I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.
For example; Windows can do "Temporary IPv6 Addressing" that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.
This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.
I also like the privacy extensions, but how often does your prefix even change? Most places I've seen you get a /64 announced and it basically never changes -- so somewhat elementary to "break through" that regardless.
A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I'm not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.
With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.
I actually use /55s to cordon off blocks inside the /48 that aren't used too. So dialing a random prefix won't help. You'd be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way...and it doesn't work because I'm not subnetting on any standard behavior.
I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.
For example; Windows can do "Temporary IPv6 Addressing" that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.
This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.
I also like the privacy extensions, but how often does your prefix even change? Most places I've seen you get a /64 announced and it basically never changes -- so somewhat elementary to "break through" that regardless.
I have a /48 that I can basically roll through.
A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I'm not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.
With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.
I actually use /55s to cordon off blocks inside the /48 that aren't used too. So dialing a random prefix won't help. You'd be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way...and it doesn't work because I'm not subnetting on any standard behavior.