IPv6 and privacy


#1

I was happy with my IPv4-only setup, until someone, somewhere, on this forum said I was ‘missing out on a big part of the internet’ if I didn’t have IPv6.

So I started the quest to get my provider to exchange my DOCSIS v2 cable modem (IPv4 only) for a DOCSIS v3 cable modem (IPv4 & IPv6), and finally succeeded in getting the modem.
After the initial (pfSense) setup hiccups (needed to turn off the modem, reconfigure pfSense, reboot pfSense, turn on the modem), I finally got IPv6 addresses on my pfSense LAN interface(s), my Pi (reconfigured Pi-hole for IPv6 - pihole -r) and the Windows workstations, using WAN (DHCP PD/56) and LAN (‘track interface’ PD /64). Happiness all over the place…

Now I started looking at connectivity issues, and found this site somewhere on this forum, so I started working to get an all green solution. Learned a lot of things, using DuckDuckGo, reading hundreds of documents; after a week I got the all green.

Now the worrying began. I was reading this topic, about ever changing addresses, and started to look into it. To my surprise, I’m not affected; it appears my ISP doesn’t change the IP every so often. I’ve been getting the same IPv4 and IPv6 address, even after a pfSense reboot.
Unfortunately, I also noticed my workstation’s IP address was picked up by this test site, and many other sites.
So as opposed to IPv4, where these sites can only pick up my router’s IPv4 address, using IPv6 lets them identify the device you’re actually working on (all of them, all of the time).

This gets me worried. My provider is now able, using the DHCP logs, to identify when I turn on my workstation(s). The sites I visit are able to identify which machine is visiting their site, and are now able to serve different content for different machines within the same home network.

The question(s), open for discussion:

  • Is using IPv6 equal to giving up part of your privacy?
  • Is there anything you can do about it? I noticed on the test page ‘privacy extensions for IPv6 are enabled’, but that doesn’t really keep them from seeing the individual IP addresses.
  • others …

#2

This is not really Pi-hole related but I will still quickly share my thoughts about this.

I know how you feel and this is something which naturally comes up for everyone new to IPv6. It will take some time, but you will eventually see that the way IPv6 does it is the right way.

With IPv4 and NAT on the router level, this is only a very shallow level of “security” as it is security through obscurity (the foreign sites do not see the individual devices’ addresses but only one big IP per household). However, they have long invented other techniques for identifying your devices using scripts, cookies, browser and operating system information etc. The apparent security your NAT gives you is actually a delusive assumption.

So, we conclude that you gain almost no security through having the NAT in place. However, it has a number of (more or less significant) drawbacks and shortcomings. I will only briefly talk about the most obvious one, which is that it interferes with the way the Internet is designed to work (as a peer-to-peer network). With a NAT, all internal packets going out into the world are rewritten at the router’s level to be sent not to 192.168.2.10 but to 45.67.89.123 (assuming this is your “Internet IP”). When they eventually get back, the router has to manipulate them again and first find out to which client this reply has to be sent. This all is quite a bit of effort and delays everything notably. You may not see this with a standard ISP router at 25 MBit/s speed; however, at higher speeds with router hardware that is not top-tier, there will be a significant slowdown only due to the NAT.

Now look at how IPv6 does it: All communication is true end-to-end and no packet manipulation at the router level has to be done. Starting from maybe already 25 MBit/s onwards, you will always see that (correctly working) speed tests will report higher speeds. This is not an artifact but mostly due to the easier handling of packets at the router level (and some other things I’m not going into detail here).

Coming back to the privacy issue:

No

If you are concerned about how the Internet was designed (true peer-to-peer instead of man-in-the-middle models), then privacy extension (PE) may be interesting for you. Note that, however, it is obviously important that your address doesn’t change too often to keep existing connections intact. Usually, PE rotates the IPv6 GUA on every restart of the machine.
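
Added example, not part of the original posts: a Python sketch of what a remote site can read from the IPv6 addresses discussed above. It splits each address into its /64 prefix and interface identifier, flags identifiers built from the MAC address (modified EUI-64), and shows that rotating identifiers still share one prefix. The function names are hypothetical and the sample addresses are constructed from the documentation prefix 2001:db8::/32.

```python
import ipaddress
from collections import defaultdict

def describe(addr: str) -> dict:
    """Split an IPv6 address into /64 prefix and interface identifier (IID)."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix = ipaddress.IPv6Network((raw[:8] + bytes(8), 64))
    iid = raw[8:]
    info = {"prefix": str(prefix), "iid": iid.hex(), "kind": "opaque", "mac": None}
    # Modified EUI-64 inserts ff:fe in the middle of the MAC and flips the
    # universal/local bit (0x02) of the first byte. A random IID can match
    # this pattern by chance (about 1 in 65536), so treat it as a strong hint.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        info["kind"] = "eui64"
        info["mac"] = ":".join(f"{b:02x}" for b in mac)
    return info

def summarize(addresses) -> dict:
    """Count distinct interface identifiers seen behind each /64 prefix."""
    seen = defaultdict(set)
    for a in addresses:
        d = describe(a)
        seen[d["prefix"]].add(d["iid"])
    return {prefix: len(iids) for prefix, iids in seen.items()}

# Constructed sample: addresses a web server might log for one household.
SAMPLE = [
    "2001:db8:1234:5601:0211:22ff:fe33:4455",  # MAC-derived (no privacy extensions)
    "2001:db8:1234:5601:5c3a:91d2:7be4:0a1f",  # temporary address
    "2001:db8:1234:5601:e9b1:44c7:02aa:9d30",  # temporary address after rotation
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a, describe(a))
    print(summarize(SAMPLE))
```

With a stable delegated prefix, the /64 plays the role the single public IPv4 address plays behind NAT, while an EUI-64 identifier stays the same on any network the device joins.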


#3

My take is the same as the OP - worried. I have shared folders inside my network, folders that are visible only “inside” on an IPv4 network.
Shoot, I have the pictures folders on my workstation shared for “Everyone” so it would work on multiple devices in my LAN.
I have two printers shared.
To make something “visible” outside, I need to actively “poke” a hole in the NAT and Firewall.

I am not sure that IPv6 is as safe.


#4

I don’t see how an external party could potentially access your shared folders without you explicitly allowing the corresponding traffic to be able to pass your firewall?