I'm going to go ahead and say that I'm happy with CG-NAT because of the security and privacy benefits.
This thing of having a per-device IP address looks like the wet dream of marketers and those newspapers that won't let you look at more than X articles a month. No thanks.
NAT, including CG-NAT, really provides no security benefits. Too many comments, blogs, etc., have been written on this topic for me to reiterate the specifics here.
NAT, including CG-NAT, provides near zero privacy benefits. Nobody is tracking by IP address; there are far, far, far more accurate ways. Again, I won't reiterate all the ways this happens, Google it (or is the TLS session resumption one still on the front page, as one example?).
NAT and CG-NAT provide real drawbacks. Drawbacks most people won't understand, and that's OKAY. Not everyone needs to understand them, but when you don't understand something, please don't advocate for it with specifics like "happy with CG-NAT because of the security and privacy benefits"; instead, just leave it at "happy with CG-NAT, I don't see any drawbacks".
I agree with the statement that NAT provides no privacy benefits, but there are security benefits to NAT. As Robert Graham says, "NAT is a firewall. It's the most common firewall. It's the best firewall."
If all you rely on is NAT, and you turn the firewall on your router off, it is possible for outside attackers to send unexpected packets through the NAT device and right to your endpoints.
The targets are limited to the entries contained within the NAT translation tables, but that's still a pretty leaky "firewall".
NAT is just not a firewall; all it does is translate addresses, or in the case of PAT, ports and addresses. It does not filter the packets it receives, it just translates them.
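To make the translation-versus-filtering distinction in the last few comments concrete, here is an added example (not code posted in this thread) of a toy NAPT in Python. The mapping step is the same in both modes; what decides whether an unsolicited packet from a stranger reaches the LAN host is a separate filtering policy, named here with the RFC 4787 behaviour names. The hosts, ports and payloads are constructed for the demo; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class ToyNapt:
    """Toy NAPT (port-overloading NAT) for UDP-style flows.

    Mapping is endpoint-independent: one external port per internal
    (ip, port), whoever it talks to.  The *filtering* behaviour is a
    separate policy, using the RFC 4787 names:
      - "endpoint-independent": any inbound packet that hits a mapped
        external port is translated and forwarded ("full cone").
      - "address-and-port-dependent": only packets from a remote endpoint
        the internal host already sent to are forwarded.
    Anything aimed at an unmapped port is dropped in both modes, simply
    because no translation exists for it.
    """

    def __init__(self, external_ip: str, filtering: str = "endpoint-independent",
                 first_port: int = 40000) -> None:
        if filtering not in ("endpoint-independent", "address-and-port-dependent"):
            raise ValueError("unknown filtering behaviour")
        self.external_ip = external_ip
        self.filtering = filtering
        self._next_port = first_port
        self._ext_port_of: Dict[Endpoint, int] = {}    # internal endpoint -> external port
        self._internal_of: Dict[int, Endpoint] = {}    # external port -> internal endpoint
        self._peers_of: Dict[int, Set[Endpoint]] = {}  # external port -> remotes contacted

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN -> Internet packet, creating a mapping on first use."""
        internal = (pkt.src_ip, pkt.src_port)
        if internal not in self._ext_port_of:
            port = self._next_port
            self._next_port += 1
            self._ext_port_of[internal] = port
            self._internal_of[port] = internal
            self._peers_of[port] = set()
        port = self._ext_port_of[internal]
        self._peers_of[port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet -> LAN packet, or return None if it is dropped."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self._internal_of:
            return None  # no table entry: there is nowhere to translate it to
        if (self.filtering == "address-and-port-dependent"
                and (pkt.src_ip, pkt.src_port) not in self._peers_of[pkt.dst_port]):
            return None  # dropped by the filtering policy, not by translation
        in_ip, in_port = self._internal_of[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def demo(filtering: str) -> Dict[str, bool]:
    """Constructed scenario: a LAN host talks to a STUN-like server, then the
    server, a stranger, and a port scanner each send a packet inward."""
    nat = ToyNapt("203.0.113.7", filtering)
    lan_host = ("192.168.1.10", 5000)
    server = ("198.51.100.5", 3478)
    stranger = ("192.0.2.66", 4444)

    out = nat.outbound(Packet(*lan_host, *server, b"binding request"))
    reply = nat.inbound(Packet(*server, nat.external_ip, out.src_port, b"binding response"))
    unsolicited = nat.inbound(Packet(*stranger, nat.external_ip, out.src_port, b"hello?"))
    scan = nat.inbound(Packet(*stranger, nat.external_ip, 22, b"SSH-2.0-probe"))
    return {
        "reply_reaches_lan_host": reply is not None and (reply.dst_ip, reply.dst_port) == lan_host,
        "stranger_reaches_lan_host": unsolicited is not None,
        "scan_of_unmapped_port_forwarded": scan is not None,
    }


if __name__ == "__main__":
    for mode in ("endpoint-independent", "address-and-port-dependent"):
        print(mode, demo(mode))
```

Under "endpoint-independent" filtering the stranger's packet to the mapped port is delivered to the LAN host, which is the "leaky firewall" case; the scan of port 22 is dropped in both modes only because no entry exists, not because anything inspected it. Real CPE adds a stateful filter on top of the translation, which is the part that actually does the firewalling.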
I have seen some that don't. Back in the early days of residential ISPs offering IPv6. But that's a thing of the past, and the same mistakes happened on the early IPv4 routers when dialup was disappearing and DSL/Cable was kicking off.
Having IPv6 will be exactly as secure as IPv4+NAT by default on any CPE. And, just as with NAT+v4, it's possible to open your machines to the world if you have no idea what you're doing.
(This is actually pretty common for gamers who set the "DMZ host" router feature to aim at their desktop and flick off the firewall!)
Newer devices might support the Port Control Protocol, so applications can ask for the port to be forwarded on IPv4 and allowed in the firewall for IPv6.
Which does not solve the common case when you want to pass unfiltered ingress traffic to a few specific hosts and have the default reject-unknown-ingress behavior for all other LAN hosts. Just give me the ability to set my own firewall rules when I need to, instead of a drop-all/drop-ingress/accept-all combo box with a confusing label.
I don't think IPs were ever a viable tracking tool besides detecting the country. NAT has been the default for most home networks, and as a marketer you really don't want to confuse a mid-forties dad with their 14-year-old daughter. So you've always had very, very different marketing profiles share an IP. Besides that, browser profiles are just so much more exact.
>I don't think IPs were ever a viable tracking tool besides detecting the country.
That depends on the ISP.
Many cable ISPs assign DHCP blocks to nodes that are defined by geographical areas. These can then be correlated with cellphone apps on wireless connections that also return GPS data to the collector. After a few thousand samples you get a really good picture of IP blocks that move and ones that are somewhat static.
Yes, I've never been comfortable with the device specificity of IPv6. Sure, temporary non-local addresses are now the norm. And they're usually not MAC-based. But still, I'd rather have IPv4 with NAT. Also, there's the issue that many VPN services don't yet route IPv6, and so IPv6 connections can bypass the VPN connection.
> Yes, I've never been comfortable with the device specificity of IPv6
These days it's really not much different from IPv4: during the lifetime of a connection, the prefix stays the same, so that's equivalent to the IPv4 address before that.
The actual machine address rotates very often, so there's no real value in using this for identifying unique devices.
If you want to profile specific devices, you're much better off using the same attributes you were using with IPv4 (user agent, TTL, other protocol specific fingerprint techniques)
You don't need to NAT for privacy. That was my point. If your machine uses a different outgoing address for every connection, it's as well masked as if all your machines used the same address.
The only thing that stays static across connections is the provider-assigned prefix, and that's equivalent to your dynamic IPv4 address.
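An added example (mine, not code from anyone in this thread) showing what the last few comments describe from both sides: how a host derives its IPv6 interface identifiers, and what a remote observer can group by. The stable identifier follows the RFC 7217 construction (a keyed PRF over prefix, interface, network identity and a secret; the RFC does not mandate HMAC-SHA256, that is this example's choice), the temporary ones are fresh randomness per RFC 8981, and the observer side only ever sees the /64 prefix as constant. Prefixes are RFC 3849 documentation space; SSID and interface names are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import defaultdict
from typing import Dict, Iterable, List

IID_MASK = (1 << 64) - 1


def stable_iid(prefix: str, net_iface: str, network_id: str,
               secret_key: bytes, dad_counter: int = 0) -> int:
    """RFC 7217-style stable interface identifier.

    The RFC only requires F() to be a PRF over these inputs; HMAC-SHA256
    truncated to 64 bits is this example's choice.  The same host gets the
    same IID every time it joins the same network, and an unrelated one on
    every other prefix, so the IID does not follow the device around.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = (int(net.network_address).to_bytes(16, "big")
           + net_iface.encode() + b"\0"
           + network_id.encode() + b"\0"
           + dad_counter.to_bytes(4, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def temporary_iid() -> int:
    """RFC 8981 temporary (privacy) identifier: fresh randomness each time."""
    return int.from_bytes(secrets.token_bytes(8), "big")


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC-style IIDs need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def observer_view(addresses: Iterable[ipaddress.IPv6Address]) -> Dict[str, int]:
    """What a remote server can see: distinct IIDs per /64 prefix.  The prefix
    is the only constant, the same granularity as one NATed IPv4 address."""
    seen = defaultdict(set)
    for addr in addresses:
        prefix = ipaddress.IPv6Network((int(addr) & ~IID_MASK, 64))
        seen[str(prefix)].add(int(addr) & IID_MASK)
    return {p: len(iids) for p, iids in seen.items()}


def same_device_linkable(secret_key: bytes) -> bool:
    """Does one laptop's stable IID repeat when it moves from the constructed
    'home' prefix to the constructed 'cafe' prefix?"""
    home = stable_iid("2001:db8:1::/64", "wlan0", "HomeSSID", secret_key)
    cafe = stable_iid("2001:db8:2::/64", "wlan0", "CafeSSID", secret_key)
    return home == cafe


def session_addresses(secret_key: bytes, rotations: int = 3) -> List[ipaddress.IPv6Address]:
    """One host on the home prefix: its stable address plus `rotations`
    temporary ones, roughly what a day of browsing looks like from outside."""
    prefix = "2001:db8:1::/64"
    stable = make_address(prefix, stable_iid(prefix, "wlan0", "HomeSSID", secret_key))
    temps = [make_address(prefix, temporary_iid()) for _ in range(rotations)]
    return [stable] + temps


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-host secret; real stacks generate it once at install
    print("stable IID linkable across networks:", same_device_linkable(key))
    addrs = session_addresses(key)
    for a in addrs:
        print(a)
    print(observer_view(addrs))
```

The point the observer side makes: four addresses from one host collapse to one /64 with four identifiers, and the identifiers change again tomorrow, so the prefix is what an analytics backend would key on, exactly as it keys on the shared IPv4 address today.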
Honestly, that sounds like a failing of the VPN services.
At the least, they should push a null default route to users that connect (assuming we're talking about the kind of VPN services that advertise as "protect your privacy with a VPN!").
Crappy ones also sometimes leak UDP packets. Or all DNS queries or whatever. If you use crappy VPNs it's your fault if you then don't get the protection you want, no matter the transport protocol.
Or rather: using IPv4 doesn't guarantee non-crappiness of a VPN provider.
But: Working IPv6 support guarantees at least some level of proficiency by the VPN provider, so they might be more reliable candidates to begin with.
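A check for the "null default route" idea a couple of comments up, as an added example (mine, not a VPN provider's client code): it classifies the winning IPv6 default route from Linux `ip -6 route show` output and reports whether IPv6 goes into the tunnel, fails closed through an unreachable route, or leaks out of a physical interface. The route dumps are constructed from documentation prefixes, not captured from a real host, and `tun0` is an assumed tunnel interface name.

```python
from dataclasses import dataclass
from typing import List, Optional

NULL_ROUTE_TYPES = ("unreachable", "blackhole", "prohibit")
KEY_VALUE_ATTRS = ("via", "dev", "metric", "proto", "pref", "src", "expires", "hoplimit", "table")


@dataclass
class Route:
    rtype: str           # "unicast", "throw", or one of NULL_ROUTE_TYPES
    dst: str             # "default", "::/0", "2001:db8::/64", ...
    dev: Optional[str]
    metric: int


def parse_route(line: str) -> Route:
    """Parse one line of `ip -6 route show` output (common attributes only)."""
    toks = line.split()
    rtype = "unicast"
    if toks[0] in NULL_ROUTE_TYPES or toks[0] == "throw":
        rtype = toks.pop(0)
    dst = toks.pop(0)
    attrs = {}
    i = 0
    while i < len(toks):
        if toks[i] in KEY_VALUE_ATTRS and i + 1 < len(toks):
            attrs[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # bare flags such as "linkdown" or "onlink"
    return Route(rtype, dst, attrs.get("dev"), int(attrs.get("metric", 1024)))


def parse_dump(dump: str) -> List[Route]:
    return [parse_route(l) for l in dump.strip().splitlines() if l.strip()]


def ipv6_default_verdict(dump: str, tunnel_dev: str) -> str:
    """Classify the winning IPv6 default route.

    "tunneled":    default goes into the VPN interface
    "null-routed": an unreachable/blackhole default wins, so v6 fails closed
    "leak":        default leaves via another interface, bypassing the VPN
    "no-default":  the kernel has no v6 default at all
    """
    defaults = [r for r in parse_dump(dump) if r.dst in ("default", "::/0")]
    if not defaults:
        return "no-default"
    best = min(defaults, key=lambda r: r.metric)  # lower metric wins
    if best.rtype in NULL_ROUTE_TYPES:
        return "null-routed"
    if best.dev == tunnel_dev:
        return "tunneled"
    return "leak"


# Constructed route dumps (RFC 3849 documentation prefixes), not from a real host.
LEAKY_DUMP = """
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1:2::/64 dev eth0 proto ra metric 1024 expires 86395sec pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
"""

# The fix from the comment above: a null default that outranks the RA-learned one.
NULL_ROUTED_DUMP = LEAKY_DUMP + "unreachable default dev lo metric 1 pref medium\n"

# A provider that actually routes v6: the tunnel default wins on metric.
TUNNELED_DUMP = LEAKY_DUMP + """
2001:db8:ffff::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 proto static metric 50 pref medium
"""

if __name__ == "__main__":
    for name, dump in (("leaky", LEAKY_DUMP), ("null-routed", NULL_ROUTED_DUMP),
                       ("tunneled", TUNNELED_DUMP)):
        print(f"{name:12s} -> {ipv6_default_verdict(dump, 'tun0')}")
```

On Linux the fail-closed state is what `ip -6 route add unreachable default metric 1` produces. Two caveats for using this as a real leak test: clients built on WireGuard-style fwmark policy routing steer traffic via `ip -6 rule`, which this main-table check does not see, so inspect the rules as well; and a routing-table verdict is no substitute for an actual outbound probe, since the router's RA can re-add the eth0 default at any time.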
But there's more needed with IPv6 than routing properly. The VPN provider needs to assign IPv6 addresses to customers, and that's harder than just NATing stuff. It's almost like being an IPv6 ISP.
But I've done a toy implementation. To get "anonymous" IPv6 addresses, so I could test VPN service clients for IPv6 leaks, without pwning myself. I needed a little help from an IVPN engineer, but it wasn't that hard.