There are some problems with IPv6, but these are not it. All ISP customer routers I've seen blocks inbound IPv6 by default when IPv6 is enabled. Most devices these days randomize their interface identifier part of the address either periodically or hashing the prefix + some local secret + eui (or some other stable identifier). This way the MAC/EUI/"serial" is not encoded into the address, and also does not stay the same when moving to other networks. The way IPv6 SLAAC *used to* address using the MAC/EUI was madness. That design was from before the internet became a privacy nightmare and has fallen out of favor (well more or less.) Neighbor Discovery is similar to ARP in IPv4 and has many of the same security problems. It is also just local to your network segment so doesnt really matter in the grand scheme of things. If you absolutely must secure it, the mechanisms to do so is very similar in IPv4 and IPv6 - quite complicated for both - and not suitable for a home-type environment. The localization of prefixes is total, and utter ???. That is not how the space is allocated at all. I cant even. However: there will still be geoip databases - like with IPv4 - and chunks of addresses tends to be used in one area - like with IPv4. fe80:: addresses are local to your LAN (a single network segment - it's in the name - link-local), not internal to ISP. Although they do often control your router and could theoretically reach them - just like your internal addresses with IPv4. I probably forgot several things, but I'm not watching this one more time. One actual IPv6 privacy issue is: when a VPN provider does not support IPv6 properly, or at least account for it, it will leak left and right if IPv6 is available on the network. VPN providers needs to to better.

OK, let's talk about device fingerprinting: The auto assigned IPv6 address that uses the MAC address (7th bit flipped) begins with FE80 and is NOT routable - much like the 192 / 172 / 10 prefixes on IPv4. It is only used on the local network. On the other hand, smart phones on cellular data connections almost always use public IPv6 addresses (like 2001) yet are still secure. The problems you mention are problems of implementation not protocol. Any potential problem with IPv6 is also a potential problem with IPv4. However, IPv6 actually solves several problems which required work arounds on IPv4.

It sounds like someone isn't competent or is trying to push a product that doesn't support IPv6. Devices that are IPv4 only are not affected by having IPv6 available. IPv4 hasn't been adequate for many years, due to the address shortage. As a result, many people are stuck behind carrier grade NAT, which means they cannot access their own network from elsewhere. Also, NAT breaks some protocols. This is why it's necessary to use STUN for VoIP and some games. It also breaks IPSec Authentication Headers, which reduces security. As for the "automatic firewall", firewalls by default block everything and you have to open what you need. As for each device having a routeable address, yes that is true. However, with SLAAC, you get one consistent address, which you'd use for incoming connections and random number based "privacy" addresses, which change every day, for outgoing. Further, you have at least a /64 prefix, which contains 2^64 addresses, which means that port scanning, a common attack with IPv4, is simply not feasible with IPv6. As for an ISP knowing who's doing something they shouldn't, while they may not be able to tie an address to a specific device, they can tie a prefix to a customer, just as they would with the single IPv4 address. Also, the MAC address is only used if enabled in the consistent address. Very often a random number is used, even for the consistent address. The MAC is never used in the privacy addresses. Further, even with IPv4, your general location is still more or less available. Certainly your ISP is identified. In short, this video is based largely on ignorance.

There are so many misconceptions about IPv6 (and networking in general) in this video for someone who supposedly builds router software. Even the cheapest consumer grade routers (regardless of whether they have IPv6 enabled) have a built in firewall to block incoming connections. NAT is not responsible for this functionality in a home router. NAT is NOT firewalling! NAT64 is a transition technology meant for ISPs and enterprises (those with publicly accessibly resources) to migrate to IPv6 while continuing to support IPv4. In essence NAT64 translates a publicly routable IPv6 address to a public IPv4 and vice-versa. It is not meant to translate Private IPs to a Public IP as you are implying. There is no reasonable use case to implement it on a consumer router. Man-in-the-middle attacks are possible are just as possible on IPv4 as on IPv6. One of the many solutions is encryption. IPv6 unlike IPv4 natively supports IPSec to mitigate this risk. There are several issues with IPv6 as it is today and I really enjoy your videos but I think you missed the ball on this one.

didn't Obama say *"If you like your IPv4, you can keep it?"*

No joke: I changed providers recently and got a dual IP (v4 and v6) configuration. When I checked the DNS for the ipv6 I couldn't believe my eyes: they were using a HUAWEI dns server! And there was no option to turn it off or change the dns (there were options for the ipv4 though). Fortunately I managed to access it another way and turn it off, but my jaw is still dropped. I am nowhere near China for it to use a chinese DNS, and they're installing it as standard config for all users.

