Author Topic: IPv6 Firewall?  (Read 80347 times)

PacketTracer (Level 4 Member, 441 posts)
IPv6 Firewall?
« on: April 17, 2012, 02:09:45 PM »

After updating my DIR-825 to firmware version 2.05EUb09 (01/06/2012) it was nice to see the progress IPv6 has made in this version. For example, when selecting PPPoE you can now choose to share IPv6 with IPv4 within a single PPPoE session or to create a separate PPPoE session for IPv6 instead. Sharing IPv6 with IPv4 within a common PPPoE session wasn't possible in the former firmware version 2.04EUb02, and I'm happy that this will work now because my ISP (German Telekom) will provide native IPv6 this way. And I hope they'll do it on World IPv6 Launch Day, so that I can get rid of the SixXS tunnel I'm using now as a surrogate for native IPv6 (which works fine too, but native IPv6 would be better of course).

Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it conform to RFC6092 (http://datatracker.ietf.org/doc/rfc6092)?

And: If there is an IPv6 firewall implemented, how shall I open a port for an incoming connection if there is no configuration switch for doing that? Will this be made available in future firmware updates?

Thanks for replies in advance!
« Last Edit: May 07, 2012, 03:00:54 PM by PacketTracer »

MAKEPA59 (Level 1 Member, 1 post)
Re: IPv6 Firewall?
« Reply #1 on: April 26, 2012, 02:12:04 AM »

I'm also interested in knowing for sure whether there is an IPv6-capable firewall from D-Link for the DIR-825 available or not. And if yes, how it can be put to work. And if not, are there any plans for that? Unfortunately I don't find it very appealing to have my home network open to everybody, even though it would only be IPv6 space ;).

I'm also using version 2.05EU dated 07 Oct 2011. Got it from the local organisation (Finland).


FurryNutz (Poweruser, 49923 posts, D-Link Global Forum Moderator, Router Troubleshooting)
Re: IPv6 Firewall?
« Reply #2 on: April 26, 2012, 07:08:29 AM »

I recommend calling your local DLink sales or support office and ask about this.
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

PacketTracer (Level 4 Member, 441 posts)
Re: IPv6 Firewall?
« Reply #3 on: April 28, 2012, 04:49:03 AM »

I guess, this means: No, there is no IPv6 firewall implemented at all! Hm...  >:(

FurryNutz (Poweruser, 49923 posts, D-Link Global Forum Moderator, Router Troubleshooting)
Re: IPv6 Firewall?
« Reply #4 on: April 28, 2012, 08:14:10 AM »

I recommend you call DLink to find out. It means that different regions have different options, and the best way to find out for your region is to call DLink.

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #5 on: April 28, 2012, 10:23:09 AM »

Hmmm, my IPV6 ports seemed to be stealthed. There are several servers out there for testing this.

Don't know about the EU firmware, I would assume the only difference would be the WiFi channels.

I guess it depends on what your definition of "firewall" is too. Stealthed ports and NAT do a pretty good job. I am not running a firewall on my Win 7 machine, so if the router was wide open a port scanner should find it.

Here is a scanner.

http://laltromondo.dynalias.net/cgi-bin6/ipscan-js.cgi

Scan beginning at: Sat Apr 28 19:20:00 2012 , expected to take up to 12 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO REPLY

Individual TCP port scan results:
Port 7 = STLTH    Port 21 = STLTH    Port 22 = STLTH    Port 23 = STLTH
Port 25 = STLTH    Port 37 = STLTH    Port 53 = STLTH    Port 79 = STLTH
Port 80 = STLTH    Port 88 = STLTH    Port 110 = STLTH    Port 111 = STLTH
Port 113 = STLTH    Port 119 = STLTH    Port 123 = STLTH    Port 135 = STLTH
Port 137 = STLTH    Port 138 = STLTH    Port 139 = STLTH    Port 143 = STLTH
Port 311 = STLTH    Port 389 = STLTH    Port 427 = STLTH    Port 443 = STLTH
Port 445 = STLTH    Port 514 = STLTH    Port 543 = STLTH    Port 544 = STLTH
Port 548 = STLTH    Port 631 = STLTH    Port 749 = STLTH    Port 873 = STLTH
Port 993 = STLTH    Port 1025 = STLTH    Port 1026 = STLTH    Port 1029 = STLTH
Port 1030 = STLTH    Port 1080 = STLTH    Port 1720 = STLTH    Port 1812 = STLTH
Port 3128 = STLTH    Port 3306 = STLTH    Port 3389 = STLTH    Port 3689 = STLTH
Port 5000 = STLTH    Port 5100 = STLTH    Port 5900 = STLTH    Port 8080 = STLTH
Port 9090 = STLTH

Scan is :    COMPLETE.

After using several of the utilities that are out there for IPV6, I am showing the Dir-825 is fairly secure.


« Last Edit: April 28, 2012, 10:26:13 AM by Patrick533 »

PacketTracer (Level 4 Member, 441 posts)
Re: IPv6 Firewall?
« Reply #6 on: April 28, 2012, 01:09:43 PM »

Hi Patrick533,

thank you for providing this information. Since there is no NAT with IPv6, protection by a firewall with stateful inspection is most important. And by default it should block (drop or at least reject) any incoming connection requests, in terms of what the connection tracking system of the firewall interprets as a connection. In other words, the recommended default behaviour as defined by RFC6092 should be in place.

And as can be seen from your results, apart from incoming ICMPv6 echo requests, everything else (at least TCP) seems to be dropped. That's good news.

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #7 on: April 28, 2012, 03:39:04 PM »

Ok, after rereading your initial request, I understand why you are asking.

But you say there is no NAT? My IPV6 address to the outside world is different from my internal address; is this not NAT? I did not post my address in the test I did, but my outside IPV6 address to the world is different from that of the Windows 7 x64 machine that ran the test. The DIR-825 is giving all of the machines that have an IPV6 stack behind the router a different address.

Looking a little closer, I do have an IPV6 routing tab, but port forwarding is only by IPV4 it seems.

I have been running this configuration for 7 months, in the States the only site that is 100% IPV6 is Facebook, I have even held video chats through Facebook to IPV4 with no problems.

This router in the States has been given gold awards for its IPV6 support, and many of the routers still being sold here are still IPV4. The reason I purchased it was for its native IPV6 support.

The need here for IPV6 in the States is nonexistent, I have only set this up to learn more about the new technology. Now that I am thinking about it, the router is missing a few tabs for configuration, like port forwarding.

I did look at a business dual WAN router recently, but the IPV6 support was non existent so I am staying with the D-link for now. I just have to do a manual switchover if the 1st WAN dies. 

PacketTracer (Level 4 Member, 441 posts)
Re: IPv6 Firewall?
« Reply #8 on: April 29, 2012, 06:36:30 AM »

Hi,

having IPv6 addresses from different IPv6 prefixes at the WAN and LAN interfaces of a router is a prerequisite for a device working as an IPv6 router, isn't it? In no case does this mean that the router is doing NAT! And this is the same as with IPv4, where you have a public IPv4 address at the WAN interface and private addresses inside your LAN. As private addresses are not unique, they are not routable within the internet, and that's why your router has to do NAT in the case of IPv4. In contrast, with IPv6 you use public addresses within your LAN, hence your router can (and does) directly route them to the internet.

While NAT is the standard operation of a CPE in IPv4 (where the use of private IPv4 addresses within the LAN is common), routing without NAT is the default behaviour in IPv6. NAT operation for IPv6 isn't even standardized and hopefully it never will (okay there is a technique called NPTv6, as described by RFC6296, but this is a stateless 1:1 NAT without the need for managing NAT sessions and hence without the side effect of a pseudo protection as is the case with N:1 SNAT/NAPT/PAT/Masquerading in IPv4). While in IPv4 NAT is useful to reduce global IPv4 address consumption because of the scarcity of those addresses, in IPv6 we have enough addresses, and hence, NAT isn't needed any more (at least for saving addresses). That's why we have to migrate to IPv6.

In IPv6 there are different techniques for how the WAN interface of a CPE gets its IPv6 address, as described by RFC6204. It might come from the ISP by DHCPv6 or stateless address autoconfiguration (SLAAC), but not within PPP negotiation as is the case with IPv4. In any case an ISP will additionally provide a global IPv6 address block of some size (e.g. /56 or even /48) by DHCPv6-PD (prefix delegation, RFC3633) for use within your LAN, and your CPE will form a /64 block from that and announce it in the LAN, so that your end nodes can form an IPv6 address of their own by doing SLAAC. Some boxes will form a different /64 prefix from the delegated address block for use on the WAN interface if the ISP doesn't provide an IPv6 address by one of the above-mentioned methods.

Back to the firewall question: Are you sure your DIR box has native IPv6 access? Or did you activate 6to4 only (in this case, the IPv6 addresses you use start with 2002:... and the next 32 bits consist of the hex-translated octets of your public IPv4 address at the WAN interface of your router)? But in either case your port scan results are meaningful, because they prove there is an IPv6 firewall operating inside your box and it protects you.
« Last Edit: April 29, 2012, 06:55:19 AM by PacketTracer »
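The 6to4 address mapping PacketTracer describes above (RFC 3056: the site prefix is 2002:VVVV:WWWW::/48, where VVVVWWWW are the 32 bits of the public IPv4 address) as a small POSIX shell script. This is an added example, not code from the thread or from D-Link; the IPv4 and IPv6 addresses used are constructed from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32). It derives the 6to4 prefix from a WAN address, recovers the embedded IPv4 address from an address a scanner reports back, and answers the "is this 6to4 from my WAN address?" question:

```shell
#!/bin/sh
# 6to4 address arithmetic (RFC 3056).  Added example for this thread; the
# addresses used below are constructed from the documentation ranges.

# Print the 6to4 /48 for the public IPv4 address given as $1.
# The body runs in a subshell so changing IFS and the positional
# parameters does not leak into the caller.
sixto4_prefix() (
    IFS=.
    set -- $1                      # split a.b.c.d into $1..$4
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac   # digits only
        [ "$o" -le 255 ] || exit 1
    done
    printf '2002:%02x%02x:%02x%02x::/48\n' "$1" "$2" "$3" "$4"
)

# Recover the embedded IPv4 address from a 6to4 address ($1), e.g. the
# address a scanner reports back to you.  Accepts the usual compressed
# notation: for a real public address the two groups after 2002: are
# never swallowed by "::", so they can be read positionally.
sixto4_to_ipv4() (
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $addr in 2002:*) ;; *) exit 1 ;; esac
    IFS=:
    set -- $addr
    hi=$2 lo=$3
    for g in "$hi" "$lo"; do
        case $g in ''|*[!0-9a-f]*) exit 1 ;; esac
        [ ${#g} -le 4 ] || exit 1
    done
    while [ ${#hi} -lt 4 ]; do hi=0$hi; done   # restore dropped leading zeros
    while [ ${#lo} -lt 4 ]; do lo=0$lo; done
    printf '%d.%d.%d.%d\n' \
        $((0x${hi%??})) $((0x${hi#??})) $((0x${lo%??})) $((0x${lo#??}))
)

# True if the IPv6 address $1 lies in the 6to4 prefix of the IPv4 address $2.
is_6to4_of() {
    embedded=$(sixto4_to_ipv4 "$1") && [ "$embedded" = "$2" ]
}

# Constructed example: WAN address 192.0.2.33.
sixto4_prefix 192.0.2.33             # 2002:c000:0221::/48
sixto4_to_ipv4 2002:c000:221:1::5    # 192.0.2.33
is_6to4_of 2002:c000:221:1::5 192.0.2.33 && echo "6to4 address of this WAN"
is_6to4_of 2001:db8::1 192.0.2.33 || echo "not 6to4 (native or another tunnel)"
```

If the address a scanner shows you does not start with 2002: and is not inside the prefix your ISP delegated, you are looking at native service or a different tunnel (6rd prefixes are ISP-specific and cannot be recognised by a fixed pattern like 6to4).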

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #9 on: April 29, 2012, 08:23:16 AM »

Thank you for the contrast. I have been using IPV4 for so long I forgot that we had blocks for private networks, versus IPV6 which is all public addresses. I did read most of the IPV6 info in the early days, but that has been almost 5 years. I was out of work for 2 years; that is when I did most of my studying. I found a great job that keeps me busy 3 years ago, so now I have become an appliance user again instead of an innovator; if I don't get back up to speed this IPV6 is going to bite me. I did not realize I have had this router for so long either.

My provider has given us 6RD(tunneling) for now, they say they are working on native deployment, but that could take a while. I get my client addresses by DHCPv6 issued by the DIR-825. It is giving my clients addresses close to where you stated (2602:0100).

I do not like the "echo reply", stealth is stealth. It may be part of the 6RD function, but I do know with IPV4 you get no response from this router. I hate being a Guinea pig. We in the states get scanned by foreign countries 100+ times a day, I would prefer people not even know I am here. I had purchased a Cisco router before this one, it was wide open on IPV4, but they said they would fix it, Cisco discontinued the line and left all that junk out there, I returned the Cisco to the merchant and purchased the Dir-825, I was later banned by Cisco on their forums for relentlessly asking about the IPV4 problem they never fixed.

You must work in the IT field, asking questions at work from our IT people, they have no clue about IPV6, I work for a very large company I am sure you have heard of but would rather leave their name out, we do have one of the larger networks in the states, but I guess that does not mean our techs have recent education, even though our CEO has mandated IPV6 deployment. Much like the 802.11 N early days, there is so much that needs to be done to get this hammered out and until it becomes more mainstream and "standardized", people like me that have enough knowledge to make us dangerous but not 100% up to speed will exist.

As I had stated earlier, I went to buy a Cisco dual WAN router a few weeks back, but the router still was waiting for IPV6 firmware, as I always tell people, if it does not work out of the box, don't plan on firmware to save the day. If I had a Euro for every time I had been told "firmware will fix that later", we would both be sitting in Amsterdam discussing this with all the beer we could drink, on me!

Unless you know something about the 6RD I do not, I will submit the echo response as a bug to D-Link; whether they respond to it this early in the game remains to be seen.

Another slight problem I have run into: I use a DNS filter (OpenDNS) to keep the kiddies out of trouble. It seems that if a 6 and 4 stack exist in the Windows OS, it will pull from the 6 DNS first, even if you are resolving a 4 address, completely bypassing my DNS filter. I seem to remember having read that Windows will go to IPV6 first if the stack is installed, but I did not think it would resolve IPV4 addresses this early on. This has led to me removing the 6 stack from all of the computers the kids use.

Any info to help with the IPV6 echo is greatly appreciated; even if it doesn't get fixed in this hardware revision, they need to know it is a problem. Unless people like you and I bring this up early on, it will take forever to get fixed when 6 goes mainstream.

Cheers!

Pat
« Last Edit: April 29, 2012, 08:26:39 AM by Patrick533 »

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #10 on: April 29, 2012, 09:34:57 AM »

I was wrong!  :-[

I have discovered that Win 7 has 3 IPV6 addresses. The test posted was using my TEMPORARY IPV6 address directly to my machine, that is the firewall that was scanned. It appears that the DIR-825 has NO SPI for IPV6.

Here are the tests with my Win 7 firewall on and off. Too bad, I really liked this router! I can see this really being a problem, with no NAT and no SPI and my trust of Windows being ZERO.

WINDOWS firewall OFF:

Scan beginning at: Sun Apr 29 17:20:44 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO REPLY

Individual TCP port scan results:
Port 7 = RFSD    Port 21 = RFSD    Port 22 = RFSD    Port 23 = RFSD
Port 25 = RFSD    Port 37 = RFSD    Port 53 = RFSD    Port 79 = RFSD
Port 80 = RFSD    Port 88 = RFSD    Port 110 = RFSD    Port 111 = RFSD
Port 113 = RFSD    Port 119 = RFSD    Port 123 = RFSD    Port 135 = OPEN
Port 137 = RFSD    Port 138 = RFSD    Port 139 = RFSD    Port 143 = RFSD
Port 311 = RFSD    Port 389 = RFSD    Port 427 = RFSD    Port 443 = RFSD
Port 445 = OPEN    Port 514 = RFSD    Port 543 = RFSD    Port 544 = RFSD
Port 548 = RFSD    Port 631 = RFSD    Port 749 = RFSD    Port 873 = RFSD
Port 993 = RFSD    Port 1025 = RFSD    Port 1026 = RFSD    Port 1029 = RFSD
Port 1030 = RFSD    Port 1080 = RFSD    Port 1720 = RFSD    Port 1812 = RFSD
Port 2869 = OPEN    Port 3128 = RFSD    Port 3306 = RFSD    Port 3389 = RFSD
Port 3689 = RFSD    Port 5000 = RFSD    Port 5100 = RFSD    Port 5357 = OPEN
Port 5900 = RFSD    Port 8080 = RFSD    Port 9090 = RFSD    Port 10243 = OPEN

WINDOWS firewall ON:


Scan beginning at: Sun Apr 29 17:22:32 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO REPLY

Individual TCP port scan results:
Port 7 = STLTH    Port 21 = STLTH    Port 22 = STLTH    Port 23 = STLTH
Port 25 = STLTH    Port 37 = STLTH    Port 53 = STLTH    Port 79 = STLTH
Port 80 = STLTH    Port 88 = STLTH    Port 110 = STLTH    Port 111 = STLTH
Port 113 = STLTH    Port 119 = STLTH    Port 123 = STLTH    Port 135 = STLTH
Port 137 = STLTH    Port 138 = STLTH    Port 139 = STLTH    Port 143 = STLTH
Port 311 = STLTH    Port 389 = STLTH    Port 427 = STLTH    Port 443 = STLTH
Port 445 = STLTH    Port 514 = STLTH    Port 543 = STLTH    Port 544 = STLTH
Port 548 = STLTH    Port 631 = STLTH    Port 749 = STLTH    Port 873 = STLTH
Port 993 = STLTH    Port 1025 = STLTH    Port 1026 = STLTH    Port 1029 = STLTH
Port 1030 = STLTH    Port 1080 = STLTH    Port 1720 = STLTH    Port 1812 = STLTH
Port 2869 = STLTH    Port 3128 = STLTH    Port 3306 = STLTH    Port 3389 = STLTH
Port 3689 = STLTH    Port 5000 = STLTH    Port 5100 = STLTH    Port 5357 = STLTH
Port 5900 = STLTH    Port 8080 = STLTH    Port 9090 = STLTH    Port 10243 = STLTH

That is just sad! Are there any routers out there with IPV6 SPI? Or do I just invest in a good firewall?

PacketTracer (Level 4 Member, 441 posts)
Re: IPv6 Firewall?
« Reply #11 on: April 29, 2012, 10:51:21 AM »

Hi Pat,

unfortunately I must confirm your results. I switched off my small IPv6 router that I use for my SixXS tunnel and that sits behind my DIR-825 (it runs OpenWRT, which has an SPI firewall based on ip6tables that protects me fine).

Then I turned on 6to4 on my DIR-825 and switched off my Windows firewall. After that I visited http://ipv6.chappell-family.com/ipv6tcptest/ to do a tcp port scan, that was aimed directly to the temporary 2002:... IPv6 address of my Windows PC (works with Win Vista x64).

And really unbelievable but true: Ports 21 (I'm operating a local FTP-Server for internal use only), 445 (may I invite you all out in the IPv6 wild to connect to my local shares? You're welcome), 2869 and 5357 were open.

So my statement, I posted earlier is true: DIR-825 doesn't have an IPv6-firewall at all and if you use it for IPv6 internet access of any kind (6to4, 6rd, static tunnel or native via PPPoE) you will be unprotected. So you must rely on the local firewalls at your end nodes, nice if those firewalls are not IPv6 capable as with Windows XP.

So D-LINK: Nice that you praise this box as carrying the "gold IPv6 ready logo", but as far as I can see from https://www.ipv6ready.org/db/index.php/public/logo/02-C-000332/ and http://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf, an SPI firewall, as recommended by RFC6092, is not part of that gold logo. Why don't you say that clearly in the data sheets of your products?

Will you fix this with later firmware versions?

Up to now I would recommend everyone, who is interested in using IPv6 with DIR-825, to use an OpenWRT firmware that is available for that box (http://wiki.openwrt.org/toh/d-link/dir-825).
« Last Edit: April 29, 2012, 02:59:48 PM by PacketTracer »

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #12 on: April 29, 2012, 11:30:08 AM »

I even tried using a 3rd-party program my IP recommends (F-Secure); they just outright turn IPV6 off. I opened a ticket with them.

Glad I met you, here I was thinking that I had SPI via hardware for IPV6.

AAAaaaarrggghhh! I feel sick. :'(

PacketTracer (Level 4 Member, 441 posts)
Re: IPv6 Firewall?
« Reply #13 on: April 29, 2012, 01:03:22 PM »

Yes, it's really annoying. But as long as my ISP (German Telekom) isn't offering native IPv6, IPv6 remains disabled in my DIR-825. And I hope that D-Link will come up with a firmware update not later than IPv6 launch day on 6 June 2012, when I believe my ISP will start providing native IPv6 too. Hope dies last.

And I really can't imagine that any CPE producer in the world who wants to sell his products can take the risk of selling them without an SPI firewall! Those products would be regarded as unsafe, and people wouldn't buy them.

Here are some interesting citations from RFC6092:

Chapter 1, page 3, last paragraph:

"The reader is cautioned always to remember that the typical
residential or small-office network administrator has no expertise
whatsoever in Internet engineering. Configuration interfaces for
router/gateway appliances marketed toward them should be easy to
understand and even easier to ignore. In particular, extra care
should be used in the design of baseline operating modes for
unconfigured devices, since most devices will never be changed from
their factory configurations."

Chapter 2, page 4, last paragraph:

"Prior to the widespread availability of IPv6 Internet service, homes
and small offices often used private IPv4 network address realms
[RFC1918] with Network Address Translation (NAT) functions deployed
to present all the hosts on the interior network as a single host to
the Internet service provider. The stateful packet filtering
behavior of NAT set user expectations that persist today with
residential IPv6 service. "Local Network Protection for IPv6"
[RFC4864] recommends applying stateful packet filtering at
residential IPv6 gateways that conforms to the user expectations
already in place."

So, D-Link: The typical SOHO user who uses your box for access to the IPv6 Internet is not able or willing to configure your box and he simply relies on the box and expects that it will protect him like with NAT for IPv4 in former days. So, please do your job!

In addition, in the current firmware I use for the DIR-825, I'm missing DS-Lite support. I guess many ISPs in the world will use this technique after switching over to IPv6 as the main protocol and providing access to the IPv4 Internet by tunneling IPv4 over IPv6 to a CGN/LSN they will operate within their provider networks. So please also implement DS-Lite support!
« Last Edit: April 29, 2012, 01:09:13 PM by PacketTracer »
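What the "recommended default behaviour" from RFC6092 that the thread keeps returning to (reply #6, the OpenWRT/ip6tables remark in reply #11, and the RFC citations above) looks like in practice, as an added example. This is not D-Link firmware and not the stock OpenWRT ruleset; it is a minimal ip6tables script for a Linux/OpenWRT router. The interface names eth0.2 (WAN) and br-lan (LAN) and the pinhole host 2001:db8:1::21 are assumptions. The policy: traffic from LAN to WAN is forwarded, return traffic of tracked connections is allowed back in, only the ICMPv6 the protocol needs is accepted, and every other unsolicited inbound connection from the WAN is dropped (or, if you prefer scanners to see "refused" rather than "stealth", rejected with an ICMPv6 administratively-prohibited message). A pinhole helper covers the "how do I open a port" question from the first post:

```shell
#!/bin/sh
# Minimal RFC 6092-style stateful IPv6 firewall using ip6tables.
# Added example for this thread, not D-Link's firmware nor OpenWRT's
# default ruleset.  Interface names and the pinhole host are assumptions
# (2001:db8::/32 is documentation address space).

# Run ip6tables, or only print the command when DRY_RUN is set.
ip6t() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ip6tables $*"
    else
        ip6tables "$@"
    fi
}

# Base ruleset.  $1 = WAN interface, $2 = LAN interface.
# Set REJECT_INBOUND=1 to answer unsolicited connections with an ICMPv6
# error (scanners show "refused") instead of silently dropping ("stealth").
ipv6_firewall() {
    wan=$1 lan=$2

    ip6t -F INPUT
    ip6t -F FORWARD
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT ACCEPT

    # Traffic addressed to the router itself.
    ip6t -A INPUT -i lo -j ACCEPT
    ip6t -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6t -A INPUT -m conntrack --ctstate INVALID -j DROP
    # ICMPv6 is not optional in IPv6: NDP, router advertisements and
    # path MTU discovery all depend on it.
    ip6t -A INPUT -p ipv6-icmp -j ACCEPT
    # DHCPv6 answers from the ISP (address and prefix delegation).
    ip6t -A INPUT -i "$wan" -p udp --sport 547 --dport 546 -j ACCEPT
    # Web management only from the LAN side.
    ip6t -A INPUT -i "$lan" -p tcp --dport 80 -j ACCEPT

    # Traffic forwarded through the router.
    ip6t -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6t -A FORWARD -m conntrack --ctstate INVALID -j DROP
    ip6t -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    # Inbound ICMPv6 that LAN hosts need (RFC 4890).  echo-request is
    # included deliberately; remove it if you want pings "stealthed" too.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        ip6t -A FORWARD -i "$wan" -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done
    # Everything else arriving from the WAN is an unsolicited inbound
    # connection attempt: the IPv6 equivalent of what IPv4 NAT blocked.
    if [ -n "${REJECT_INBOUND:-}" ]; then
        ip6t -A FORWARD -i "$wan" -j REJECT --reject-with icmp6-adm-prohibited
    else
        ip6t -A FORWARD -i "$wan" -j DROP
    fi
}

# Pinhole: allow new inbound connections from the WAN to one LAN host/port.
# Inserted at position 1 so it precedes the final DROP/REJECT.  Arguments:
# $1 = WAN interface, $2 = LAN interface, $3 = host, $4 = tcp|udp, $5 = port.
pinhole() {
    ip6t -I FORWARD 1 -i "$1" -o "$2" -d "$3" -p "$4" --dport "$5" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# Review the generated rules first; remove the DRY_RUN line to apply as root.
DRY_RUN=1
ipv6_firewall eth0.2 br-lan
pinhole eth0.2 br-lan 2001:db8:1::21 tcp 21   # the "open port 21" case
```

With this in place a scan from the outside against a LAN host's address shows every TCP port as stealthed (or refused, with REJECT_INBOUND set) regardless of the host's own firewall, which is exactly the difference the two scans in reply #10 exposed. The pinhole is the IPv6 replacement for an IPv4 port-forwarding entry: no address rewriting, just permission for new inbound state to one host and port.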

Patrick533 (Level 3 Member, 271 posts)
Re: IPv6 Firewall?
« Reply #14 on: April 29, 2012, 03:40:57 PM »

While researching this, I came across a news article from D-Link advertising the release of the DIR-825 Rev. C-1 on June 6th, 2012 for IPV6 day. I know warranties in Europe are completely different from the States, but in the States it usually means there will be no further firmware updates for the old hardware rev.; of course there are exceptions to every case, but I do believe the people in the States that have rev A-1 of the DIR-825 have no IPV6 support; it was not introduced until rev B-1. I think this is also true for the DIR-655; only the latest version has IPV6 support.

I think I will be writing a letter to the people handing out gold certifications for this equipment. I am an electrical design engineer, and based on the previous white papers you quoted, they are certifying incomplete/unfinished equipment. I will have to look up what they call "phase 2" certification. If we go by phases, then horses would be considered phase 1 for transportation, the auto phase 2 and the space shuttle phase 3?

I was able to find another manufacturer's router where SPI for IPV6 had a soft switch so you could turn it on and off, so others have implemented it. (Shaking head in disbelief)