IPv6 prefix privacy

Hello all,

recently, I had a look on IPv6 privacy stuff. Hosts can use privacy extensions, so the host part of the address cannot be tracked over time. But this brings you nothing if the network prefix stays the same. A host could be tracked just by looking at the network prefix (at least in small home/consumer network setups).

My ISP assigns /56 prefixes and does not force a (daily) reconnect, so it will stay the same until I manually intervene.

I can imagine to setup a cron job with ifdown wan && sleep 30 && ifup wan so I get a new prefix, e.g. daily.

But this looks like a somewhat dirty hack. What are you doing to address IPv6 privacy? Does your ISP assign new prefixes regularly without manually reconnecting? Do you have a better idea on what to do on router's side?

As fas I'm aware, IPv6 privacy extensions are really only intended to be effective at "hiding you in a crowd". There's no intention to randomise or change the network prefix (as that would essentially break the Internet), it's more about masking you within a large group of clients on the same network. As such it's really not going to be effective for what you seem to want, with only a handful of clients on your home network.

Depending on what you really want to achieve, you may be better served by a good VPN provider or use of TOR.


Hi, thanks for answering.

Yes, as I wrote, privacy extensions do (literally) only help half way. This question is about the other half, the network prefix. This can be changed from time to time without breaking the Internet. The ISP would just need to assign a new prefix to you.

Without this, we basically have the IPv6 privacy equivalent of a static IPv4 behind a NAT. Your home network can easily be tracked over time.

Using VPN or TOR is a step further, i.e. when I also need to hide against my ISP. But this question is about establishing a similar privacy level compared to a dynamic IPv4, i.e. to hide against tracking by arbitrary parties on the web (advertising, curious website owners, ...).

A method to change the Privacy Secret is noted in this thread.

1 Like

Hi, thanks also for your reply.

Your linked post is about generating interface identifiers. As I noted, the privacy extension stuff on the host side is already fine. This thread is about privacy concerns regarding network prefixes.

Thee is literally zero OpenWrt can do for you, take this up with your ISP if you believe this to be a real issue. Please note that the very moment you want to access local services from the outside you will need reasonably persistent IP addresses to reach your own services. Use TOR and tight operational security to solve this issue. Please also note that you ISP will keep book on which IP addresses /prefixes where assigned to you, so there is literally (again) no way to hide traffic occurrence from your ISP (you can hide the content though, using https and or VPN, or tor).

Again use TOR.

Dynamik IPv4 is not a privacy mechanism and and privacy gained from short "cycle" times is pretty much accidental.


How did you solve this for the IPv4 address...?

It could, for example, offer a userfriendly way to periodically reconnect to the ISP in order to get a new prefix. (Of course, this requires the ISP to hand out a new one...)

There is an ongoing browser fingerprinting battle between the trackers who implement more sneaky tracking methods and the defending side (browsers like Firefox and add-ons like EFF's privacy badger). So it actually is an issue. If we have no dynamic IP addresses, the whole fingerprinting stuff is needless since the trackers could just look at IP addresses. That would be much simpler.

This accidental circumstance is the reason why it is not insanely easy for tracking companies to observe the visitors.

We need something comparable to this. Maybe you can tell me to use TOR but ordinary users who just want to go online need privacy by default. TOR is about another level of privacy. Hiding something from the ISP is out of scope of this issue.

True, but this is theoretically solvable by obtaining both a static IP and a periodically changing prefix. Don't know if ISPs would do this. But again, out of scope here.

They are, at least in my case, dynamic, hence not constant over a long period of time.

What you're looking for can very easily be achieved by downloading a copy of TOR Browser. It's a simple, single binary with no install necessary, it fits your requirement of being suitable for "ordinary users" and requires no changes to your router.

I honestly believe you're going down an inappropriate route trying to get the functionality from your router and/or leveraging DHCP leases (IPv4 or IPv6). The nature of Internet routing is that all traffic to or from clients on your LAN will pass through the pinch point that is that your router. It doesn't matter how often you change its public address, it's still trackable and has associated logs somewhere in the cloud unless you use a VPN or tunnel service designed to obfuscate this sort of data.

To do so, a) your ISP would need to be willing to hand you a new prefix on a reconnect (which while likely is not guaranteed) and b) will take down your IPv6 internet connection transiently, IMHO this is really undesirable, but I i accept that this is a matter of policy and do not claim my desire to be normative here.

