Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[PacketTracer]

I have had my router a long time but just started using IPV6, it has been a great router for SOHO/CPE gear, I find it even surpasses some commercial gear in features.

Just to stay fair: As long as IPv6 is not yet available in native form by the majority of ISPs, I would accept a missing IPv6 firewall in a CPE implementation, but I expect that missing but important features are provided in time by later firmware updates. Being an early adopter it is okay if not everything is perfect from the beginning, but if things turn to standard operation the fun stops. And I don't want to hear from the manufacturer: Sorry, this feature will not be made available by a firmware update for your device, instead we recommend to buy our new brilliant device called DIR-XXX that has all that advanced features you want. This is a good method to make customers look for other vendors who make things better and are more trustworthy.

If you read http://www.dlink.com/ipv6, you'll find the following proud citation: "In the February 2011 Network World article "Most IPv6-certified home network gear is frightfully buggy," D-Link was cited as the only vendor shipping IPv6 consumer equipment that was ready for ISP field trials."

That's not true, even in February 2011. There is a german company, having a 3 letter acronym starting with "A", sitting in Berlin and producing widespread used CPE, that are even better concerning IPv6 capabilities:

• They support SixXS-Tunnels in heartbeat mode. DIR-825 doesn't, what a pity!
• If public IPv4 address at the WAN-Link changes (every 24 hours, normal at least for german internet access based on DSL), their CPE is able to form a new 6to4 prefix, advertising it in the LAN and advertising the old one with a valid lifetime of 0 and thus starting the clients to form a new IPv6 address. The DIR-825 is not able to do this. So 6to4 is useless for me (but it is useless anyway, see RFC6343)
• Of course they have a stateful IPv6 firewall in place allowing to open ports for incoming connections
• With their latest firmware update they support DS-Lite. This is as least as important as having an IPv6 firewall, if your ISP chooses to select this technique for access to the IPv4 internet after switchover to IPv6 as standard internet protocol (in a future not too far away).

If you ask me now: Why did you buy this D-Link device and not the other one: I'm living in the country, where the physical quality of my DSL line is that bad, that the other device didn't manage to synchronize (it has a built in modem not yielding an uplink port, so I couldn't use another DSL modem instead), so I had to look for another device and found that D-Link apparatus, being praised because of its promising IPv6 ready logo...

[Patrick533]

I just checked and the 655 Rev B, 615 Rev E, DIR 600 and 601 all have IPv6 enabled however no firewall for IPv6 like the new gen routers do. I'm just presuming that this was a feature set that was set up for some of these routers and at the time, IPv6 hadn't been fully implemented on an ISP to client level and was in very early stages and possibly DLink didn't include a firewall since it really wasn't needed at the time and people had not migrated to it.

I go agree, there probably should be some form of security in IPv6 layer and hope Dlink can offer up something too upgrade. These routers are still great routers and should continue be used well with out having to go by something new.

Which routers have SPI/firewall on the IPV6 layer with Gigabit ports? Tech support only mentioned 1, that one is hard to find. Not in the market for an upgrade at the moment, Mothers Day, Wifes birthday and a medium to large size SSD are in line near the top right now, plus the 12 year old laser printer that smoked last night! Just curious. Do the new revs of the Dir-655 and DIR-825(C-1) support SPI on the IPV6 layer?

Thx,

Pat

[FurryNutz]

So far All next gen Amplify routers have IPv6 Firewall options. I haven't found a current older generation router with any options, only IPv6 layer options.

[Patrick533]

So far All next gen Amplify routers have IPv6 Firewall options. I haven't found a current older generation router with any options, only IPv6 layer options.

Too bad, the reviews are still showing buggy firmware for those at independent reviewers, was hoping for legacy products. I did notice that the IPV6 features are not really being advertised, like IPV6 port forwarding and advanced routing, just that the Amplifi line has some IPV6 support.

Me thinks I will sit this one out until IPV6 is more prevalent unless there is a fix for the DIR-825.

The IPV6 society/consortium never got back with me regarding the lack of security for the DIR-825 and the other products it certifies, but it does carry the same IPV6 ready logo as the Amplfi series routers, which we know now does not mean a lot and seems to be nothing more then a sham to get people to part with their money based on a false sense of security(literally).

I guess it could be a couple of design cycles before we see IPV4 and IPV6 features identical in products.

Me thinks it is time for a 256Mb SSD

 

[FurryNutz]

I think it's a good idea to wait. IPv6 is still in it's infancy and still isn't supported on all ISPs let alone to the ISP clients. It's not a show stopper or reached a critical point where IPv6 and the features are really needed or being used. I presume at some point all Mfrs will be addressing IPv6 in the future. When will be up to them. We can only voice our concerns and give feed back. IMO, i don't see DLink doing anything with these older products and are probably more focused on the next gen products coming out and even then maybe they won't do anything with those by the time IPv6 gets out to more people and becomes the standard that everyone is waiting to use. Just seems that IPv6 and or ISPs are dragging there feet in getting it going. There is some support for it, it's not spotty right now. Dlink is on the game for IPv6, just don't know what will happen going forward. For security on IPv6, I would investigate using a 3rd party Firewall program that supports IPv6 in meantime if you really feel the need to.

