Replying to Avatar DZC

NATing allow every device in my own network to share the same public IP when accessing internet servers.

Please explain how IPv6 improves that and why do I need it.

🫂
Avatar
Jivan Pal 1mo ago

Sharing the same IP address as other devices doesn't improve usability, it actively hampers it by breaking the end-to-end principle. If you care about using peer-to-peer applications (voice calls, online gaming, torrents, Bitcoin, Nostr, etc.) without requiring the use of middlemen/relays that are publicly reachable over IP (thereby introducing other issues such as natural centralisation pressures and additional latency), then you care about maintaining the end-to-end principle. If you don't care about P2P apps, that's your prerogative, but just know that such an architecture is significantly responsible for the current state of the internet economy (among other things, of course).

It can also actively harm usability by lumping you in with bad actors that happen to be sharing the same IP address as you. What do you do when someone on the other side of your neighbourhood is using the same IP address as you and does something that gets that IP address blocked by a service that you want to use?

Sharing an IP address also doesn't give you any extra privacy, because (1) NAT on a per-household basis still identifies the household, (2) where CGNAT is used, NAT mappings on a per-neighbourhood basis are still logged by your ISP, and (3) the actual endpoints you're communicating with over the internet can fingerprint you using other means anyway.

Reply to this note

Please Login to reply.

Discussion

Avatar
DZC 1mo ago 💬 3

Wait, who said something about usability?

nostr:nevent1qqsqahxr62ym856qkjqafapxq34r0t6h40lx2y2e3e70yn385gt5nhgpzamhxue69uhhyetvv9ujuurjd9kkzmpwdejhgtczyq26l8sz3kuju5x4gchltqm7m9fdgx5mc5s5n77753dlcrwv6lrdjqcyqqqqqqgf8zjrr

Nor I'm saying than NAT by itself is the way to achieve full privacy, but it's just a good thing to have, privacy-wise.

By the way, IPv4 and NAT are not responsible about the internet moving from decentralised protocols to centralised platforms.

'User convenience' and tech companies are much more responsible for that outcome, imo.

Avatar
Jivan Pal 1mo ago

> it's just a good thing to have, privacy-wise.

Please explain why you think this, bearing in mind the reasons that I have already given for why it is not.

> Wait, who said something about usability?

Separately, I am telling you why IPv6 is more useful than IPv4, because you asked what improvements IPv6 provides.

Avatar
DZC 1mo ago

In your own words:

" with IPV6 rather than NAT/CGNAT, endpoints can distinguish different households and users"

🫂

Avatar
DZC 1mo ago 💬 10

Regarding P2P filesharing:

* NAT has not stopped it to happen.

* Moreover, sharing an IP address has protected a P2P user from legal consequences (I'm Spain, at least):

https://www.abogacia.es/en/publicaciones/blogs/blog-de-innovacion-legal/a-vueltas-con-la-ip-y-con-la-pi/

Avatar
Jivan Pal 1mo ago

> NAT has not stopped it to happen.

I never said that it does. But do you care about increased latency, decreased throughput, more centralised points of failure? If so, then you should prefer avoiding the use of relays to facilitate P2P traffic, because relays result in all of these things.

> Moreover, sharing an IP address has protected a P2P user from legal consequences

Such protection/anonymity does not come from address sharing due to NAT, it comes from some combination of network sharing (e.g. at a public place), proxying (e.g. using a public VPN service), and/or local laws restricting access to certain kinds of data/logs. All of these factors being the same, you have exactly the same level of anonymity with IPv6 as with IPv4.

The particular case you cited hinges on the specifics of Spanish Law 25/2007, which states that data such as NAT mappings must be retained by the relevant orgs, such as ISPs, for at least 12 months, and only shared following a judicial order:

> > imposibilidad dada por la Ley 25/2007, de 18 de Octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones, que circunscribe la posibilidad de exigir la identificaci a supuestos de detección, investigación y enjuiciamiento de delitos graves

> > ***

> > impossibility given by Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks, which limits the possibility of requiring identification to cases of detection, investigation, and prosecution of serious crimes

In other words, the crime was not serious enough to legally compel the ISP to disclose the identifying data (the NAT mappings); it did not meet the standard of "delito grave" in Spanish law. In an IPv6 context, it would be the specific IPv6 subnet (address/network prefix) delegated/assigned to the customer by the ISP that the plaintiff would need to know. This identifying data is, again, something that only the ISP and the customer know by default, and would require legal warrant for the plaintiff to obtain. Thus, the outcome of the case should be the same in an IPv6 context.