Thank you Rob, I find your talks very informative. My ISP provider told me I had to change my IPv4 router for an IPv6 router or loose my cable Internet service. They said that they would give me a replacement router, but when it arrived I found that it was not a router but a hub! So I searched on the Internet and found that there was an Mobile Use Only option. I made connection via fast ethernet cable to a Draytek Vigor 2860ac router that allow me to use IPv4 and IPv6 as well as specifying 2.4G or 5G and Dos protection, and power levels ... I also found on my android phone that there were other frequencies other than my selected ones which were also transmitting. I had to go back into the set up system and turn them off. Which reminds me, I had better go and check that my settings haven't been changed. For window, I find Sphinx is excellent. I am looking for a secure Linux OS. Would you use Alpine Linux?

I've been pretty sketched out ever since I read the wiki description of ipv6; says it's used to 'identify and locate computers'....

Rob brings complex tech to normies who have no idea how zucked they are. In other words, he is a saint like citizen who we need 👏🏻

This was one of the most important videos I've watched all year about security. Fantastic job.

Please make a quick video on how to set up a basic router for defense! Can't wait to hear about other hidden threats you're discovering

There are actually things you gain from IPv6. First of all you can remove the whole NAT garbage from many routers and use proper firewalls instead. IPv4 introduced for many applications this whole crap of NAT traversal, hole-punching and pricing IPv4 addresses and sub-nets completely unnecessary. The only reason IPv4 stayed so long was compatibility to old systems and devices. Disabling IPv6 now is only a temporary solution... all related problems have to be solved differently in long term. What me bugs the most is that the IPv4 actually had very neat features like multicast groups you could have used for decentralized streaming, podcasting or messaging. This would have reduced traffic, latency and server cost. But they turned this service down in favor of more addresses because of the lack of address space. So IPv6 brings this feature back hopefully for everyone.

Thanks for your very expert and incisive analysis which has become so indespensible!

Thanks for looking out for us!

Rob, if all routers are set to use dhcp, and a typical IP address is 192.168.1.1/2/3/4/5 etc couldn't someone fire a packet through a nat firewall by guessing a PC is using Skype for example and get a malicious packet into a network? Or is the nat firewall more sophisticated than that?

Partial solution? For ISP modem/router combo: turn off wifi, connect to Nighthawk router by cat5, use that wifi?

I give up,every step we take is being "recorded", I'm going to become a lonely monk!

Great videos, but I think you are overstating the privacy risks of IPv6, and falling for a few misconceptions here: 1. FE80 "link local" addresses are equivalent to non-routeable IPv4 addresses (like 192.168.0.1). They're local only and NOT routed to your ISP's network*. 2. EUI-64 (where IPv6 addresses are based on a device's MAC address) is NOT used in the example you give (around 16m20s+). Any EUI-64 address can be identified as it has __FF:FE__ in the middle: networklessons.com/ipv6/ipv6-eui-64-explained The RFC4941 from 2007, "Privacy Extensions for SLAAC in IPv6", means that the MAC address is no longer used to generate devices' IPv6 addresses. Even my cheapo, years-old ISP router doesn't use EUI-64. Wikipedia: en.wikipedia.org/wiki/IPv6#Stateless_address_autoconfiguration_(SLAAC) RFC4941: tools.ietf.org/html/rfc4941 3. The location identifiers of IPv6 are pretty much the same as in IPv4. A public IPv4 address will reveal which ISP you use, and which subnet of that ISP you are connected to (which can narrow-down a more accurate location). How is IPv6 any different? --- * - One "feature" that exposes your local network to the ISP is TR-069. ISPs use this on their routers to remotely update the firmware, but can also see all the devices and IP addresses (IPv4 and IPv6) on your local network. en.wikipedia.org/wiki/TR-069

I'm honestly quite clueless but I only configured IPv6 because my ISP modem router combo and personal router are causing double NAT. Somehow, enabling IPv6 solved double NAT issues for me.

