NAT is broken by design. And CG-NAT can&#x27;t do any kind of port forwarding on the routers. And adding more NAT is just breaking more networks.RFC 4941 is currently old enough to be taking it&#x27;s SAT&#x27;s and preparing itself for college... :)

&gt; A router could auto-block an IPv6 address that&#x27;s been in use too long, with a whitelist for servers.So… I’m not saying you don’t want to do that, but I do want to expand on this a bit:4941 is not the only way to avoid having your MAC address in your IPv6 address. In fact RFC 3972 (from 2005! Almost old enough to buy beer!) describes a method for stable “cryptographic” addresses which enable the host to attest to the address’s authenticity in ND. That’s a really powerful feature because it means that another host can’t impersonate you like they can with ARP on v4. RFC 3972 is what macOS uses for the “non temporary” address (the one ifconfig labels “secured”). One of the things everyone should know about 3972 addresses is that a host will generate different addresses on different prefixes (so you can’t correlate a host moving between networks like you could with a MAC-derived address).It is expected and normal that a host should have at least two “non temporary” addresses: a link local one, plus one generated by 3972 (or DHCPv6 or some other mechanism), in addition to one or more 4941 temporary addresses.One way to block MAC-derived addresses without breaking e2e connectivity is to add a firewall rule blocking addresses with “FFFE” in the middle.

Going further still, forget all the NAT breakage and require all devices to actually use the privacy extensions described in RFC 4941 17 years ago. A router could auto-block an IPv6 address that&#x27;s been in use too long, with a whitelist for servers.There are reasons you might want your desktop to have the same address for a long time. I can&#x27;t think of any reason why I&#x27;d want that for a light bulb.

&gt; I don&#x27;t want any random machines behind my router to be able to open ports to the internet at large.The solution to this is a firewall, not NAT. As has always been.NAT is not a security feature and never has been. The fact that it blocks uninitiated inbound connectivity is an implementation detail, not its purpose.

&gt; I don&#x27;t want any random machines behind my router to be able to open ports to the internet at large.While it&#x27;s hypothetically possible to have NAT without a firewall, I&#x27;ve never personally touched or seen such a thing. I can confidently state that if you have NAT, you also have a firewall. Use it.

NAT is actually less restrictive for inbound connections, because it allows people to connect with just the correct port and not the correct IP+port. Instead of needing to provide the correct 80-bit number to connect, they only need the correct 16-bit number, which is small enough to brute-force.NAT doesn&#x27;t even stop machines opening ports; it&#x27;s your firewall doing that. It&#x27;s not NAT giving you a single point of presence, that&#x27;s your router. It doesn&#x27;t normally restrict outbound connections either, so what&#x27;s the point? All it&#x27;s doing is presenting your servers in a way that makes them easier to find.NAT doesn&#x27;t do any of the things you&#x27;ve claimed to need it for.

Since every IPv6 discussion on HN has to repeat this misunderstanding, I&#x27;ll just link to what I posted last time: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39997078">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39997078</a>

&gt; NAT and hide all these devices behind a single external IP.If&#x2F;when I&#x27;m forced to shift my LAN to IPv6, this is the approach I&#x27;ll take. I don&#x27;t want any random machines behind my router to be able to open ports to the internet at large. I want a single point of presence that handles that and forwards to whichever machine I want to handle that traffic.For those who are excited about IPv6, I hear you and your use cases are legit. I just don&#x27;t share them and want the most restrictive network setup that I can tolerate.

&gt;Quick solution would be DHCPv6 so they don&#x27;t have a choice in what address they use.Android doesn&#x27;t support DHCPv6.<a href="https:&#x2F;&#x2F;issuetracker.google.com&#x2F;issues&#x2F;36949085" rel="nofollow">https:&#x2F;&#x2F;issuetracker.google.com&#x2F;issues&#x2F;36949085</a>

&gt; Put it on an isolated VLAN with no Internet connectivity.It&#x27;s hardly an Internet of Things if your Things aren&#x27;t connected to the Internet :p

I think the real question is &quot;what the hell IoT is doing on a globally-routable network?&quot; Put it on an isolated VLAN with no Internet connectivity. Or a minimal connectivity only to what&#x27;s absolutely necessary (e.g. I haven&#x27;t seen IoT devices that need inbound connections, so drop any inbound packets unless conntrack says otherwise). There there will be probably no need for weird NAT66 contraptions or anything like that - just old good plain drop-by-default firewall.But then, the article is about consumer tech, and most consumers aren&#x27;t gonna set up any VLANs, firewalls or complex NAT systems, they don&#x27;t know anything about those. They got one single flat WiFi network and that&#x27;s about it. So, I guess, all the technical suggestions here are not really relevant.