***

Amusingly, the article highlights a negative point about NAT that I have already mentioned — one user's actions unfairly negatively affecting many other unrelated users due to a subsequent restriction of access to services by the offending IP addresses.

> > Además, aparte de a "nito75" el alcance de la sentencia perjudicará a todos aquellos que usen esa misma conexión a internet.

> > ***

> > In addition, apart from "nito75" the scope of the sentence will harm all those who use the same internet connection.

This would not happen in an IPv6 context, because the offended service can simply block traffic from the particular subnet. In other words, with IPv6 rather than NAT/CGNAT, endpoints can distinguish different households and users but still can't identify them without extra info.

Avatar
DZC 1mo ago

You got me by DoS'ing with too long to answer all of that text, sorry.

🫂

Avatar
Jivan Pal 1mo ago

I can only interpret this as apathy. If you just don't care about latency centralisation, etc , just say so. You're welcome to use whatever you want to use, but if you actually want to have a discussion about whether NAT provides extra privacy or not, you can respond to the points I've made.

Avatar
DZC 1mo ago

You don't get it: it's not about what I or you care about. It's about what it's useful or not.

Laws require ISP to keep logs because NAT works as a privacy tool.

🤷

Avatar
Jivan Pal 1mo ago

> it's not about what I or you care about.

I'm asking whether you care so that I can determine whether it's worth it for me to be talking to you. If you don't care about the benefits of IPv6, then there is no point in me trying to convince you.

I asked again because you said you couldn't respond to something "that long". If you cared, I would expect you to respond to that "long" post. If you don't actually care, then there's no point talking to you about this, so if that's the case, please just say so, so that I can drop this conversation. If you do care about the topic, then please actually read the post and respond to the points if you feel that you have something to say about them.

> It's about what it's useful or not.

IPv6 is useful because it maintains the end-to-end principle in light of the fact that we have so many internet-connected devices. NAT is only useful in situations where address exhaustion would otherwise occur. NAT is not a privacy tool. NAT was not necessary in the dial-up era. NAT is is still not necessary in IPv4 environments with more addresses than devices, such as enterprise/university settings where they have had enough IPv4 addresses since the early days of the Internet that they still don't suffer address exhaustion and thus have no need to use NAT with IPv4.

> Laws require ISP to keep logs because NAT works as a privacy tool.

Those laws don't exist because of NAT. Laws require ISPs to keep equivalent logs even in contexts where NAT is not used at all.

NAT is not a privacy tool. It is not the thing giving you the privacy here. The privacy comes from two things:

1. the pseudonymous nature of the IP address, a property which is just as present without NAT; and

2. the fact that the ISP isn't giving up your identity to anyone and everyone that asks about your IP address. This is a consequence of data protection laws, not of NAT. I said this in the previous post that you said you couldn't respond to because it was "too long".

Let me provide concrete examples to hopefully make the point clear to you: the IP address that I'm sending this post from is 2a02:6b6f:fc22:4c01:211c:b02a:a4f1:266e. My ISP owns the prefix 2a02:6b6x, assigns 2a02:6b6f:fcxx to my neighbourhood, and assigns 2a02:6b6f:fc22:4cxx to my household. However, that household-level assignment is subject to change, and so e.g. tomorrow I may be given 2a02:6b6f:fc48:a9xx instead. As such, the ISP must log the fact that they assigned "22:4c" to me one day, and "48:a9" to me the next day, so that if they are served a warrant asking them to identify which household was the source of packets using address 2a02:6b6f:fc22:4c01:211c:b02a:a4f1:266e, they can actually answer that request.

This is absolutely no different from the case where the adversary's query is instead, "we saw packets coming from address 193.164.21.152 at time X. Which household did these originate from?" My ISP's use of CGNAT means that this address is used by the entire neighbourhood, just like the IPv6 prefix 2a02:6b6f:fc22:4cxx, but this doesn't affect the nature of the query, nor the nature of the information that the adversary has before making the query. The only difference is that with IPv6, the "22:4c" or "48:a9" data can also be seen publicly, but this isn't useful alone in identifying me; it doesn't compromise my privacy in any way.