The problem with disabling IPv6 is that websites are switching to IPv6 and disabling IPv4. Eventually, it will no longer be possible to access any website via IPv4. There is no turning back from this trend and it is necessary to create a way to protect ourselves with IPv6.

BTW, you forgot to mention Unique Local Addresses, which are the IPv6 equivalent of IPv4 RFC1918 addresses and can be used for local networks.

NAT is not a Firewall. What’s a shame

11:20 Only a perk maybe, but not security filtering/inspecting.

So I have a question? My ipv6 and ipv4 change randomly and sometimes they go out out randomly as well. This happens when I'm on a VPN on my cell phone and when I'm off a VPN. The vpn takes the ipv6 away but the ipv4 still changes randomly. Sometimes 3hrs sometimes 1hr, 4 min. I'm curious to why it does this? Then my ipv6 changes and sometimes my ipv4 will remain the same. And sometimes they change at the same time.

I don't know much about ipv6 but these are the things immediately concerned me. Thanks for this video. Literally nobody talks about it.

I said a lot of truths, especially about fingerprinting, but getting rid of NAT does not immediately imply getting rid of a firewall.

Thanks Rob! Where do we go if we need answers to questions we have about your products, that arn't provided in the description?

I found an option in the KDE wifi settings under the tab "IPv6" then Privacy, where you can set it to generate a "public" or "temporary" address. Not exactly sure what that does, but it probably does something so I guess I'll turn that on.

I’m glad I watched your video, I was thinking of setting up IPv6 tomorrow, I’ve always used my own router but using my isp’s modem.

I'm learning so much from you. Really appreciate your time and effort. When I build my house, I will take all the necessary steps to protect my privacy.

THANKS ROB FOR ALL THIS INFORMATION, THIS HELPS A LOT SPECIALLY THOSE LIKE ME I AM NOT SO EXPECT SO ALL THIS INFORMATION HELPS ME OUT.

It's getting to the point where I'm ready to abandon the internet completely. What a dystopian future we all have waiting for us.

Thanks for the info, Rob.

Thank you Mr. Braxman.

Tell me how an attacker can pinpoint a particular IPv6 of your home computer. There are hackers continuously scanning IPv4 addresses for vulnerabilities, because going through 4 billion possibilities is easy. With IPv6, a hacker randomly stumbling upon your IPv6 address is an effective impossibility. The odds are truly astronomical. Actually, IPv6 is much better this way. And privacy extensions make things even better.

So much wrong with this video, I'm not sure where to begin.

Ipv6 is not as horrible as some think. You dont need stateless autoconfig if you dont want although most will use it by default. True, v6 is not the greatest design but it is just another addressing scheme. NAT is security through obscurity and is not a real security control. The biggest privacy issue is the mac address can be known through stateless autoconfig but there are solutions to prevent that through ipv6 extensions.

Many avenues of attack can also be found focusing on IPv4. Or USB ports. Or Bluetooth. Or your web browser.

I was checking out my Spectrum internet account and it showed each device that's been connected to my WiFi and supposedly I can block any of them from the website. But watching this video made me realize that Yes, not only do they have your router or home internet address but each device hooked to it. I also started checking out Google account settings too and see they have each device I've logged on with also. I think I'd seen somewhere on my Spectrum account that the router is ipv6. So if I had just an ipv4 modem/router then would all these devices not be known to Spectrum? How about Google? Thank you Rob and God bless you and your family.

NAT 64 IS NOT A FIREWALL.

What an excellent tutorial! What are your thoughts about TAILS?

From what I can gather IPV6 offers point to point so outside devices can access internal without NAT (could be wrong here), but this equally means you have made a Hackers job easier and you are broadcasting your devices. So it appears IPV6 has a lot of security issues. Many man in the middle attacks take advantage of an IPv6 exploit, so I’d say turn IPv6 off if you don’t need it.

Is ipv6 good on a apn for phone im having trouble with my data when I go to my house it completely turns off I lose data and sometimes when I go out side I have to either put it in airplane mode and then put it back to normal to get data again can u please help me with my apn for metro pcs

Incredible amount of Information you are sharing, Thank you for all these Efforts

Very interesting and enlightening article, thanks. I’ve read that a growing number of websites are blocking “non ipv6” address. Is this correct and if so is there anyway round this?

