Notices by Dan Wing :unverified: (danwing@infosec.exchange)

Dan Wing :unverified: (danwing@infosec.exchange)'s status on Saturday, 07-Dec-2024 10:41:22 JST
@vurpo @DJGummikuh IPv6 privacy changes the client IPv6 address every couple 24-ish hours on most OSs; it's a lot of effort to do better (such as a fresh IPv6 source address per IPv6 destination which would be perhaps the ideal). The 24 hour behavior makes all the IPv6 activity from that client very trackable. An IPv4 NAPT does a better job at obscuring if connections are from one client or multiple clients.
Dan Wing :unverified: (danwing@infosec.exchange)'s status on Saturday, 07-Dec-2024 10:41:21 JST
@fl @vurpo @DJGummikuh To avoid that ongoing logging, the three vendor CGNAT implementations I am aware of use fixed port ranges per subscriber. For example, if the CGNAT is configured to give everyone 1024 ports, that means neighbor Bob gets 1024 ports and his range might be 10000-11024; I would get the next set of 1024 ports (11025-12049), neighbor Sue gets the next set of 1024 ports, and so on. Some CGNATs have an 'overflow' pool of ports shared amongst subscribers, so a subscriber can 'burst' beyond their 1024 ports to consume 2x or 3x that amount. Those overflow ports, which are dynamically assigned, likely create logs when they are mapped to a subscriber. See https://datatracker.ietf.org/doc/html/rfc7422 and see vendor documentation for more details.
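The fixed-range-plus-overflow scheme described in the post, as an added toy model (not code from the post, from RFC 7422 or from any vendor): subscriber blocks are exact 1024-port blocks computed from the subscriber's index, so attribution of a public port needs no log, while ports handed out from the shared overflow pool are the only ones that must be logged. All names, port numbers and pool sizes are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DeterministicCgnat:
    """Constructed model of a CGNAT with fixed per-subscriber port blocks
    (RFC 7422 style) plus a shared, dynamically mapped overflow pool."""
    base_port: int = 10000
    block_size: int = 1024
    subscribers: list = field(default_factory=list)    # position = block index
    overflow_free: list = field(default_factory=list)  # shared burst ports
    overflow_map: dict = field(default_factory=dict)   # port -> subscriber
    log: list = field(default_factory=list)            # only overflow events

    def fixed_range(self, subscriber):
        """Inclusive port block owned by a subscriber, pure arithmetic."""
        i = self.subscribers.index(subscriber)
        lo = self.base_port + i * self.block_size
        return lo, lo + self.block_size - 1

    def owner_of(self, port):
        """Attribute a public port to a subscriber. Fixed blocks are answered
        from configuration alone; overflow ports need the dynamic map."""
        i = (port - self.base_port) // self.block_size
        if 0 <= i < len(self.subscribers):
            return self.subscribers[i]
        return self.overflow_map.get(port)

    def allocate(self, subscriber, in_use):
        """Pick a port for a new connection: first a free port from the
        subscriber's own block (no log), else burst into the overflow pool
        (logged, since the mapping cannot be reconstructed otherwise)."""
        lo, hi = self.fixed_range(subscriber)
        for port in range(lo, hi + 1):
            if port not in in_use:
                return port
        if not self.overflow_free:
            raise RuntimeError("fixed block and overflow pool exhausted")
        port = self.overflow_free.pop(0)
        self.overflow_map[port] = subscriber
        self.log.append(f"MAP port={port} subscriber={subscriber}")
        return port


if __name__ == "__main__":
    nat = DeterministicCgnat(subscribers=["bob", "me", "sue"],
                             overflow_free=list(range(60000, 60004)))
    print(nat.fixed_range("bob"), nat.fixed_range("me"))
    busy = set(range(*nat.fixed_range("bob"))) | {nat.fixed_range("bob")[1]}
    print(nat.allocate("bob", busy), nat.log)
```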