[ipv6hackers] Dynamic prefixes & privacy (was: IPv6 prefix changing)

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Wed Mar 21 19:19:27 CET 2012


<rant alert>
All this talk about depending on changing IPv4 assignments for privacy,
the 'NAT is security' mantra reminds me of Stockholm Syndrome. We've
been buried so long under these hacks that we accept them as if they
were good things.

Just as NAT is *not* a security tool, the periodic change of IPv4
assignments is *not a privacy tool*. This stupid hack started as an
artificial way of segmenting the broadband market into 'residential' and
'corporate' customers.

The idea (and I clearly remember vendor presentations expressing just
this and my clueless bosses at the time nodding with smiles on their
faces) was that in order to avoid cheap DSL carving into your profitable
Frame Relay/ATM services you had to somehow make it very hard for people
to host servers in their DSL services.

Fast forward 12 years, what we have now in my country is that FR/ATM
basically have ceased to exist and the low-end, SOHO market just hosts
their servers in the Amazon cloud or in just $2/mo El Cheapo hosting.
The hack accomplished nothing but giving us a harder-to-use,
more failure-prone network.

</rant alert>

C.

On 3/21/12 3:04 PM, Owen DeLong wrote:
> Not true.
>
> Your public IP address is not obfuscated today and is akin to not changing (or at least not rapidly changing) prefixes in IPv6.
>
> If you are counting on your public IPv4 address changing for privacy today, you are either suffering from a degraded network experience (most likely at the hands of a German ISP), or, you are deluding yourself.
>
> Having a dynamic (though rarely changing) IPv6 prefix with PEA would provide roughly the same privacy as IPv4 today, which is nearly none.
>
> Owen
>
> On Mar 21, 2012, at 10:48 AM, S.P.Zeidler wrote:
>
>> Thus wrote Owen DeLong (owend at he.net):
>>
>>> I'm not sure how PE helps to resolve this at the prefix level.
>> It's not meant to. But if your goal is privacy, all change-my-prefix
>> actions are pointless if you are using a fixed, worldwide-unique local
>> part through all prefix changes.
>>
>> For privacy at the address level, neither prefix changes alone
>> nor PE alone is sufficient, you must use both to get the same level
>> of mild obfuscation as you are getting from changing addresses
>> in IPv4 now.
>>
>> regards,
>> 	spz
>> -- 
>> spz at serpens.de (S.P.Zeidler)
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
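
The point in the quoted exchange, that a fixed interface identifier survives every prefix change, can be checked against a host's own address history. The following is an added example, not part of the original thread; the addresses are constructed from the 2001:db8::/32 documentation prefix and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed sightings of two hosts across three prefix changes
# (2001:db8::/32 is the documentation prefix; all values are made up).
OBSERVATIONS = [
    ("day1", "2001:db8:a:1:211:22ff:fe33:4455"),   # host A, fixed IID
    ("day1", "2001:db8:a:1:3c5a:91e2:7b04:d6f1"),  # host B, temporary IID
    ("day2", "2001:db8:b:7:211:22ff:fe33:4455"),
    ("day2", "2001:db8:b:7:9e01:44ab:c370:1f28"),
    ("day3", "2001:db8:c:3:211:22ff:fe33:4455"),
    ("day3", "2001:db8:c:3:58d2:0be7:a916:62c4"),
]

def interface_id(addr):
    """Low 64 bits of an IPv6 address (the 'local part' in the thread)."""
    return int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF

def eui64_mac(iid):
    """MAC address a modified EUI-64 interface ID was built from, else None."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe in the middle
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]  # undo the flipped U/L bit
    return ":".join(f"{x:02x}" for x in mac)

def linkable_hosts(observations):
    """Map each interface ID seen under more than one /64 to its prefix count."""
    prefixes = defaultdict(set)
    for _when, addr in observations:
        prefix = int(ipaddress.IPv6Address(addr)) >> 64
        prefixes[interface_id(addr)].add(prefix)
    return {iid: len(p) for iid, p in prefixes.items() if len(p) > 1}

if __name__ == "__main__":
    for iid, count in linkable_hosts(OBSERVATIONS).items():
        print(f"IID {iid:016x} seen under {count} prefixes, "
              f"MAC: {eui64_mac(iid)}")
```

Host A stays linkable across all three prefixes and even discloses its hardware address, while host B's temporary identifiers never repeat.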
