[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)

Owen DeLong owend at he.net
Fri Mar 16 12:20:23 CET 2012


On Mar 16, 2012, at 1:06 AM, Alex List wrote:

> Hi,
> 
>> Not exactly, but yes. IPv6 privacy extensions alone would be sufficient to
>> make IP based tracking a lot harder and too inaccurate for the marketing
>> company.
> 
> Due to the /64 bits left I don't agree, but from the discussion so far
> I understand that:
> 
> - there is indeed no point in using dynamic prefixes for privacy if
> they were deterministic
> - random prefix assignments scare many people
> 
> But wait, aren't ULA prefixes random? If CGNs were here to stay[1],
> why couldn't they provide a "network layer privacy" [2] service? If
> they claim to be so good at NATPT44, NPTv6 should be a piece of cake.
> 

ULA prefixes can't talk to the global internet. If you don't want to talk to
the global internet and have packets routed back to you, you can be as
anonymous as you want. If you want the rest of the world to be able to
answer when you send them a packet, then there has to be a way for
them to get the answers back to you. Kind of reduces the probability
of useful anonymity short of using an anonymizing proxy or some other
such construct.

Perhaps you should become familiar with the basics of how routing
actually works before pursuing this further.

I wouldn't say that random prefix assignments scare people so much
as those of us who understand how the internet actually works realize
that they aren't really technically viable. (see my reference to having
your phone number randomized).

The difference is that in the phone network, since it is circuit switched,
the routing is all handled as part of the call setup and there is no need
for the remote destination to know the source address because the
destination does not participate at all in the routing decision.

With a packet switched network where each packet of information is
individually routed on a hop-by-hop basis, the story is a bit different.
The remote destination has to be able to place the originator's source
address into reply packet headers in order for them to reach the
originator.

IPv6 privacy extensions prevent one from using someone's MAC
address to track their mobility across different network segments.
They do nothing to anonymize your prefix.

Dynamic prefixes aren't exactly deterministic, but, they are what I would
call long-lived. In most cases to be useful in the routing system, they
need to be sufficiently long-lived that they can't really offer much in
the way of anonymity.

As to your question of "if CGNs are here to stay", well, hopefully they
are very much not here to stay. CGNs are a really bad hack. A worse
hack even than existing IPv4 NAT. They severely limit the utility of
the internet and the applications and innovations that can be
accomplished while they are in place. Hopefully they will be very
temporary in nature and will only apply to IPv4.

One of the biggest benefits of IPv6 is eliminating NAT. Adding it back
in is so antithetical to goodness I can only stare at your last sentence
in dismay and shake my head in disgust.

Owen
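
The distinction drawn in the message above (privacy extensions change the interface identifier, not the /64 prefix), shown as an added example that is not part of the original post. The MAC address and the 2001:db8:: documentation prefixes are constructed, and temporary_iid() is an assumption that stands in for an RFC 4941 temporary identifier by drawing 64 random bits.

```python
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1

def eui64_iid(mac):
    """Modified EUI-64 interface ID built from a MAC address (RFC 4291)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def temporary_iid():
    """Assumption: plain 64 random bits stand in for an RFC 4941 temporary IID."""
    return secrets.randbits(64)

def address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))

def iid_of(addr):
    return int(addr) & IID_MASK

def prefix_of(addr):
    return ipaddress.ip_interface(f"{addr}/64").network

def group_by(addrs, key):
    """Cluster observed source addresses the way a tracking server could."""
    groups = {}
    for a in addrs:
        groups.setdefault(key(a), []).append(a)
    return groups

def demo():
    mac = "00:11:22:33:44:55"                          # constructed sample MAC
    home, cafe = "2001:db8:a::/64", "2001:db8:b::/64"  # documentation prefixes
    # EUI-64: same IID on every network, so the host is trackable as it moves.
    stable = [address(home, eui64_iid(mac)), address(cafe, eui64_iid(mac))]
    # Privacy extensions: fresh IID each time, but the home /64 never changes.
    temp = [address(home, temporary_iid()) for _ in range(3)]
    return {
        "eui64_hosts_by_iid": len(group_by(stable, iid_of)),
        "temp_hosts_by_iid": len(group_by(temp, iid_of)),
        "temp_sites_by_prefix": len(group_by(temp, prefix_of)),
    }

if __name__ == "__main__":
    print(demo())
```

Grouping the temporary addresses by interface ID yields three apparent hosts, while grouping the same addresses by /64 yields a single site.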