I just use ipv4 in my network.it&#x27;s my personal network (and my personal opinion&#x2F;solution).I turn off ipv6. I don&#x27;t want to maintain two sets of firewall rules, or have some weird routing problem that lets packets in or out.I add this to my linux kernel command line:<pre><code> ipv6.disable=1 ipv6.ipv6_disable=1
</code></pre>
sometimes in &#x2F;etc&#x2F;sysctl.d&#x2F;00-nov6.conf:<pre><code> net.ipv6.conf.all.disable_ipv6=1
 net.ipv6.conf.default.disable_ipv6=1
</code></pre>
in macos I do:<pre><code> networksetup -setv6off &#x27;Ethernet 1&#x27; (or whatever network interface)
</code></pre>
helps me be more organized.

Nothing is preventing you from doing NAT in IPv6. There is the Unique Local Address[0] range which is analogous to the RFC-1918 addresses from IPv4. That being said, there are very few reasons to do this in IPv6 (the only that comes to my mind is running virtual machines on a laptop connected via wifi).[0] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Unique_local_address" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Unique_local_address</a>

You can easily enable IPv6 masquerading on openwrt and linux in general:<a href="https:&#x2F;&#x2F;openwrt.org&#x2F;docs&#x2F;guide-user&#x2F;network&#x2F;ipv6&#x2F;ipv6.nat6" rel="nofollow">https:&#x2F;&#x2F;openwrt.org&#x2F;docs&#x2F;guide-user&#x2F;network&#x2F;ipv6&#x2F;ipv6.nat6</a>This has been available for a long time.You can also do static NAT and anything that you were used to on IPv4.

I&#x27;m wondering what are you referring to when you mention NAT in the context of IPv6. I thought there is no widely adopted implementation.

&gt; Going even further, NATYup, and having lost any and all reasons to use IPv6, go back to what has already been working just fine: IPv4

What this says is IOT devices leak their MAC within their IPv6 address.Quick solution would be DHCPv6 so they don&#x27;t have a choice in what address they use.Going further, NAT and hide all these devices behind a single external IP.Going even further, NAT the whole network by default and only give global addresses to endpoints that need it (local servers and such)

&gt; I haven&#x27;t gone to IPv6 at home because working with an IPv6 string is so much harder.Setup DNS, configure something mdns based like Avahi, or use the hosts file.&gt; I can&#x27;t always copy&#x27;n&#x27;paste addresses. I often shout&#x2F;phone an address to someone else to type in.This is weird and not a normal need on a well-run network, or if you have the above working.

Everytime IPv6 comes up there&#x27;s back and forth on NAT vs firewall etc etc.That&#x27;s easy. IPv6 has more flexibility. You do what you want and leave everyone else to do what they want. Networking stuff will break sure, but hasn&#x27;t it always...I haven&#x27;t gone to IPv6 at home because working with an IPv6 string is so much harder.I can&#x27;t always copy&#x27;n&#x27;paste addresses. I often shout&#x2F;phone an address to someone else to type in. And talking to 3rd parties (ISP , anyone controlling outside WAN) etc IPv4 is a known quantity.It&#x27;s that chicken vs egg problem. I don&#x27;t want to touch IPv6 at home until other admins have figured out how to make this easy.

I&#x27;m a little confused why you would need NPT to resolve this? Why not just create a separate local prefix for your local networking needs? Unless you mean something else by &quot;breaks routing&quot;?

My ISP assign changes the IPv4 &#x2F;32 and IPv6 prefix every PPPoE authentication. This is so annoying and breaks routing every couple days or so that I ended up running NPT (NAT for IPv6) and using a ULA block for my LAN.I&#x27;ve seen reports saying you can request a specific prefix as hints to Prefix Delegation and it keeps it mostly static but it is not guaranteed.

&gt; this seems to imply that ISP rotating ipv6 prefix is &quot;obvious&quot;, but uh. Really?Please no. That would mean constantly having to check PD and updating DNS, wireguard endpoints, etc. accordingly.

ISPs charging extra for a static IP seem to rotate IPv6 prefixes. It&#x27;s just a scam to squeeze a little bit of extra money out of their customers.

