Netgate Discussion Forum

Local Network Protection for IPv6

IPv6
JKnott

I don't know with certainty how many addresses there are and to be honest, it doesn't matter to me. Irrespective of how difficult you think it is, they clearly know more about it than you, because their service works (and works well). I can't help but wonder why you're so wound up about this. If you know so much about offering VPN services, why aren't you in business?

      You still haven't explained why NAT provides any advantage over using random global addresses.  As I mentioned, when I used that anonymous connection, I'd be just as anonymous as you'd be with NAT.  On the other hand, I don't have to deal with the issues NAT causes.  In addition, NAT carries a significant performance penalty.

      https://theses.lib.vt.edu/theses/available/etd-10062003-170440/unrestricted/thesis.pdf

      FWIW, I have set up several VPNs for businesses, as well as my own use, and know why NAT is used and why it causes problems.

I'll state again that reason.  It's a hack whose sole purpose is to get around the IPv4 address shortage.  It has absolutely no place in IPv6, where there is no address shortage.  There is nothing that it can provide, not even privacy, that can't be obtained by other means that don't cause the problems that NAT does. Nothing!!!

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

JKnott

        One other thing, you seem to think the port changing that happens with NAT is a security feature.  How so?  According to RFC6056, source ports are supposed to be random.  So, with NAT, you get an address change and perhaps a source port change.  The destination port never changes.  This means you're trading one random source port number for another random source port number.  How does that improve things?  If someone intercepts traffic from your VPN, they'll see the provider's IP address and a random source port.  Now, if the same thing happens with a global address assigned from the provider's address pool, that someone will see an IP address assigned to the provider and a random source port.  How is that any different from using NAT???

        From: https://tools.ietf.org/html/rfc6056#section-3

"3.1.  Characteristics of a Good Algorithm for the Obfuscation of the Ephemeral Port Selection

There are several factors to consider when designing an algorithm for selecting ephemeral ports, which include:

o  Minimizing the predictability of the ephemeral port numbers used for future transport-protocol instances."

        The above is supposed to happen with every TCP or UDP connection.


johnpoz LAYER 8 Global Moderator

          ^ and ^^ well said @JKnott

I too have set up many a vpn solution, but only in the enterprise, not for any "vpn" providers.  Most of these so called vpn services are hacks on the bandwagon to make a quick buck off the hype that is I need a vpn to hide my IP..  Most of the users of all of these vpn solutions have zero valid reasons to be using them other than their buddy is using one and they wanted to jump on the vpn bandwagon.  Or they want to circumvent some geo restrictions to watch some streaming service that is not available in their region.

          I wouldn't be surprised if many of them are selling user data to the highest bidder and or all bidders ;)

I don't think anyone is getting worked up.  I am sure we are all happy you're happy with your vpn provider..

And sorry but you have not shown anything to back up your statement that NAT is needed for a vpn other than that is the way your vpn provider has done it - and it works.  Doesn't make it a valid reason.  Doesn't make your vpn provider smarter since they did it that way, that is for damn sure..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

bimmerdriver

            @JKnott:

I don't know with certainty how many addresses there are and to be honest, it doesn't matter to me. Irrespective of how difficult you think it is, they clearly know more about it than you, because their service works (and works well). I can't help but wonder why you're so wound up about this. If you know so much about offering VPN services, why aren't you in business?

            You still haven't explained why NAT provides any advantage over using random global addresses.  As I mentioned, when I used that anonymous connection, I'd be just as anonymous as you'd be with NAT.  On the other hand, I don't have to deal with the issues NAT causes.  In addition, NAT carries a significant performance penalty.

            https://theses.lib.vt.edu/theses/available/etd-10062003-170440/unrestricted/thesis.pdf

            FWIW, I have set up several VPNs for businesses, as well as my own use, and know why NAT is used and why it causes problems.

I'll state again that reason.  It's a hack whose sole purpose is to get around the IPv4 address shortage.  It has absolutely no place in IPv6, where there is no address shortage.  There is nothing that it can provide, not even privacy, that can't be obtained by other means that don't cause the problems that NAT does. Nothing!!!

            I'm not a proponent or opponent of NAT. I am saying, however, that your claim it doesn't work is bogus. My vpn works. I can max out my connection with it. It makes no difference how it was implemented, as long as it works.

            I also dispute your claim that a privacy address serves the same purpose as a vpn. That is completely false and as someone who has set up a vpn you're being disingenuous to claim it serves the same purpose as a vpn.

bimmerdriver

              @JKnott:

              One other thing, you seem to think the port changing that happens with NAT is a security feature.  How so?  According to RFC6056, source ports are supposed to be random.  So, with NAT, you get an address change and perhaps a source port change.  The destination port never changes.  This means you're trading one random source port number for another random source port number.  How does that improve things?  If someone intercepts traffic from your VPN, they'll see the provider's IP address and a random source port.  Now, if the same thing happens with a global address assigned from the provider's address pool, that someone will see an IP address assigned to the provider and a random source port.  How is that any different from using NAT???

              From: https://tools.ietf.org/html/rfc6056#section-3

"3.1.  Characteristics of a Good Algorithm for the Obfuscation of the Ephemeral Port Selection

There are several factors to consider when designing an algorithm for selecting ephemeral ports, which include:

o  Minimizing the predictability of the ephemeral port numbers used for future transport-protocol instances."

              The above is supposed to happen with every TCP or UDP connection.

              You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.

JKnott

You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.

                And you seem to be missing what I and John have said several times.  A VPN provider can provide an IPv6 address from a huge pool.  There is nothing to tie a user to that any more than there is through NAT.  In my example, I mentioned an anonymous connection with a random IPv6 address, possibly from other parts of the world.  How is that different from what you get with NAT?  That address is simply not tied to you.  I am not talking about a privacy address, which would contain a person's prefix.  I am talking about an address, owned by the VPN provider, made available to you.  Next time you connect, you get a completely different address, again not tied in any way to you.  Isn't that what you're looking for???

                Perhaps you should wonder why 3 people here are strongly disagreeing with you.  Might it be that you're flat out wrong and don't realize it?  I haven't heard anyone agree with you.  Why is that???


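The two designs argued over in this thread, the RFC 6056 "simple port randomization" algorithm JKnott quoted earlier and the "random global address from a provider-owned pool" alternative in the post above, side by side as an added example. This is not code from the thread, from pfSense or from any VPN provider: the NAPT table is a minimal model of a port-translating NAT, the prefixes are RFC 3849 documentation addresses chosen here, and `scripted_rng` exists only to make runs reproducible.

```python
import ipaddress
import secrets

# RFC 6056, Section 3.2 recommends the whole 1024-65535 range for ephemeral ports.
MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def scripted_rng(values):
    """Return an rng(n) callable that replays a fixed script of draws.
    Only for reproducible demonstrations; real code keeps secrets.randbelow."""
    it = iter(values)
    return lambda n: next(it) % n


def pick_ephemeral_port(in_use, rng=secrets.randbelow):
    """RFC 6056 Algorithm 1, 'Simple Port Randomization'.

    Draw a uniformly random port from the ephemeral range and retry, at most
    NUM_EPHEMERAL times, while the candidate is already in use. rng(n) must
    return an int in [0, n); the CSPRNG default is what makes the next port
    unpredictable to an on-path observer.
    """
    count = NUM_EPHEMERAL
    while count > 0:
        candidate = MIN_EPHEMERAL + rng(NUM_EPHEMERAL)
        if candidate not in in_use:
            return candidate
        count -= 1
    raise RuntimeError("ephemeral port range exhausted")


class Napt:
    """Minimal model (constructed here) of a port-translating NAT at a VPN exit.

    Every inside (address, port) pair is mapped to one shared public address
    and an outside port chosen by the same RFC 6056 algorithm the inside host
    already used, so the observer-visible source port is random either way.
    """

    def __init__(self, public_addr, rng=secrets.randbelow):
        self.public_addr = str(ipaddress.IPv6Address(public_addr))
        self.rng = rng
        self.table = {}  # (inside_addr, inside_port) -> (public_addr, outside_port)

    def translate(self, inside_addr, inside_port):
        key = (str(ipaddress.IPv6Address(inside_addr)), inside_port)
        if key not in self.table:
            # Outside ports already handed out must not be reused while mapped.
            outside_in_use = {port for _, port in self.table.values()}
            self.table[key] = (self.public_addr,
                               pick_ephemeral_port(outside_in_use, self.rng))
        return self.table[key]


def pick_pool_address(pool_prefix, in_use, rng=secrets.randbelow, max_tries=2 ** 16):
    """No-NAT alternative: hand each session a random global address from a
    provider-owned prefix. Same draw-and-retry shape as Algorithm 1; in_use
    holds the string form of addresses currently assigned."""
    net = ipaddress.IPv6Network(pool_prefix)
    count = min(net.num_addresses, max_tries)
    while count > 0:
        candidate = str(net[rng(net.num_addresses)])
        if candidate not in in_use:
            return candidate
        count -= 1
    raise RuntimeError("address pool exhausted")


if __name__ == "__main__":
    # Constructed sample values (RFC 3849 documentation prefix), not real hosts.
    nat = Napt("2001:db8:ffff::1")
    print("NAT exit (shared addr, random port):", nat.translate("fd00::10", 40000))
    print("Pool exit (random addr, random port):",
          pick_pool_address("2001:db8:1::/64", set()), pick_ephemeral_port(set()))
```

What an observer past the exit records is a provider-owned address and a uniformly random source port under both designs; the difference is only whether the randomness sits in the port (NAPT, with the shared-state table a translator must keep) or in the address (a per-session draw from the pool). Both functions also show the failure mode RFC 6056 spells out: when the range is exhausted the draw loop gives up with an error rather than spinning forever.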
bimmerdriver

                  @johnpoz:

                  ^ and ^^ well said @JKnott

I too have set up many a vpn solution, but only in the enterprise, not for any "vpn" providers.  Most of these so called vpn services are hacks on the bandwagon to make a quick buck off the hype that is I need a vpn to hide my IP..  Most of the users of all of these vpn solutions have zero valid reasons to be using them other than their buddy is using one and they wanted to jump on the vpn bandwagon.  Or they want to circumvent some geo restrictions to watch some streaming service that is not available in their region.

                  I wouldn't be surprised if many of them are selling user data to the highest bidder and or all bidders ;)

I don't think anyone is getting worked up.  I am sure we are all happy you're happy with your vpn provider..

And sorry but you have not shown anything to back up your statement that NAT is needed for a vpn other than that is the way your vpn provider has done it - and it works.  Doesn't make it a valid reason.  Doesn't make your vpn provider smarter since they did it that way, that is for damn sure..

                  This is epic trolling, even for you.

bimmerdriver

                    @JKnott:

You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.

                    And you seem to be missing what I and John have said several times.  A VPN provider can provide an IPv6 address from a huge pool.  There is nothing to tie a user to that any more than there is through NAT.  In my example, I mentioned an anonymous connection with a random IPv6 address, possibly from other parts of the world.  How is that different from what you get with NAT?  That address is simply not tied to you.  I am not talking about a privacy address, which would contain a person's prefix.  I am talking about an address, owned by the VPN provider, made available to you.  Next time you connect, you get a completely different address, again not tied in any way to you.  Isn't that what you're looking for???

                    Perhaps you should wonder why 3 people here are strongly disagreeing with you.  Might it be that you're flat out wrong and don't realize it?  I haven't heard anyone agree with you.  Why is that???

How is it that you are so determined to bludgeon me with your opinion that you can't or won't read what I've said numerous times? I have never once said that the implementation my vpn service provider chose is the only way or the "right way", as if there is such a thing, to implement a vpn. I could not care less that you don't like how my vpn service provider implemented their network. It works FFS. Get over it.

JKnott

                      I have never once said that the implementation my vpn service provider chose is the only way or the "right way", as if there is such a thing, to implement a vpn.

                      Ummm…  Who was it who said?

                      If you don't NAT ipv4 and ipv6, you don't have privacy.

                      Or

                      It would completely defeat the purpose of using a VPN to not "NAT" both the ipv4 and ipv6 addresses. Some day, when people no longer use ipv4, there will still be VPNs and they will still NAT the ipv6 address, otherwise, what's the point?

                      Or

                      There's no way to share public addresses without translating the individual private addresses to the shared public address.


johnpoz LAYER 8 Global Moderator

                        "This is epic trolling, even for you."

Even for me?  Wow.. You do understand you started this whole thing. JKnott posted an RFC for some info and you, I assume in your complete understanding of ipv6 and how vpn services work, disagree with that RFC??  Did you even read it?  I guess that is a no from your comments.

You understand it's a Request for Comment, the authors' addresses are listed - if you disagree with them, why don't you contact them directly and point out to them how NAT is still needed for vpns ;)

                        "It works FFS. Get over it."

Which has ZERO to do with the info that was posted - who is trolling?


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.