The people behind the \u201cEyes\u201d on the Internet are most often governments and their law enforcement and intelligence agencies.\u00a0 Corporations are also seeking to gain a greater understanding of the customers who use their products and services.\u00a0 They seek out greater\u00a0brand intimacy<\/a>\u00a0and \u201cstickiness\u201d with these customers and leverage customer information for sales and marketing purposes.\u00a0 Other companies collect this information and sell it to other companies that attempt to monetize the data.<\/p>\n On the Internet, not only our web surfing traffic can be inspected, but our\u00a0DNS packets as well<\/a>. \u00a0We can take measures (or rather our browsers and apps most often take them for us) to protect the confidentiality of our web traffic by using\u00a0Transport Layer Security (TLS)<\/a>\u00a0encryption and HTTPS.\u00a0 Some may use\u00a0The Onion Router<\/a>\u00a0(Tor) or use IPsec\/SSL VPN tunnels.\u00a0 When it comes to DNS privacy, there are \u00a0emerging methods, such as\u00a0DNS over HTTPS<\/a>\u00a0(DoH) for\u00a0preserving the confidentiality of DNS queries and responses<\/a>.<\/p>\n Over the past two decades, the Internet has become much more densely populated.\u00a0 Public\u00a0IPv4 address exhaustion occurred years ago<\/a>, but\u00a0thanks to Network Address Translation (NAT)<\/a>\u00a0and protocols like HTTP that cooperate with NATs, the Internet continues to work.\u00a0 As service providers have felt the sting of limited public IPv4 addresses for subscribers, they have had to resort to using\u00a0Carrier-Grade-NAT<\/a>\/Large-Scale-NAT<\/a>\u00a0(CGN\/LSN) systems to provide continued operation and facilitate future growth.<\/p>\n NAT and web proxies have allowed clients on private networks to access Internet resources while preserving some of their anonymity.\u00a0 This use of multiple layers of NAT has caused\u00a0IPv4 addresses to become increasingly localized<\/a>.\u00a0 Multiple layers of NAT have also created \u201cinvisible\u201d places and provided added anonymity to not only legitimate users of the Internet but malicious actors as well.\u00a0 In John Curran\u2019s (President and CEO of ARIN) presentation at the 2017 North American IPv6 Summit titled \u201cThe future of the Internet, IPv6, and the long tail<\/a>\u201d he commented on how other\u00a0non-technical users are afraid of the Internet<\/a>.\u00a0 John\u00a0quoted a poem<\/a>\u00a0eloquently articulating these fears of the Internet.<\/p>\n These NATs provide anonymity for attackers and have made\u00a0fighting online crime more difficult<\/a>.\u00a0\u00a0Europol has called for an end of CGN<\/a>\u00a0to increase accountability online.\u00a0 Service providers that have implemented CGN\/LSN systems have struggled to perform\u00a0Lawful Interception<\/a>\u00a0(LI) as required by Law Enforcement Agencies (LEAs) as well as legislation like the\u00a0Communications Assistance for Law Enforcement Act<\/a>\u00a0(CALEA).\u00a0 Even enterprises have difficulty\u00a0performing cybersecurity forensics<\/a>\u00a0when there are multiple levels of NAT taking place.<\/p>\n The primary advantage IPv6 has over IPv4 is its large 128-bit address space, which creates sufficient globally-unique addresses and removes the requirement for NAT.\u00a0 IPv6 was designed to restore the end-to-end model of Internet communications with all nodes on networks using globally unique addresses.\u00a0 Considering this, it\u2019s tempting to conclude that IPv6 might provide a greater degree of authenticity for identifying who or what is connecting to the Internet.\u00a0 However,\u00a0organizations should be cautioned against trying to use an IPv6 address as an authentication factor<\/a>.<\/p>\n IPv6 has the potential to change how organizations observe user behavior on the Internet or in private corporate networks.\u00a0 If organizations are observing IPv4 network traffic, they are not seeing the \u201cwhole picture\u201d and thus lack situational awareness.\u00a0 The \u201cclient\u201d IPv4 address observed by the Internet service is actually from a service provider\u2019s NAT pool, or the external IP address of the enterprise perimeter firewall.