alt Hacker News> Anonymity-by-crowd is the point
Only for IP based trackers. Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you through a variety of fingerprinting techniques. This includes if you use private browsing sessions, and even qubesOS. You get a fuzzy feeling doing the things you do (and I do these things too), but that battle is lost.
> NAT + default-deny inbound is simple, effective security … That's a concrete property I get for free
Depends on your definition of “free”. Is it cheaper to lookup just a connection state table, or is it cheaper to look up both a connection state table and a NAT table?
> IPv6 adds configuration surface I don't want … More features means more things to audit, understand, and misconfigure.
100% agreed. More complexity, more attack surface, more things to go wrong.
> I already solved "reaching my own stuff" without global addressing … It's better than being globally routable.
I do something like this too. It’s more private and more secure. It adds more complexity, and it restricts my ability to access things from terminals I don’t personally own & control unless I create another exposed vector though. “Better” is subjective based on metrics being optimised for.
> IPv6 wasn't designed as "IPv4 with more bits." It was designed as a reimagining of how networks should work: global addressability as a first-class property
Apologies, but global addressability as a first-class property is exactly how the internet was designed. NAT was originally deployed as a hacky add-on to temporarily alleviate the lack of addressing space in IPv4 until a successor could resolve that.
That said, the internet of the 90s was a very different beast to the internet of today. A lot of your concerns and perspective is absolutely valid and extremely reasonable given the internet of today.
> "It serves my goals better than IPv4" is the bar, and IPv6 doesn't meet it. Never has, never will … Want me to adopt a new addressing scheme? Give me a new addressing scheme, don't impose an opinionated routing philosophy on me.
IPv6 can absolutely be configured in ways that just gives you a new addressing scheme and does away with a lot of the other complexity. You’re just very much straying off the happy path, removing complexity by introducing … other complexity.
FWIW, I’m operating my home networks much the same way you do. I’ve also been dual stacking networks since the 2000s. Things have come a long way since the original pure-dogma introduction of ipv6.
Replies
Thank you for the thoughtful response.
To be fair about fingerprinting, there's no such thing as "bulletproof", but I do have a pretty robust setup. DNS level ad and tracker blocking, browser extension level ad and tracker blocking, LibreWolf's extensive anti-fingerprinting measures, kernel-level measures like kloak, I block all third party JS by default, etc. My goal isn't to become invisible and untraceable to nation states (which is essentially impossible when 90%+ of all global ISPs can and do sell netflow metadata, enabling timing and packet size correlation even across multiple hops, even with background traffic forgery / traffic pattern obfuscation), but rather to frustrate lower-level tracking efforts, and mostly to reduce attack surface for security reasons, and to reduce the total amount of information I'm sending to adversaries, even if it technically increases uniqueness. For instance, WebGL, JS JIT, WASM, WebRTC, and even SVG rendering are similarly disabled by default on my browsers, and I may very selectively enable them on a case-by-case basis depending on how important I feel the web property I'm trying to access actually is. I'll spoof my UA, my screen dimensions, and use residential SOCKS5 proxies, one by one, to identify which fingerprinting measures are being used to block me with YouTube, for instance, without enabling JIT compilation or SVG rendering. This approach absolutely does make me more distinctly identifiable (less anonymous), but doesn't necessarily make me less private, nor less secure, if e.g. ad network JS never even runs on my box in the first place. Security is the base of the pyramid, it is the prerequisite for privacy, but doesn't guarantee it. Privacy is the middle layer, it is the prerequisite for anonymity, but doesn't guarantee it. I'm aggressively climbing that pyramid where I can while accepting some tradeoffs where the net benefit is positive to me. I don't think of any of these - security, privacy, or anonymity - as binary properties, but rather a unified journey I am on to enhance gradually and iteratively over time. Switching to IPv6 would greatly complicate and regress my path through much of the journey I've already completed.
If I could leave you with a couple questions: What tangible benefits have you reaped from IPv6 that simply weren't possible on IPv4? Has the ROI for you on going dual stack outweighed the costs on your time, attention, and configuration work required for securely handling edge cases, dealing with weird or unexpected routing issues, for straying from the happy path?
> Any webpages embedding facebook/twitter/microsoft/google trackers have already deanonymised you
I bet OP has already blocked at least 3 of them. Private browsing is only a partial solution, blocking/unblocking domains, scripts, etc. on a case-by-case basis is a more reliable way to defend your right to privacy against abusive practices (I'm talking about fine grained adblockers such as uMatrix/uBlockOrigin) daily.
I admit it can be a hassle sometimes, in particular if one explores the net every day, but staying away from bad actors (such as some of those 4) is one way to maybe eventually stop them - even if "vote with your clicks" feels as pointless as "vote with your feet" when you're just one in many millions.