But we are on the loosing end of this battle anyway, as in the end we are interested in the content and if we re-visit a site the probability is high that they will find a way to notice. Otherwise just use TOR, as that is as far as I can tell the state of the art to side-step this problem.
Interstingly we lost the "fingerprinting battle" already, so changing the IPv6 prefix often will not noticeably increase one's privacy IMHO.

Might not be insanely easy, but from their perspective already a solved problem, with a known work-around (you guessed it, TOR).

I simply disagree that this is worth the effort; and if it is worth some effort, than it certainly should be worth teaching ordinary users how to use TOR (which is not rocket science). The whole give a man a fish versus teach a man to fish argument applies here.

But agin, I am just voicing my opinion here.

1 Like

Prefixes are assigned by the ISP, what are you talking about?

The ISP can't do anything, prefixes are assigned to ISPs!!!

Just like IPv4 prefixes.

@firefexx, what are you trying to solve!?!?


I'm using the solution in Post No. 4. Privacy is compromised by the EUI64 suffix based from MAC address. So, if you use those privacy extensions, you can not be identified simply by the IPv6 address, regardless of prefix.

Okay, thanks for mentioning TOR a hundred times. :smiley: I know TOR and I occasionally use it. But you don't want me to stream YouTube videos over TOR (just an example why this isn't a universal solution). Let's spare some of the limited bandwidth for people in oppressing countries. I just wanted to achieve comparable privacy to dynamic IPv4 addresses. And that the fingerprinting battle doesn't look good is not a reason to give up completely.

But I see, we have a different view on this topic. Let's agree on this.

Exactly. And if the ISP delegates a new prefix occasionally, website operators cannot that easily track who I am.

Yeah, for example they get assigned a /19. Much space to choose subnets from which can be delegated.

Ehm, no! When the /56 prefix stays always the same, why should a tracker care about the last 64 bits?

I just told you. Because, unlkike in IPv4, an EUI64 address is DIRECTLY RENDERED FROM YOUR MAC ADDRESS. Hence, a prefix comes from the ISP, and is likely geographic, so not greatly changeable; but the last hextets of a EUI64 IP directly identify the host, even behind a firewall!!!

That's why.

Using privacy extensions solves that privacy problem.

ISPs get assigned something like a /24 prefix, from which they can lease smaller prefixes to end-customers, typically maybe /48 (or /56). Thus ISP would have 2^24 (or something like that) different /48 prefixes for customers. They could in theory give a new prefix every few hours and randomize it...

Yes, but they can't change the /24. Also, they likely don't greatly change the routing related to where those prefixed are geographically!

So the OP's data can still be fingerprinted likely...but less so in Privacy Extensions since the IP used wouldn't be based on a SPECIFIC MAC, HENCE A SPECIFIC MACHINE. LOL...are we kidding here?

So now the OP switches ISPs for privacy every day?

The traffic could still be IDed if the hardware weren't using Privacy Extensions.

Yes, I understand the need for privacy extensions to change the last 64 bits. But this does not help to prevent tracking when the prefix already uniquely identifies my home.

No, of course it is easy to figure out the ISP by just making a whois lookup on the IPv6. But if the ISP hands out changing prefixes and reassigns older prefixes to other customers, a tracker cannot infer that I'm the same person as yesterday (at least not purely based on my IP address). I.e. that would be exactly the same privacy level one has with a dynamic IPv4.

Do you believe this?

I'm not under such an impression; but I now understand your concern. It seems paranoid in my opinion, though. Your ISP must not have many customers in your geographic area.

Perhaps you should use tunnelbrokers, and constantly rotate accounts.

Of course, this is easy to implement. From tracker's perspective: See visitor's IPv6, make whois lookup to infer the ISP, lookup what prefix length the ISP usually delegates, take that prefix from the observed IP and voila, that's the identifying information.

Nah, not really paranoid. Just want to achieve the same privacy everyone has since years with a dynamically changing IPv4.

It has. But if the ISP gives me the same prefix all the time, it doesn't matter how many customers there are.


See if changing your MAC (LOL) will fix this.

I'd also set privacy extensions, to see if the prefixes change.

The MAC of my end system wouldn't matter since the prefix got already delegated to my router at this point of time. Changing the MAC of the router's WAN port would require a reconnect which already gives me a new prefix even without changing the MAC, as I stated in my opening post.