IPv6 prefix privacy

*cough*CGNAT*cough*

The horror which I, apparently, now have to look forward to. Apparently Virgin Media (part of Liberty Global) are using DS-Lite for their IPv6 roll-out and will be turning off modem mode on our cable modems. Interesting times ahead :frowning:

(sorry, getting even further off-topic)

Well, IPv6 is vastly superior to IPv4 so if by doing this we can accelerate the complete conversion of the internet, I'm pretty happy with that.

See if you can just turn IPv4 off on your home network and use ipv6 only. My guess is that there's a NAT64 involved in the DS-Lite, and you can set up DNS64 on your router and pretend the ipv4 internet doesn't exist.

I've tested this with my own DNS64 running on my router and it works fine. I spent about a whole year without any ipv4 on my home network. I went back mainly for my kids games that wanted to broadcast LAN packets using ipv4.

I agree with you, IPv6 is superior, but it's still very poorly supported by a majority of vendors and services.

Also, my main point was: if they turn off modem mode on the CPE I won't be able to use "my router" (the OpenWrt device) without incurring double NAT. I'll be forced to route through the poor SuperHub3 CPE I get from them. I'll have native IPv6 (yay!) but my IPv4 service (which, let's be honest, is still how we're gonna be accessing a large part of the Internet for some years to come) will be of a lower quality with CGNAT.

DS-Lite is a crappy, cheap solution unfortunately.

Sort of.

Your main problem will be if you want incoming ipv4 connections to your home. And let's be honest, that isn't going to happen.

But there's no reason you can't use your own router, and there's no reason you have to get any ipv4 service from them at all (i.e. use DHCP etc). What you do is you get your native IPv6 on the WAN, and you get your prefix allocation, and you put a native ipv6 prefix on the LAN... and now you set up DNS64 to map all ipv4-only entries to the corresponding ipv6 address that the carrier is using in their NAT64 solution. Now inside your LAN, it looks like the ipv4 internet doesn't exist. DNS points to ipv6 for *everything* and you just connect to that ipv6 address which goes through the CGNAT and voila. This is how T-Mobile has been rolling in the US for cell phones for several years. My cell doesn't ever get an ipv4, it's ipv6 only, and their NAT64 boxes do all the translation.

As far as I understand it, DS-Lite just adds an extra layer of translation to this scheme. Somewhere deep in their system there's a NAT64... an ipv4 packet comes in there, it gets encapsulated to IPv6... and sent to your Virgin CPE, which unencapsulates it and converts it to ipv4 again and then hands it to you as an ipv4 packet... so you can pretend you have an ipv4 connection.

Now, my scheme might not work due to administrative reasons, which would be a shame. But in principle they could offer you an ipv6-only internet.

EDIT: looks like I might be mixing up 464XLAT and DS-Lite, both of which are very similar but have different mechanisms... 464XLAT actually translates the packets, whereas DS-Lite maybe just tunnels them inside ipv6.

Since there will be zero chance of allowing incoming ipv4 connections, it looks like yes you'll need a "double NAT" solution but the double NAT will have zero additional consequences in the sense that it won't break anything since whatever it would break is already broken :wink:

1 Like
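The DNS64/NAT64 mapping described in the post above, as an added example (not code from the thread or from OpenWrt): it shows how a DNS64 resolver synthesizes an AAAA record for an IPv4-only name by embedding the A record inside the NAT64 prefix (RFC 6052, /96 case), and how the NAT64 box recovers the IPv4 destination again. The well-known prefix 64:ff9b::/96 is used; a carrier may run its own /96 instead, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix. An ISP may use a network-specific /96
# instead; pass it as `prefix`. Assumption: only /96 prefixes are handled.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 step: embed an IPv4 address in the low 32 bits of the NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """NAT64 step: recover the IPv4 destination from a synthesized address.

    Returns None when the address is a real IPv6 address (not in the prefix),
    i.e. traffic the NAT64 box must forward natively instead of translating.
    """
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """Emulate a DNS64 resolver's AAAA answer for one name.

    Real AAAA records win; only when a name has none are the A records
    synthesized, so dual-stack services are reached natively over IPv6.
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an IPv4-only host in the 192.0.2.0/24 documentation range.
    for addr in dns64_answer(["192.0.2.10"], []):
        print(addr, "->", extract_ipv4(addr))        # 64:ff9b::c000:20a -> 192.0.2.10
    # A dual-stack name keeps its real AAAA record untouched.
    print(dns64_answer(["192.0.2.10"], ["2001:db8::1"]))
```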

They can still predict your location. I've used the word "geographic" a few times. Prefixes have to be routed statically, pretty much. So, there's still a larger [ISP] prefix in their Autonomous System - being issued from an upstream [border] router, to [many downstream and] your neighborhood aggregate router. I think to do what you desire, you have to ask your ISP to rotate their IPv6 prefixes on their downstream routers from time-to-time.

You are correct, IPv4 and IPv6 are quite different.

3 Likes

Indeed, geolocation even with dynamic, frequently changing, IPs (both IPv4 and IPv6 alike) tends to be rather accurate, it's rare to see it be off more than 10-15km (unless you're using tunnels to other locations, of course).

2 Likes

Indeed.

Privacy is best implemented at Layer "8" or rotated 90 degrees "∞"...

@firefexx, you have to realize there are more things than prefixes that ID you, many in the community noted them above...even ones that can link the IPv6 address used - to the IPv4-based servers you're accessing other data on. You also need to research how a machine may be fingerprinted flipping from TOR to normal connections. Cookies, for example, flipping connections while same device, etc. Someone with unlimited resources and/or capital WILL track you...so...

Honestly, I'm happy there's a configuration to not announce a MAC address in IPv6.

Just be a good Netizen of the Internet; and everything will be OK...

:pray: :prayer_beads:

Be that good Layer 8 Citizen of the Internet.

2 Likes
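To make concrete why the "no MAC address in IPv6" setting mentioned above matters, here is an added example (not from the thread or from OpenWrt) that builds a SLAAC address from a MAC the classic EUI-64 way and, conversely, checks whether an address on your own LAN still embeds a hardware identifier; privacy-extension addresses (RFC 4941) carry a random interface ID and fail that check. The MAC and prefix are constructed sample values.

```python
import ipaddress


def eui64_address(prefix, mac):
    """Build the SLAAC address a host without privacy extensions would derive (RFC 4291 App. A)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    m = bytes.fromhex(mac.replace(":", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    # Split the MAC, insert ff:fe in the middle and flip the universal/local bit.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_eui64(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None if the ID is not EUI-64 shaped.

    Caveat: a random (privacy-extension) interface ID also has ff:fe in that
    position with probability 2^-16, so treat a hit as a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]     # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def leaks_hardware_identity(addr):
    """True when the address reveals the NIC's MAC and therefore survives any prefix change."""
    return mac_from_eui64(addr) is not None


if __name__ == "__main__":
    # Constructed sample: documentation prefix 2001:db8::/64 and a made-up MAC.
    a = eui64_address("2001:db8::/64", "00:1a:2b:3c:4d:5e")
    print(a, "->", mac_from_eui64(a))                # 2001:db8::21a:2bff:fe3c:4d5e -> 00:1a:2b:3c:4d:5e
    print(leaks_hardware_identity("2001:db8::8a2e:370:7334"))   # False: random-looking IID
```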

I already know that there is a lot of other identifying information. It's totally clear that changing IP addresses isn't helping when hiding from governments, etc. That's not the point. It's about making it not insanely trivial for ordinary parties on the web to track someone. Further privacy enhancing measures can be implemented at will, but that's not the point here.

The geolocation argument is indeed true. But, as long as you don't live in a sparsely populated area, changing prefixes still increases the anonymity set.

There is the cliché that Germans are statistically a bit more privacy concerned. Maybe there is some truth in it. I found several German speaking IT news articles covering the prefix privacy topic and the country's largest ISP announced possible measures to enhance IPv6 privacy in the past. In fact, it's implemented that I get a new IP on each reconnect. And a lot of CPE routers offer the functionality to daily reconnect. Sometimes it is even the default setting. That's the reason I asked here if there is something like that in OpenWrt. (But I need to say that the presence of this functionality is not purely for privacy purposes, it was originally implemented to schedule the forced reconnect a provider required when using DSL over phone landline.)

So in fact, I could have asked how to do a scheduled reconnect. This is already covered in Scheduled pppoe reconnect (specific time)

There, it is stated that the easiest way to do it is to setup a cron job executing just ifup wan, no ifdown or sleep required.

I can not concur, geoIP is a mess and routinely mislocates me; currently it is roughly 400 km off. This really depends on the size of your ISP and its IP recycling policy. IMHO geoIP is so bad that it should be prohibited... Then again, its main use is making sure national distribution rights for media content can be enforced by the rights holder, or rather on-line merchants. But it certainly does not act as a reliable localizer good enough to significantly reduce the challenge posed by wanting to individually track users. I have, alas, no data to back this up statistically, so my ISP might be the exception, but my experience with geoIP is that it basically is snake-oil...

That horse is out of the stable long ago, the interested parties do tracking successfully for users on "dynamic" IPv4 links already, heck they track through CGNAT, which has even less persistence than the 24-hour IP addresses you talk about. That fight is lost so completely that it is not even funny anymore. Especially since prefix persistence makes it much simpler to connect to machines on the private network from the outside (e.g. mosh sessions will happily survive temporary disconnects, but do not tolerate the end-host's IP address changing).
Now, I realize this is a policy question with no right or wrong answer, and having a simple method to request a reconnect from the GUI seems a reasonable thing to ask (although I believe the button labeled "Restart" in the interfaces tab of the LuCI GUI should do just that). But you are at the mercy of your ISP and unless your ISP made promises you might end up with the same IP/prefix you had before...

I think that's absolutely the truth. So the whole reconnecting prefixes thing is basically all cost, no benefit. And by that I mean 100% costs and 0% benefit exactly, not "near 100%" or "near 0%". So, of course, the OP can do whatever they want, but if it became policy to change my ipv6 prefix every time the power went out or my router had to be rebooted you can believe I'd be ranting and raving about it on the public message boards, and writing letters to ATT and so forth. It breaks huge amounts of what is good about the ipv6 internet.

If you just want an anonymous IP then TOR or a VPN service are your go-to mechanism. You can hide (your IP and nothing else) in the pool of other people using the same VPN. But if you'd like to actually have anonymity you will have to at a minimum use the TOR or VPN, plus use private windows, plus close and reopen your private window every time you change what you're doing (because cookies and javascript bits persist in private windows until they are all closed). And that's at a minimum, you'll also probably have to disable flash, and should rotate your VPN endpoint every 5 minutes using a cryptographic random number generator... probably some other things too. Like for example do not under any circumstances log in to any service and do not under any circumstances have your android or iphone turned on while you are surfing your computer. Do not under any circumstances allow any person you are familiar with (such as a friend or family member or neighbor) to have their phone on and connected to your network... etc

1 Like

Go to whatismyip.com...you'll see they can even obtain the LAN IP address. You'll have a lot of privacy mechanisms to employ for success in your endeavor. Just a FYI.

I hope the best for your efforts.

Hmm, I'm guessing that's some javascript in the browser that hands it over to them? Interestingly their geolocation is like 1000 miles off for me.

1 Like

no, no, no, don't click that link! OMG! :wink:

"message": "Our partners will collect data and use cookies for ad personalization and measurement. Learn how we and our ad partner Google, collect and use data.",

<script async src="https://www.whatismyip.com/custom/autotrack/autotrack.js"></script>

[...]

The only thing you can do is pull the plug.

1 Like

In case someone wants to manage their data, at least in Firefox you can go to preferences and type "cookie" in the preferences search, and you'll find a list of sites that have set cookies or local storage data... you can easily sort these by last use date/time and delete either really old ones, or some recent ones that may have been set if you clicked a certain link :wink:

I use Firefox exclusively because I consider Chrome spyware.

FWIW, I use dnscrypt for my upstream DNS on OpenWrt, uBlock Origin browser plugin for Safari/Chrome on laptops, Cookie for cookie management on macOS and 1 Blocker X on iOS

That's fancy. For those who are interested: They do it using WebRTC. For Firefox, EFF's PrivacyBadger extension has an option to block that.

The geolocation on the other hand is not that impressive. It's way off.

1 Like

This is rather normal for geoIP, it really is not all that precise. In the end the main customers basically seem only interested in the country of an IP as that allows selling content licenses on a per-nation basis.

1 Like

Hehe... considering the thread topic, that's funny: it locates me in "Fremont, California" as my he.net IPv6 address appears to override my Virgin Media UK IPv4 address, so only 5000 miles off :rofl:

1 Like

Assuming that you are using dual stack mode, they can find your location from both IPv4 and IPv6 databases.
It's not difficult to understand that IPv6 resolving into he.net-tunnel is not your real location.

1 Like