Dual Stack home network pros and cons

[CriticJay]

Slaac addressing still has a part of the device identifier generated per device and part of the isp identifier in the address. Not that you are wrong though.

SLAAC should have privacy extensions enabled by default on most modern devices/OS's, which addresses the first part of your statement - and the second part of your statement can only be addressed by using VPN so it's not a valid criticism

 

[Frank Monroe]

SLAAC should have privacy extensions enabled by default on most modern devices/OS's, which addresses the first part of your statement - and the second part of your statement can only be addressed by using VPN so it's not a valid criticism

Then we should also remove this as a valid criticism when it was used as a justification to not enable IPv6. Thats what I think the real point was here. Earlier in this thread or maybe in the other thread, it was stated that your privacy is better with IPv4 behind NAT because your individual IP's are not exposed. But, in reality, you are more exposed under NAT since the one IP coming from your network can still be tracked and its usage lasts for a longer period.

If you are concerned about this and are diligently using a VPN, then it doesn't matter either way. However, ff you are not using a VPN, can't use a VPN, or forget to turn it on, your situation improves with IPv6.

 

[SomeWhereOverTheRainBow]

SLAAC should have privacy extensions enabled by default on most modern devices/OS's, which addresses the first part of your statement - and the second part of your statement can only be addressed by using VPN so it's not a valid criticism

Wasn't aimed at being a criticism at all, just that it is not actually private and the fact that it makes more outgoing connections than ipv4 leaves your foot print in more places. And by the way it is a common myth that privacy extensions solve all ipv6 slaac privacy concerns. Privacy extention is created in addition of slaac and not in replacement of slaac. It should also be noted they are horrible in regards to where network management is concerned because of how often they change.while this may make it hard to track devices, unchanging IIDs can be used to identify and track a given device.

 

[SomeWhereOverTheRainBow]

Then we should also remove this as a valid criticism when it was used as a justification to not enable IPv6. Thats what I think the real point was here. Earlier in this thread or maybe in the other thread, it was stated that your privacy is better with IPv4 behind NAT because your individual IP's are not exposed. But, in reality, you are more exposed under NAT since the one IP coming from your network can still be tracked and its usage lasts for a longer period.

If you are concerned about this and are diligently using a VPN, then it doesn't matter either way. However, ff you are not using a VPN, can't use a VPN, or forget to turn it on, your situation improves with IPv6.

I agree the fact that slaac was brought up in regards to whether one should enable ipv6 or not is irrelevant.

 

[heysoundude]

@heysoundude, you run DNS/IP-blocking scripts not really necessary for average user security and in the same time you have opened another access to your network without knowing if your IPv4 level of security applies to IPv6. There are smarter people out there indeed. Someone may come see you uninvited. Is your Internet experience any different with IPv6 enabled?

my understanding of v6 is that by design, openings in the firewall must be mindfully, deliberately opened, whereas in v4 there's a lot of plugging that needs doing by default. completely bass-ackwards if you're asking my opinion.
as far as user experience, I'd need to be able to tell if I'm using 6 or 4 first before I can possibly evaluate...but I do know ipv6.google.com loads quicker.
I've a trust of the people who make it possible to run the scripts I do, because I assume they run them themselves on their networks for more specific reasons than I have - why would they self-sabotage?

 

[Tech9]

I don't know everything about how my Asus router handles IPv6; therefore it must be a security risk

No. We are trying to find what we gain and what we lose, if we enable IPv6 just to test it. For people who need IPv6 - no choice. Since the forum folks mostly use Asus routers, the focus shifted on Asuswrt IPv6 support.

Diversion automatically enables or disables IPv6 support when the router settings change

Does it increase the workload by increasing the blocklist size when IPv6 is enabled? It was @dave14305 observation in previous discussion.

 

[Tech9]

-Parental Controls: This works with IPv6. I wouldn't expect it to break since ASUS uses MAC address for enforcement and not IP

It identifies the client, but does it identify the traffic?

-NAT acceleration: Works as normal

I've got kernel buggy errors with NAT acceleration on AC86U router, Asuswrt 45956 firmware. Had to disable it to stop the error log.

 

[heysoundude]

Finally, after I enabled IPv6 earlier this year, I was surprised how much of my traffic is IPv6. In fact, most of it is.

How do you track this?

 

[Frank Monroe]

It identifies the client, but does it identify the traffic?

It blocks on my AC-5300 with IPv6 enabled.

 

[Frank Monroe]

I've got kernel buggy errors with NAT acceleration on AC86U router, Asuswrt 45956 firmware. Had to disable it to stop the error log.

I'm not having this issue on my AC-5300 running IPv6.

 

[Tech9]

I've a trust of the people who make it possible to run the scripts

Well, @RMerlin and @thelonelycoder ISP's don't support IPv6. Skynet does nothing with IPv6. OpenVPN was IPv4 only yesterday. You are the one to test.

my understanding of v6 is that by design, openings in the firewall must be mindfully, deliberately opened

Not really. Don't count on grain of sand on the beach theory. IPv6 clients scanning techniques already exist and quite effective. Shodan sees you.

 

[Frank Monroe]

How do you track this?

deleted

 

[Frank Monroe]

How do you track this?

As stated earlier, I had a pfSense VM in-between the ASUS and the T-Mobile gateway. During another period, I had all IPv4 traffic running through the pfSense while IPv6 traffic was routing through the ASUS. With these two setups I had other goals than collecting the data. But, when I had these two setups I did check and most of my traffic is IPv6. Thats not really a surprise to me since most of the services that I use also support IPv6.

You can also use DNS logs. That won't really tell you how much traffic. But, it will tell you who offers IPv6 and who doesn't. For the usage in my house, even DNS shows a high lookup hit for IPv6. Its hard to say if there's more DNS for IPv6 over IPv4. But, for the traffic, IPv6 is definitely exceeding IPv4 traffic from my house. BTW, I use IPv6 DNS servers.

 

[heysoundude]

It identifies the client, but does it identify the traffic?

To whom, and are they a threat to me?

 

[Tech9]

I'm not having this issue on my AC-5300 running IPv6.

Confirmed on non-HND router, RT-AC1900P. Must be HND related.

Here is my guinea pig certificate:

 

[Tech9]

To whom, and are they a threat to me?

I don't know. Some people use Parental Controls to filter content. Also, I need to experiment with filtering DNS filtering services. With IPv6 enabled no more category filtering with popular OpenDNS, for example. This is a serious drawback. Other similar services are paid.

 

[Frank Monroe]

It blocks on my AC-5300 with IPv6 enabled.

Now, what I don't know is if the content you are trying to block is coming from IPv6 is it still blocked. I assume the filtering is by DNS domain or host. If that is the case, it should still work.

 

[SomeWhereOverTheRainBow]

I don't know. Some people use Parental Controls to filter content. Also, I need to experiment with filtering DNS filtering services. With IPv6 enabled no more category filtering with popular OpenDNS, for example. This is a serious drawback. Other similar services are paid.

That is a good concern though. How well does the traffic properly get identified.

 

[Tech9]

How well does the traffic properly get identified.

Let me hit some XXX and I'll let you know. I need to find ones using IPv6 first. BRB.

 

[thelonelycoder]

Does it increase the workload by increasing the blocklist size when IPv6 is enabled? It was @dave14305 observation in previous discussion.

The Diversion blocklists line count doubles with IPv6 enabled. That means Dnsmasq uses more memory. The workload increase is marginal during normal router operations. However, the cpu load and read/write actions are higher during an update of said lists, compared to a non v6 update. Nothing I would be worried about.