Local Network Protection for IPv6



  • Since some people seem to think NAT on IPv6 is a good idea, I'm linking to this RFC to show why it's not.  NAT was created to get around the IPv4 address shortage, but causes other problems.  It should not be used on IPv6.

    https://tools.ietf.org/rfc/rfc4864.txt



  • @JKnott:

    Since some people seem to think NAT on IPv6 is a good idea, I'm linking to this RFC to show why it's not.  NAT was created to get around the IPv4 address shortage, but causes other problems.  It should not be used on IPv6.

    https://tools.ietf.org/rfc/rfc4864.txt

    There is a place for NAT with ipv6 and that's VPNs. My service provider NATs both the ipv4 and the ipv6 addresses. On top of that, the addresses are shared. If you don't NAT ipv4 and ipv6, you don't have privacy. Sharing addresses adds to privacy.



  • @bimmerdriver:

    @JKnott:

    Since some people seem to think NAT on IPv6 is a good idea, I'm linking to this RFC to show why it's not.  NAT was created to get around the IPv4 address shortage, but causes other problems.  It should not be used on IPv6.

    https://tools.ietf.org/rfc/rfc4864.txt

    There is a place for NAT with ipv6 and that's VPNs. My service provider NATs both the ipv4 and the ipv6 addresses. On top of that, the addresses are shared. If you don't NAT ipv4 and ipv6, you don't have privacy. Sharing addresses adds to privacy.

    That's bizarre!  Why would any ISP NAT IPv6?  There's no address shortage with IPv6.  In fact, there are enough /48 prefixes to give 5000 to every person on earth!  I get a /56 or 256 /64s from my ISP.  It's a simple matter to assign one of the /64s to a VPN.

    One thing that provides privacy is the privacy addresses (wonder why they're called that?), where outgoing connections get a new address every day.  Also, that RFC I linked to mentions that the sparse address space makes scanning attacks difficult.  It said that with a 40 Gb connection, it would take 5000 years to ping an entire /64.

    NAT is still a bad idea.  While it was needed to get around the IPv4 address shortage, it also causes problems for some protocols and increases the work routers have to do.  It has no place in IPv6.



  • @JKnott:

    @bimmerdriver:

    @JKnott:

    Since some people seem to think NAT on IPv6 is a good idea, I'm linking to this RFC to show why it's not.  NAT was created to get around the IPv4 address shortage, but causes other problems.  It should not be used on IPv6.

    https://tools.ietf.org/rfc/rfc4864.txt

    There is a place for NAT with ipv6 and that's VPNs. My service provider NATs both the ipv4 and the ipv6 addresses. On top of that, the addresses are shared. If you don't NAT ipv4 and ipv6, you don't have privacy. Sharing addresses adds to privacy.

    That's bizarre!  Why would any ISP NAT IPv6?  There's no address shortage with IPv6.  In fact, there are enough /48 prefixes to give 5000 to every person on earth!  I get a /56 or 256 /64s from my ISP.  It's a simple matter to assign one of the /64s to a VPN.

    One thing that provides privacy is the privacy addresses (wonder why they're called that?), where outgoing connections get a new address every day.  Also, that RFC I linked to mentions that the sparse address space makes scanning attacks difficult.  It said that with a 40 Gb connection, it would take 5000 years to ping an entire /64.

    NAT is still a bad idea.  While it was needed to get around the IPv4 address shortage, it also causes problems for some protocols and increases the work routers have to do.  It has no place in IPv6.

    If you read what I said, I was referring to a VPN service provider, not my ISP. And irrespective of how many addresses are supported by ipv6, if you are using the prefix allocated by your ISP, it's directly traceable to you, no different than your ipv4 address. VPN service providers that offer dual-stack service provide their own public ipv4 and ipv6 addresses to be exposed to the world. That way if you do "what is my ip address", it will show shared addresses belonging to the VPN service provider in whatever location their gateway is, not an address allocated using the prefix that was assigned to you by your ISP. Even privacy addresses do not accomplish this. They are also allocated using your dedicated prefix.



  • I think the privacy address issue is causing confusion…

    If the type of privacy you are looking for is preventing subnet scanning, it is already "built-in", because it would take forever to scan a /64, and a firewall would block it anyway.  It really doesn't matter what address you assign to the host: "privacy", static, DHCP6, or SLAAC.

    Since the privacy address changes from time-to-time, you're not really getting privacy because any website can easily track you using cookies, beacons, etc instead to figure out who you are anyway, so the address is really irrelevant.  Facebook, Google and their advertising machines have this technique pretty well in the bag.
    On the flip-side, due to the huge IPv6 address space, anti-hacking blocking techniques are turning to tracking prefixes, for instance they would block the /64 of a host doing bad stuff, and then work up to bigger and bigger subnets if the problem persists, because there aren't enough machine resources to keep track of individual IPs.

    If you are concerned about privacy to the point that you are using PIA (VPN) services, then you must ensure that you never have, nor ever will access anything without the VPN active, as a single dropped cookie will allow correlation between your "real" prefix and whatever prefix the PIA service is giving out to you.  Besides, the NSA et al. have already figured out how to do that.

    In fact, just don't deploy IPv6 if a tin-foil hat is part of your wardrobe!



  • @awebster:

    I think the privacy address issue is causing confusion…

    If the type of privacy you are looking for is preventing subnet scanning, it is already "built-in", because it would take forever to scan a /64, and a firewall would block it anyway.  It really doesn't matter what address you assign to the host: "privacy", static, DHCP6, or SLAAC.

    Since the privacy address changes from time-to-time, you're not really getting privacy because any website can easily track you using cookies, beacons, etc instead to figure out who you are anyway, so the address is really irrelevant.  Facebook, Google and their advertising machines have this technique pretty well in the bag.
    On the flip-side, due to the huge IPv6 address space, anti-hacking blocking techniques are turning to tracking prefixes, for instance they would block the /64 of a host doing bad stuff, and then work up to bigger and bigger subnets if the problem persists, because there aren't enough machine resources to keep track of individual IPs.

    If you are concerned about privacy to the point that you are using PIA (VPN) services, then you must ensure that you never have, nor ever will access anything without the VPN active, as a single dropped cookie will allow correlation between your "real" prefix and whatever prefix the PIA service is giving out to you.  Besides, the NSA et al. have already figured out how to do that.

    In fact, just don't deploy IPv6 if a tin-foil hat is part of your wardrobe!

    Not sure who your "tin-foil hat" comment is directed at. In case it wasn't clear, my point is that an ipv6 privacy address will be allocated from within the same prefix as the UGA, so it's directly traceable to a subscriber in exactly the same manner as an ipv4 address and the location will be associated accordingly. If you're using a dual-stack vpn for whatever reason, be it "privacy" or geolocation, you want both addresses to be associated with the physical location you chose for the exit point. That way, you will see content for the chosen location, not for your home location, and if you're downloading a torrent over ipv6 (which may happen if you have a dual-stack vpn connection), the apparent address will be the public address of the exit point, not your own UGA or privacy address. A VPN is a very handy way to get around the silly "this content is not available in your location" message for this reason. While a VPN may not fool the NSA, it certainly works for geolocation. It would completely defeat the purpose of using a VPN to not "NAT" both the ipv4 and ipv6 addresses. Some day, when people no longer use ipv4, there will still be VPNs and they will still NAT the ipv6 address, otherwise, what's the point?

    Anyone really concerned about privacy from the NSA should be using tor.



  • If you read what I said, I was referring to a VPN service provider, not my ISP.

    I guess I misread "My service provider NATs both the ipv4 and the ipv6 addresses." because you didn't say you got a VPN from a service provider.  I have set up several VPNs in my time and never used a service provider.

    Regardless, where does NAT fit in with your description?  You could use Unique Local Addresses for the VPN, just as you'd use RFC 1918 addresses on IPv4.  Neither requires NAT.  What address range does the VPN service supply?  They could have a public /48 or other suitable prefix and assign a /64 on a temporary basis to users.  I believe that was also mentioned in that RFC.



  • as a single dropped cookie

    Yeah, you don't want to toss your cookies!  ;)

    In fact, just don't deploy IPv6 if a tin-foil hat is part of your wardrobe!

    Or IPv4 for that matter.



  • @JKnott:

    If you read what I said, I was referring to a VPN service provider, not my ISP.

    I guess I misread "My service provider NATs both the ipv4 and the ipv6 addresses." because you didn't say you got a VPN from a service provider.  I have set up several VPNs in my time and never used a service provider.

    Regardless, where does NAT fit in with your description?  You could use Unique Local Addresses for the VPN, just as you'd use RFC 1918 addresses on IPv4.  Neither requires NAT.  What address range does the VPN service supply?  They could have a public /48 or other suitable prefix and assign a /64 on a temporary basis to users.  I believe that was also mentioned in that RFC.

    If I pay a company to provide a service, it is a service provider, IMO. An ISP is a service provider, but not all service providers are ISPs.

    When I'm connected "through" Telus (i.e., without the VPN connected), my public ipv4 and ipv6 addresses are the assigned ipv4 and a UGA allocated using the assigned ipv6 prefix. They are "traceable" to me, subject to how well Telus maintains logs. When I connect to the VPN service, I can choose from their list of servers which are located around the world. Each server provides different ipv4 and ipv6 addresses, both of which are shared. Depending on the location of the server a different "service provider" is used. I don't choose the addresses. They are assigned when the client connects to the server. The computer sees private ipv4 and ipv6 addresses, but when you use a website like ipv6-test.com, only the public addresses are visible. When I'm connected, I get ads in the local language. It's as if I'm in the location connected using the particular local service provider. The addresses are NATed between private and public by the VPN server. This is how typical VPN services such as PIA or whatever work. If you set up your own VPN server, it's going to be using your ipv4 address and ipv6 prefix. Such a VPN isn't very useful if you are trying to spoof your location or have addresses that aren't traceable to you.


  • LAYER 8 Global Moderator

    Hiding behind a vpn provider's IP range has ZERO to do with natting the ipv6 address they give your client.. With the almost infinite address space that ipv6 provides there is zero reason for them to NAT this ipv6 address they give the vpn client..

    They would use a tunnel network just like you do in ipv4.  The only reason the tunnel network in ipv4 is normally rfc1918 is the vpn provider doesn't have a shitton of ipv4 public space to use ;)

    There would be ZERO reason for a ipv6 vpn provider to NAT this address space to hide their users real IPv6 address..  To the public the IPv6 address these users come from would still be registered to the VPN provider.. The ipv6 address your traffic presents to the world would be theirs, and not registered to you or your ISP in anyway.

    The only reason you share IPs in the IPv4 world is there is a lack of them!!!

    As to the vpn tracking which user tunnel IP is what public IP would be to the vpn provider logging.



  • As to the vpn tracking which user tunnel IP is what public IP would be to the vpn provider logging.

    And via tossed cookies.  :P

    Not sure who your "tin-foil hat" comment is directed at.

    Not directed at anyone in particular, but generally to people that think that casually using a PIA offers them anonymity.

    I get it, people just want to use torrents and not receive threatening legal letters, but my point is that if you are serious about achieving a true level of anonymity, you first need to ensure that your anonymous environment cannot ever connect to anything without going through a VPN.  You need to select PIA providers that don't keep logs and you need to change your ISP and PIA providers from time-to-time.  You need to set up machines that will be accessing the Internet anonymously from scratch and from trusted sources, and you need to rebuild them from time-to-time, or use a read-only machine VM instance.  And you better be aggressively blocking Google, Facebook, Twitter and all other social media services.  You must use all new accounts anonymously.  You need to study movies like "Enemy of the state", and "The Conversation", and on and on and on…. The required effort is huge, and you must never make a mistake.  :-X



  • @awebster:

    As to the vpn tracking which user tunnel IP is what public IP would be to the vpn provider logging.

    And via tossed cookies.  :P

    Not sure who your "tin-foil hat" comment is directed at.

    Not directed at anyone in particular, but generally to people that think that casually using a PIA offers them anonymity.

    I get it, people just want to use torrents and not receive threatening legal letters, but my point is that if you are serious about achieving a true level of anonymity, you first need to ensure that your anonymous environment cannot ever connect to anything without going through a VPN.  You need to select PIA providers that don't keep logs and you need to change your ISP and PIA providers from time-to-time.  You need to set up machines that will be accessing the Internet anonymously from scratch and from trusted sources, and you need to rebuild them from time-to-time, or use a read-only machine VM instance.  And you better be aggressively blocking Google, Facebook, Twitter and all other social media services.  You must use all new accounts anonymously.  You need to study movies like "Enemy of the state", and "The Conversation", and on and on and on…. The required effort is huge, and you must never make a mistake.  :-X

    I think I was pretty clear that I'm not trying to achieve privacy from NSA or I would be using tor and resorting to the other measures you mentioned. I use a VPN for two purposes. First is geolocation. Second is for torrenting. For these purposes, it works as advertised. My vpn service provider does not log. I'm happy.



  • When you get an IPv6 VPN, what address range is it in?  If it starts with 2, then it's a public address that's given to you to use and does not need NAT.  If it starts with fd, then it's a Unique Local Address that requires NAT.



  • @johnpoz:

    Hiding behind a vpn provider's IP range has ZERO to do with natting the ipv6 address they give your client.. With the almost infinite address space that ipv6 provides there is zero reason for them to NAT this ipv6 address they give the vpn client..

    They would use a tunnel network just like you do in ipv4.  The only reason the tunnel network in ipv4 is normally rfc1918 is the vpn provider doesn't have a shitton of ipv4 public space to use ;)

    There would be ZERO reason for a ipv6 vpn provider to NAT this address space to hide their users real IPv6 address..  To the public the IPv6 address these users come from would still be registered to the VPN provider.. The ipv6 address your traffic presents to the world would be theirs, and not registered to you or your ISP in anyway.

    The only reason you share IPs in the IPv4 world is there is a lack of them!!!

    As to the vpn tracking which user tunnel IP is what public IP would be to the vpn provider logging.

    When I go to ipv6-test.com while the vpn is not connected, it shows both addresses are from my isp. When I go to ipv6-test.com while the vpn is connected, it shows both addresses are from the local service provider where the vpn server is located. These addresses are shared. When my pc is connected to the vpn, it has private ipv4 (10…) and ipv6 (fdda::...) addresses according to ipconfig. The vpn connection is NATing the private addresses to the shared public addresses. Maybe they could or should have set it up differently, but as far as I'm concerned, it works, so that's good enough for me.



  • When my pc is connected to the vpn, it has private ipv4 (10…) and ipv6 (fdda::...) addresses according to ipconfig. The vpn connection is NATing the private addresses to the shared public addresses. Maybe they could or should have set it up differently, but as far as I'm concerned, it works, so that's good enough for me.

    Yes they should have done IPv6 differently.  By using a Unique Local Address, they're forcing NAT to be used, with all its problems.  With all the IPv6 addresses available, they could have used a public address and avoided NAT.  I don't know how many addresses they give you, but a single /64 has 2^64 addresses available.  That's the entire IPv4 address space squared!



  • @JKnott:

    When my pc is connected to the vpn, it has private ipv4 (10…) and ipv6 (fdda::...) addresses according to ipconfig. The vpn connection is NATing the private addresses to the shared public addresses. Maybe they could or should have set it up differently, but as far as I'm concerned, it works, so that's good enough for me.

    Yes they should have done IPv6 differently.  By using a Unique Local Address, they're forcing NAT to be used, with all its problems.  With all the IPv6 addresses available, they could have used a public address and avoided NAT.  I don't know how many addresses they give you, but a single /64 has 2^64 addresses available.  That's the entire IPv4 address space squared!

    No one is questioning that there are 2^64 addresses available in a /64 prefix. However, shared public addresses are considered a feature, because they further obscure individual users. There's no way to share public addresses without translating the individual private addresses to the shared public address. NAT or not, the vpn works. I can max out my available bandwidth and it does exactly what I want.


  • LAYER 8 Global Moderator

    "There's no way to share public addresses without translating the individual private addresses to the shared public address"

    Not really true - you could quite easily use a proxy to have multiple users' traffic be coming from the same public IP without any actual nat.

    Also with ipv6 done how it's designed, outbound traffic from a client would use multiple IPs all the time.. These Temporary Addresses would expire and new ones created all the time.  So the odds of someone tracking a user's actions based upon their IPv6 would be quite difficult because they would use different addresses all the time for their different connections, and one session might use address X while traffic to some other place would come from address Y.

    Really the whole point of NAT as a feature to hide someone's behavior is gone with the privacy extensions that are built into ipv6.  So while someone would be able to track your IPv6 address to the ISP providing you said address, unless the isp is giving away your info there would normally be no way for someone to know who that IPv6 address is actually registered to.  So you trust the vpn provider more than the isp in giving away said info.  Or you're wanting to use the vpn to hide your behavior from your ISP.



  • These Temporary Addresses would expire and new ones created all the time.

    Quite so.  On my Linux system, I get a new privacy address every 24 hours and they have a lifetime of only 5 or 6 days.  Compare that to the 5000 years it would take to scan a single /64, with a 40 Gb connection, according to the RFC I referenced for this thread.

    Getting back to the VPN, if a service provider simply provided temporary use of a single address in a /64 for the VPN, then the user would be just as hidden as behind NAT.
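    A check for what johnpoz and JKnott describe above, temporary (privacy-extension) addresses that are rotated and expire, and for bimmerdriver's point earlier in the thread that those addresses still sit inside the same /64 as the stable one. It is an added Python example, not code from the thread or from any of the posters; it parses constructed `ip -6 addr show` output in the format Linux prints (the addresses and lifetimes are made up, and the roughly 24-hour preferred / 6-day valid lifetimes appear only in the sample, not read from any sysctl):

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ip -6 addr show` output; addresses use the 2001:db8::/32
# documentation prefix and the lifetimes are invented.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 518400sec preferred_lft 85000sec
    inet6 2001:db8:1:2:9f8e:7d6c:5b4a:3920/64 scope global temporary deprecated dynamic
       valid_lft 432000sec preferred_lft 0sec
    inet6 2001:db8:1:2:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr
       valid_lft 2591800sec preferred_lft 604600sec
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
"""

ADDR_RE = re.compile(r"^\s*inet6\s+(\S+)\s+scope\s+(\S+)\s*(.*)$")
LFT_RE = re.compile(r"valid_lft\s+(\S+)\s+preferred_lft\s+(\S+)")


@dataclass
class Inet6:
    address: str                      # with prefix length, as printed
    scope: str                        # "global", "link", ...
    flags: tuple                      # e.g. ("temporary", "dynamic")
    valid_lft: Optional[int] = None   # seconds; None means "forever"
    preferred_lft: Optional[int] = None


def _lifetime(token: str) -> Optional[int]:
    """'518400sec' -> 518400, 'forever' -> None."""
    if token == "forever":
        return None
    return int(token[:-3]) if token.endswith("sec") else int(token)


def parse_ip6_addrs(text: str) -> List[Inet6]:
    """Turn `ip -6 addr` output into Inet6 records (each inet6 line is followed
    by its valid_lft/preferred_lft line)."""
    records: List[Inet6] = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            records.append(Inet6(m.group(1), m.group(2), tuple(m.group(3).split())))
            continue
        m = LFT_RE.search(line)
        if m and records:
            records[-1].valid_lft = _lifetime(m.group(1))
            records[-1].preferred_lft = _lifetime(m.group(2))
    return records


def temporary_addresses(records: List[Inet6]) -> List[Inet6]:
    """Privacy-extension addresses: the kernel flags them "temporary"."""
    return [r for r in records if "temporary" in r.flags]


def privacy_extensions_active(records: List[Inet6]) -> bool:
    """True when a global temporary address is still preferred, i.e. new outgoing
    connections will use it rather than the stable (EUI-64 or DHCPv6) address."""
    return any(
        r.scope == "global" and "temporary" in r.flags and "deprecated" not in r.flags
        and (r.preferred_lft is None or r.preferred_lft > 0)
        for r in records
    )


def shares_prefix(addr_a: str, addr_b: str, prefix_len: int = 64) -> bool:
    """Do two addresses fall in the same /prefix_len?  Temporary addresses change only
    the interface identifier, so they share the ISP-delegated prefix with the stable one."""
    def network(addr: str) -> ipaddress.IPv6Network:
        ip = ipaddress.ip_interface(addr).ip
        return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return network(addr_a) == network(addr_b)


if __name__ == "__main__":
    recs = parse_ip6_addrs(SAMPLE_IP_ADDR)
    stable = [r for r in recs if r.scope == "global" and "temporary" not in r.flags]
    for r in temporary_addresses(recs):
        hours = (r.preferred_lft or 0) / 3600
        print(f"{r.address}: preferred for {hours:.1f} h more, "
              f"same /64 as stable address: {shares_prefix(r.address, stable[0].address)}")
    print("privacy extensions active:", privacy_extensions_active(recs))
```

    Run it against real output with `parse_ip6_addrs(subprocess.check_output(["ip", "-6", "addr"], text=True))`; a host whose only global addresses lack the `temporary` flag has privacy extensions off, and `shares_prefix` is the quick way to confirm that rotating the address never hides which delegated prefix you are in.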



    You're both missing the point and getting hung up on semantics. Irrespective of whether "NAT" or a proxy server or some other mechanism is used, a reasonable expectation from a vpn service provider is to provide public addresses that are not associated with the isp-provided addresses or prefix. The mechanism used to achieve that is immaterial. According to my vpn service provider, "NAT" is being used in their openvpn configuration. They could use magic, as long as they accomplish the same result. It makes no difference.

    I attached three screen captures.

    The first is the result of ipv6-test.com when the vpn is not connected. It's possible to determine my isp and my approximate location. The address is the privacy address, not the dhcpv6 address. Both the ipv4 address and the ipv6 prefix are directly associated with me.

    The second is output from ipconfig /all with the vpn connected. You can see the private addresses used by the vpn, as well as the public addresses used when the vpn is not connected.  (This screen capture was taken at a different time so the privacy address is not the same as above.)

    The third is the result of ipv6-test.com when the vpn is connected to a server in sweden. It shows the isp the vpn server is connected to and it shows the location in sweden. If I browse to a website, I see local ads in the swedish language. I get local ads for whatever server I connect to. I can view regional content that would otherwise be "not available in my location".

    This is exactly what I would expect a vpn to do. It completely defeats the purpose of a vpn if the public ipv6 address uses my isp-provided prefix.

    The issue of whether I trust my vpn service provider more than my isp is somewhat moot, because my isp cannot / will not offer public ip addresses in another geographic location. However, since you bring up trust, my vpn service provider keeps no logs and they have no record of my name or my email address. My isp clearly has that info and more. I completely trust my isp to act in its self-interest. They have my contact info and I don't doubt they would provide it if they were compelled. My vpn service provider has nothing to give, even if it's compelled. For me, this is a big deal, but not nearly as big a deal for me as it is for a person who lives in a country where there is censorship, such as China or Iran.

    In the (distant) future when isps stop handing out ipv4 addresses, people will still be using vpns for a variety of reasons. A vpn that uses a privacy address allocated using the subscriber's isp-provided prefix is an oxymoron and would serve no purpose. It's neither virtual, nor private.  I don't get why you're beating on this dead horse. A privacy address has a valid purpose, but it's not equivalent to a vpn.



    ![Capture 2.PNG](/public/imported_attachments/1/Capture 2.PNG)
    ![Capture 3.PNG](/public/imported_attachments/1/Capture 3.PNG)



    You're both missing the point and getting hung up on semantics. Irrespective of whether "NAT" or a proxy server or some other mechanism is used, a reasonable expectation from a vpn service provider is to provide public addresses that are not associated with the isp-provided addresses or prefix.

    And once again, there is no need to use NAT to do that.  Any VPN provider can get a block of global addresses and hand them out as needed, on a temporary basis to their users.  That address will be one of theirs, not yours and can be different every time you connect or even changed periodically.



  • … this is a big deal, but not nearly as big a deal for me as it is for a person who lives in a country where there is censorship, such as China or Iran.

    Since you brought this up, I've seen that the great firewall of China does a remarkably good job at blocking VPNs. 
    I said it before, the IP or IPv6 address the user is using is inconsequential to the identification of the user behavior, and subsequently the user.
    In the case of China, it appears that they are using a mechanism by which DNS requests to certain sites resolve to one IP inside China and another outside.  The sites (perhaps gov't run banner ads) could drop unique cookies on the user's machine, or clever javascript trickery, and if the same cookie ID comes back from an outside facing IP within a certain time window, that means that the user has brought up a VPN.  You now can pick off the IP (could be IPv4 or IPv6) and filter it.  If the ISP is state run, well, you know what can happen next.

    So the VPN makes sense for certain use cases that were discussed previously, but if you're in a country where VPN use is controlled, or the government simply wants to keep tabs on what its citizens are doing, privacy addresses, NAT, VPN won't get you anywhere unless you are willing to take all the necessary precautions to evade detection.  Tails might help here, but the great firewall is pretty good at blocking TOR traffic too. YMMV.



    I am going to provide an example that shows NAT is not necessary.  Prior to my ISP offering IPv6 last year, I used a 6in4 tunnel for 6 years from a service called gogo6.  They offered a /56 prefix or a single static IPv6 address to a registered account or a single random IPv6 address to an anonymous connection.  I used the prefix on my home network, but the anonymous connection on my notebook computer, when away from home.  That IPv6 address was not in any way assigned to me.  I just used whatever address was available.  How does this differ from what you're trying to accomplish with a VPN?  Also, that service had a few servers around the world.  I used the one in Montreal, but one of the others, which I recall, was in Amsterdam.  So, I could have made an anonymous connection to any of the servers around the world, received a random address, yet required absolutely no use of NAT.  What does your VPN provide, other than possibly encryption, that the anonymous connection didn't?  Also, I bet that gogo6 service had far more IPv6 addresses to hand out, than the IPv4 & port number combinations that your VPN service offers.  Seems to me that's a bit more secure.


  • LAYER 8 Global Moderator

    ^ same with Hurricane Electric's IPv6 tunnel.. Which I use because my isp ipv6 deployment is flaky..  While my tunnel runs and runs and runs and I get a /48 to work with.

    "It shows the isp the vpn server is connected to and it shows the location in sweden. If I browse to a website, I see local ads in the swedish language."

    If your goal is circumvention of some geo restrictions then sure use a VPN, that still has zero to do with them NATing the ipv6 address they give you.  I can create tunnels to any of the HE sites all over the globe, etc.  Some services even block HE ipv6 space as vpn service - since you can tunnel to different regions of the globe to circumvent restrictions.

    "In the (distant) future when isps stop handing out ipv4 addresses, people will still be using vpns for a variety of reasons"
    Nobody is disagreeing with you on this - it's just that the VPN provider has zero need to NAT the ipv6 address they give you. NONE!!!



  • No one is questioning that there are 2^64 addresses available in a /64 prefix. However, shared public addresses are considered a feature, because they further obscure individual users.

    One question, how many addresses are in the shared pool? 1? 10? 100?  The thing about NAT is the server has to actually be configured for the addresses being used and provide the memory and other resources to process NAT.  So, you'd have as many addresses as they provide multiplied by the number of ports available, which is 65536 minus the 1024 well-known ports, or 64512.  So, even if they used 100 separate addresses, you'd have nowhere near as many address/port combinations as simply making a single /64 available to users.
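    The two checks argued over in this thread, JKnott's rule of thumb that a VPN-assigned address starting with 2 is a global address while one starting with fd is a Unique Local Address that will have to be translated, and the address-times-ports pool arithmetic in the post above, as an added Python example that is not from the thread or from any poster. The prefix ranges (2000::/3, fc00::/7, fe80::/10) are the IANA allocations; the 64-byte probe size used for the /64 scan-time estimate is my own assumption, so that figure only needs to land in the same order of magnitude as the 5000 years quoted from RFC 4864:

```python
import ipaddress

# IANA address ranges behind the "starts with 2" / "starts with fd" rules of thumb.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")   # global unicast (2xxx:: and 3xxx::)
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")     # ULA; in practice fd00::/8
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

SLASH64 = 2 ** 64                 # addresses in one /64 (the IPv4 space squared)
USABLE_PORTS = 65536 - 1024       # the per-address port count used in the thread: 64512


def classify(addr: str) -> str:
    """Name the scope of an address as shown by ipconfig/ip, with or without a /prefix."""
    iface = ipaddress.ip_interface(addr)       # accepts "fdda::1" as well as "fdda::1/64"
    if iface.version == 4:
        return "ipv4 private" if iface.ip.is_private else "ipv4 public"
    ip = iface.ip
    if ip in GLOBAL_UNICAST:
        return "global unicast"
    if ip in UNIQUE_LOCAL:
        return "unique local"
    if ip in LINK_LOCAL:
        return "link-local"
    return "other"


def needs_translation(addr: str) -> bool:
    """A ULA or link-local address is not routable on the Internet, so a VPN client that
    only has such an address must be NATed or proxied; a global unicast address can be
    used as-is, which is the point JKnott and johnpoz are making."""
    return classify(addr) not in ("global unicast", "ipv4 public")


def nat_pool_capacity(shared_addresses: int, usable_ports: int = USABLE_PORTS) -> int:
    """Most simultaneous (address, port) mappings a NAT can hand out from a shared pool."""
    return shared_addresses * usable_ports


def slash64_to_pool_ratio(shared_addresses: int) -> int:
    """How many times larger a single /64 is than a NAT pool of that many addresses."""
    return SLASH64 // nat_pool_capacity(shared_addresses)


def scan_years(link_bps: float, probe_bits: int = 64 * 8) -> float:
    """Years needed to send one probe to every address of a /64 at a given line rate.
    Assumes minimum-size 64-byte probes and ignores replies (my assumption, not the RFC's)."""
    probes_per_second = link_bps / probe_bits
    seconds = SLASH64 / probes_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample addresses: documentation prefix, a ULA like the fdda:: one in
    # the thread, a link-local address and an RFC 1918 tunnel address.
    for a in ("2001:db8::1", "fdda::1/64", "fe80::1", "10.8.0.2"):
        print(f"{a:<16} {classify(a):<15} NAT/proxy needed: {needs_translation(a)}")
    print(f"NAT pool of 100 addresses: {nat_pool_capacity(100):,} address/port pairs")
    print(f"A single /64 is {slash64_to_pool_ratio(100):,} times larger")
    print(f"Probing every address of a /64 at 40 Gb/s: about {scan_years(40e9):,.0f} years")
```

    `needs_translation` is the one-line version of the question asked earlier in the thread ("what address range is it in?"): paste the address `ipconfig` or `ip -6 addr` shows on the VPN interface and it tells you whether the provider could have avoided NAT. The pool ratio makes the post's point concrete: even a hundred shared addresses give a few million address/port pairs against the 1.8e19 addresses in one /64.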



  • @awebster:

    … this is a big deal, but not nearly as big a deal for me as it is for a person who lives in a country where there is censorship, such as China or Iran.

    Since you brought this up, I've seen that the great firewall of China does a remarkably good job at blocking VPNs. 
    I said it before, the IP or IPv6 address the user is using is inconsequential to the identification of the user behavior, and subsequently the user.
    In the case of China, it appears that they are using a mechanism by which DNS requests to certain sites resolve to one IP inside China and another outside.  The sites (perhaps gov't run banner ads) could drop unique cookies on the user's machine, or clever javascript trickery, and if the same cookie ID comes back from an outside facing IP within a certain time window, that means that the user has brought up a VPN.  You now can pick off the IP (could be IPv4 or IPv6) and filter it.  If the ISP is state run, well, you know what can happen next.

    So the VPN makes sense for certain use cases that were discussed previously, but if you're in a country where VPN use is controlled, or the government simply wants to keep tabs on what its citizens are doing, privacy addresses, NAT, VPN won't get you anywhere unless you are willing to take all the necessary precautions to evade detection.  Tails might help here, but the great firewall is pretty good at blocking TOR traffic too. YMMV.

    I know people in China who use VPNs to get past / around the "great firewall". I guess this is like the attempts to block pirate bay. Shut down one address and two more replace it.



  • @johnpoz:

    ^ same with Hurricane Electric's IPv6 tunnel.. Which I use because my isp ipv6 deployment is flaky..  While my tunnel runs and runs and runs and I get a /48 to work with.

    "It shows the isp the vpn server is connected to and it shows the location in sweden. If I browse to a website, I see local ads in the swedish language."

    If your goal is circumvention of some geo restrictions then sure use a VPN, that still has zero to do with them NATing the ipv6 address they give you.  I can create tunnels to any of the HE sites all over the globe, etc.  Some services even block HE ipv6 space as vpn service - since you can tunnel to different regions of the globe to circumvent restrictions.

    "In the (distant) future when isps stop handing out ipv4 addresses, people will still be using vpns for a variety of reasons"
    Nobody is disagreeing with you on this - it's just that the VPN provider has zero need to NAT the ipv6 address they give you. NONE!!!

    Honestly, it doesn't matter to me that they have "zero need to NAT" the address. The only thing that matters is that it works. The possibility that they could have implemented the server differently doesn't change that it works.



  • @JKnott:

    No one is questioning that there are 2^64 addresses available in a /64 prefix. However, shared public addresses are considered a feature, because they further obscure individual users.

    One question, how many addresses are in the shared pool? 1? 10? 100?  The thing about NAT is the server has to actually be configured for the addresses being used and provide the memory and other resources to process NAT.  So, you'd have as many addresses as they provide multiplied by the number of ports available, which is 65536 minus the 1024 well known ports or 64512.  So, even if they used 100 separate addresses, you'd have nowhere near as many address/port combinations as simply making a single /64 available to users.

    I don't know with certainty how many addresses there are and to be honest, it doesn't matter to me. Irrespective of how difficult you think it is, they clearly know more about it than you, because their service works (and works well). I can't help but wonder why you're so wound up about this. If you know so much about offering VPN services, why aren't you in business?



  • I don't know with certainty how many addresses there are and to be honest, it doesn't matter to me. Irrespective of how difficult you think it is, they clearly know more about it than you, because their service works (and works well). I can't help but wonder why you're so wound up about this. If you know so much about offering VPN services, why aren't you in business?

    You still haven't explained why NAT provides any advantage over using random global addresses.  As I mentioned, when I used that anonymous connection, I'd be just as anonymous as you'd be with NAT.  On the other hand, I don't have to deal with the issues NAT causes.  In addition, NAT carries a significant performance penalty.

    https://theses.lib.vt.edu/theses/available/etd-10062003-170440/unrestricted/thesis.pdf

    FWIW, I have set up several VPNs for businesses, as well as my own use, and know why NAT is used and why it causes problems.

    I'll state again that reason.  It's a hack whose sole purpose is to get around the IPv4 address shortage.  It has absolutely no place in IPv6, where there is no address shortage.  There is nothing that it can provide, not even privacy, that can't be obtained by other means that don't cause the problems that NAT does. Nothing!!!



  • One other thing, you seem to think the port changing that happens with NAT is a security feature.  How so?  According to RFC6056, source ports are supposed to be random.  So, with NAT, you get an address change and perhaps a source port change.  The destination port never changes.  This means you're trading one random source port number for another random source port number.  How does that improve things?  If someone intercepts traffic from your VPN, they'll see the provider's IP address and a random source port.  Now, if the same thing happens with a global address assigned from the provider's address pool, that someone will see an IP address assigned to the provider and a random source port.  How is that any different from using NAT???

    From: https://tools.ietf.org/html/rfc6056#section-3

    "3.1.  Characteristics of a Good Algorithm for the Obfuscation of the
          Ephemeral Port Selection

    There are several factors to consider when designing an algorithm for
      selecting ephemeral ports, which include:

    o  Minimizing the predictability of the ephemeral port numbers used
          for future transport-protocol instances."

    The above is supposed to happen with every TCP or UDP connection.
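    The two posts above argue from numbers: a NAT pool of N shared addresses exposes at most N times 64512 address/port pairs, and RFC 6056 already makes the source port unpredictable before any NAT touches it. The following is an added example, not code from this thread or from any VPN provider. It implements RFC 6056 Algorithm 3 (the simple hash-based port selection) for a host, a toy source NAT that rewrites the port again, and a small simulation of what a destination observes in both cases. Assumptions of mine: HMAC-SHA256 as the RFC's keyed function F, addresses from the 2001:db8::/32 documentation prefix and a constructed fd00::/8 internal address, and a NAT that draws public ports at random. Note that Algorithm 3 gives consecutive ports for back-to-back connections to the same destination and an unpredictable starting point per destination; the RFC's Algorithm 1 picks each port at random instead.

```python
import hashlib
import hmac
import os
import random

# Ephemeral port range used in the thread's arithmetic: 65536 - 1024 = 64512 ports.
MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def nat_pool_capacity(shared_addresses):
    """Distinct (address, port) pairs a NAPT pool of N shared addresses can expose."""
    return shared_addresses * NUM_EPHEMERAL


def rfc6056_offset(local_ip, remote_ip, remote_port, secret_key):
    """F() from RFC 6056: a keyed hash over the connection endpoints.
    HMAC-SHA256 is an assumption; the RFC only requires a keyed, unpredictable F."""
    msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class EphemeralPortSelector:
    """RFC 6056 Algorithm 3 (simple hash-based port selection), one instance per host."""

    def __init__(self, secret_key=None, start=None):
        self.secret_key = secret_key if secret_key is not None else os.urandom(16)
        # The RFC initialises next_ephemeral at boot; a random start is permitted.
        self.next_ephemeral = start if start is not None else random.randrange(NUM_EPHEMERAL)
        self.in_use = set()  # (remote_ip, remote_port, local_port) triples currently bound

    def select(self, local_ip, remote_ip, remote_port):
        offset = rfc6056_offset(local_ip, remote_ip, remote_port, self.secret_key)
        count = NUM_EPHEMERAL
        while count > 0:
            port = MIN_EPHEMERAL + (self.next_ephemeral + offset) % NUM_EPHEMERAL
            self.next_ephemeral += 1
            if (remote_ip, remote_port, port) not in self.in_use:  # check_suitable_port()
                self.in_use.add((remote_ip, remote_port, port))
                return port
            count -= 1
        raise RuntimeError("ephemeral port range exhausted for this destination")


class ToyNapt:
    """Minimal source NAT: maps each internal 4-tuple to (public_ip, fresh random port)."""

    def __init__(self, public_ip, seed=None):
        self.public_ip = public_ip
        self.rng = random.Random(seed)
        self.table = {}   # internal 4-tuple -> public port
        self.used = set()  # (remote_ip, remote_port, public_port) already handed out

    def translate(self, internal_ip, internal_port, remote_ip, remote_port):
        key = (internal_ip, internal_port, remote_ip, remote_port)
        if key not in self.table:
            while True:
                public_port = self.rng.randrange(MIN_EPHEMERAL, MAX_EPHEMERAL + 1)
                if (remote_ip, remote_port, public_port) not in self.used:
                    break
            self.used.add((remote_ip, remote_port, public_port))
            self.table[key] = public_port
        return self.public_ip, self.table[key]


def simulate(n_conns, remote_ip="2001:db8:ffff::443", remote_port=443):
    """Open n connections to one destination and return what the destination observes
    (a) from a host with a provider-assigned global address, (b) from a host behind a
    shared NAT address.  All addresses are constructed documentation values."""
    global_host = EphemeralPortSelector()
    natted_host = EphemeralPortSelector()
    napt = ToyNapt(public_ip="2001:db8:1::1")
    without_nat, with_nat = [], []
    for _ in range(n_conns):
        sport = global_host.select("2001:db8:2::10", remote_ip, remote_port)
        without_nat.append(("2001:db8:2::10", sport))
        isport = natted_host.select("fd00::10", remote_ip, remote_port)
        with_nat.append(napt.translate("fd00::10", isport, remote_ip, remote_port))
    return without_nat, with_nat


def ports_are_distinct_ephemeral(observed):
    """True if every observed port is in the ephemeral range and none repeats:
    the destination sees one fresh ephemeral port per connection either way."""
    ports = [p for _, p in observed]
    return all(MIN_EPHEMERAL <= p <= MAX_EPHEMERAL for p in ports) and len(set(ports)) == len(ports)


if __name__ == "__main__":
    plain, natted = simulate(5)
    print("global address:", plain)
    print("shared NAT address:", natted)
    print("100 shared addresses give", nat_pool_capacity(100), "pairs; one /64 has", 2 ** 64)
```

    Run it and compare the two lists: in both cases the destination sees one provider-owned address and an ephemeral port it cannot predict; the NAT only swaps one such port for another. The capacity line shows the other point: even a pool of 100 shared addresses tops out at 6,451,200 address/port pairs, against 2^64 addresses in a single /64.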


  • LAYER 8 Global Moderator

    ^ and ^^ well said @JKnott

    I too have set up many a vpn solution, but only in the enterprise not for any "vpn" providers.  Most of these so called vpn services are hacks on the bandwagon to make a quick buck off the hype that is I need a vpn to hide my IP..  Most of the users of all of these vpn solutions have zero valid reasons to be using them other than their buddy is using one and they wanted to jump on the vpn bandwagon.  Or they want to circumvent some geo restrictions to watch some streaming service that is not available in their region.

    I wouldn't be surprised if many of them are selling user data to the highest bidder and or all bidders ;)

    I don't think anyone is getting worked up.  I am sure we are all happy you're happy with your vpn provider..

    And sorry but you have not shown anything to back up your statement that NAT is needed for a vpn other than that is the way your vpn provider has done it - and it works.  Doesn't make it a valid reason.  Doesn't make your vpn provider smarter since they did it that way that is for damn sure..



  • @JKnott:

    I don't know with certainty how many addresses there are and to be honest, it doesn't matter to me. Irrespective of how difficult you think it is, they clearly know more about it than you, because their service works (and works well). I can't help but wonder why you're so wound up about this. If you know so much about offering VPN services, why aren't you in business?

    You still haven't explained why NAT provides any advantage over using random global addresses.  As I mentioned, when I used that anonymous connection, I'd be just as anonymous as you'd be with NAT.  On the other hand, I don't have to deal with the issues NAT causes.  In addition, NAT carries a significant performance penalty.

    https://theses.lib.vt.edu/theses/available/etd-10062003-170440/unrestricted/thesis.pdf

    FWIW, I have set up several VPNs for businesses, as well as my own use, and know why NAT is used and why it causes problems.

    I'll state again that reason.  It's a hack whose sole purpose is to get around the IPv4 address shortage.  It has absolutely no place in IPv6, where there is no address shortage.  There is nothing that it can provide, not even privacy, that can't be obtained by other means that don't cause the problems that NAT does. Nothing!!!

    I'm not a proponent or opponent of NAT. I am saying, however, that your claim it doesn't work is bogus. My vpn works. I can max out my connection with it. It makes no difference how it was implemented, as long as it works.

    I also dispute your claim that a privacy address serves the same purpose as a vpn. That is completely false and as someone who has set up a vpn you're being disingenuous to claim it serves the same purpose as a vpn.



  • @JKnott:

    One other thing, you seem to think the port changing that happens with NAT is a security feature.  How so?  According to RFC6056, source ports are supposed to be random.  So, with NAT, you get an address change and perhaps a source port change.  The destination port never changes.  This means you're trading one random source port number for another random source port number.  How does that improve things?  If someone intercepts traffic from your VPN, they'll see the provider's IP address and a random source port.  Now, if the same thing happens with a global address assigned from the provider's address pool, that someone will see an IP address assigned to the provider and a random source port.  How is that any different from using NAT???

    From: https://tools.ietf.org/html/rfc6056#section-3

    "3.1.  Characteristics of a Good Algorithm for the Obfuscation of the
          Ephemeral Port Selection

    There are several factors to consider when designing an algorithm for
      selecting ephemeral ports, which include:

    o  Minimizing the predictability of the ephemeral port numbers used
          for future transport-protocol instances."

    The above is supposed to happen with every TCP or UDP connection.

    You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.



  • You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.

    And you seem to be missing what I and John have said several times.  A VPN provider can provide an IPv6 address from a huge pool.  There is nothing to tie a user to that any more than there is through NAT.  In my example, I mentioned an anonymous connection with a random IPv6 address, possibly from other parts of the world.  How is that different from what you get with NAT?  That address is simply not tied to you.  I am not talking about a privacy address, which would contain a person's prefix.  I am talking about an address, owned by the VPN provider, made available to you.  Next time you connect, you get a completely different address, again not tied in any way to you.  Isn't that what you're looking for???

    Perhaps you should wonder why 3 people here are strongly disagreeing with you.  Might it be that you're flat out wrong and don't realize it?  I haven't heard anyone agree with you.  Why is that???



  • @johnpoz:

    ^ and ^^ well said @JKnott

    I too have set up many a vpn solution, but only in the enterprise not for any "vpn" providers.  Most of these so called vpn services are hacks on the bandwagon to make a quick buck off the hype that is I need a vpn to hide my IP..  Most of the users of all of these vpn solutions have zero valid reasons to be using them other than their buddy is using one and they wanted to jump on the vpn bandwagon.  Or they want to circumvent some geo restrictions to watch some streaming service that is not available in their region.

    I wouldn't be surprised if many of them are selling user data to the highest bidder and or all bidders ;)

    I don't think anyone is getting worked up.  I am sure we are all happy you're happy with your vpn provider..

    And sorry but you have not shown anything to back up your statement that NAT is needed for a vpn other than that is the way your vpn provider has done it - and it works.  Doesn't make it a valid reason.  Doesn't make your vpn provider smarter since they did it that way that is for damn sure..

    This is epic trolling, even for you.



  • @JKnott:

    You're putting words into my mouth. Where did I say that "the port changing that happens with NAT is a security feature"? All I have said all along is that using an isp-provided prefix is not private, irrespective of whether the address is a "privacy address". My vpn service provider chose to use a shared NAT address. You cannot argue that is not more private than a "privacy address" allocated using an isp-provided prefix and it also addresses the geolocation issue. You don't like that my vpn service provider uses NAT. I get that, but I really truly don't care. It doesn't matter to me that you don't like this or whether you think not using NAT is better.

    And you seem to be missing what I and John have said several times.  A VPN provider can provide an IPv6 address from a huge pool.  There is nothing to tie a user to that any more than there is through NAT.  In my example, I mentioned an anonymous connection with a random IPv6 address, possibly from other parts of the world.  How is that different from what you get with NAT?  That address is simply not tied to you.  I am not talking about a privacy address, which would contain a person's prefix.  I am talking about an address, owned by the VPN provider, made available to you.  Next time you connect, you get a completely different address, again not tied in any way to you.  Isn't that what you're looking for???

    Perhaps you should wonder why 3 people here are strongly disagreeing with you.  Might it be that you're flat out wrong and don't realize it?  I haven't heard anyone agree with you.  Why is that???

    How is it that you are so determined to bludgeon me with your opinion that you can't or won't read what I've said numerous times? I have never once said that the implementation my vpn service provider chose is the only way or the "right way", as if there is such a thing, to implement a vpn. I could not care less that you don't like how my vpn service provider implemented their network. It works FFS. Get over it.



  • I have never once said that the implementation my vpn service provider chose is the only way or the "right way", as if there is such a thing, to implement a vpn.

    Ummm…  Who was it who said?

    If you don't NAT ipv4 and ipv6, you don't have privacy.

    Or

    It would completely defeat the purpose of using a VPN to not "NAT" both the ipv4 and ipv6 addresses. Some day, when people no longer use ipv4, there will still be VPNs and they will still NAT the ipv6 address, otherwise, what's the point?

    Or

    There's no way to share public addresses without translating the individual private addresses to the shared public address.


  • LAYER 8 Global Moderator

    "This is epic trolling, even for you."

    Even for me?  Wow.. You do understand you started this whole thing. JKnott posted an RFC for some info and you, I assume in your complete understanding of ipv6 and how vpn services work, disagree with that RFC??  Did you even read it?  I guess that is a no from your comments.

    You understand it's a Request for Comments, the authors' addresses are listed - if you disagree with them, why don't you contact them directly and point out to them how NAT is still needed for vpns ;)

    "It works FFS. Get over it."

    Which has ZERO to do with the info that was posted - who is trolling?

