
Surprising Privacy Dangers of IPv6! - Rob Braxman Tech
Date: 2022-03-20
Comments and reviews: 10
feldim2425
I don't think IPv6 is that dangerous, since IPv4 NAT is just a backwards solution to fix the problem of too few addresses, so when you use the Internet for a long time, there was certainly a point where IPv4 had the same privacy issues. There are privacy concerns to consider when using IPv6, but many users only rely on NAT, which also doesn't give you perfect privacy.
If you are only one person, your household NAT doesn't give you much privacy, as there is one address that only belongs to you. Yes, there is CGNAT, but that doesn't stop your ISP from spying. Also, the phone's Bluetooth is not part of the IP network and has no IP address, at least not one that has anything to do with the Internet. Your cell phone connection has an IP address separate from the NAT, as it is not connected to your router; it is part of some routing/CGNAT infrastructure of the cell phone carrier, so the carrier can still see the IP of the cell connection since it is not part of the NAT on your router, and your carrier can use the signal to track you, which is more precise than IPv6. The carrier/ISP has to assign the prefix, so they have to know where you are beforehand, which is easily done since the DSL/fiber connection is registered and the antenna towers for mobile connections can provide the required location data. The concern here is more that providers outside your ISP can now also track the location, but that depends on the ISP. Stateless addresses are usually only used for link-local or local unicast addresses, where global routable addresses are generated using Neighbor Discovery or DHCPv6.
If they give you the router (the ISP) and you don't trust them, then IPv6 is NOT the problem. They have made the router, they configured it, and they can also put a backdoor or service port on the router, so even IPv4 will not protect you, as they can simply just install a port forward by remotely accessing your router, which typically can see all devices that are connected even if they never sent a packet outside your network, which would be a requirement on IPv6 for the ISP to see a device.
James
It sounds like someone isn't competent or is trying to push a product that doesn't support IPv6. Devices that are IPv4 only are not affected by having IPv6 available. IPv4 hasn't been adequate for many years, due to the address shortage. As a result, many people are stuck behind carrier grade NAT, which means they cannot access their own network from elsewhere. Also, NAT breaks some protocols. This is why it's necessary to use STUN for VoIP and some games. It also breaks IPSec Authentication Headers, which reduces security. As for the "automatic firewall", firewalls by default block everything and you have to open what you need. As for each device having a routable address, yes, that is true. However, with SLAAC, you get one consistent address, which you'd use for incoming connections, and random number based "privacy" addresses, which change every day, for outgoing. Further, you have at least a /64 prefix, which contains 2^64 addresses, which means that port scanning, a common attack with IPv4, is simply not feasible with IPv6. As for an ISP knowing who's doing something they shouldn't, while they may not be able to tie an address to a specific device, they can tie a prefix to a customer, just as they would with the single IPv4 address. Also, the MAC address is only used if enabled in the consistent address. Very often a random number is used, even for the consistent address. The MAC is never used in the privacy addresses. Further, even with IPv4, your general location is still more or less available. Certainly your ISP is identified.
In short, this video is based largely on ignorance.
revravenli
There are so many misconceptions about IPv6 (and networking in general) in this video for someone who supposedly builds router software.
Even the cheapest consumer-grade routers (regardless of whether they have IPv6 enabled) have a built-in firewall to block incoming connections. NAT is not responsible for this functionality in a home router. NAT is NOT firewalling!
NAT64 is a transition technology meant for ISPs and enterprises (those with publicly accessible resources) to migrate to IPv6 while continuing to support IPv4. In essence, NAT64 translates a publicly routable IPv6 address to a public IPv4 and vice versa. It is not meant to translate private IPs to a public IP as you are implying. There is no reasonable use case to implement it on a consumer router.
Man-in-the-middle attacks are just as possible on IPv4 as on IPv6. One of the many solutions is encryption. IPv6, unlike IPv4, natively supports IPSec to mitigate this risk.
There are several issues with IPv6 as it is today and I really enjoy your videos but I think you missed the ball on this one.
Fyodor
I recently tried to configure port forwarding on a router to one of my devices, and was surprised that the router only had an IPv6 address.
I can confirm that MAC addresses were used to generate the IPv6 addresses of local devices.
However, I actually couldn't make the device/port available from the outside Internet (v6). The firewall blocks all traffic by default, and it probably was buggy, I couldn't enable it at all -- I created an ALLOW ALL rule and it didn't even work. The most I could achieve was that traceroute6 could reach the device, but even ping6 didn't work, not even talking of TCP. (I actually needed the port available over IPv4, so I just played with it, but didn't bring this up with ISP support.)
Russellm
I was checking out my Spectrum internet account and it showed each device that's been connected to my WiFi and supposedly I can block any of them from the website.
But watching this video made me realize that yes, not only do they have your router or home internet address but each device hooked to it.
I also started checking out Google account settings too and see they have each device I've logged on with also.
I think I'd seen somewhere on my Spectrum account that the router is IPv6.
So if I had just an IPv4 modem/router then would all these devices not be known to Spectrum? How about Google?
Thank you Rob and God bless you and your family.
Dan
Lots of well-intentioned but misinformed information here based on out-of-date thought processes.
The biggest one is that NAT IS NOT A FIREWALL and shouldn't be used as such. NAT creates many issues with the advanced networking tasks many home users are trying to accomplish. For example, NAT can interfere with the end-to-end communication needed for video conferencing or even just trying to run more than one gaming console simultaneously.
Given that many ISPs are implementing CG-NAT (Carrier Grade NAT) and not giving a true routable IPv4 address, NOW is the time to be embracing IPv6 in the home environment.
paulshankster
OK, let's talk about device fingerprinting: The auto-assigned IPv6 address that uses the MAC address (7th bit flipped) begins with FE80 and is NOT routable - much like the 192 / 172 / 10 prefixes on IPv4. It is only used on the local network. On the other hand, smartphones on cellular data connections almost always use public IPv6 addresses (like 2001) yet are still secure. The problems you mention are problems of implementation, not protocol. Any potential problem with IPv6 is also a potential problem with IPv4. However, IPv6 actually solves several problems which required workarounds on IPv4.
Efron
Is IPv6 good on an APN for phone? I'm having trouble with my data: when I go to my house it completely turns off and I lose data, and sometimes when I go outside I have to either put it in airplane mode and then put it back to normal to get data again. Can you please help me with my APN for Metro PCS?
Mike
My problem is that I have a double NAT: my router and a LiteBeam 5AC Gen2.
So the LiteBeam 5AC Gen2 (it's out at the end of the driveway) can't be replaced, due to that's how I get my satellite internet.
I guess I could request my ISP to turn the LiteBeam into bridge mode or DMZ my router.
Adam
This guy is a quack. Most of the crap he said is so far from the truth. (a few things are 100%, but what a useless video)
The reality is IPv6 is the only option as more and more people get on the internet.
You can NAT IPv6, or firewall it.