Thanks for the info. I had to go into the modem/router settings to turn off ip6 :)

my problem is that I have a double nat my router and a LiteBeam 5AC Gen2 so the LiteBeam 5AC Gen2 (its out at the end of the driveway) can't be replaced due to thats how I get my satelite internet I guess I could request my ISP to turn the litebeam into bridge mode or dmz my router

This video feeds wrong information. NAT is neither a security feature nor a prerequisite for firewall. So stop feeding misinformation. IPv6 is the future.

Regarding security from outside attacks: So you're saying if you're using one of these Spectrum modem/routers the ISP will give a public-facing IP address to each device in the home? How is that possible when the greater internet is running IPv4.. each device in your home would need its own internet IPv4 address to be reachable from the outside. there would be no other way the Spectrum router would know how to route incoming connections without using port forwarding, just like a standard router would do. Unless I"m missing something here?

I need this answered, please. Can't you change your public IPV6 address anytime you wish?

I have ATT Fios, and was told I.absolutely have to use their modem and router. The only thing I was able to do was put my router between theirs and my devices and configure it as bridge mode. Please help me keep Fios, but ditch their equipment. Also, is my setup insecure? Thx

Doesn't it not matter whether or not ipv6 is exposed or not, since it changes regularly?

What about turning on IVP6 an android TV?

Lots of well intentioned but misinformed information here based on out of date thought processes. The biggest one is is that NAT IS NOT A FIREWALL and shouldn't be used as such. NAT creates many issues with the advanced networking tasks many home users are trying to accomplish. For example NAT can interfere with the end to end communication needed for Video Conferencing or even just trying to run more than one gaming console simultaneously. Given that many ISP's are implementing CG-NAT (Carrier Grade NAT) and not giving a true routable IPv4 address NOW is the time to be embracing IPv6 in the home environment.

Hi Rob. I use a modem/router combo. I can get into firewall settings and see ipv6 and firewall setting low- med - high. Should I implement those settings or turn them off completely since the modem router is it’s own firewall?

Will I have to put my edge router behind my isp modem/router ?

Thanks for the video !

And I also have wifi and I use spectrum I really don't like it cause of hackers trying to get my identity or information so I would like more information on my phone service apn setting to get the most out of my phone thank u n great video

@Rob Braxman Tech - Exceptional vid! When you're at the top of your game, it's hard to out-do yourself---but you did on this one!

as far as i'm aware the mac address part of the address is using a randomly generated address by default, at least on linux and windows, instead of the mac. does anybody know if rob is right on it not being this way?

IPv6 is like trying to protect a house with 1 door vs with 7 doors. Now instead of worrying with one you need to awry with 7. And who wants that 😭😭

Always good info thanks! I was about to switch to IPV6 to be like one of the cool kids but thankfully I saw this first.

Hi Rob, thanks for educating and informing us!

We are running out of 4B IPv4 addresses because Java always has been running on 3B devices 🙃

I'm in Canada ISP default routers are combo modem and router in my province. Since day 1, I had the ipv6 disabled, only ipv4 enabled at all time. Nonetheless, doesn't help against APTs. Difficult to find justa modem standalone that will work with the ISP with the appropriate matching mbps to set up the Brax router, I've looked at several sites. Therefore, haven't properly set up mine. Any suggestions?

Yes, NAT isnt important anymore ... But in Germany we will definetely still have Firewall-Routers using NAT. Isn't the IANA-Location based IP Adresses already in use with IPv4? My IP pinpoints me to my region and isp in germany already.

Yes I wish you would give steps on setting a router up , or some links to some good vids on it ! I am no guru in this stuff and appreciate your information . I am glad you are discussing not only phones but computer security. Big brother & criminals are always ahead of the power curve on us it seems like all the time .

yes i notied that too ,i have a hidden router .com router which is also a vpn router and google was still monitoring me on ivpn6 so i had ipvanish to couter that ,so i have both vpns on software and hardware

I really want to know who's walking around with 4 billion+ or even just 3.7 billion machines on their local network and worried about running out of ipv4 addresses...

I was upgraded to a new ATT modem recently, for free, so the first thing I did was go into the router and untick the radio button for IPv6. Since ATT buys only barebones modems/routers for the consumer market, and has them flashed with their proprietary firmware, there is no extra per-month cost for renting or buying the device; at least that is my case where I live in the US.

