
Edit: Since I was asked to edit this, I'll ask about an awfully specific issue. The question was obviously never about information leakage on OSI layer 7, since that wouldn't be a network issue.

I'm going to assume that we have a bad guy sitting in front of the firewall getting all the traffic. I furthermore assume all traffic is encrypted (say TLS).

If we don't NAT, the bad guy is easily able to identify how many devices there are just from looking at the IP addresses. A lot of the devices have clear access patterns which allow one to identify certain gadgets just based on addresses, possibly enhanced with statistical methods using time and request size.

How to avoid telling the bad guy such valuable information without NAT?

Dave M
f384
  • Traffic analysis. Note, for example, on encrypted sound connections it is enough to say what was said. The only defense against it is to generate a large amount of crap traffic. (How about setting up a tor bridge node?) This is independent from IPv6 et al. – peterh Aug 05 '19 at 13:53

1 Answer

Similar IPv6 misunderstandings have been debunked several times in the past, but I'll give it another go.


What exactly leaks via an IP address? Say I access google.com. My v6 address changes randomly every day or so, but say the clever analytics makes the sane assumption that the /64 is (one LAN at) our organization. Traffic is also TLS encrypted, so it's just garbage on the wire. On top of that, hiding the origin ISP and adding another encryption layer is relatively easy by using a VPN. This is much the same security profile as v4.

Randomly generated privacy IPv6 addresses are the default in many stacks, so don't get too anxious about the other methods. MAC address is an already unique-ish identifier available to the networking stack. What else is reasonable to use as a global identifier? An address based on that in a /64 has an extremely small probability of collision. Personally, I'm not super worried about it as an identifier, here's mine: 00-24-1D-1C-D1-0D. Outside my layer 2 network, MAC address is not an easy identifier to retrieve, compared to browser sessions and ad identifiers.

NAT has never been a security feature. You can have a NAT that redirects all IP packets unconditionally to one client, it just rewrites addresses. A firewall defaulting to deny is an entirely separate feature. I don't want a NAT on my IPv6 connection, that just slows it down. Firewall yes, NAT no.

IPv6 address space is large enough for all kinds of experiments. If you want to develop a method for a different address per request, go ahead. I am skeptical of the utility when the smart trackers will look at your v6 prefix, and very smart trackers use browser cookies and not IP address.

If you don't want a host public at all, don't give it a route to the Internet and/or firewall it. If you want to appear from a different service provider, get a VPN.

John Mahowald
  • How can you say that it's just garbage over the wire when I have two clear addresses (one going out and one going in)? – f384 Jul 10 '19 at 20:14
  • And what exactly can you determine from an IP address? The address changes regularly. Its data payload is probably encrypted. – John Mahowald Jul 10 '19 at 20:43
  • I can profile individual devices, which is much easier if the devices stick to an address for several minutes or even hours. I get a pretty clear picture of how many devices there are and what they roughly do, which may allow me to identify certain IoT gadgets as well as differentiate the other systems from each other. – f384 Jul 10 '19 at 21:23
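To make the answer's two points concrete (a MAC-derived interface identifier is a stable identifier, while RFC 4941 privacy addresses rotate but still share the /64 an observer can cluster on), here is an added Python example that is not from the answer or any participant. It derives the modified EUI-64 identifier from the MAC quoted in the answer, generates random privacy-style identifiers, and audits a constructed list of observed addresses; the 2001:db8: prefixes and the observed addresses are made up for the example.

```python
import ipaddress
import secrets

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit MAC."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02                              # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")

def random_iid() -> int:
    """Random 64-bit identifier in the style of RFC 4941 temporary addresses (u/l bit cleared)."""
    return secrets.randbits(64) & ~(1 << 57)

def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with an interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def looks_eui64(addr: str) -> bool:
    """True when the low 64 bits carry the ff:fe marker, i.e. the IID was likely built from a MAC."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def group_by_prefix(addrs):
    """What an on-path observer can still do with rotating addresses: cluster them by /64."""
    groups = {}
    for a in addrs:
        net = ipaddress.IPv6Network((a, 64), strict=False)
        groups.setdefault(str(net), set()).add(a)
    return groups

def audit(addrs):
    """Defender's view: how many addresses per /64, and which ones expose a MAC-derived IID."""
    return {
        "per_prefix": {p: len(s) for p, s in group_by_prefix(addrs).items()},
        "mac_derived": [a for a in addrs if looks_eui64(a)],
    }

# Constructed sample: one host with a stable EUI-64 address, one host seen under two
# privacy addresses on successive days, and one address from a second /64.
OBSERVED = [
    "2001:db8:0:1:224:1dff:fe1c:d10d",   # EUI-64 from the MAC 00-24-1D-1C-D1-0D
    "2001:db8:0:1:8c3a:91f0:2b77:e45",   # privacy address, day 1
    "2001:db8:0:1:5d10:3ee2:77c9:a2b4",  # privacy address, day 2
    "2001:db8:0:2:18f2:4c0d:9a83:7b61",  # a host on another /64
]

if __name__ == "__main__":
    print(make_address("2001:db8:0:1::/64", eui64_iid("00-24-1D-1C-D1-0D")))
    print(make_address("2001:db8:0:1::/64", random_iid()))
    print(audit(OBSERVED))
```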