IPv6 with regards to servers detecting and blocking VPN usage

[Ernst89 11]

Currently AirVPN use a few IP addresses for a given country. Each IP address being shared by many customers.

 

It is quite easy for a web service provider to detect that a known IPv4 address is being used and thus block access to AirVPN users. They could also detect a large number of requests from the same IP address and block that way.

 

When IPv6 is introduced will AirVPN customers be given their own unique IPv6 block or will all customers share the same ones as with IPv4?

 

In effect will it be harder to detect and block VPN use via known IPv6 addresses?

 

[zhang888 1066]

The effect is pretty much the same. The blocks are not individual (single) IP based but are classified to hosting/business and residential IPs.

I am not talking about "simple" blocks where you have been banned from some chat room for abusive behavior, for example.

The only positive thing from IPv6 might be that the blocking websites will take more time to figure out how to properly implement these blocks,

but once they do, it's pretty much the same. Larger address space doesn't mean it will be harder to block, they can just block a /48 instead of a /16 in IPv4 and so on.

 

Don't count on IPv6 to avoid blocks in the long run, quite the opposite - since ISPs will have larger spaces to use, there will be more clear definition between

residential, mobile, business and hosting allocations in the future.

 

P.S.

Assigning a unique IP per user defeats the idea of anonymity you can gain with VPNs, when many users share the same public address.

This is why a public VPN provider is considered more anonymous rather than just running OpenVPN on your own remote infrastructure.

[Ernst89 11]

Ok, I'm largely ignorant of this but I'll give you the benefit of my thoughts anyway     .

 

The advantage with IPv6 that I was suggesting is that there will be far more IP addresses available. 

 

If a VPN is able to source an IPv6 block like a residential ISP would, or even share a sub block with a genuine residential ISP, it becomes much harder for for a large company supplying a web service to spot. Yes the web service provider may spot a lot of connections from an IPv6  block but that will be similar to the residential ISP use case, rather than the distinct large number of requests from a single IPv4 address which is not.  I guess this is similar to Carrier Grade NAT with IPv4, but everyone would be doing it rather than just a few large mobile companies.

 

Given the high availability of IPv6 addresses a VPN provider could change them regularly to avoid detection. For popular services the VPN provider may set up specific routing via intermediate IPv6 addresses which are not transparent to VPN customers.

 

I also understand the secrecy issue with using a shared address but many of us, I suspect the vast majority, only want superficial privacy. We won't be hacking the Pentagon or communicating state secrets to WikiLeaks. Instead many of us just want protection from ISP default logging or we want to spoof geo-location for streaming TV. For us the problem with VPN detection leading to blocked services totally outweighs the extra potential anonymity from sharing an IP address.

[zhang888 1066]

You should probably refer to the RIPE policy regarding IP allocations, under which AirVPN operates.

No reputable VPN provider should, and probably will ever, violate those rules in order to achieve some

temporary questionable benefit regarding locations by cheating the RIR (In Europe - RIPE).

 

VPN providers who implement fake geolocation and other forms of cheating are out of this topic,

for the reason they also cheat their customers by announcing fake locations in the first place.

 

In any case this would only be a theoretical issue, since no matter what you declare in your RIR contacts,

most of the major services like Netflix and BBC know how to find the ASN of the residential ISPs and then

apply their blocks according to the residential ASNs and their allocations.

 

Residential example for UK:

https://bgp.he.net/AS5089#_prefixes

 

Hosting example for UK:

https://bgp.he.net/AS20860#_prefixes

 

If your question is still about blocks, refer to http://bgp.he.net/country/(2_letter_TLD) and see which IPv4+IPv6 addresses

residential (Cable/DSL) providers use. There is no much difference between IPv4 and 6 in this case.

This is what any good network admin would implement, and they have an army of them obviously.

[telemus 16]

Hi Zhang888,

Thanks for this explanation: <<In any case this would only be a theoretical issue, since no matter what you declare in your RIR contacts, most of the major services like Netflix and BBC know how to find the ASN of the residential ISPs and then apply their blocks according to the residential ASNs and their allocations.>>

This raises a really big and troubling issue. Internet and freedom unfriendly governments will be in a position to start blocking VPNs much like the BBC does already - and so restrict communication and access to information. But more significantly, monitor the IPs and, if the government is powerful and pervasive enough technically - uncloak the user, without the need to break encryption. 

Your explanation would seem to explain some recent court cases that were puzzling.

I think I will go back to reading books.... :-)

[zhang888 1066]

I can't see how is this related to IPv4/6, and to any court cases.

Governments that choose to block VPNs, already do it per protocol basis, regardless of IP addresses, which is a completely different kind of block.

One thing is to block your outgoing traffic, another thing is to know who the visitor is.

As a government you cannot block access to non-residential IPs country-wide, this is pretty much same as disabling ~80% of the internet addresses

and going back in time about 30 years. No country has ever done that except North Korea and Cuba.