So uh, this seems to imply that ISP rotating ipv6 prefix is &quot;obvious&quot;, but uh. Really? I don&#x27;t think I&#x27;ve ever seen this implemented willingly (many have dynamic allocation, but it&#x27;s changing so slowly that it looks more like a bug than a feature). Does some people have other experience?I was wondering what kind of IoT could be widespread enough to pose a significant problem or if it was rather statistical, but they mention TVs. And uh yeah, TVs during their lifetime discuss with a huge range of providers, so this indeed broadcasts toThe privacy handling of the article writing isn&#x27;t great imo. Only an ISP should have access to those data, not external researchers. I even fail to see how it can be GPDR compliant. That being said, operators won&#x27;t spontaneously write those articles, so well, this one is usefl.Overall this is an interesting article. I think ISPs doing prefix rotations can easily detect devices and warn the user and&#x2F;or isolate the bad device (through symmetric NAT for instance -- I think this is an okay compromise, it&#x27;s not a horrible hack), which this article shines light on. Cool.

While I had an &quot;ST412 reference&quot; on my bingo card yesterday morning, sadly I do not have it today. Opportunity lost.

&gt; And by that analogy, the previous BIOS version was released in 1981, and modern networking is hamstrung by its design which assumed &quot;4 billion addresses ought to be enough for anybody&quot; and that it needed to be manageable by an 8-bit OS with 64KB of RAM.I&#x27;m not sure if it makes the analogy better or worse, but this is what happened; BIOS was born in ~1981 (I think), had severe shortcomings that were partially mitigated over time but you can only mitigate so much, UEFI is a better replacement, BIOS-&gt;UEFI was a somewhat rocky migration, that migration was made worse by extra stuff getting bundled in (secure boot), and this led to a significant chunk of the population deliberately avoiding it at least for a while. The only real difference is that UEFI has long since become standard, while IPv6 is still fighting for adoption.

And by that analogy, the previous BIOS version was released in 1981, and modern networking is hamstrung by its design which assumed &quot;4 billion addresses ought to be enough for anybody&quot; and that it needed to be manageable by an 8-bit OS with 64KB of RAM.IPv4 is a brilliant protocol for having been published 43 years ago. There aren&#x27;t a whole lot of technologies that old still widely used. I mean, I&#x27;m glad my NVMe drive doesn&#x27;t have to shove bits through an ST412 interface.

I really wanted to disagree with you but sadly that&#x27;s how it was treated in secure environments a few years ago: &quot;ipv6.disable=1&quot;. Everything that&#x27;s not in needed would be disabled. Nobody wanted to be the first to &quot;need it&quot; and learn all that stuff, if it works with ipv4, stick with it.Sure, one can figure out the split DNS, tunneling&#x2F;no tunneling, DHCPv6, multiple addresses per interface, additional filtering rules, or just you know &quot;ipv6.disable=1&quot; and worry about in a few more years perhaps.

I suspect you haven&#x27;t read the errata sheets for any modern EFI or even worse BMC? There is so much buggy crap in there that users are likely to run into that patching your firmware is a good idea just for stability and performance before you even consider integrity and privacy.

Ipv6 is a lot like a bios update - best avoided unless absolutely necessary. Potential mess with no upsides for end users.

You went with IPv4-only because users with IoT devices could reduce IPv6 privacy back to the trackability of IPv4? That seems rather counter productive to me.

This is the main reason we did not support IPv6 at Winston.

I didn&#x27;t read the paper. For anyone who did: How would that work exactly? It looks like the general problem is that an IoT device can use SLAAC and its MAC to generate an address like `prefix1::87:65:43:21`. Then the household&#x27;s prefix can change and the IoT device can create a new address with the same local portion, like `prefix2::87:65:43:21`. Then an attacker could see that `prefix1` and `prefix2` are very likely to have been used by the same person.How would an attacker get that information? If the IoT device is janky and malicious it could ping a bunch of malicious websites and wait for me to access them, I suppose. What would that give an attacker? It&#x27;s not clear to me how that&#x27;d be worse than, say, the current IPv4 situation. And if the device is compromised and no firewall is blocking its outbound Internet access, there are other things I&#x27;d be more worried about.If Amazon or Google make the device, then it could just report that back directly to them whenever its Alexa or Google Home bridge reports back. Their logs would show that &quot;bridge 0x1234 connected from `prefix1::` yesterday, and `prefix2::` today, and it&#x27;s owned by user kstrauser&quot;. I don&#x27;t think anything in this paper could make it less private than that, surely?

Good old Internet of Things that shouldn&#x27;t be on the Internet.

It&#x27;s like they say: the &quot;S&quot; in IoT stands for security.

&quot;Our results show that IoT devices contribute the most to this privacy leakage&quot;

One bad apple can spoil your IPv6 privacy (2022)