Were still waiting on 4G or LTE were I live at. Still no idea when thats coming. 

[Patrick533]

Were still waiting on 4G or LTE were I live at. Still no idea when thats coming.

See where Australia just put the brakes on a couple of American cell companies from marketing 4G products that were only 3G? I guess in other countries false advertising is actually pursued by the government, what we call 4G here is not even close to meeting the standards of true 4G.

I guess in some countries the marketing actually has to live up to the claims a company makes, in other countries they just outright shut you down instead of making their population sue you for your false statements, then pay you off to keep your mouth shut. I like the truth policy much better. Either live up to your claims or go do business somewhere else, like the USA. So far I have been a technical witness for the prosecution in 3 suits against wireless telcos, all 3 were won and the government levied huge fines against the telcos, two of those suits barely even broke the news even though both companies were fined in the tens of millions of dollars. They just pass the cost on to us and consider it part of doing business. I was a customer of one of the companies, afterwords I called and complained about coverage, they asked me if I wanted out of the contract for no ETF, funny how that works!

That is my job here at work, to make sure we procure quality products that do what they say they can out of the box, this day and age too many companies fail under the type of scrutiny I provide.

Caveat emptor!

Burn me once, shame on you, Burn me twice, shame on me!
   

[FurryNutz]

 

[Patrick533]

I was out leaving some feedback on a vendors site regarding this router when I ran across this, I just about choked: 

IPV6 Ready: Get Ready for the Future

With the growing number of Internet-enabled applications requiring IP addresses, the supply of IP addresses under the current Internet Protocol version 4 (IPv4) system has already been exhausted. The IPv6 protocol solves this network addressing exhaustion by creating more IP addresses, but migration from IPv4 to IPv6 is not necessarily automatic. But, you don't need to worry about service interruption if you go with D-Link products that are IPv6 Certified. Your network will be automatically IPv4 and IPv6 ready when you use an IPv6-certified D-Link product like his one. With D-Link products, you can rest assured that you'll be covered for the current and the new standards without any hassle to you.

[FurryNutz]

You can't choke too much Patrick, it is IPv6 supporting. 
Just how much is left up to debate.

[PacketTracer]

Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...

I got the following feedback today:

2012-05-01 20:06:00                                        100 Unassigned/New
2012-05-04 15:53:00 10000678 Berlin, Stockholm, Rome, Bern
2012-05-07 09:45:00 10000580 Berlin, Stockholm, Rome, Bern 100 Unassigned/New   105 Escalated
2012-05-07 09:46:00 10000580 Berlin, Stockholm, Rome, Bern 105 Escalated        110 Open/Active
2012-05-07 11:42:00 10000569 Berlin, Stockholm, Rome, Bern 105 Unassigned/New   999 Complete

Sehr geehrter Herr XXXX,

vielen Dank für die ausführliche Beschreibung der Sachlage.
Wir haben Ihre Anfrage an das Produktmanagemant weitergeleitet. Die Kollegen werden sich zeitnah um Ihren Fall kümmern.

Mit freundlichen Grüßen,
Ihr D-Link Support Team

---->
Dear Mr. XXX,

thank you for your detailed description of the circumstances.
We forwarded your request to the product management team. The colleagues will take care of your case as soon as possible.

Kind Regards,
Your D-Link Support Team

[PacketTracer]

Today I also got an answer from a German D-Link product manager. In short, he stated that present routers (e.g. DIR-857) have new chip sets that include an IPv6 firewall.

He also said, when DIR-825 Rev B was developed, RFC6092 didn't exist, and that IPv6 was only implemented afterwords as a best effort to allow customers access via IPv6.

Then he argued, that in former days when Windows XP was current and PCs used to connect to the Internet via modems, they also had to be protected by software.

He also said that operating systems like Windows 2000 and Windows XP, which Microsoft doesn't support any more for years(*) regrettably can't keep up with IPv6, that changes one fundament of the Internet.

------------------------ end of summary -------------------------

He didn't say anything about future firmware updates for DIR-825 Rev B, that might include an IPv6 firewall. (*) By the way, Windows XP SP3 is still supported by Microsoft up to 2014.

