
It’s ok to understand something and disagree with it. It’s another to proudly wear ignorance on one’s sleeve. That’s never a good look.

There’s no way in which IPv6 is less private than IPv4. An ISP issues your house an IPv4 address and an IPv6 /48 network. Both of those can be subpoenaed equally. The privacy extensions work as advertised.

And in reality land, the big companies are the ones pushing for the upgrade because they’re the ones hardest hit by IPv4’s inherent limitations and increasing costs. Some rando in Tampa isn’t leading the charge because it doesn’t affect them much either way.





> There’s no way in which IPv6 is less private than IPv4

With IPv4 behind CGNAT you share an address with hundreds of other users. This won't protect you against a targeted subpoena, but tracking companies typically don't have this kind of power, so they have to resort to other fingerprinting options.

On the other hand, an IPv6 address is effectively a unique, and somewhat persistent, tracking ID, 48/56/64-bit long (ISP dependent), concatenated with some random garbage. And of course every advertiser, every tracking company and their dog know which part is random garbage; you are not going to fool anyone by rotating it with privacy extensions.


CGNAT is nowhere near the common case yet. And frankly, I’m horrified that anyone’s describing it as a good thing. CGNAT is the devil, even if it accidentally has one not-terrible feature, and especially when ISPs realize that they can sell those NAT logs to companies who still want to track end users.

For tracking purposes, an IPv6 address is 48 bits long. That’s what identifies a customer premise router, exactly like an IPv4 /32 identifies one. The remaining 80 random bits might as well be treated like longer source port numbers: they identify one particular connection but aren’t persistent and can’t map back to a particular device behind that router afterward.
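The two comments above disagree about how much of an IPv6 address matters for tracking, but they agree on the mechanics: the delegated prefix (/48, /56 or /64 depending on the ISP) identifies the customer site, and the interface identifier below it is what privacy extensions rotate. The following added example (mine, not code from any commenter) makes that split concrete with Python's standard `ipaddress` module. It also includes the check a defender actually wants: whether a host is still using a modified EUI-64 interface ID, which embeds the NIC's MAC and would make the low 64 bits a stable identifier despite what the prefix does. The sample addresses are constructed from the 2001:db8::/32 documentation prefix and the /48 delegation size is an assumption.

```python
import ipaddress

# Constructed sample addresses for illustration; 2001:db8::/32 is the
# RFC 3849 documentation prefix, so none of these belong to a real ISP.
SAMPLE_ADDRESSES = [
    "2001:db8:1234:1:a1b2:c3d4:e5f6:1234",  # random (RFC 4941 style) interface ID
    "2001:db8:1234:7:9f3e:44aa:bc1:77d0",   # same /48 site, different /64 and IID
    "2001:db8:1234:1:211:22ff:fe33:4455",   # EUI-64 IID built from MAC 00:11:22:33:44:55
    "2001:db8:9999:1::1",                   # a different /48, i.e. a different customer
    "198.51.100.7",                         # IPv4 customer: the whole /32 is the identifier
]


def customer_prefix(addr: str, prefix_len: int = 48) -> str:
    """Return the part of an address that identifies the customer site.

    For IPv4 that is the full /32; for IPv6 it is the delegated prefix
    (assumed /48 here; ISPs also hand out /56 or /64). Bits below the
    prefix are what the thread calls the 'random garbage': rotating
    privacy addresses changes them, and tracking by site does not need them.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ipaddress.ip_network(f"{ip}/32"))
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address (the interface identifier)."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def is_eui64(addr: str) -> bool:
    """Heuristic check for a modified EUI-64 interface ID (RFC 4291, Appendix A).

    Such IIDs carry the 0xFFFE filler in bytes 3-4 and embed the NIC's MAC,
    so they stay stable across sessions and networks; a host whose privacy
    extensions are working should not be seen using one for outbound traffic.
    """
    iid = interface_id(addr)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr: str) -> str:
    """Recover the MAC embedded in an EUI-64 IID (undo the U/L bit flip, drop FF:FE)."""
    b = interface_id(addr).to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def group_by_customer(addrs, prefix_len: int = 48) -> dict:
    """Bucket observed addresses by customer prefix: this is what a tracker effectively sees."""
    groups: dict = {}
    for a in addrs:
        groups.setdefault(customer_prefix(a, prefix_len), []).append(a)
    return groups


if __name__ == "__main__":
    for prefix, members in group_by_customer(SAMPLE_ADDRESSES).items():
        print(prefix)
        for m in members:
            flag = ""
            if ":" in m and is_eui64(m):
                flag = "  (EUI-64, MAC %s)" % mac_from_eui64(m)
            print("    " + m + flag)
```

Running it groups the first three addresses under 2001:db8:1234::/48 regardless of how the low bits differ, and flags the third as an EUI-64 address whose MAC can be read straight out of it. Pass `prefix_len=56` or `64` to see how a smaller delegation changes which hosts land in the same bucket.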


>CGNAT is nowhere near the common case yet. And frankly, I’m horrified that anyone’s describing it as a good thing.

For some reason, "CGNAT == privacy" is a very common sentiment on Hacker News. Yeah, Hacker News. It's bewildering, and after my last comment [0] talking about it, I have kinda already given up trying to convince people that CGNAT is devilish and not at all a privacy protector.

[0]: https://news.ycombinator.com/item?id=40180058


It’s right up there with “NAT == security”, which is also disappointing for here. It’s not so much the sentiment, as how confidently it’s asserted.

Without NAT my computer isn't on the internet, because my ISP only affords me one IP which my router uses. If it's not on the internet, an adversary can't send my computer any packets.

With NAT, an adversary can't send my computer any packets either unless I explicitly set up port mappings.

So, if you can't send my computer any packets, how is it not providing security?

Of course, it doesn't provide full security like a firewall can do, since there's ways to punch holes in the NAT from the inside. But it seems just as incorrect to fully dismiss "NAT == security".

NAT provides some functional security. It is not a replacement for a proper firewall.
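The comment above describes three behaviours of a home NAT: unsolicited inbound packets are dropped, return traffic for a connection started from the inside is let back in (the "hole punched from the inside"), and an explicit port mapping exposes one inside service. The following added example (mine, not the commenter's) is a toy port-restricted NAT in Python that reproduces exactly those three cases so the argument can be checked rather than asserted. The addresses are constructed from the RFC 5737 documentation ranges and the `SimpleNat` class is an illustrative model, not a real implementation.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SimpleNat:
    """Toy port-restricted NAT with one public address (illustrative model).

    Outbound packets create a translation entry; inbound packets are only
    delivered if they match an entry (a reply to something an inside host
    started) or an explicit port forward. Everything else is dropped, which
    is the incidental 'security' the thread is arguing about.
    """
    public_ip: str
    next_port: int = 40000
    # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # public_port -> (inside_ip, inside_port), i.e. the "explicit port mapping"
    forwards: dict = field(default_factory=dict)

    def add_port_forward(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = key  # the hole punched from the inside
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no inside host asked for this: unsolicited, dropped
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # port-restricted: only the peer that was contacted may answer
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo() -> dict:
    """Walk through the cases the thread argues about; returns each delivered packet or None."""
    nat = SimpleNat(public_ip="203.0.113.5")
    outside, other = "198.51.100.9", "198.51.100.200"
    results = {}
    # 1. Unsolicited inbound packet to port 22: no mapping, so it never reaches a host.
    results["unsolicited"] = nat.inbound(Packet(outside, 5555, nat.public_ip, 22))
    # 2. Inside host opens a connection; the reply from that peer is let back in.
    out = nat.outbound(Packet("192.168.1.10", 51000, outside, 443))
    results["reply"] = nat.inbound(Packet(outside, 443, nat.public_ip, out.src_port))
    # 3. A different outside host reusing that public port is still dropped.
    results["other_host"] = nat.inbound(Packet(other, 443, nat.public_ip, out.src_port))
    # 4. An explicit port forward exposes exactly one inside service.
    nat.add_port_forward(8080, "192.168.1.20", 80)
    results["forwarded"] = nat.inbound(Packet(outside, 1234, nat.public_ip, 8080))
    return results


if __name__ == "__main__":
    for case, pkt in demo().items():
        desc = "dropped" if pkt is None else f"delivered to {pkt.dst_ip}:{pkt.dst_port}"
        print(f"{case:12s} -> {desc}")
```

The drop in case 1 happens only because nothing in the translation table matches; there is no policy behind it, which is why the comment's last line is the right one. Once an inside host creates an entry (case 2), any traffic that fits the entry flows, and a real firewall is where you decide what should be allowed rather than what happens to be mapped.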


My question with all of the lovely IoT devices that rely on that same mechanism is: why would you even care about connection from outside? Shouldn't you also be secure against inside? Trusting on NAT alone is idiotic and foolish. If you want to protect a port do it properly in the first place. No excuses.

> Why would you even care about connection from outside?

Because if those nice IoT devices were reachable from the internet they could be compromised easily due to their likely shitty firmware with backdoors and hardcoded passwords.

> Trusting on NAT alone is idiotic and foolish.

Sure, but that's a far cry from saying NAT provides no security.


When I was on CGNAT, sure I shared an IP address with hundreds of others, but the specific ports I was assigned on that IP were deterministic, and you can be sure the advertising companies were taking advantage of that.

Google aren't subpoenaed

Perhaps this is the difference: some people are concerned with being anonymous from companies like google, amazon, etc. Some don't mind that, as long as they are anonymous from a government.

Your mention of subpoena suggests you don't care about google tracking you.


Google gets subpoenaed all the fucking time. They have whole departments set up to handle the case load.

Some public evidence: https://www.alphabetworkersunion.org/press/google-lays-off-c...


Sorry, I meant to say google aren't subpoenaing.

The people I want to protect my privacy from are google, facebook, amazon; they can't subpoena my IP, but they can track me just fine.


I was directly replying to someone saying they could subpoena the temporal owner of an IPv6 address, as though that were somehow different than IPv4.

The tracking is a moot point. You can be tracked using the same technologies whether you connect through v4 or v6, and neither stack has the advantage there.


IPv6 eliminates the possibility of proxies / VPNs. Being tracked simply by IP becomes non-optional.

This is factually wrong. I have a VPN between my VPC and my house so services can communicate securely without configuring each one separately with TLS.

Wat?

It, um. No, it doesn't do that. You can use proxies and VPNs in v6, and you're about as trackable by IP as you are on v4.


Name one VPN service that supports IPv6. Perhaps the most existential reason IPv6 was invented was to make proxies obsolete.

Either you use address translation or you don't.


VPNs as a technology, gre/ipsec and wireguard. I assume others.

VPNs as a youtube-sold service: Mullvad/mozillavpn for one.

I get an IP of fc00:bbbb:bbbb:bb01::1 and it uses NAT66 to place me in New York despite being in the UK.

  1.|-- fc00:bbbb:bbbb:bb01::1                                                        0.0%    10   78.6  80.2  78.6  82.0   1.2
  2.|-- 2607:9000:a000:34::1                                                          0.0%    10   80.1  80.3  79.3  81.2   0.7
  3.|-- ???                                                                          100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- 2607:f740:70:101::1                                                           0.0%    10   82.2  83.9  79.8 104.3   7.2
  5.|-- 2001:550:2:d::4a:1                                                           90.0%    10   80.1  80.1  80.1  80.1   0.0
  6.|-- be3448.agr22.jfk02.atlas.cogentco.com (2001:550:0:1000::9a36:1a9)            60.0%    10   80.4  81.0  79.2  82.9   1.5
and on

Proton VPN?

And no, proxies were either never obsoleted or they were obsoleted by routing. Nothing to do with v6.
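The mtr report in the comment above is itself the evidence for the claim: the first hop is a unique local address (fc00::/7), which is not routable on the internet, and the following hops are ordinary global addresses, so the gateway has to be translating (NAT66) or tunnelling. The following added example (mine, not the commenter's) parses that report and applies that check, so the same reasoning can be run over any mtr output when auditing whether a VPN client really carries v6 traffic or leaks it. The report text is taken from the comment above and embedded as sample input; the `looks_like_nat66` heuristic and the column layout assumed by the regex are my own assumptions about mtr's report mode.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The mtr report quoted in the comment above, embedded here as sample input.
MTR_REPORT = """\
  1.|-- fc00:bbbb:bbbb:bb01::1                                  0.0%    10   78.6  80.2  78.6  82.0   1.2
  2.|-- 2607:9000:a000:34::1                                    0.0%    10   80.1  80.3  79.3  81.2   0.7
  3.|-- ???                                                    100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- 2607:f740:70:101::1                                     0.0%    10   82.2  83.9  79.8 104.3   7.2
  5.|-- 2001:550:2:d::4a:1                                     90.0%    10   80.1  80.1  80.1  80.1   0.0
  6.|-- be3448.agr22.jfk02.atlas.cogentco.com (2001:550:0:1000::9a36:1a9)      60.0%    10   80.4  81.0  79.2  82.9   1.5
"""

# One mtr report line: "N.|-- host [(addr)] loss% snt last avg best wrst stdev".
# Assumed layout based on the lines above; mtr's exact columns depend on its options.
HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\.\|--\s+(?P<host>\S+)(?:\s+\((?P<addr>[^)]+)\))?"
    r"\s+(?P<loss>[\d.]+)%?\s+(?P<snt>\d+)\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)"
)

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


@dataclass
class Hop:
    number: int
    host: str
    address: Optional[str]
    loss_pct: float
    avg_ms: float

    @property
    def kind(self) -> str:
        """'ula' (not internet-routable, so translation or a tunnel must follow),
        'global' (an ordinary internet address) or 'unknown' (mtr printed ???)."""
        if self.address is None:
            return "unknown"
        ip = ipaddress.ip_address(self.address)
        if ip.version == 6 and ip in ULA:
            return "ula"
        return "global"


def parse_mtr(report: str) -> List[Hop]:
    """Parse mtr report-mode output into Hop records; non-matching lines are skipped."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        host, addr = m.group("host"), m.group("addr")
        if addr is None and host != "???":
            addr = host  # mtr printed a bare address because there was no reverse DNS
        hops.append(Hop(int(m.group("n")), host, addr,
                        float(m.group("loss")), float(m.group("avg"))))
    return hops


def looks_like_nat66(hops: List[Hop]) -> bool:
    """Heuristic: the path starts inside a ULA and then reaches global addresses,
    which is only possible if the gateway translates (NAT66) or encapsulates."""
    kinds = [h.kind for h in hops]
    return bool(kinds) and kinds[0] == "ula" and "global" in kinds[1:]


if __name__ == "__main__":
    hops = parse_mtr(MTR_REPORT)
    for h in hops:
        print(f"{h.number:2d}  {h.kind:8s}  {h.address or '???':32s}  loss {h.loss_pct:5.1f}%  avg {h.avg_ms:5.1f} ms")
    print("NAT66 or tunnel in front of the path:", looks_like_nat66(hops))
```

For the report above this prints hop 1 as `ula` and hops 2, 4, 5 and 6 as `global`, with hop 3 unknown, and the final line is `True`. A trace from a client that is leaking v6 around its VPN would instead start at the ISP's global prefix, which is the condition the Proton article linked further down is about.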


My bar for "support" is higher than "linux only and you need IPv4 to initialize".

https://protonvpn.com/support/prevent-ipv6-vpn-leaks


That's a valid criticism of Proton VPN, but if it works even just on Linux it's sufficient to demonstrate that v6 doesn't eliminate the possibility of VPNs.


