9

Does switching to IPv6 without any NAT mean that my ISP can identify/monitor/limit the number of devices in my private network more than they can with NAT (which is a necessity in a private IPv4-based configuration)?

Thanks!

Jason Kleban
  • 207
  • 1
  • 7
  • Since [current best practice](http://tools.ietf.org/html/rfc6177) is to assign a minimum of a /56 per end customer, it's very unlikely you'll actually run into this situation. If you do, you should beat your ISP over the head with a copy of the RFC, printed on a steel bar... – Michael Hampton May 12 '13 at 16:52

3 Answers

6

If you are not using NAT, then they will be assigning an IPv6 address to each device and will be able to identify them. You could still use NAT however and they would be unable to detect how many devices are behind the gateway device since only the one gateway device would make all requests.

A NAT conceals the information about your internal network because all Internet connections originate from the one IP and are mapped to your internal network. There is no reason the same thing can't be done with a single IPv6 address and device. IPv6 just makes it so that layer isn't necessary if people don't need/want it.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • +1. True, it can be implemented but from a practical perspective NAT-lessness can be a desirable feature and if 99% of private networks don't use NAT, I'm afraid that ISPs would use this new control to create new Premium Tiers and/or sell the data to marketers. – Jason Kleban Jan 03 '13 at 16:37
  • "Oh, look whose phone just ranged-in to their home network. Time to send them an email about some crap they can order on Video-On-Demand!" Is this something that is made incredibly easier by going NATless? – Jason Kleban Jan 03 '13 at 16:39
  • 1
    @uosef - Honestly, that kind of thing is already doable by looking at the type of protocols being used. VOIP information is pretty recognizable if it is SIP based just from the packets themselves. They could also probably tell from the IP addresses that it is going to (if I'm making a connection to Google Voice's IP blocks, chances are good I'm making or receiving a call). I'd be more worried about them trying to do per-device charges like cellphone carriers. – AJ Henderson Jan 03 '13 at 16:50
  • 1
    @uosɐſ this is only if the EUI-64 autoconfiguration format is used, which is based on the device's mac address, thus effectively advertising the device manufacturer both to the ISP and every system you connect to. We really need to make sure that privacy extensions are enabled on all consumer devices before ipv6 is widely used. – mricon Jan 03 '13 at 17:12
  • But even if randomly assigned, does the IPv6 address change often? – Jason Kleban Jan 03 '13 at 17:42
  • 1
    When privacy extensions are enabled, new addresses are generated every few hours or days and existing addresses are put into "deprecated" mode, allowing them to continue receiving connections, but not initiate new ones. So, effectively, this will make it look like you have a lot more devices than you actually have, since every device will have multiple and constantly changing ipv6 addresses. – mricon Jan 03 '13 at 18:09
4

You can do NAT with IPv6, of course. The good thing about IPv6 is precisely that you do not need to do NAT: there are enough IPv6 possible addresses that there is no need for sharing an address between distinct machines. Having a publicly visible address for each of your computers allows you to run accessible servers on each of them, which is great for some usages.

Of course, if having multiple addresses is convenient, then ISPs will be quick to think that they may make you pay for it. They cannot sell you less than one IP address, but they may charge you more for several. That it does not cost them more to route for a whole /64 network than for a single address is irrelevant; the ISP fee is not computed from the required technical resources, but set as high as you will agree to pay, limited only by competition with other ISPs, and, in some cases, state regulations.

The ISP is inherently aware of how many IP addresses it will give you. This happens to be strongly correlated to the number of machines you own, because each machine will want exactly one address. The ISP cannot technically limit the number of machines that you plug into your network (they can set contractual limits, but not enforce them easily); but limiting the number of IP addresses they will route for you is a piece of cake for them.

Beyond the count of devices, they can harvest some additional data, because in IPv6, each machine will try to automatically obtain an IPv6 address on the local network, where part of the address is derived from the MAC address of the ethernet/WiFi interface; such MAC addresses are subject to a worldwide allocation scheme, and from the MAC address, it is possible to infer the hardware vendor and possibly the hardware family.

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
0

Normal practice with IPv6 for home connections is to give the home network a /64; clients then allocate themselves addresses from the /64. In the early days of IPv6 it was typical for clients to use long-lived IP addresses based on their MAC address. In such a setup the ISP could easily count how many addresses were active.

More recent IPv6 implementations support privacy extensions where short-lived addresses are used by the clients for outgoing connections. However normally a client will still only use one address at a time for new connections, so the ISP can probably still make a reasonable estimate of the number of connected devices.

So yes they could monitor and restrict the number of connected devices if they wanted to.

Peter Green
  • 4,918
  • 1
  • 21
  • 26
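To make concrete what Thomas Pornin's answer says about MAC-derived addresses and what Peter Green's answer says about privacy extensions inflating the address count, here is an added example (editor's code, not from any of the posters). It builds the SLAAC address a host derives from its MAC under the modified EUI-64 rules of RFC 4291 Appendix A, does the reverse (recovering the MAC, and therefore the vendor OUI, from an observed address), and then summarises what an upstream observer learns from a constructed list of source addresses seen inside one customer's /64. The prefix `2001:db8:1234:5600::/64` and all MAC addresses are made up for the example.

```python
import ipaddress


def interface_id(addr: str) -> bytes:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_address(prefix: str, mac: str) -> str:
    """Build the address a host would derive from `mac` under a /64 `prefix`
    with modified EUI-64 (RFC 4291, Appendix A): flip the universal/local bit
    of the first octet and insert ff:fe between the OUI and the device part."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_eui64(addr: str):
    """Undo the EUI-64 expansion. Returns the MAC as 'aa:bb:cc:dd:ee:ff', or
    None when the identifier does not carry the ff:fe marker (a privacy
    extension address, an RFC 7217 stable-opaque address, a manual address,
    or a random identifier that merely happens to avoid the marker)."""
    iid = interface_id(addr)
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    first = iid[0] ^ 0x02  # restore the original universal/local bit
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addr: str) -> dict:
    """Label one address the way a passive observer could: EUI-64 addresses
    leak a stable MAC whose first three octets are the IEEE-assigned OUI
    (vendor); anything else is opaque."""
    mac = mac_from_eui64(addr)
    if mac is None:
        return {"address": addr, "kind": "opaque", "mac": None, "oui": None}
    return {"address": addr, "kind": "eui-64", "mac": mac, "oui": mac[:8]}


def summarize(observed) -> dict:
    """Aggregate what the ISP side sees inside one /64: how many distinct
    interface identifiers were active (an over-estimate of devices when
    privacy extensions rotate addresses) and which stable MACs were exposed."""
    iids, macs = set(), set()
    for addr in observed:
        iids.add(interface_id(addr))
        mac = mac_from_eui64(addr)
        if mac is not None:
            macs.add(mac)
    return {"distinct_addresses": len(iids), "eui64_macs": sorted(macs)}


PREFIX = "2001:db8:1234:5600::/64"  # constructed customer prefix

# Constructed traffic sample: two hosts using EUI-64 identifiers, plus one
# host whose privacy extensions produced three different temporary addresses.
OBSERVED = [
    eui64_address(PREFIX, "00:11:22:33:44:55"),
    eui64_address(PREFIX, "02:aa:bb:cc:dd:ee"),  # locally administered MAC
    "2001:db8:1234:5600:8d1e:4f2a:9c33:71b0",
    "2001:db8:1234:5600:3b7c:90e1:0d42:a6f9",
    "2001:db8:1234:5600:c05a:17d8:6e2b:f314",
]

if __name__ == "__main__":
    for a in OBSERVED:
        print(classify(a))
    print(summarize(OBSERVED))
```

Running it shows five distinct addresses but only two recoverable MACs: the three temporary addresses belong to a single host that an observer cannot tie together from the address alone, while the two EUI-64 hosts are identifiable by MAC (and vendor) for as long as they keep that address. On Linux the sysctl `net.ipv6.conf.all.use_tempaddr` controls this behaviour (0 off, 1 temporary addresses generated but the public one preferred, 2 temporary addresses preferred); an opaque identifier does not by itself stop an ISP from counting active addresses, which is Peter Green's point.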