Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
iso1631 6 hours ago

You can nat all your ipv6 traffic behind a single IP if you want. Or a new IP for every connection.

Realistically though there's enough fingerprinting in browsers to track you regardless of your public IP and whether it's shared between every device in the house or if you dole out a routable ipv4 to every device.

CG-NAT gives more privacy benefits as you have more devices behind the same IP, but the other means of tracking still tend to work.

For me I just don't see the appeal of supporting both ipv4 and ipv6. It means a larger attack surface. Every year or two I move onto my ipv6 vlan and last a few hours before something doesn't work. I still don't see any benefit to me, the user.

drnick1 5 hours ago | parent | next [-]

> Realistically though there's enough fingerprinting in browsers to track you regardless of your public IP and whether it's shared between every device in the house or if you dole out a routable ipv4 to every device.

Yes, browser fingerprinting is a big issue, but it can be mitigated. The first thing everyone should do is to use a network-wide DNS blacklist against all known trackers (e.g. https://github.com/hagezi/dns-blocklists) and run uBlock Origin in the browser.

You can go further and restrict third party scripts in uBlock, or even all scripts. This will break at lot of websites, but it is a surefire way to prevent fingerprinting.

Then of course there is Tor.

iamnothere 5 hours ago | parent | prev | next [-]

IPv6 itself seems to provide a larger attack surface based on IPv6-specific CVEs. I don’t know if it’s the added complexity or that it’s treated as a second class citizen by devs, but I still see a solid number of these coming across the CVE feed.

This one was particularly scary: https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.ht...

orangeboats an hour ago | parent [-]

When something happens over IPv4 people treat it like "the Internet has malicious actors, water is wet", but when it happens over IPv6 it must be IPv6's fault.

Sigh...

simoncion 5 hours ago | parent | prev [-]

> Realistically though there's enough fingerprinting in browsers to track you regardless...

Yep. For the OP, IPv6 "Privacy" addresses do what he's looking for. You can change how long they're valid for on Linux, so you can churn through them very frequently if you wish.

> Every year or two I move onto my ipv6 vlan and last a few hours before something doesn't work.

Odd. I've been using IPv6 for like fifteen, twenty years now with no trouble at all. If you've been using a "single stack" IPv6-only network, well, there's your problem.

> For me I just don't see the appeal of supporting both ipv4 and ipv6. It means a larger attack surface.

The attack surface with IPv6 is exactly as large as if each of your LAN hosts had a globally-routable IPv4 address. Thinking otherwise is as smart as thinking that the attack surface on a host increases linearly with the number of autoconfigured IPv6 addresses assigned to that host from the same subnet.

If you don't want the IPv6 hosts on your LAN to be reachable by unsolicited traffic, set the default policy for your router's ip6tables FORWARD chain to DROP, and ACCEPT forwarded packets for ESTABLISHED or RELATED connections. If you're not using ip6tables, do whatever is the equivalent in the firewall software you're using. If you know that you have rules in your FORWARD chain that this change would break, then you already knew that you could simply drop unsolicited traffic in the FORWARD chain.

Unrelated to that, I see no reason to get rid of IPv4.

I expect that the future will be that nearly all "residental" [0] and non-datacenter business connections provide globally-routable IPv6 service and provide IPv4 via CGNAT, as IPv6 will be used for servers deployed at these sorts of sites. [1] I expect that the future will be that all datacenters and "clouds" will provide globally-routable IPv6 to servers and VMs, and globally-routable IPv4 to the same by way of load balancers.

So, home servers [1] will use IPv6, datacenter and "cloud" servers will use IPv4 and IPv6, and "legacy" devices that work fine but will never have their IP software updated will use IPv4.

I see IPv6 as a "reduce the pressure on the IPv4 address pool" mechanism, rather than a "replace IPv4" system. Again, I see no reason to get rid of "short" IP addresses. Default to using "long" ones, and keep the "short" ones around just in case.

[0] I'm including people's personal mobile computers in this definition of "residential".

[1] "Servers" here include things like "listen" video game servers or short-lived servers for file transfers and stuff like that.