I don't care if users see "my" IPv4 because CGNAT. I think I don't care if they can see my IPv6 because each machine gets a /64 to itself, that's the logic, right?
But my PBX and my Matrix server both use coturn. Our 10-user "private" PBX we have to VPN into a FortiGate in a DC to use, but to my understanding, there's literally no way to eavesdrop on those calls without already compromising the server it's running on, and if that's the case, no extra VPN steps or whatever will help.
Anyhow, even with a real, publicly routable IP, stock Windows 11, stock macOS (used to be true), and most Linuxes won't get compromised by stuff like Back Orifice or whatever else L0pht put out as "remote administration tools". That is, there usually aren't any listening ports on a public IP these days. Shield's Up!
> I think i don't care if they can see my ipv6 because each machine gets a /64 to itself, that's the logic, right?
I suspect you're looking at that wrong.
It's each internet connection that gets a /64, not each machine. Your ISP hands you a /64 and you can do whatever you like with it on your home (or corporate) network.
So you can choose from 18 thousand trillion IPv6 addresses for any machine behind your ISP/internet connection, but the top half of your IPv6 address uniquely identifies that ISP, and they can connect that to your account/payment details, with 4 billion times as much precision as an IPv4 address.
> to my understanding, there's literally no way to eavesdrop on those calls without already compromising the server it's running on
That's probably correct (with the caveat that I suspect NSA/FSB/MSS/Mossad/whoever can reasonably be assumed to have backdoored Fortinet).
There is still the problem that an attacker with "global passive observer" capabilities (which almost certainly includes most non-3rd-world nation states, and probably a few of the more problematic 3rd-world ones too) can still do traffic analysis to uncover your social network (or criminal/terrorist/whistleblower/journalistic network) by identifying the call traffic endpoints.
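To make the /64 point concrete, here is an added example (not code from either commenter) that splits an IPv6 address into the ISP-assigned routing prefix and the host-chosen interface identifier. It uses a documentation prefix and a made-up MAC as constructed sample values, and shows that a host picking its bottom 64 bits at random still shares the same subscriber-identifying top 64 bits, while a host using the older EUI-64 scheme additionally leaks its MAC address.

```python
import ipaddress

# Constructed sample values: a documentation prefix standing in for the
# /64 an ISP delegates to one subscriber, and a made-up MAC address.
ISP_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface id (RFC 4291, Appendix A) that a host
    derives from its MAC when privacy extensions (RFC 4941) are off."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle and flip the universal/local bit.
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def address_in_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 routing prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte interface id")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def routing_prefix(addr: str) -> str:
    """Top 64 bits: the part the ISP (and any on-path observer) can tie to
    the subscriber, whichever host bits the machine chose for itself."""
    return str(ipaddress.IPv6Network(f"{addr}/64", strict=False))


def mac_from_eui64(addr: str):
    """Recover the MAC if the host part carries the EUI-64 ff:fe marker;
    None means the bottom 64 bits do not obviously encode hardware identity."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    eui = address_in_prefix(ISP_PREFIX, eui64_interface_id(SAMPLE_MAC))
    rnd = "2001:db8:1234:5678:4f3a:9c21:e0d7:1b66"  # constructed random iid
    for a in (str(eui), rnd):
        print(a, "->", routing_prefix(a), "mac:", mac_from_eui64(a))
```

Both addresses map to the same `/64`, which is the value the reply above says the ISP can link to an account; only the EUI-64 one also hands over the MAC.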