The exact same is true if the ISP were not using CGNAT for IPv4, but just a single layer of NAT: the adversary can still see the pseudonym of the household in the address of packets that they received, e.g. if the ISP owns 192.0.2.16/28 and delegates 192.0.2.20 to my household, then the adversary sees packets coming from 192.0.2.20, but still doesn't know what household those packets came from until the ISP tells them. Their query to the ISP would also be identical: "we saw packets coming from address 192.0.2.20 at time X. Which household did these originate from?"

***

So please, tell me: in your view, what is the actual *practical* difference, if any, when NAT is used vs. when it isn't used? What actual aspect of your privacy is compromised without NAT, but retained or gained with NAT? How is the actual set of possible effects on you any different in either circumstance? You keep saying NAT "works as a privacy tool because you share an address with other people", but *how* do you think that address-sharing actually aids in keeping you private/unidentified compared to no NAT?

Genuinely, I want to know your reasoning here, but you haven't provided any reasoning in light of what I've told you about the nature of networks without NAT, so currently there's literally nothing for me to argue against. You're just saying "but I share a address, therefore I have more privacy." I tell you, "no, that's wrong, and here's why," but then you just repeat, "no, address sharing gives me privacy." That's a completely unfounded statement on it's own. You need to tell me what the tangible privacy benefit that you see actually is, because I don't see any.

Avatar
DZC 1mo ago 💬 3

Thank you for four time and passion.

But you've completely DoS'ed me.

As I told you before, there's no way for me going through all that text answering every point.

Thanks again for your time and have a nice day.

🫂

Avatar
Jivan Pal 1mo ago

Then I guess there is no way for you to understand that NAT is not a privacy tool. 🤷🫂

Avatar
DZC 0mo ago

You love to have the final word, don't you?

Avatar
Jivan Pal 0mo ago

I could say the same to you and it would be just as incorrect. No, I just like it when people actually engage with genuine questions and arguments rather than completely ignoring them. Could you tell me how NAT actually improves your privacy compared to no NAT?

Avatar
DZC 1mo ago

"This would not happen in an IPV6 context, because the offended service can simply block traffic from the particular subnet. In other words, with IPV6 rather than NAT/ CGNAT, endpoints can distinguish different households and users"

That's the point: NAT allows "mixing users behind a common IP".

If you can not be distinguished from other users, that's privacy.

Avatar
Jivan Pal 1mo ago

You misunderstand my use of "distinguish" there. Even with IPv4, you can already be distinguished from other users when it comes to your identity/fingerprint, because such fingerprinting doesn't come from IP metadata, but from application-layer data. However, filtering based on this requires deeper packet inspection, which is more resource-intensive.

With IPv6, endpoints can distinguish your IP packets from those of other users/households based solely on the IP address. That doesn't increase or decrease your privacy in any way; they still don't know *who*, only *what*. The only thing an endpoint gains from this is the ability to more selectively block/filter packets based on IP address alone. That's good for both you and the endpoint, not bad.

In other words, you have no good reason to think that distinguishing household A from household B, whilst still not knowing anything more specific about A and B, such as their street addresses, is harmful to privacy. Or at least, so far, you have failed to convince me that this actually harms your privacy. Perhaps you could give a concrete example of where this would be the case?

Avatar
DZC 1mo ago

Sorry, butI didn't misunderstand anything, in any case you didn't explain yourself properly. If you didn't want me to read it as "distinguish", maybe don't use that word.

And I also didn't failed to convince you of anything. I'm not trying to do that actually.

You are already completely convinced that you have the right opinion here.

I'm old enough to know that when people argue on the internet with the dedication that you're showing here, they don't want to be convinced, but they want to be right.

Anyway, if fingerprinting a device were enough, and knowing the final IP were of no use, there wouldn't be forcing the ISPs to keep one year of logs.

🫂

Avatar
Jivan Pal 1mo ago

"Distinguish" means "tell two things apart", e.g. one household from another. It doesn't mean "identify".

Fingerprinting is likewise a means of distinguishing, but not necessarily identifying. The need for law enforcement to identify is where the need for the logs arises.

I assure you that I don't care about whether I'm right, I just care about the reasoning and what the correct conclusion is. If being willing to engage in discussion about something comes across to you as wanting to be right, that's just your personal inference.