
I vastly prefer CGNAT to IPv6, because CGNAT preserves my privacy by default, and IPv6 eliminates it by default. It’s that simple.

While it’s possible for an ISP to unmask me on CGNAT (Verizon and AT&T did in the early smartphone days)- and it’s possible for an ISP to NAT/Wildcard my IPv6 address for privacy - it’s the default in 99% of the cases; and I prefer default privacy to the ability to be directly addressable at home.




Well, I'm inside a CGNAT. It's like living in an apartment building with 20,000 other families. Maybe it's all fine when everything is normal, but one day, the water pipe on the top floor might burst while no one is answering the door.

It is true that a NAT could give you some privacy, but the downside is also very obvious. For example, your network neighbor might rub some service the wrong way, and then the service ends up sanctioning/banning the shared NAT exit.

Then, you might be thinking, "just use a smaller CGNAT then". Well, then a smaller CGNAT will allow the website to track you more easily.

If I really really don't want to be tracked, I'd rather use Tor.


In order to ban an IPv6 client one must ban the entire /64 network due to address randomization. So you still get banned.


In that analogy, the /64 is their specific apartment, not the whole building. That is, they wouldn't get banned for something their neighbor did, because their neighbor would be in a separate /64.

That is, the whole /64 is equivalent to the single IPv4 address they have in their home router, not to the CGNAT which combines several home routers into a single IPv4 address.
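As an added illustration (not from any commenter in this thread) of keying bans on a prefix rather than a single address: a small Python reputation-key helper that collapses an IPv4 client to its /32 (which, behind CGNAT, is the whole shared pool) and an IPv6 client to its subscriber /64. The /64 is a policy knob, since some ISPs delegate a /56 or /48 per home; the client names and addresses below are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Prefix length treated as "one subscriber" for IPv6. /64 is the usual
# on-link allocation, but some ISPs delegate a /56 or /48 per home, so this
# is a policy knob for the reputation system, not a property of the address.
IPV6_SUBSCRIBER_PREFIX = 64


def reputation_key(addr: str, v6_prefix: int = IPV6_SUBSCRIBER_PREFIX) -> str:
    """Collapse a client address into the unit a ban or rate limit applies to.

    IPv4: the single address (behind CGNAT that is the whole shared pool).
    IPv6: the subscriber prefix, so SLAAC privacy addresses in the same /64
          share one key and cannot evade a ban by rotating the host bits.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d as seen on a dual-stack socket
    if ip.version == 4:
        return str(ipaddress.ip_network(f"{ip}/32"))
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class PrefixBanList:
    """Ban list keyed on reputation_key(); also records who else shares each key."""

    def __init__(self, v6_prefix: int = IPV6_SUBSCRIBER_PREFIX):
        self.v6_prefix = v6_prefix
        self.banned: set[str] = set()
        # key -> constructed client identities observed behind it
        self.seen: dict[str, set[str]] = defaultdict(set)

    def observe(self, addr: str, client_id: str) -> None:
        """Record which (constructed) client identity was seen behind an address."""
        self.seen[reputation_key(addr, self.v6_prefix)].add(client_id)

    def ban(self, addr: str) -> str:
        """Ban the whole reputation unit the address belongs to; return the key."""
        key = reputation_key(addr, self.v6_prefix)
        self.banned.add(key)
        return key

    def is_banned(self, addr: str) -> bool:
        return reputation_key(addr, self.v6_prefix) in self.banned

    def collateral(self, addr: str) -> set[str]:
        """Everyone observed behind the same key, i.e. who a ban on addr also hits."""
        return set(self.seen[reputation_key(addr, self.v6_prefix)])


if __name__ == "__main__":
    bl = PrefixBanList()
    # CGNAT: three constructed subscribers share one public IPv4 (203.0.113.5)
    for sub in ("alice", "bob", "carol"):
        bl.observe("203.0.113.5", sub)
    bl.ban("203.0.113.5")
    print("CGNAT ban also hits:", bl.collateral("203.0.113.5"))
    # IPv6: alice rotates host bits inside her /64, bob has his own /64
    bl.observe("2001:db8:1::abcd", "alice")
    bl.observe("2001:db8:2::1", "bob")
    bl.ban("2001:db8:1::abcd")
    print("alice's next privacy address banned:",
          bl.is_banned("2001:db8:1:0:dead:beef:cafe:f00d"))
    print("bob banned:", bl.is_banned("2001:db8:2::1"))
```

The design choice to note: the IPv6 key is chosen by the operator, and it is exactly the thread's apartment analogy in code. Choosing /64 hits one subscriber; choosing /32 would hit the whole ISP, which is the CGNAT situation reproduced on IPv6.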


on what firewall platform/s does this restriction exist? asking genuinely as i admit that i may be the one out of the loop on this.


this is a real downside of ip reputation systems


Ding ding ding. IPv6 doesn't solve this problem either because not all malicious activity from a given IP address is guaranteed to be conducted with the knowledge or consent of the folks paying for the connection anyway.

There should only ever be discrimination against traffic, not against addresses. Addresses should not be presumed to be fixed, and it should therefore never be assumed that seeing the same client IP twice means it's the same end user.


ding ding. your last sentence hit the mark. though from an operations/defensive perspective it often makes sense


It's something I had said before in another thread, but oh well... Here goes again:

The so-called privacy preservation of CGNAT is a double-edged sword. Other websites can't track you; simultaneously, that also means other internet users can't reach you.

The most obvious consequence is that to host a server, you must purchase a VPS or rent a public IP address from your ISP, and the price for a public IPv4 address is getting higher and higher.

The less obvious consequence is that you're giving up control to the VPS providers (and other centralized services). Does your VPS provider allow you to host Tor services? Run BitTorrent?

It's rather ironic that people on HN, a website whose name literally includes the term "hacker", would support things like CGNAT which hurt hackers/hobbyists/"privacyists" the most.


To each their own. Want to be reachable? Use IPv6. My privacy is more important to me than being directly reachable.


If you think privacy can be achieved using CGNAT and not services like Tor or VPNs... then good luck.

I will be blunt: Long term, IPv4 and any technology that extends the lifetime of IPv4 will actually result in the death of online privacy.


I do a lot to preserve my privacy.

The CGNAT makes it impossible for random websites to correlate my actions among them - which is something they try to do while profiling me. It is, as you point out, useless against state actors and similarly funded-and-legally-equipped bodies; For those, you indeed need Tor and VPN and likely that's not enough even then.

But I care about the civilian "spies" following me; like Facebook, Google, Microsoft, and friends. I use as little of their services as possible, with ad blockers, a restrictive JS policy, ultra restrictive cookie policy, etc. It's unlikely any of them can correlate me with the other (or with myself from yesterday, for many uses). Giving me an externally imposed unique identifier (and a /64 prefix is just that, regardless of randomizing the remaining bits) makes it trivial for them and impossible for me -- unless I do all my browsing through Tor or something like that.

For the record, I have no proper FB or G account, but cannot avoid Whatsapp and an occasional Google product.

> I will be blunt: Long term, IPv4 and any technology that extends the lifetime of IPv4 will actually result in the death of online privacy.

Can you explain why you believe that? To me it sounds like baseless scaremongering.


>Can you explain why you believe that? To me it sounds like baseless scaremongering.

One word: centralization.

As we have seen throughout the years, all means of IPv4 lifetime extension have involved the introduction of state, which is bound to a central node. The HTTP/1.1 Host request header allowed the existence of reverse proxies, the invention of NAT allowed routers to no longer be "just" a dumb packet forwarder. Both technologies are involved in state tracking.

NATs also destroyed the possibility for any two nodes on the Internet to communicate with each other directly, unless workarounds like port forwarding are used. This means that all messages on the Internet must go through a central server, where there can be malicious actors sniffing your traffic. Remember Mark Zuckerberg's infamous "they trust me"? [0]

But it was still somewhat manageable during the early 21st century, when free IPv4 addresses were available. Most people had only one layer of NAT (in their routers) which they owned and controlled back then, so P2P was still mostly doable, and services like Skype relied on that. Life went on.

Fast forward to the 2010s, we ran out of IPv4 addresses. CGNATs were starting to be widely deployed so even port forwarding had become impossible. P2P communications ceased to work. Virtual hosting was now ubiquitous. TURN was invented, which of course increased centralization even more. [1] Since central servers have to carry even more traffic now (back then they merely mediated the communication between two nodes behind NAT, now they have to relay the entire traffic), it had become more costly to host web services, increasing the barrier to entry.

In the 2020s, people can no longer host servers inside their homes, many have come to rely on centralized technologies or services e.g. VPSes for that purpose. By now, we have mostly given up on peer-to-peer, and moved onto "federation" where we have a web of central servers that clients can connect to -- in the end though, a central server is still a central server that you have to implicitly trust, and some admins of the Fediverse had been discovered performing suspicious activities.

Perhaps I worded my thoughts too strongly in my previous comment, but the trend of centralization is there and continuing. Your own comment has alluded to that fact. Time has shown repeatedly that privacy never fares well under centralization.

The thing is, the Internet as a whole doesn't have to go down this route, had we simply moved onto IPv6 and restored end-to-end communication. Then P2P is possible again. [2] It's IPv4 and its lack of address space that created an environment where people expect there to be a central node. It's just the natural consequence of the statefulness of IPv4-extending technologies like NAT and CGNAT.

Oh well, CGNAT preserves privacy, so they say.

[0]: https://en.wikiquote.org/wiki/Mark_Zuckerberg

[1]: https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_...

[2]: https://github.com/realrasengan/dwebchat


Thank you for the elaboration.

I disagree it’s the limited IPv4 address space that promotes centralization, which seems to be the essence of your thesis.

Incumbents and laziness promote centralization. First, people stopped hosting email because gmail (and friends) were free. Now, it’s become hard regardless of whether you own a pristine IPv4 or not - because msft+goog+amzn+etc make it hard, and effectively own email.

I don’t see how the IPv4/CGNAT/IPv6 thing is related. To be decentralized, we need thousands of directly addressable nodes (which IPv4 even today easily and cheaply provides), not that every single node be addressable.

We might just agree to disagree.


It's a fact that with NATs, many nodes are hidden from the Internet -- it's in fact how it works. The only way for two hidden nodes to communicate with each other then, is through a central service. And the hiddenness (statefulness) is what caused you to think that CGNAT provides privacy.

So, in essence, you are already believing in my thesis! There's no agreeing nor disagreeing here, we are effectively on the same page but looking at the different sides of it.

As a side note, the early internet had a lot of P2P phenomena, Napster etc were all based on the technology, but we don't see them nowadays except maybe BitTorrent. The entire Web 2.0 (so GOOGL, AMZN, etc) was built on the already-existing expectation that there is a central node somewhere.


What kind of privacy are you getting with CGNAT? ISPs and websites can still track you.


>CGNAT? ISPs and websites can still track you.

Yes, ISP's can still track but the other websites-that-are-not-the-ISP that depend on logging unique ip addresses for tracking can't identify you behind a CGNAT. My previous comment about how CGNAT can be another layer of privacy for things like torrents: https://news.ycombinator.com/item?id=38176079

EDIT reply to : >Sure except for the like 800 other metrics they use to track you besides IP lol. Advertisers

Yes, browser fingerprints and "device behavior" heuristics etc demonstrated at https://amiunique.org/ and https://fingerprint.com/blog/browser-fingerprinting-techniqu... ... also exist but that's not what my reply was about.

My comment was specifically talking about those websites that depend on ip addresses and not fingerprinting. Examples are torrent trackers, torrent honeypots, and Wikipedia articles' edits history where their server logs keep track of ip addresses instead of browser fingerprints. CGNAT will make users more anonymous in those situations. Lawsuits and subpoenas from RIAA and movie studios against torrenters for copyright infringements were filed against ip addresses and not browser fingerprints.

As for Google/Facebook sophistication levels of browser fingerprints tracking and surveillance, I'm not so sure how paranoid I should be about it because they still think I'm in Idaho because I happen to open my laptop in a hotel one time there 10 months ago.


No one “depends” on IP addresses. Wikipedia could very easily (and likely does) use browser fingerprints for some things. They don’t serialize to something human-readable, though, so I wouldn’t expect them to appear anywhere but debug interfaces.

IPs haven't been a viable way to ban or identify people since the early 00's. For sure with the launch of AWS, and the ease of swapping IPs there. It's been laughably easy to swap source IPs on requests for at least a couple of decades.

I think the only people you’re getting privacy from is people who didn’t really care enough to invade it in the first place.


>No one “depends” on IP addresses. Wikipedia could very easily (and likely does) use browser fingerprints

One of the tools Wikipedia gives admins to protect pages from vandalism/abuse is ip address blocks and not browser fingerprints: https://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresse...

>IPs havent been a viable way to ban or identify people since the early 00’s.

You are factually wrong. Copyright holders have successfully won lawsuits as recently as 2023[1] by starting the process via subpoena of ip addresses from ISPs. The steps are:

1) obtain the ip addresses of anonymous users torrenting your intellectual property. (Because the studios monitor torrent trackers for ip addresses.)

2) Connect a real name to that ip address by having a court subpoena the ISP to reveal the owner of the ip address. If the ISP subscriber on the account is not the actual infringer, ask the owner of the account (via a court deposition) to further identify the actual user (e.g. a spouse, a roommate, etc)

3) get a financial settlement or judgement against that person

That type of identity unmasking doesn't happen with CG-NAT or other shared NAT scenarios like libraries/airports because the torrent trackers logs only have granularity of ip addresses which is useless when a thousand people share it.

[1] April 2023: defendant loses $27016.25 in lawsuit via ip address unmasking: https://casetext.com/case/strike-3-holdings-llc-v-john-doe-s...


Telecom operators have admitted to being able to identify people through CGNAT since at least 2015 https://torrentfreak.com/pirates-can-be-identified-despite-s...

You just have to have the source port as well as IP instead of just the IP (which the MPAA et al surely gather). CGNAT is basically just port-based DHCP; it still has to keep an inventory of what ports are available, practically requiring the ability to tell who was using what port at what time.

Even from a first-principles perspective, if they can't identify subscribers for relatively benign things like piracy, they also can't do it for something like CP. Those logs 100% exist, if only so the telecom has something to turn over when the FBI comes looking for pedophiles.

> One of the tools Wikipedia gives admins to protect pages from vandalism/abuse is ip address blocks and not browser fingerprints: https://en.wikipedia.org/wiki/Wikipedia:Blocking_IP_addresse...

And yet that very tooling will detect if a hard-blocked user tries to log in from a new IP address and block that new IP address. It's almost like IP address blocking doesn't work very well...

You're of course free to do what you want, but it seems naive to me to assume that anyone operating even a moderately popular site isn't browser fingerprinting. Even if the site isn't, CloudFlare will if they use CloudFlare (and I wouldn't be surprised if other CDNs).
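To make the source-port point concrete, here is an added example (not from the linked article or any commenter) of the lookup an ISP would run against a CGNAT port-block log: with public IP and time only, the answer is a set of subscribers; with public IP, source port and time, it is a single lease. The log records, subscriber names and the fixed port-block format are constructed for the example; real CGNAT logging formats vary by vendor.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class PortBlockLease:
    """One CGNAT port-block assignment, as a log record (constructed format)."""
    subscriber: str      # account identifier the ISP can name under subpoena
    internal_ip: str     # RFC 6598 (100.64/10) address on the subscriber side
    public_ip: str
    port_lo: int
    port_hi: int
    start: datetime
    end: datetime        # exclusive


def ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC (NAT logs and tracker logs must agree on a clock)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample log: alice and bob share 203.0.113.5 at the same time,
# and alice's port block is reassigned to carol after alice disconnects.
NAT_LOG = [
    PortBlockLease("alice", "100.64.0.10", "203.0.113.5", 40000, 40999,
                   ts("2023-04-01T10:00:00"), ts("2023-04-01T12:00:00")),
    PortBlockLease("bob",   "100.64.0.11", "203.0.113.5", 41000, 41999,
                   ts("2023-04-01T10:30:00"), ts("2023-04-01T18:00:00")),
    PortBlockLease("carol", "100.64.0.12", "203.0.113.5", 40000, 40999,
                   ts("2023-04-01T12:05:00"), ts("2023-04-01T16:00:00")),
]


def subscribers_behind(public_ip: str, at: datetime, log=NAT_LOG) -> set[str]:
    """What a tracker log holding only an IP and a timestamp can yield: a set."""
    return {r.subscriber for r in log
            if r.public_ip == public_ip and r.start <= at < r.end}


def identify(public_ip: str, public_port: int, at: datetime,
             log=NAT_LOG) -> Optional[PortBlockLease]:
    """Public IP + source port + time resolves to exactly one lease, or none."""
    hits = [r for r in log
            if r.public_ip == public_ip
            and r.port_lo <= public_port <= r.port_hi
            and r.start <= at < r.end]
    if len(hits) > 1:
        # A well-formed CGNAT log never double-books a port; treat it as corrupt.
        raise ValueError(f"overlapping leases in log: {hits}")
    return hits[0] if hits else None


if __name__ == "__main__":
    seen = ts("2023-04-01T11:00:00")
    print("IP+time only:", subscribers_behind("203.0.113.5", seen))
    lease = identify("203.0.113.5", 40100, seen)
    print("IP+port+time:", lease.subscriber if lease else None)
    later = ts("2023-04-01T13:00:00")
    lease = identify("203.0.113.5", 40100, later)
    print("same port two hours later:", lease.subscriber if lease else None)
```

The two things the example surfaces: the port alone is not enough either, because the same block is handed to a different subscriber once it is freed, so the timestamp has to be precise and on the same clock as the NAT log; and a tracker that recorded only the IP gets back a list, not a name.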


Yes, CGNAT can't give you any protection against state actors.

But if you are NOT under criminal investigation, having an IPv6 lets every single server on earth know who you are so they can correlate and profile you. That's happening with or without IPv6 of course, but is much less reliable through CGNAT - and essentially useless through a CGNAT if you have proper fingerprinting/cookie/js/3rd party protection. But if you HAVE IPv6, there is nothing you can do to remain anonymous except e.g. Tor.


My symmetric NAT seemingly assigns a random port for every UDP packet. At least that's what I see from STUN servers.


I got kind of curious how UDP works with CGNAT, and in my travels I found this on the Wikipedia page [1]:

> STUN does not work with symmetric NAT (also known as bi-directional NAT) which is often found in the networks of large companies. Since the IP address of the STUN server is different from that of the endpoint, in the symmetric NAT case, the NAT mapping will be different for the STUN server than for an endpoint. TURN offers better results with symmetric NAT.

Not sure if that's related or if you're even having issues, but figured I'd drop it since I found it.

As for the privacy aspect, are you CGNAT'ed? My understanding is that bidirectional UDP streams generally don't work with CGNAT unless your ISP adds a proxying service that can construct "sessions" out of those packets. E.g. for DNS, you can proxy it across the CGNAT by having the DNS proxy record the transaction ID and the internal IP/port that requested it, and then looking for that txid in UDP packets coming to the DNS relay to forward it.

The solution I usually see for getting UDP across CGNAT is TURN, but then you're making a TCP connection which can be tracked by port easily.

I just can't see any way for an ISP to proxy UDP packets without knowing which subscriber they're going to. It seems like trying to make a router route without any routing tables; I just don't see how your ISP can forward that packet to you without knowing it's going to you.

[1]: https://en.wikipedia.org/wiki/STUN


Sure except for the like 800 other metrics they use to track you besides IP lol. Advertisers don’t need your ip to track anymore


For many people, that’s true. But not for those who care. The other metrics are under my control, and I actively scramble them to uselessness. An IP address … I can’t do much about.


You can have a different IPv6 every minute if you like. They are plentiful! Maybe have a fixed one for your web server too.


That different IPv6 will still identify the subscriber, because it will have a shared prefix, usually statically allocated by the provider.


That shared prefix would be no worse than a shared IPv4. Unless the shared prefix is per user and immutable.


For every ISP serving my area, it is indeed a "per customer, immutable" prefix. IIRC, some have a 96-bit prefix, some have a /64, but that's the kind of thing that a "maxmind" style database of prefix length per isp lets you nail down easily -- if those databases don't already exist today, they will soon.

It's easier for the ISP to do it that way.


they both suck for me. i can't port forward any IPv4, and Verizon blocks any incoming IPv6 on their side


Instead of port forwarding for IPv4, couldn't you use that Cloudflare service tunnelling thing?


rock and a hard place

both seem to be political problems rather than technical ones


But how do you host services through CGNAT though?


You can’t. When my ISP switched me to CGNAT, I spent days upgrading everything to IPv6, only to discover that gmail didn’t even support it! (Mail Server to mail server, not the web app) I gave up, asked my ISP IPv4 back and, fortunately, got back a new IPv4. But I fear the day that option will disappear…


What year was this? While I can't find a source I believe Gmail has supported IPv6 for sending and receiving since the World IPv6 day back in 2011. I've certainly been doing it since 2017.

Your issue might be rather that Gmail actually enforces all their guidelines on IPv6 instead of silently degrading your reputation behind the scenes like they do for IPv4. So proper RDNS, SPF and DKIM are table stakes with DMARC and MTA-STS strongly recommended.


This was maybe three or four years ago. That might be it. I lack rDNS but I have everything else. Except for MTA-STS, I'll check that out


Yeah, rDNS is a hard requirement for IPv6. I believe you should get a hard reject for missing that with a pointer to the documentation.


My mail server has been known to deliver mail to Gmail using IPv6 if I don't tell it not to. Not sure if Gmail will use IPv6 for incoming mail though.


By and large, you don't. I suspect beagle3 cares more about the privacy aspects than hosting a service from their home.

There are some tricks for hosting through CGNAT, if you have a server on the outside.


either by paying a few bucks for a vps with static v4 or try techniques like "nat hole punching" to keep the cgnat statemachine happy. but tbf it isn't meant to


> but tbf it isn't meant to

Then it's not internet. Internet means there is no distinction between "servers" and "clients", everyone is a peer.

If you can't host things, you don't have internet. You've just got a modern version of MSN/BTX/Telex/whatever


how it started, how it's going.

billions of ppl access the internet thru nat everyday, i'm glad it exists and also happy for alternatives


>billions of ppl access the internet thru nat everyday

A caveat is that a lot of people are knowingly or unknowingly relying on things like UPnP and NAT-PMP to have services operating normally under NAT. That conveniently masked a lot of the issues with NAT in P2P use cases such as online gaming and torrenting.

Unfortunately, even that is broken under CGNAT.

The more layers of NAT you put on your connection, the more things you break.


interestingly, i religiously disable upnp/pmp on all residential cpe's that i configure due to its glaring security implications. never heard of a problem

though i do defend v4-nat internet as the way it was meant to be, being jailed behind a cgnat w/o repercussions would push me to another isp.


In gaming communities e.g. Minecraft you regularly get people asking for port forwarding related questions. Some gamedevs automate that process using UPnP, I believe Eve is one of them.

Neither solution works for me though, as someone whose IPv4 connectivity is behind a CGNAT.

ALL ISPs in my country have deployed CGNAT so there's no "changing ISP" for me either. IPv6 is the only solution left unless I want to pay a premium to get one of those public IPv4 addresses. Really, single-layered IPv4 NAT can't last forever. The address space of IPv4 is simply too limited.


the push of p2p comms in gaming was never a good idea, but i can totally see how it was sold. apart from that i don't know why any game would need incoming connections.

the upnp cargo cult in gaming is real though, despite the prevalence of cgnat.

i agree that you should have choice but am not yet ready to accept that ~11B ppl cannot manage with ~3B addresses given the typical ratio of users per v4 with nat.


Using "11 billion" as an estimate of total needed addresses is a bad idea (TM).

Both sides of the internet (provider and user) need an IP address. An average human may possibly require two or more addresses simultaneously (phone, laptop, office PC, and maybe IoT) in the future. And internet infrastructures like routers and managed switches, although never visible to the end users, need an IP address for themselves too. And don't get me started on containerization.

Furthermore, there are internal networks running out of RFC1918 addresses to use so even internal IPv4 has a real limit. Comcast is one of them, T-mobile is another. I believe Facebook moved to IPv6-core because of this too.

People constantly find new ways to use more IP addresses. 4.3B is just too small, even with NAT.

The fact that we are deploying CGNAT everywhere should have made that obvious enough.


10/8 routinely being too small and overlapping is a real good reason to use v6 instead


if you're a privacy by-default kinda guy—then regrettably you must live in a lonely, lonely world. how do i get there?

at least i have my edge firewall until you let me know.


I live in a very social, active, healthy world.

Indeed, I don't have "friends" on Facebook / Instagram (I don't use those) - I talk to friends on the phone, meet them in person, we have message groups on various services.

Some of my friends do post on Facebook or Instagram; but they let me know personally if there's anything important I should know.

I'm a privacy-by-default kind of guy, yes.


you're a privacy by-default kinda guy because you don't maintain any 'traditional' 'social media' accounts i guess you mean to say? that's a somewhat random notion and not entirely relevant as social media is about the lowest hanging fruit any of us could conjure.

so you believe yourself to be privacy-minded, yeah. i had already gathered that much. my point was that there's all but no such thing and typically merely only the illusion of 'privacy by-default'—hence the lonely, lonely world in which you could only claim to live.


I fail to understand your perception in which I am lonely just because I don't leave breadcrumbs everywhere for state and commercial actors (whose interests don't align with mine) to find.


i don't think you're lonely. i was simply employing sarcasm to suggest that maybe the private world you merely believe yourself to live in doesn't actually exist. not for any of us, myself included.

we're definitely replying past each other a bit. i now realize after seeing a few of your other comments throughout this thread that your opinions surrounding personal privacy are much more aligned with my own than i think your opinions on CGNAT represent.

thanks for the discourse no less.


> because CGNAT preserves my privacy by default

This comment. Every single time. No it doesn't. NAT doesn't add privacy. NAT doesn't add security. Use a firewall with IPv6. This is it.


You are wrong, and I say that as someone who was employed by someone who (likely) invaded and still invades your privacy through a firewall and IPv6.

Modern firewalls do nothing for privacy. IPv6 eliminates your ability to maintain your privacy.

Security is a different matter, and NAT doesn't add much there (although it is another layer). But the comment you quoted was specifically about privacy.


Even though you're right, privacy is quite irrelevant in this case anyway. If no one can walk through the door, your personal space cannot be violated. If you want to hide your IP use VPN. You essentially should not rely on things out of your control, such as CGNAT. But yeah, I agree, I should have mentioned security, only.


My threat model excludes state actors and my ISP actively collaborating with those who try to profile me. Thus, CGNAT - which I already get, is comparable to VPN (better in some respects, worse in others).