People think a higher number is better with anything.

Hackers using IPv6 to attack my devices

Someone hacked me and I'm sure they unencrypted my ipv6 to gain access to my electronics and I got NO help from anyone in government I reached out to other hackers at one point and got no help there either.... I'm still looking for help to this day.

for computer illiterate an IPv6 address is a tattoo mustache elimination place in poland. You don't want that. Great thing about IP before is that it reuses name so many times around the world that it's almost impossible to identify an end user definitively. It's safeguards your anonymity. IPv6 is essentially a universally unique ID which is not good privacy wise

Doesn't ur isp have its own firewall software on the modem router they provide?

in android you can go to APN settings and change setting to obtain ipv4 only. secondly, add iptables rules to drop all ipv6 traffic.

Why not limit corporations to 254 public IP addresses?

Thanks, great video 👍 I didn't have a clue about it.

there's a lot of misinformation here...

How do I access your EU market?

Today I learnt the fact that things are made up of two parts if you split them in half. That is all.

I have my router as a VPN gateway and tunnel for my LAN just because having a big fat target pointing directly at my phone that is routeable over the web? No thank you

We created nat to extend the life of ipv4

This is piled up with misinformation. Don't listen to this guy. Read a book or watch legitimate videos about IPv6.

I am excited when I click IpV6 disable on each wifi connection :).

Great job! I subbed!

I recently tried to configure port forwarding on a router to one of my devices, and was surprised that the router only had an IPv6 address. I can confirm that MAC addresses were used to generate the IPv6 addresses of local devices. However, I actually couldn't make the device/port available from the outside Internet (v6). The firewall blocks all traffic by default, and it probably was buggy, I couldn't enable it at all -- I created an ALLOW ALL rule and it didn't even work. The most I could achieve was that traceroute6 could reach the device, but even ping6 didn't work, not even talking of TCP (I actually needed the port available over IPv4, so I just played with it, but didn't bring this up with ISP support)

Another fantastic video. Great work, very concise!

NAT is not a firewall. Please don't confusing people with this misleading information.

Fantastic video very well explained

Thank you. Just saved me a big risk. Top explanation. Was going to set up for gaming. After your video I don't think it will make a difference. Thank you again.

Very good Rob! 🤓

Even though it is a serious privacy issue, there is nothing you can do about it. I don't think it is a good idea to disable it because IPv4 will be killed, and there is no going back. If you can't implement a way to make IPv6 secure, this workaround won't do much good.

Excellent review!

Thank you Rob, for clarifying this bag of worms called IPv6! I still have a modem from my ISP as I refused to have one of those crappy all in one devices they rolled out to other customers with are configured as dual stack. My modem was recently "upgraded" to dual stack without any comment. As my basic router had performance problems I finally updated my router with a Pfsense box where I disabled the IPv6 stack. Not only is this "under the hood" implementation a serious thread regarding privacy (that unfortunately we do not have anymore) but even more concerning it is a major security threat. Perhaps not the data that is available from a simple citizens computer but your computer can be used without your knowledge for infiltrating other computers. The current implementation of IPv6 will just facilitate these threats. With IOT getting more popularized this is calling for a major disaster. In the last 1 1/2 year I never heard so much companies in my country affected by hacking, data breaches, etc. These are the ones hitting the news, not speaking of the others hiding... I thought we learned about what happened 10+ years ago in one of the Baltic states . That state had to literally unplug their routers going to international sites because they were bombarded from all over the world. All banking, government,... facilities were down for several weeks. They even tried to kill the power plants but fortunately these were older platforms adapted to digital and they still had "manual controls" . I am getting more and more concerned about the computer infrastructures from my country as most people have a blind faith into the security implementations of these platforms. I still remember the quote from one of our teachers " security is a matter of time" . Most systems have no manual override because to expensive.... When I look through the log files of my Pfsense router I am surprised regarding all the port scans that happens on my router external IP address, some are targeted to the common ports, others are random ports. These addresses originate from countries like Iran, Russia, China, Bulgaria,... to mention the top 4.

Great job Rob!!

We are so zucked!

excuse me sir, did you say "zucked" ?

All the stuff is beautiful

Rob the Dob Dob