If you visit the german D-Link website to see the current products (http://dlink.de/cs/Satellite?c=Product_P&childpagename=DLinkEurope-DE%2FDLProductFamily&cid=1197318677527&p=1197318958248&packedargs=locale%3D1195806663795&pagename=DLinkEurope-DE%2FDLWrapper) you'll find both DIR-825 and DIR-857, and the data sheets of both products state the same IPv6 capabilties:

"IPv6 ready
This router is ready for the future of the Internet with support for the upcoming
move from IPv4 to IPv6. It carries the IPv6 Ready Gold Logo, meaning that
it not only supports the IPv6 protocol, but is also compatible with IPv6
equipment from other manufacturers. Using a dual-stack architecture, this
router can handle routing for both IPv4 and IPv6 networks at the same time,
so you can be assured that your router is forward and backward compatible."

They do not say, that DIR-857 has an IPv6 firewall and DIR-825 has not.

[PacketTracer]

Ups, I didn't read the IPv6 capabilities in the data sheets carefully enough. There is as difference: In the DIR-825 datasheet you find the following additional clause:

"This transition allows users to change to a 128-bit addressing system and directly connect to anybody in the world using a unique IP address."

This sentence is missing in the data sheet for DIR-857. Now it is clear: Yes, everybody in the IPv6 Internet can connect to my LAN-PC because of its global IPv6 address, because DIR-825 doesn't protect me by a firewall! It is a feature!

[FurryNutz]

That makes sense, If the RFC didn't exist back then, then there wasn't a requirement to implement it I presume.    Going forward and after RFC was supported then it was probably some form of decision to implement it on the next gen routers instead of trying to implement it on current gen routers. Not sure what's all involved in doing that, however I presume if the RFC calls for additional development and chip sets, I might think that implementing RFC on current routers may not be feasible or from a marketing stand point, there looking at the new gen routers for the support and it makes me think that we wont see any IPv6 firewalls on older gen routers.   Kind of a shame though. There are really good routers and do work well for what they are. And we have to keep in mind what the routers are too, HOME users routers. Ya, need to provide a level of protection for home users. I guess we'll have to use them until IPv6 becomes main stream and users will need the RFC protections that the new gen routers have. Would be interesting to see if they would add the RFC to these routers, however, it's their code so, we must choose to either follow or find other solutions.

I presume that there are some SW firwall solutions that support IPv6?

Thanks for the information PT.

[PacketTracer]

As I mentioned in my reply to the product manager, the security demands were already published in 2007 within RFC4864 (Local Network Protection for IPv6), and RFC6092 only makes security things more precise for so called CPE (customer premise equipement), better known as home routers. The demand for a firewall with stateful inspection within the border router of a network (even more in home networks) should be well known since 2007, especially by the developers of such CPE devices.

And it is not okay, that even now D-Link sells CPE like DIR-825 without saying clearly, that these boxes don't have an IPv6 firewall. These devices are not safe for use in a near future, when ISPs start offering IPv6 to customers (I guess this will happen this year).

What would you think about a car seller who sells you a new car without saying that it doesn't have airbags?

Concerning me, if my provider comes up with IPv6 in June this year (I hope), I can throw away my DIR-825 after having used it for 14 month only and have to buy a new one, that has an IPv6 firewall. And a customer who buys this product now will have even less fun with it. I guess he will be D-Link's best friend after he finds out this missing basic feature of his device.

Relying only on IPv6 firewalls in the end nodes of the LAN is no solution, even more for home uses who in most cases don't know or care about these things and expect with IPv6 to be protected by their router as was taken for granted for IPv4 before. And they are right! And any CPE producer who doesn't meet this expectation is wrong.

[Patrick533]

As I mentioned in my reply to the product manager, the security demands were already published in 2007 within RFC4864 (Local Network Protection for IPv6), and RFC6092 only makes security things more precise for so called CPE (customer premise equipement), better known as home routers. The demand for a firewall with stateful inspection within the border router of a network (even more in home networks) should be well known since 2007, especially by the developers of such CPE devices.

And it is not okay, that even now D-Link sells CPE like DIR-825 without saying clearly, that these boxes don't have an IPv6 firewall. These devices are not safe for use in a near future, when ISPs start offering IPv6 to customers (I guess this will happen this year).

What would you think about a car seller who sells you a new car without saying that it doesn't have airbags?

Concerning me, if my provider comes up with IPv6 in June this year (I hope), I can throw away my DIR-825 after having used it for 14 month only and have to buy a new one, that has an IPv6 firewall. And a customer who buys this product now will have even less fun with it. I guess he will be D-Link's best friend after he finds out this missing basic feature of his device.

Relying only on IPv6 firewalls in the end nodes of the LAN is no solution, even more for home uses who in most cases don't know or care about these things and expect with IPv6 to be protected by their router as was taken for granted for IPv4 before. And they are right! And any CPE producer who doesn't meet this expectation is wrong.

Packet Tracer,

Check your private mail, I have been busy on this behind the scenes, I have an update for you. You are making some very good points that have helped me immensely.

For everyone else, it could be a week to 45 days before I can post anything, or I could get slapped with a gag order and not be able to say anything public. Time will tell.

Later,

Pat