\u00a0 If the\u00a0web service is using reputation filtering<\/a>\u00a0and the client happens to use a bad IPv4 address in the NAT pool, then the legitimate connection could be dropped.<\/p>\n One of the advantages of using IPv6 that appeals to content providers is that they get greater visibility of user or customer behavior on the Internet.\u00a0 The \u201cclient\u201d IPv6 address observed by the Internet service is the actual global address currently assigned to the source of the connection.\u00a0 However, while the IPv6 prefix of the client\u2019s subnet is stable, when using\u00a0DHCPv6<\/a>\u00a0or temporary addresses, the last 64-bits of the IPv6 address\u2014the Interface Identifier (IID)–is subject to change over time.<\/p>\n Social media companies could be using both IPv4 and IPv6 to give them visibility to the broadest population of their users.\u00a0 Using IPv6 gives them global visibility and IPv6 allows them insights into portions of the network that have traditionally been hidden from view behind NATs.\u00a0 The social media company would know more precisely the IPv6 prefix that the client uses and could more accurately traceback to the client\u2019s source, than when they are using IPv4 with NAT.<\/p>\n Retail organizations are tracking customer location within their stores based on Wi-Fi or Bluetooth signals from their mobile devices.\u00a0 They track dwell times and then use the data gathered to optimize showroom and store layout based on the most popular products.\u00a0 The company that offers those free Internet services or makes that free mobile app receives something in return for your usage of their application.\u00a0 They get the ability to gather information about your usage and online behavior with both the client\u2019s NAT\u2019ed IPv4 address and its global IPv6 address.<\/p>\n Many consumers are not aware that their mobile devices already have IPv6 enabled and that many of their communications are already utilizing IPv6.\u00a0 When mobile phones are using global IPv6 addresses, but private IPv4 addresses, then using IPv6 allows for greater knowledge of the user\u2019s location.\u00a0 This information can be used for the purpose of creating greater customer intimacy and value or for tracking behavior. \u00a0However, it should be noted that this is not unique to IPv6. \u00a0Websites have been using cookies and other tracking methods for years to understand who the user is, regardless of what network a device currently is on. \u00a0IPv6 simply provides another unique data point for them to gather.<\/p>\n When it comes to service providers, IPv6 primarily provides them a way to scale their networks beyond the limitations and scarcity of IPv4 addresses.\u00a0 However, with IPv4, the number of devices within a residence is unknown to them because the residential broadband gateway performs NAT.\u00a0 There could be anywhere from one to one hundred IPv4 devices in the home, but the ISP or the online retailer cannot determine the actual device information.\u00a0 However, if the residential service used global IPv6 addresses, then the ISP would absolutely know how many devices are in the home.\u00a0 IPv6 would make their\u00a0CALEA<\/a>\u00a0responsibilities much easier while still providing the same service and access they provide today.<\/p>\n We are also aware that the vastness of the IPv6 address space is one of the security advantages of using IPv6.\u00a0 Not only are IPv6 prefixes sparsely utilized out of blocks of addresses allocated to organizations by RIRs, but the those \/64 prefixes are extremely sparely populated by nodes (i.e., tens or hundreds or even thousands out of 18,446,744,073,709,551,616 addresses).\u00a0 IPv6 nodes can (and typically do) use\u00a0privacy extensions<\/a>\u00a0(RFC 4941) to prevent any tracking of their burned-in MAC address(es), which are easily readable in the original\u00a0modified EUI-64 interface identifier<\/a>\u00a0format.\u00a0 But some organizations didn\u2019t want that much privacy for users so\u00a0stable IPv6 interface identifiers<\/a>\u00a0(RFC 8064) were developed.