
The changes to Ethernet lookup mandate that you have a link-local address in addition to your “real” address, and this starts the ball rolling on the idea that machines have multiple IP addresses in general. Which makes privacy addresses commonplace, ULA+GUA addresses on the same machine, etc.

I think this is the biggest change with IPv6: that a machine’s IP addresses is no longer its identity, and you can’t easily predict what address will be used when connecting somewhere. IP-based access control becomes impossible (not that it was ever a great idea in the first place), reverse DNS lookups become irrelevant, seeing IP’s in logs no longer tells you “what machine connected here”, it’s overall a big change in mental model.

But then you get over it, stop making assumptions that you can rely on IP addresses for knowing things about a host, and the rest of it is fine.



> I think this is the biggest change with IPv6: that a machine’s IP addresses is no longer its identity, and you can’t easily predict what address will be used when connecting somewhere.

Can't you unset the "Use autonomous addressing" bit and set the "Use DHCPv6 for addressing and other config" bit in your RAs, and then refuse to hand out anything other than DHCPv6 Normal Addresses? Or do OS's ignore the fact that Temporary Addresses are an entire other category of DHCPv6 addresses and just go off and make their own "privacy addresses" off of the advertised prefix in the RA... ignoring the router's command to not use SLAAC for addressing? [0]

[0] Yes, I'm very aware that Android doesn't support anything that DHCPv6 provides other than getting an entire damn prefix delegated. For the duration of this discussion, let's ignore Android.
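The comment above turns on two bits in the Router Advertisement: the M ("managed") flag in the RA header and the A ("autonomous") flag in each Prefix Information option. Before arguing about what hosts do with them, it helps to see what the router actually sends. The decoder below is an added example and not code from this thread; it parses an ICMPv6 RA per RFC 4861 and summarises the advertised addressing mode. `build_ra` constructs sample packets (checksum left at zero, source link-layer address made up) so the example runs offline; on a real network you would feed it the ICMPv6 payload from a capture instead.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861) and report the M/O header
flags and the A (autonomous) flag of every Prefix Information option."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
RA_HEADER = "!BBHBBHII"   # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra(payload: bytes) -> dict:
    """Return the M/O flags, router lifetime and per-prefix A/L flags of an RA."""
    if len(payload) < struct.calcsize(RA_HEADER):
        raise ValueError("RA shorter than its fixed header")
    icmp_type, _code, _csum, _hops, flags, lifetime, _reach, _retrans = struct.unpack(
        RA_HEADER, payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (type {icmp_type})")
    ra = {
        "managed": bool(flags & 0x80),       # M: use DHCPv6 for addresses
        "other_config": bool(flags & 0x40),  # O: use DHCPv6 for DNS etc.
        "router_lifetime": lifetime,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option (RFC 4861 says discard the RA)")
        size = olen * 8
        body = payload[off:off + size]
        if len(body) < size:
            raise ValueError("truncated option body")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed
                "valid": valid,
                "preferred": preferred,
            })
        off += size
    return ra


def addressing_mode(ra: dict) -> str:
    """Summarise what the RA asks hosts to do for address configuration."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if slaac and ra["managed"]:
        return "slaac+dhcpv6"
    if slaac:
        return "slaac"
    if ra["managed"]:
        return "dhcpv6"
    return "none"


def build_ra(managed: bool, other: bool, prefixes) -> bytes:
    """Construct a sample RA for testing (not a capture). prefixes is a list of
    (prefix, autonomous, on_link). Checksum is left at 0 and the source MAC is invented."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack(RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1, bytes.fromhex("001122334455"))
    for prefix, autonomous, on_link in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                           pflags, 2592000, 604800, 0)
        pkt += net.network_address.packed
    return pkt


if __name__ == "__main__":
    # The configuration the comment describes: A=0 on the prefix, M=1 and O=1 in the header.
    sample = build_ra(True, True, [("2001:db8:1::/64", False, True)])
    decoded = parse_ra(sample)
    print(decoded, addressing_mode(decoded))
```

The decoder reports what is advertised, not what a given OS does with it; that second question is exactly what the replies below disagree about, and the only way to settle it per platform is to compare this output with the addresses the host actually configures.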


IME nothing pays attention to when you set a flag to not do autonomous addressing. macOS and iOS don't respect it AFAICT, I don't recall what Linux does by default, but I don't remember having any success.

But it's rather not really my point... best practices for IPv6 are to not do any of this, and you probably don't want to do it, because privacy addresses are an actually-important thing for privacy (so that sites can't correlate you easily.) You can say "oh but websites use fingerprinting anyway" (which doesn't help you when it's not a web browser you're using, but any other software that's connecting places) or "but sites don't trust the trailing 64 bits" (which only helps because everyone else is using privacy addresses, which rather proves my point.) When doing IPv6, you sort of have to abandon the idea that you're going to have a fixed, known IP address that you will use for all outbound connections. Fighting this is an exercise in pain.


> IME nothing pays attention to when you set a flag to not do autonomous addressing.

When I unset the Autonomous flag, Linux does the right thing, at least on the systems I have at hand. Android does the right thing. My Playstation 5 does the right thing. I'd be shocked if Windows doesn't do the right thing. While I wouldn't be surprised to hear that Apple devices absolutely do the wrong thing -given Apple's long history with flagrantly doing the disruptively-wrong thing in regards to networking-, based on the results I'm seeing, I expect that Apple devices work just fine. I think you came to the wrong conclusions because you fucked up your test.

> ...privacy addresses are an actually-important thing for privacy (so that sites can't correlate you easily.)

As you allude to, The Web has eleventy billion ways to track you that give absolutely zero shits about your IP address. "Privacy" addresses buy the typical user of The Internet effectively zero privacy. January's deprecation of DHCPv6 "Temporary Addresses" suggests that folks who deploy this stuff believe that this feature is far less useful than proponents might think it to be. Plus, absolutely nothing prevents a DHCPv6 server from randomly generating the host part of the addresses it hands out, as well as handing out entirely new addresses for each address request. If I believed that "privacy" addresses actually provided any meaningful privacy, that's how I'd configure mine to behave for hosts that I wasn't intentionally providing fixed addresses.


Y’know I see you in every thread about IPv6 and you have this terrible habit of completely ignoring the actual point someone is trying to make and bogging straight down into the minutiae of some technical detail instead.

I will stipulate that it’s possible to configure a network so that clients don’t set up their own addresses and use only DHCP. I will stipulate that I fucked up the configuration the last time I tried it. You’re obviously a lot more smart than me. Congratulations.

Now, would you maybe get past that and look at my actual point, which is that multiple addresses is the expected and default behavior of IPv6, and is a big change from how people are used to doing things in IPv4? You don’t need to use every opportunity you can to flex your nerd cred at the expense of actually getting the point of what is being discussed.


> ...you have this terrible habit of completely ignoring the actual point someone is trying to make and bogging straight down into the minutiae of some technical detail instead. ... [w]ould you maybe get past that and look at my actual point, which is that multiple addresses is the expected and default behavior of IPv6...

Here's your comment's [0] second paragraph:

  I think this is the biggest change with IPv6: that a machine’s IP addresses is no longer its identity, and you can’t easily predict what address will be used when connecting somewhere. IP-based access control becomes impossible (not that it was ever a great idea in the first place), reverse DNS lookups become irrelevant, seeing IP’s in logs no longer tells you “what machine connected here”, it’s overall a big change in mental model.
An attentive reader notes that I did not object to your comment's first paragraph. [1] Such a reader also notes that in your reply to me you both double down on the claim that it's impossible to centrally control what IPv6 addresses a host has, and go on to claim that even if you could it would be undesirable to do so.

[0] <https://news.ycombinator.com/item?id=47987900>

[1] "The changes to Ethernet lookup mandate that you have a link-local address in addition to your “real” address, and this starts the ball rolling on the idea that machines have multiple IP addresses in general. Which makes privacy addresses commonplace, ULA+GUA addresses on the same machine, etc."


See here you go again. I'm not doubling down on anything.

My claim goes like this. Tell me where you disagree.

1. In a typical IPv6 setup you have more than one address. You even had to exclude android from the discussion just to bring up a scenario where this isn't true.

> Yes, I'm very aware that Android doesn't support anything that DHCPv6 provides other than getting an entire damn prefix delegated. For the duration of this discussion, let's ignore Android.

Yeah so as long as we ignore the largest operating system in the world by number of devices, yeah you totally are making a great point here.

2. In such a setup, things like IP-based access control become impossible (no, I'm not going to just pretend android doesn't exist, sorry), reverse DNS lookups become irrelevant, etc.

3. Yes, it is possible to configure a network such that these things are not the case, but that is not a typical IPv6 setup. There are a lot of reasons this setup is not typical, there are a lot of SHOULD lines in various IEEE specs that talk about this. Hell, even if you get your network configured perfectly, it's not going to stop a random machine from deciding to use its link-local address when talking to somemachine.local (which happens all the damned time in my network.)

It's like if someone came in and critiqued that /64 is way too huge of a subnet size in IPv6, and you responded with "yeah but you can change it and run a /96 network!" Which while technically true is also not how literally fucking anybody does IPv6 at all.

Now I wait while you attack the above with dumb fucking nitpicks about technicalities while totally fucking ignoring the point I was trying to make. Go ahead, you've done it in these threads for years.


Hon, you really need to step away from the keyboard and seek yourself some headpats, or other such comforting entertainment. I expect that -like most people- once you're able to find a way to regularly and reliably enhance your calm, you'll be better able to take critique and acknowledge when parts of your argument are substandard.

Best of luck to you.


Nothing in v6 stops you giving a machine a single stable address (plus link-local). Every server on the internet has one. You can also bind a socket to a specific source address if that's what you want, because the recipient is IP-filtering.
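Binding before connecting is how you pin the source address the comment above mentions. The example below is added here and is not code from the thread; it is plain Python sockets, works the same for IPv4 and IPv6, and the loopback self-test (`peer_seen_source`) shows that the listener sees exactly the bound address rather than whatever the kernel's default source-address selection would have chosen.

```python
"""Pin the source address of an outbound TCP connection by binding the socket
before connect(), so an IP-filtering peer sees a chosen, stable address."""
import socket
import threading


def connect_from(src_addr: str, dst_host: str, dst_port: int, timeout: float = 5.0) -> socket.socket:
    """Connect to dst_host:dst_port using src_addr as the local address.
    Port 0 lets the kernel pick an ephemeral port while the address stays fixed.
    src_addr must already be configured on an interface, or bind() raises OSError."""
    family = socket.AF_INET6 if ":" in src_addr else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((src_addr, 0))          # this is the step that fixes the source address
        s.connect((dst_host, dst_port))
    except OSError:
        s.close()
        raise
    return s


def peer_seen_source(src_addr: str, listen_addr: str) -> str:
    """Start a loopback listener, connect to it from src_addr and return the
    peer address the listener observed. Used here as an offline demonstration."""
    family = socket.AF_INET6 if ":" in listen_addr else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.settimeout(5.0)
    srv.bind((listen_addr, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = []

    def accept_once():
        conn, peer = srv.accept()
        seen.append(peer[0])           # peer[0] is the address the client connected from
        conn.close()

    t = threading.Thread(target=accept_once)
    t.start()
    client = connect_from(src_addr, listen_addr, port)
    t.join(5.0)
    client.close()
    srv.close()
    return seen[0]


if __name__ == "__main__":
    print("listener saw:", peer_seen_source("127.0.0.1", "127.0.0.1"))
    if socket.has_ipv6:
        print("listener saw:", peer_seen_source("::1", "::1"))
```

On a host with a stable global address and several temporary ones, passing the stable address as `src_addr` is what makes the remote IP filter see the address you intended; on Linux, `IPV6_PREFER_SRC_PUBLIC` via `setsockopt` is the other way to steer selection without hard-coding an address, but binding is portable and explicit.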


> I think this is the biggest change with IPv6: that a machine’s IP addresses is no longer its identity,

a little over half the bytes of a typical IPv6 visitor's address is comparable in identification to what all four bytes of an IPv4 address tells you


I'm not necessarily talking about fingerprinting or tracking here, it can be something a lot more mundane. Like if I have a homelab setup and I want to see what hosts connected to something, and I look at the logs and see privacy addresses, I know I'll never know what host it was. Or if I want to set up netgroups for access control to shares or something (just a hypothetical.)

In the classic sysadmin world, the idea that an IP you see could belong to any host and you have practically zero way of knowing, is rather different from what we expect in the IPv4 world. You just have to embrace it, basically.
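Two points in the last few comments lend themselves to a worked example: that a privacy address in a log line tells you nothing about which host it was, and that the first half of the address (the /64) still identifies the network about as well as a whole IPv4 address did. The script below is an added example, not code from the thread. It pulls IPv6 addresses out of constructed sshd/smbd-style log lines, classifies their scope, applies a heuristic to the interface identifier (EUI-64 has `ff:fe` in the middle; a tiny IID was typed by a human; anything else is indistinguishable by inspection from a random privacy or RFC 7217 address), and groups addresses by /64 so that correlation at the network level still works. The log lines and prefixes are invented.

```python
"""Classify IPv6 addresses seen in log lines and group them by /64."""
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample log lines (not real hosts). The first three come from the
# same /64; alice's two logins use different random-looking interface identifiers.
SAMPLE_LOG = [
    "sshd[101]: Accepted publickey for alice from 2001:db8:1:2:3a5f:9c1e:77ab:1d02 port 51234 ssh2",
    "sshd[102]: Accepted publickey for alice from 2001:db8:1:2:b1c4:2e9:5d70:aa31 port 51240 ssh2",
    "sshd[103]: Accepted publickey for bob from 2001:db8:1:2:211:22ff:fe33:4455 port 51301 ssh2",
    "smbd[77]: connect from fe80::211:22ff:fe33:4455 to share media",
    "nfsd: mount request from fd12:3456:789a:1::10",
]


def scope(addr: ipaddress.IPv6Address) -> str:
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def iid_kind(addr: ipaddress.IPv6Address) -> str:
    """Heuristic classification of the 64-bit interface identifier."""
    iid = addr.packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"            # MAC-derived: stable, and reveals the hardware address
    if int.from_bytes(iid, "big") < 0x10000:
        return "manual"           # ::1, ::10, ::53 style: almost certainly hand-assigned
    return "random-looking"       # temporary (RFC 8981) or stable-random (RFC 7217): cannot tell


def addresses_in(line: str):
    """Yield every token in the line that parses as an IPv6 address."""
    for tok in line.split():
        tok = tok.strip("[],;()")
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue
        if ip.version == 6:
            yield ip


def classify_log(lines) -> list:
    """One record per IPv6 address found, with its scope, IID kind and /64 key."""
    records = []
    for line in lines:
        for ip in addresses_in(line):
            net64 = ipaddress.IPv6Network(f"{ip}/64", strict=False)
            records.append({
                "address": str(ip),
                "scope": scope(ip),
                "iid": iid_kind(ip),
                "net64": str(net64),
            })
    return records


def by_network(lines) -> dict:
    """Group the distinct addresses seen per /64: the correlation key that survives
    privacy addressing, since the prefix is what the network, not the host, chose."""
    groups = defaultdict(set)
    for rec in classify_log(lines):
        groups[rec["net64"]].add(rec["address"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for rec in classify_log(SAMPLE_LOG):
        print(rec)
    print(by_network(SAMPLE_LOG))
```

Run against real logs, the `random-looking` bucket is the one the comment is describing: those entries can only be tied back to a host by cross-referencing the router's neighbour cache or the DHCPv6 lease log at the time of the event, while the `eui64` entries still carry a MAC address and the `net64` key still says which network the connection came from.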



