
I have AT&T Fiber at home and have IPv6 turned off at the router because I don't believe consumer grade firewalls are as good as plain ol' NAT traversal for basic security. IPv6 seems to want everything directly connected to the Internet which I find crazy.

Update me - am I crazy? Is this old info or a bad take?



> Is this old info or a bad take?

Yes. With IPv6 there are still stateful firewalls on routers. An app/service still generally needs to do firewall hole punching via UPnP or PCP. The main thing that goes away is the rigamarole of figuring out the public IP address:

* https://tailscale.com/blog/how-nat-traversal-works/

With my Asus RT-AC68U I can ping my IPv6 address:

* https://www.subnetonline.com/pages/ipv6-network-tools/online...

But cannot connect to SSH from the Internet (but localhost works), or port 80 (if I launch 'nc -6 -l 80'):

* https://www.subnetonline.com/pages/ipv6-network-tools/online...

Firewalls do not stop working with IPv6.


The only difference between NAT traversal and zone-based state firewalling is whether you translate the address before you put it in the state table. The security functionality is roughly identical; NAT itself is not actually the security layer, it just forces having the concept of tracking what is outbound-initiated to work.

In a pure academic sense you can have NAT without disallowing inbound-initiated sessions to internal addresses, but that's insecure because it's just hiding the routing information, not actually blocking inbound sessions.

The only thing to worry about with the gateway they give you for AT&T fiber is if you have the crap model that has an extremely limited session table (4k); if so, you should ask for the new one (16k). This applies regardless of IP version preference.


> The only difference between NAT traversal and zone based state firewalling is whether you translate the address before you put it in the state table. The security functionality is roughly identical

Except that not translating your IP address means allowing certain types of tracking that NAT prevented. One unique IP address per device means that with nothing more than a list of IP addresses and timestamps servers can identify the number of devices you used on your network to connect to them, and can track which device was in use at which time. NAT prevents that scenario very well.


IPv6 has some features around this; the one most commonly implemented on devices (even more than just grabbing an assignment and sticking with it) is using temporary address assignments which change over time.

Neither NAT nor IPv6 randomization really does much for tracking prevention though. Servers get to see a lot more than just source port (~2 bytes of fingerprinting info) and source node (~0-2 bytes depending on the number of devices in the network); e.g. even just a TCP handshake has a larger fingerprinting signature, and that's before you've even gotten to the application-level protocol you're talking to the server with or the data in the connection itself.


With enough effort you probably could enumerate the devices on a remote network using NAT, but the amount of effort matters too. NAT is easy for most end users' needs, works with a huge number of devices/gateways and somehow does a decent enough job at keeping the internet from passively learning about each of the devices on your network and tracking them over time that it's foiled the plans of many site operators and nosy organizations looking to do just that.

Granted, there are other ways to track devices, and as long as an application can be installed on a device and communicate to the outside world it can share whatever data it wants, but the last time I looked into it IPv6 made the situation worse, not better, and there were multiple flaws found in its privacy extensions. It's admittedly been a few years and so maybe things have changed and it's time to give it another look.


> passively learning about each of the devices on your network and tracking them over time that it's foiled the plans of many site operators and nosy organizations looking to do just that.

Again, passive learning (i.e. your device just existing and getting scanned) never happens in either scenario, as inbound scanning is not possible in home or office IPv4 or IPv6 setups, and it has nothing to do with where NAT is at play: inbound-initiated sessions aren't allowed in either case. I.e. just because you send a packet to <IP> does not mean a home or corporate router is going to allow it in; it's going to check if that conversation exists and, if not, it's going to check if the conversation started from the inside or the outside. If the latter, it gets dropped, routability be damned, as it'd be insecure to allow anyone to connect to anything internal just because they sent a packet to that IP. This tracking is done at the L4 level, i.e. just because you opened a TCP session to a server using some high-range outbound port doesn't mean that server will be allowed to send a packet back to you on e.g. 22 SSH; it only means that specific tuple (ip:port:ip:port) is allowed bidirectionally until the session is closed by either side or times out from inactivity.

I'm not exactly sure which ways IPv6 makes it worse; as mentioned, pretty much all devices (Windows, Linux, Mac, Android, iOS) use temporary IPs and have for well over a decade. Nobody is tracking individual user clients by IP address alone, be it v4 or v6; they are doing it with the troves of data in the higher-layer protocol information where they can identify each device uniquely.

You can dislike IPv6 if you like, but you shouldn't just make fear-mongering claims of why it's bad for privacy if you don't have enough experience with it to know how it is designed to avoid these very issues.
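The two comments above make the same point from different angles: the gateway keeps a table of outbound-initiated 5-tuples, and with NAT the only extra step is rewriting the source before the tuple is recorded; an inbound packet that matches no entry is dropped whether or not the inside address is routable. The toy model below (added here as an illustration, not code from any commenter or from any router firmware) runs one scenario through a NAT44 gateway and through a plain IPv6 stateful firewall and shows that the verdicts are identical. The addresses use the documentation/test prefixes 192.168.1.0/24, 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32; the sequential port allocation and the 300-second idle timeout are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulGateway:
    """Toy model of a home gateway's forwarding decision (constructed for this example).

    The state table is keyed by the 5-tuple as it appears on the outside
    interface. An entry is created only by a packet arriving from the inside;
    a packet from the outside is forwarded only if the exact reverse tuple is
    present and not idle-expired. With nat_addr set, the source of outbound
    packets is rewritten before the tuple is recorded; the decision logic is
    otherwise identical.
    """

    def __init__(self, inside_prefix: str, nat_addr: Optional[str] = None,
                 idle_timeout: int = 300):
        self.inside = ip_network(inside_prefix)
        self.nat_addr = nat_addr
        self.idle_timeout = idle_timeout
        # outside-view tuple -> (inside src, inside sport, last_seen)
        self.table: dict[tuple, tuple[str, int, int]] = {}
        self._next_port = 40000  # assumed NAT port allocation: sequential

    def _expire(self, now: int) -> None:
        # Drop entries that have seen no traffic for longer than idle_timeout.
        stale = [k for k, (_, _, seen) in self.table.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def handle(self, pkt: Packet, now: int = 0) -> tuple[str, Optional[Packet]]:
        """Return ("forward", packet as sent onward) or ("drop", None)."""
        self._expire(now)
        if ip_address(pkt.src) in self.inside:
            # Outbound: refresh an existing entry or create one, translating if NAT is on.
            for key, (isrc, isport, _) in self.table.items():
                if (isrc, isport, key[2], key[3], key[4]) == (
                        pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto):
                    self.table[key] = (isrc, isport, now)
                    return "forward", Packet(key[0], key[1], pkt.dst, pkt.dport, pkt.proto)
            if self.nat_addr:
                pub_src, pub_sport = self.nat_addr, self._next_port
                self._next_port += 1
            else:
                pub_src, pub_sport = pkt.src, pkt.sport
            key = (pub_src, pub_sport, pkt.dst, pkt.dport, pkt.proto)
            self.table[key] = (pkt.src, pkt.sport, now)
            return "forward", Packet(pub_src, pub_sport, pkt.dst, pkt.dport, pkt.proto)
        # Inbound: routable or not, only the reverse of a known tuple gets through.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        entry = self.table.get(key)
        if entry is None:
            return "drop", None
        isrc, isport, _ = entry
        self.table[key] = (isrc, isport, now)
        return "forward", Packet(pkt.src, pkt.sport, isrc, isport, pkt.proto)


def demo() -> dict:
    """Run one scenario through a NAT44 gateway and a plain IPv6 stateful
    firewall; the verdicts come out identical, only the visible source differs."""
    scenarios = {
        "nat44": (StatefulGateway("192.168.1.0/24", nat_addr="203.0.113.10"),
                  "192.168.1.20", "203.0.113.50", "198.51.100.7"),
        "ipv6": (StatefulGateway("2001:db8:1::/64"),
                 "2001:db8:1::20", "2001:db8:2::50", "2001:db8:3::7"),
    }
    results = {}
    for name, (gw, client, server, scanner) in scenarios.items():
        # 1. client opens a session to server:443
        v_out, sent = gw.handle(Packet(client, 51000, server, 443), now=0)
        # 2. server answers exactly the tuple it saw
        v_reply, _ = gw.handle(Packet(server, 443, sent.src, sent.sport), now=1)
        # 3. the same server tries the public address on port 22 instead
        v_ssh, _ = gw.handle(Packet(server, 4000, sent.src, 22), now=2)
        # 4. an unrelated host probes port 443 on the public address
        v_scan, _ = gw.handle(Packet(scanner, 55555, sent.src, 443), now=3)
        # 5. the server's reply arrives after the idle timeout
        v_late, _ = gw.handle(Packet(server, 443, sent.src, sent.sport), now=1000)
        results[name] = {"public_src": sent.src,
                         "verdicts": (v_out, v_reply, v_ssh, v_scan, v_late)}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Running it prints the same verdict tuple for both gateways: the outbound packet and its direct reply are forwarded, the port-22 attempt from the same server, the unrelated probe and the post-timeout reply are all dropped. The only field that differs between the two runs is the source address the server sees.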


You have that backwards.

On any modern Windows, MacOS, BSD, or Linux install, your system maintains multiple* publicly routable IPv6 addresses at once. New connections are opened on the newest address, and the old addresses are retired as legacy connections are closed. SLAAC (stateless autoconfiguration) allows the system to automatically configure new addresses at will. Two web pages that you open within seconds may not see the same IP address when you use v6.

For example, the computer I'm typing this on currently has 9 publicly routable IPv6 addresses (plus additional link-local and private addresses), on one NIC. That's the normal state of IPv6, not some exotic configuration. It "just happens" when you have SLAAC set up.

You could, if you wanted (though I don't know of any OS that supports it), open literally every new connection from a new address.

IPv6 also has better multi-homing support, so you can distribute your connections among multiple ISPs (and, again, with SLAAC, configuring IPv6 addresses from multiple routers on a single NIC is trivial).


I actually do kind of like the idea of a new IP for every connection...

I haven't had much time to look into it recently, so maybe the situation has changed, but I do recall seeing multiple issues with SLAAC and other privacy features (not just involving EUI-64) still leaving devices trackable in common situations, and even that's only where it's supported.

Hopefully there are workarounds and patches for the issues that have been identified so far, and I should probably take another hard look at the current state of things, but the impression I got just a couple of years ago is that if IPv4 can be made to protect privacy, it'd still be way too complicated for most end users, where NAT pretty much just works, and works with most devices and gateways.
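The exchange above turns on which of a host's many SLAAC addresses are temporary (RFC 4941 privacy addresses, rotated over time) and which are stable identifiers derived from the MAC (modified EUI-64, recognisable by the 0xfffe bytes in the middle of the interface identifier). The script below is an added example for this page, not code from any commenter: it parses the output of `ip -6 addr show` as printed by Linux iproute2 and reports, for each address, whether it is temporary, deprecated and EUI-64-derived, so you can check your own machine against the claims in the thread. The sample output is constructed (2001:db8::/32 documentation prefix, made-up interface identifiers); the flag names `temporary`, `deprecated` and `mngtmpaddr` are the ones iproute2 prints.

```python
import re
from ipaddress import IPv6Address

# Constructed sample in the format printed by `ip -6 addr show` on Linux.
# 2001:db8::/32 is the documentation prefix; the MAC-derived identifier
# ::211:22ff:fe33:4455 and the temporary identifiers are made up.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c4e:9a3f:7b21:d0e5/64 scope global temporary dynamic
       valid_lft 86089sec preferred_lft 14089sec
    inet6 2001:db8:1:2:8d0f:44a1:2e09:5b7c/64 scope global temporary deprecated dynamic
       valid_lft 85000sec preferred_lft 0sec
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86089sec preferred_lft 86089sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

ADDR_LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)\s*(.*)$")


def is_eui64(addr: IPv6Address) -> bool:
    """True when bytes 3-4 of the 64-bit interface identifier are 0xfffe,
    the marker of a modified EUI-64 identifier built from a MAC address."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def parse_ip6_addrs(text: str) -> list[dict]:
    """Parse `ip -6 addr show` output into one record per inet6 line."""
    records = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if not m:
            continue
        addr = IPv6Address(m.group(1))
        flags = set(m.group(4).split())
        records.append({
            "addr": str(addr),
            "prefixlen": int(m.group(2)),
            "scope": m.group(3),
            "temporary": "temporary" in flags,    # RFC 4941 privacy address
            "deprecated": "deprecated" in flags,  # kept only for existing sessions
            "eui64": is_eui64(addr),
        })
    return records


def stable_mac_derived_globals(text: str) -> list[str]:
    """Global addresses that are both stable and MAC-derived: these embed the
    NIC's MAC, so the identifier stays the same even when the prefix changes."""
    return [r["addr"] for r in parse_ip6_addrs(text)
            if r["scope"] == "global" and not r["temporary"] and r["eui64"]]


def preferred_temporary(text: str) -> list[str]:
    """Temporary addresses still eligible as the source of new connections."""
    return [r["addr"] for r in parse_ip6_addrs(text)
            if r["temporary"] and not r["deprecated"]]


if __name__ == "__main__":
    for rec in parse_ip6_addrs(SAMPLE_IP_ADDR):
        print(rec)
    print("stable MAC-derived globals:", stable_mac_derived_globals(SAMPLE_IP_ADDR))
    print("preferred temporary:", preferred_temporary(SAMPLE_IP_ADDR))
```

To run it against a real host, replace `SAMPLE_IP_ADDR` with the captured output of `ip -6 addr show`. On a host using stable privacy addresses (RFC 7217) instead of EUI-64, `stable_mac_derived_globals` returns an empty list; on the constructed sample it returns the one `mngtmpaddr` address whose identifier contains `ff:fe`.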


> an extremely limited session table

Interesting. You're right - I just found a reddit thread from a few months ago and ATT fiber seems to still have horrible IPv6 support, for that reason and others. I think I'll leave it off.

https://www.reddit.com/r/ATT/comments/stuzjy/switched_to_att...


The conntrack table on the BG320 is 8k regardless of whether it's doing NAT with v4 or plain session tracking with IPv6. You just want to make sure you don't have the older model with the 2k limit, as that'll cause problems for even light-usage households.

The way the IPv6 rollout is broken on ATT is the same way their IPv4 rollout is broken: they don't support bridge mode. Passthrough IP doesn't quite work the same as traditional bridge mode and still hits the conntrack limits. DHCPv6 and PD work fine though; I have it configured right now.


> Update me - am I crazy? Is this old info or a bad take?

1. NAT does nothing to prevent network egress. NAT is not a firewall--it monitors outgoing connections to remember how to re-write incoming packets. Any IoT shit or malware that wants to call home to a control server is free to do so.

2. Most consumer NAT implementations have a facility for "inside" hosts to map "outside" ports to "inside" IP address-port combinations (for games). The facility has no authentication, other than (usually) ignoring packets from "outside". So a single infected device on your network can poke arbitrary holes in your "firewall".

3. Most modern IPv6 stacks create new auto-configured addresses and rotate them on a regular basis (the address space is big enough to do that). So "your address" is constantly in flux. Obscurity isn't good security, but at least it makes it harder for the bad guys to know where to send the packets.

4. The IPv6 packet structure is simpler, so, in theory, you might expect fewer vulnerabilities in your IP stack.


NAT is not a security feature, nor is everything publicly exposed to the internet on IPv6. With most routers you would have to explicitly forward a port in the router to expose that to the client anyways.