<\/p>\n Attackers can change their IPv6 addresses frequently when they are on a network.\u00a0 This is similar to how malicious sites perform \u201cfast-flux<\/a>\u201d, which they accomplish by changing their IP addresses frequently to avoid being picked up and placed onto block lists and poor-reputation lists.\u00a0 Systems like the\u00a0Moving Target IPv6 Defense<\/a>\u00a0(MT6D) developed at\u00a0Virginia Tech<\/a>\u00a0show how rapidly-changing IPv6 addresses can help avoid detection.\u00a0 Companies Like\u00a0Morphisec<\/a>\u00a0see these techniques as a security protection measure.\u00a0 People are also considering how using the vastness of\u00a0IPv6 can improve the anonymity provided by Tor<\/a>.<\/p>\n Even within IPv6 networks, identifying the IPv6 address of a bad actor can be difficult.\u00a0 Enterprises perform proactive monitoring to learn what devices are connected to their networks.\u00a0 IPv6 changes network reconnaissance and how organizations\u00a0perform vulnerability scanning<\/a>. \u00a0In general,\u00a0IPv6 geolocation is not as accurate<\/a>\u00a0as IPv4 geolocation.\u00a0 There is an IETF draft titled \u201cAnalysis of the Crime Attribution Characteristics of Various IPv6 Address Assignment Techniques<\/a>\u201d, which covers the methods of identifying a malicious actor using IPv6.<\/p>\n It is still possible to spoof the source address of IPv6 packets and send them off into the Internet towards an unwitting target.\u00a0 As organizations proceed to deploy IPv6, they should follow the best practices found in the IETF document\u00a0BCP 38<\/a>, which advocates ingress and egress filtering at the Internet perimeter.<\/p>\n As with IPv4, there is no inherent security built into IPv6.\u00a0 Spam,\u00a0DDoS attacks<\/a>, and botnets are still present on the IPv6 Internet.\u00a0 Even though NAT is not recommended and is typically not used with IPv6, you can still have web proxies that perform a NAT-like function.\u00a0 There are firewall manufacturers that list NAT66 and\u00a0NPTv6<\/a>\u00a0on their product specifications.\u00a0 Bad actors can hide within the vastness of the IPv6 address space, changing their addresses frequently to avoid discovery.<\/p>\n If your organization wants to gather more information about your customers, your subscribers, your vendors, and your partners, then you will want use both IPv4 and IPv6 for greater insights.\u00a0 What you do with that information is up to you, but consider using this valuable data responsibly. As Google used to say, \u201cDon\u2019t be evil<\/a>\u201d.<\/p>\n Scott Hogg\u00a0(@ScottHogg<\/a>) is CTO of\u00a0HexaBuild.io<\/a>, an IPv6 consulting and training company.\u00a0 Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (RMv6TF<\/a>) and authored the Cisco Press book on\u00a0IPv6 Security<\/a>.\u00a0 Follow HexaBuild on\u00a0Twitter<\/a>\u00a0and\u00a0LinkedIn<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Privacy and the Presence of Pervasive Monitoring What comes to mind when you think about the topics of\u00a0pervasive monitoring\u00a0and\u00a0mass surveillance?\u00a0 Does your mind immediately conjure up images of the\u00a0Eye of Providence\u00a0or, more popularly, the\u00a0Eye of Sauron\u00a0from J. R. R. Tolkien\u2019s\u00a0The Lord of the Rings\u00a0epic saga?\u00a0 There are so many literary references to mysterious ever-watching beings […]<\/p>\n","protected":false},"author":321,"featured_media":894,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17],"tags":[56,38,31,39,15],"class_list":{"0":"post-884","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ipv6-coe","8":"tag-ipv4","9":"tag-ipv6","10":"tag-networking","11":"tag-protocols","12":"tag-security","13":"entry"},"acf":[],"yoast_head":"\n![\"IPv6](\"https:\/\/live-infoblox-blog.pantheonsite.io\/wp-content\/uploads\/threatindexblog.jpg\")
<\/h2>\nAnonymity for Nefarious IPv4 Internet Behavior<\/h2>\n
IPv6: Globally Unique Addresses Without NAT<\/h2>\n
Hiding in the Vastness of IPv6<\/h2>\n
Conclusions About IPv6 Internet Visibility<\/h2>\n