a prefix or individual addresses to the CPE and other devices. This ensures that there is little to no configuration required on the end user's behalf to obtain IPv6 connectivity, and so the big networks can better manage their address space.

The truth is, we don't know how the big carriers will do their IPv6 rollout yet. One thing is certain, though: they won't statically assign prefixes. Only time will tell (once we move past the 6in4/6RD transition technologies).

said by Teddy Boom:

So you are arguing that the data mining they do is already so sophisticated that we might as well give up. I don't know, but I doubt it.

I certainly hope that's not the case, and is not what I intended to argue. All I was trying to say is tracking by IP address is less reliable than other metrics that companies use to track users because of all the different use cases (NAT, CG-NAT, proxying, VPNs etc.), which is why uniquely-identifiable cookies are used instead.

Walter Dnes

join:2008-01-27
Thornhill, ON
reply to Majromax
said by Majromax:

A static prefix will allow a foreign host to associate a prefix with a single customer, but without deliberate precaution today's DHCP-assigned dynamic addresses still persist for days to weeks at a time.

I shut down my PC and ADSL router-modem when not using the system. This is a side-effect of being in a condo building where each suite has its own electricity meter. I have a financial incentive to conserve electricity. As a side-effect, I get a new IP address every day.

Walter Dnes

join:2008-01-27
Thornhill, ON
reply to squircle
said by squircle:

TL;DR there are certain companies and websites on the internet that will track you despite the presence of the DNT header in your browser or your changing RFC 4941 address or your dynamic IPv4 address. The root of this argument is that IPv6 does NOT facilitate tracking by IP address, and privacy extensions like RFC 4941 in fact make tracking by IP address much more difficult.

I hate to seem inflammatory (and I try to be calm as often as I can), but it just seems too obvious to me that IPv6 doesn't facilitate tracking as you've accused it of.

Please re-read my original post that started the thread. My concern is STATIC /64 prefixes... as in from the day I join an ISP until the day I leave years later.

Walter Dnes

join:2008-01-27
Thornhill, ON
reply to squircle
said by squircle:

So now we can agree: just like IPv6 addresses, the IPv4 addresses you receive have a static prefix.

Now I know what you're probably going to say: "My IPv6 prefix is used only by me, but many people share the same IPv4 prefixes!" While that statement may be true in this case, it's not true everywhere (in fact, I'd argue that this isn't the case for the majority of IPv6 deployments). It would be difficult for advertisers (or whoever you think is tracking you) to correlate a single address (or group of addresses) to a single person or small group of people (like a family).

Taurine excrement! Fixed IPV6 prefix == fixed IPV4 address. Trackers are not that stupid. IPV6 whois/rwhois will tell you if an address is hooked up to a residential or business provider. If it's a residential provider AND THE PREFIX IS STATIC, you know that it's coming from the same household... period... end of story. What would really be hilarious would be to see an ISP serve thousands of customers out of a single /64, if for no other reason than to watch the reaction of both marketers and the internet hippies.


squircle

join:2009-06-23
Oakville, ON
reply to Walter Dnes
said by Walter Dnes:

Please re-read my original post that started the thread. My concern is STATIC /64 prefixes... as in from the day I join an ISP until the day I leave years later.

I did, and addressed it in this thread: »Re: Will Teksavvy IPV6 be static prefix or dynamic prefix?


squircle

join:2009-06-23
Oakville, ON

2 edits
reply to Walter Dnes
said by Walter Dnes:

Taurine excrement! Fixed IPV6 prefix == fixed IPV4 address. Trackers are not that stupid. IPV6 whois/rwhois will tell you if an address is hooked up to a residential or business provider. If it's a residential provider AND THE PREFIX IS STATIC, you know that it's coming from the same household... period... end of story.

I take offense to trying to shut me up by saying "period... end of story." I'm trying to have a logical discussion with you and you're using phrases like "Taurine excrement!"

Anyways, I completely disagree, for reasons outlined above, that "Fixed IPV6 prefix == fixed IPV4 address" (which in itself is a fallacy; an IPv6 prefix and IPv4 address are fundamentally different, making your expression evaluate to 0). A static IPv6 prefix is equivalent to using a dynamically-assigned IPv4 address from a finite pool (again, for reasons stated above).

I also reject your statement that if any prefix is static, one knows the traffic is coming from the same house. Sure, you can tell that 2607:f2c0::/32 is statically allocated. Do you know the prefix sizes that are allocated? Do you know how they are allocated? Do you know if prefixes are assigned to CPE or customers? You're making an unfair assumption, so it's not "end of story."

said by Walter Dnes:

What would really be hilarious, would be to see an ISP serve thousands of customers out of a single /64; if for no other reason than to watch the reaction of both marketers and the internet hippies.

Many ISPs do. Commence hilarity on your part, I suppose.

You seem to be exhibiting one of the fundamental logical fallacies: "I cannot believe this; it cannot be true" (an argument from personal incredulity). My old NSP served thousands of hosts from a single /64 (allocating a /116 to each subscriber) and they still do across the 'States. The university I work at serves all students in residence from a single /64 (something I'm petitioning to change, but purely for cosmetic and administrative reasons; nothing is technically wrong). I'm sure you can easily find hundreds of other examples.

You seem to have already come to your own conclusion, so I'm going to step aside from this thread and let you continue believing whatever you choose to believe. I can't change your mind, I can only provide facts.