this post was submitted on 24 Sep 2024
96 points (95.3% liked)

Asklemmy

43438 readers
1042 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

Now currently I'm not in the workforce, but in the past from my work experience, apprenticeship and temp roles, I've always seen ipv4 and not ipv6!

Hell, my ISP seems to exclusively use ipv4 (unless behind nats they're using ipv6)

Do you think a lot of people stick with the earlier iteration because they have been so familiar with it for a long time?

When you look at an IPv6 address, it looks menacing with a long string of letters and numbers compared to the simpler one.

I am aware the IP bucket has gone dry and they gotta bring in a new IP cow with an even bigger bucket, but what do you think? Do you yourself or your firm use IPv4 or 6?

[–] [email protected] 24 points 1 day ago (2 children)

We turn it off in our office. It doesn’t benefit us.

You could also make the argument that IPv4 through NAT is better for privacy since it obfuscates what, and how many, devices are connected to where.

[–] [email protected] 12 points 1 day ago (2 children)

When I was first looking into IPv6, people were talking about how you can self-assign an address by simply wrapping an IPv6 address around your MAC address. But that practice seems to have fallen out of favour, and I'm guessing the reason is, as you say, the whole privacy thing? There's a lot of pushback these days against any tech that makes it easier to fingerprint your connection.

[–] [email protected] 5 points 1 day ago (1 children)

With modern IPv6 (say, Windows 7 or later?) IPv6 privacy extensions solve this problem. Basically, you get a whole bunch of addresses. One based on your MAC address so you can port forward/allow incoming connections in the firewall, and then a bunch of rotating random addresses used for outgoing connections. People that know your prefix and MAC address can find your listening PC, but websites won't get your MAC address.

As for fingerprinting, thanks to NAT slipstreaming you can choose between "video calling software breaks" and "every malicious ad can access any port on your device" or in some extreme cases "every malicious ad can access any device in your network". Some websites have also been caught scanning IPv4 networks to figure out where your router lives using standard Javascript, so your IPv4 network isn't any better protected. At least with IPv6 a website can't take ten seconds to scan 255 addresses and figure out how many devices are on your network!

[–] [email protected] 2 points 1 day ago (1 children)

Noobie question, wouldn't the ISP decide what your outgoing IPv6 address is? Like they do with IPv4? I mean no matter how many times I restart my router, my public IP remains the same so I always thought it was assigned by them.

[–] [email protected] 4 points 1 day ago* (last edited 1 day ago) (1 children)

They assign a prefix. For IPv4 this is usually a /32, or 1 single address, though it's possible to assign larger ranges. I've seen businesses with a /28 on IPv4 for example.

The end device picks what IP addresses within the prefix are used for what. For instance, the server rack may use three IP addresses, the office one, and maybe the IoT network also gets one.

With IPv6 you should be getting a /56 or a /48. In other words, they pick the first 48 to 56 bits of your IP addresses, basically leaving 80 to 72 bytes for the end device to distribute amongst itself. You could give the first device address one and start counting up if you wanted to, but that'd come with the annoying edge case of needing to track what numbers are already in use. If you like a false sense of control, DHCPv6 is what manages this.

SLAAC (the "everything works by default" approach) requires a /64 (64 bits of local address space), so if you want to do routing (say, attach a wireless access point or a second router) and you don't want to do IPv4 hacks that hide IP addresses from each other, you need a few networks. That's why you get 8 to 16 bits of network space, so you can assign 256 to 65536 networks yourself in case you have weird requirements.

If your ISP assigns you 2003:123:def:abc::/48, then you can pick whether you want to assign 2003:123:def:abc::beef:cafe or any random address that starts with the ISP prefix. You have enough space to give every connection of every device on every WiFi network its own IP address every second of the day, but usually addresses are rotated only once per day.

The ISP picking the address range does come with a huge downside, and that's that you can't really use internal IP addresses anymore. To fix that, you can set up a so-called ULA. That's basically a service anywhere on the network that shouts "hey, if you can't, you can pick any address from fdef:abc:abc:abc::/96". By default, devices will pick two addresses (one based on the MAC address and a temporary one), and you can use the one based on the MAC address to plug into your local DNS server.

That way, even if you switch ISPs to one that only does IPv4, you can still use a Pi-Hole at fdef:abc:abc:abc::123:456:789 as your DNS server. These ULAs are completely local, so they can't be reached from the internet.

Though, just to be sure, you should generate a random ULA prefix (there's an algorithm in the standard, but there are sites to do it for you) just in case you have bad luck and connect to someone else's wifi who also thought it'd be funny to use fdef:cafe:babe:b00b::/96 as the local prefix. Completely optional, but best practice.
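An added worked example (mine, not code from anyone in the thread) covering the points made in the last few comments: how a SLAAC address built from a MAC leaks that MAC, how a random temporary identifier avoids it, how a delegated /48, /56 or /60 is carved into the /64s SLAAC needs, and how to generate a ULA prefix with the pseudo-random method from RFC 4193. The MAC and the delegated prefixes are constructed sample values (the prefixes come from the 2001:db8::/32 documentation range); `eui64_iid`, `ula_prefix` and the other function names are my own.

```python
import hashlib
import ipaddress
import itertools
import os
import struct
import time
from typing import List, Optional


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def mac_from_eui64_address(addr: str) -> str:
    """Recover the MAC from a SLAAC address whose IID is modified EUI-64: the leak the thread describes."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = iid.to_bytes(8, "big")
    if eui[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not modified EUI-64")
    octets = bytes([eui[0] ^ 0x02]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in octets)


def temporary_iid() -> int:
    """Random 64-bit IID for an outgoing-only privacy address (RFC 8981 style; CSPRNG-backed here)."""
    return int.from_bytes(os.urandom(8), "big")


def address_in(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 with a 64-bit interface identifier; SLAAC only works on a /64."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


def subnet_count(prefix: str) -> int:
    """How many /64 networks an ISP delegation (/48 .. /64) contains."""
    return 2 ** (64 - ipaddress.IPv6Network(prefix).prefixlen)


def delegated_subnets(prefix: str, count: int = 4) -> List[ipaddress.IPv6Network]:
    """First `count` /64s of a delegated prefix; the ISP fixes the top bits, you number the rest."""
    delegated = ipaddress.IPv6Network(prefix, strict=True)  # rejects non-zero host bits
    if not 48 <= delegated.prefixlen <= 64:
        raise ValueError("expected an ISP delegation between /48 and /64")
    return list(itertools.islice(delegated.subnets(new_prefix=64), count))


def ula_prefix(mac: str, ntp_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: fd00::/8 plus the low 40 bits of SHA-1(NTP timestamp || EUI-64).

    A fixed ntp_time makes the result reproducible for testing; in real use leave it None.
    """
    t = time.time() if ntp_time is None else ntp_time
    # 64-bit NTP timestamp: seconds since 1900 in the high word, fraction in the low word.
    secs = (int(t) + 2208988800) & 0xFFFFFFFF
    frac = int((t - int(t)) * (1 << 32)) & 0xFFFFFFFF
    ntp = struct.pack(">II", secs, frac)
    eui = eui64_iid(mac).to_bytes(8, "big")
    global_id = hashlib.sha1(ntp + eui).digest()[-5:]  # least significant 40 bits
    prefix_int = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"  # constructed sample MAC
    lan = delegated_subnets("2001:db8:abcd:1200::/56")[0]
    stable = address_in(lan, eui64_iid(mac))
    print("stable SLAAC address:", stable, "-> leaks", mac_from_eui64_address(str(stable)))
    print("temporary address:   ", address_in(lan, temporary_iid()))
    print("/64s in a /56:", subnet_count("2001:db8:abcd:1200::/56"),
          "in a /60:", subnet_count("2001:db8:abcd:12f0::/60"))
    print("random ULA prefix:", ula_prefix(mac))
```

The stable address is what you would put in DNS or a firewall allow rule; anyone who sees it on the wire can read the MAC straight back out of it, which is the fingerprinting concern raised above. The temporary identifier has no structure to recover. The ULA generator follows the RFC 4193 recipe rather than a bare random number so that two networks that later get bridged or VPN-linked are unlikely to collide.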

[–] [email protected] 1 points 4 hours ago (1 children)

For reference, in the US, Comcast only gives up to a /60 for residential connections. It's still fine for most use cases, but it does feel a bit like doing a bit of penny pinching when you're wondering if you have enough /64's for how your network is going to be set up.

[–] [email protected] 1 points 3 hours ago (1 children)

The standards bodies used to recommend /48 as a default and have scaled down to /56. Anything smaller makes sense for stuff like servers but there's no good reason to do it. I guess penny-pinching is a reason, but it's not the norm.

If all else fails, Hurricane Electric will hand out /48s for free, you just can't use them to watch things like Netflix.

[–] [email protected] 1 points 2 hours ago

Yeah, fortunately, for my own use cases, /60 is enough, but I can't think of a good reason for Comcast to not give out /56 since they're pretty cheap compared to IPv4.

[–] [email protected] 7 points 1 day ago* (last edited 21 hours ago) (1 children)

That was so insane - "we need a unique number, let's just use the MAC" - it was like people didn't even think through any of the implications when making ipv6 address schemes.

Similar with the address proposals that ignored the need to minimise the size of core internet routing tables.

[–] [email protected] 4 points 1 day ago

That proposal was made when every computer hooked straight into the internet without a firewall. Every device already had a unique IP address that was globally routable and you needed to race to a firewall download page before a scanner would infect your computer (you had about five minutes, much less if you had the network cable plugged in during setup).

The routing table size reduction has always been stupid. The protocol should not be adjusted to help the penny pinchers save on RAM. And the same problem happened to IPv4 a few years ago, because nobody learned their lesson.

[–] [email protected] 7 points 1 day ago (1 children)

IPv6 has privacy addresses, though. Stuff on my network generates a new random address every day and uses that address for outgoing connections, so you can't really track individual devices inside my network.

[–] [email protected] 0 points 1 day ago (1 children)

You can just look at what addresses from that range have left the network in any given 24 hour window.

If AAAA is constantly reaching out to aussie.zone one day, and the next day AAAB is reaching out to that address, you can pretty easily connect the dots.

[–] [email protected] 2 points 1 day ago

But privacy addresses aren't incremented numbers. And it doesn't really matter if you can connect the dots, every /64 is the same as a single IPv4 address anyway. Especially for something like Lemmy where the browser will maintain a QUIC connection for ages if you want to track sessions. Besides, you have the session cookies to associate the other end even if they turn off WiFi and move to mobile data.