
Author Topic: IPv6 Firewall?  (Read 80353 times)

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #15 on: April 29, 2012, 03:51:38 PM »

Here is the test standard. Kind of a joke actually.

http://www.ipv6ready.org/docs/Phase2_DHCPv6_Conformance_Latest.pdf

Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #16 on: April 30, 2012, 01:18:27 AM »

Quote
Another slight problem I have run into, I use a DNS filter (Opendns) to keep the kiddies out of trouble, it seems that if a 6 and 4 stack exist in the Windows OS, it will pull from the 6 DNS first, even if you are resolving a 4 address, completely bypassing my DNS filter. I seem to remember having read Windows will go to IPV6 first if the stack is installed, but I did not think it would resolve IPV4 addresses this early on. This has led to me removing the 6 stack from all of the computers the kids use.

Hi,

In general the type of DNS query (A for IPv4 or AAAA for IPv6) is independent of the protocol you use to transport DNS queries and responses. There is no correlation, so you can use either UDP/IPv4 or UDP/IPv6 to ask for both A and AAAA resource records. With Windows 7/Vista (and I checked that by doing a packet trace), if it operates dual stacked and if you configured both an IPv6 and an IPv4 DNS resolver address, UDP/IPv6 is the preferred transport for DNS queries (only a special case of the general preference for using IPv6 if possible), even if you only want to resolve IPv4 addresses.

I don't know how your Opendns DNS filter works, but I guess it operates as a local DNS forwarder just listening on 127.0.0.1:53/udp to catch and filter any DNS requests that use UDP/IPv4 transport only. For UDP/IPv6 transport this tool should also listen on [::1]:53/udp and then forward allowed DNS queries to the IPv6 DNS resolver; obviously it doesn't.
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #17 on: April 30, 2012, 06:41:06 AM »

Hello,

Thank you for the update, that is what I figured, thank you for verifying it.

OpenDNS is a worldwide company, they are an alternate free resolver/DNS server to my provider, the two resolver server addresses they operate for IPV4 are: 208.67.222.222, 208.67.220.220.

Once you sign up for service, you install a piece of software that tells OpenDNS your external IPV4 address every hour. Then I load those 2 DNS/resolver server addresses into the DIR-825 as the default DNS server address, it of course then forwards the DNS server address to the client computer when they turn it on, every time a kid tries to go somewhere, it checks the address against the profile I have setup with the OpenDNS server, if they are trying to go somewhere I don't want them to, OpenDNS returns a page informing them they can't go there and it also logs the attempt and informs me, if it is not in the profile it assumes it is safe and returns the resolved address so the browser can proceed to the site they want to go to. OpenDNS also keeps a complete log of where they have gone overall (in the paid service).

They are in Frankfurt I see on their map. It is a very fast resolver/DNS service that I use instead of Charter Cable's DNS servers, even before I needed DNS/resolver filtering. The reason I used them before I needed filtering is because they are much faster than most ISP DNS/resolver servers. They also offer free IPV6 resolver/DNS servers, but there is no way of filtering IPV6 from them yet. Their services are free unless you want filtering and logs, which costs 10 USD per year.

The kid can change the DNS/resolver server address in the computer, so the computer must have the IP controls locked. It also seems to be safe from proxies and direct address entries too.

I ran logs of my older son trying to defeat the filtering (he is 21), he could not get around it until I installed IPV6 and it started resolving IPV4 addresses, once I removed the IPV6 stack, he has done.

It is worth every dollar in my opinion. One must also restrict MAC addresses on the network so they just can't plug in a device that they can enter their own DNS/resolver server address in, that has been tried by my oldest also.

This is where the DIR-825 has been so user friendly to me, it is very configurable as some routers are not. The only reason my older kids are still here is to go to college and they don't need to be teaching the younger ones bad habits.   

The argument is if you raise your kids properly, then you would not need OpenDNS, that is what I thought until I read the logs of where they were going before I installed the filters.

I tried an alternate firewall last night, it is sold in the States by F-Secure, it is quite weak on IPV6, it showed all the ports blocked as opposed to stealth by the Microsoft firewall. It even left some open, so I uninstalled it.

It is a good thing my kids will be on their own soon, once IPV6 becomes mainstream, filtering will be a nightmare. Thank you for the education.

I really hope D-Link comes up with a better SPI solution for IPV6, but I am not very confident they will fix this version(B-1).


Logged
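Added example (not code from either poster): a Python sketch of the bypass discussed in Replies #16 and #17. It shows that an A query is the same DNS message whichever IP version carries it, and audits a host's resolver list against the two filtering OpenDNS addresses given above. The IPv6 resolver `2001:db8::53` is a constructed placeholder, all function names are hypothetical, and the IPv6-first ordering is an assumption modelling the Windows 7/Vista preference described in Reply #16.

```python
import ipaddress
import struct

# The two filtering OpenDNS IPv4 resolvers named in the thread.
FILTERED = {ipaddress.ip_address("208.67.222.222"),
            ipaddress.ip_address("208.67.220.220")}


def build_query(name, qtype, txid=0x1234):
    """Build a DNS query in RFC 1035 wire format (qtype 1 = A, 28 = AAAA)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # class IN


def question_type(msg):
    """Read the record type back out of a query; nothing in it names a transport."""
    off = 12
    while msg[off]:                  # walk the length-prefixed labels
        off += 1 + msg[off]
    (qtype,) = struct.unpack_from("!H", msg, off + 1)
    return {1: "A", 28: "AAAA"}.get(qtype, str(qtype))


def resolver_order(resolvers):
    """Assumed try-order on a dual-stacked host: IPv6 resolvers before IPv4."""
    addrs = [ipaddress.ip_address(r) for r in resolvers]
    return sorted(addrs, key=lambda a: a.version != 6)   # stable sort


def audit(resolvers, filtered=FILTERED):
    """Report which configured resolvers answer without going through the filter."""
    order = resolver_order(resolvers)
    unfiltered = [str(a) for a in order if a not in filtered]
    return {
        "first_tried": str(order[0]),
        "unfiltered": unfiltered,
        "filter_effective": not unfiltered,
    }


if __name__ == "__main__":
    q = build_query("example.com", 1)
    print(question_type(q), len(q), "bytes, identical over UDP/IPv4 or UDP/IPv6")
    # Constructed host configuration: filtered IPv4 resolvers plus one IPv6 resolver.
    print(audit(["208.67.222.222", "208.67.220.220", "2001:db8::53"]))
    # Same host after the IPv6 resolver is removed.
    print(audit(["208.67.222.222", "208.67.220.220"]))
```
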

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #18 on: April 30, 2012, 06:43:24 AM »

Here you can find tons of documents dealing with the IPv6 Ready Logo Program: http://www.ipv6ready.org/docs/. Especially this document gives an overview: http://www.ipv6ready.org/docs/IPv6_Ready_Logo_White_Paper_Final.pdf

The latest conformance-document in the mentioned folder is dated 23-Sep-2011: http://www.ipv6ready.org/docs/CE_Router_Conformance_Latest.pdf.

Here RFC6204 (Basic Requirements for IPv6 Customer Edge Routers) is mentioned, but RFC6092 (Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service) seems to be unknown. Even the term "firewall" seems to be a foreign word in all those documents, at least I didn't find it. "Phase 3" just deals with IPsec.

And finally you can study the history in the release notes of my current firmware:

DIR-825EUB1 Firmware Release Note  
Firmware: v2.05EU Build: 09beta07
Hardware: B1
Date: 06, Jan, 2012)

...
Firmware Version: ver2.05EUb07
Firmware Date: 17, Dec, 2010
...
Problems Resolved & Enhancements:
...
3. Support IPv6 Spec v1.14R phase 2 (without IPv6 firewall)
...
Firmware Version: ver2.05EUb06
Firmware Date: 13, Dec, 2010
...
Problems Resolved & Enhancements:
...
2. Support IPv6 Spec v1.14R phase 1. (Do not support IPv6 firewall).


and so on down to:


Firmware Version: ver2.02EUb06
Firmware Date: Fri, 26, Mar, 2010
...
Problems Resolved & Enhancements:
...
2. Support Ipv6 spec v1.08.(Doesn't support IPV6 Firewall)

The listed Ipv6 specs might use version numbers with only internal meaning to D-Link,  I didn't find any information about them.


Strange! Do they really want to produce CPE without IPv6 SPI-firewalls? And praise them to be compliant with some strange logo program whose designers have forgotten to specify firewall requirements for?
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #19 on: April 30, 2012, 09:41:29 AM »

I read some of the documents last night regarding what testing the DIR-825 had to pass to get the gold logo. As you said, no security, none, zip. If you are reading this you should either have a GREAT firewall or DO NOT enable IPV6 on the DIR-825 Rev. B-1.

The documents I read spoke mainly of routing and handshaking. I think that I read about 100 pages regarding how the IPV6 router should route, and testing methods to verify this, nothing else.

I know some people in the states have native IPV6 already, so unless they have gone through and tested their equipment for security, they are wide open to the world (most people that use CPE in the States can't even set up security for WiFi properly), it should at least come with a warning that this device does not secure your computer from anything on IPV6. The bloody (DIR-825) thing is bullet proof on IPV4.

I need to check my work schedule and then find out more about the gold certification board. If they will accept a formal personal query, I will draft a concern letter to the board regarding its certification of hardware that has no security protocols enabled for IPV6, based on our findings and see if I get a reply. Being IPV6 day is just around the corner it would be perfect timing. The chance of any of the major router manufacturers replying is nonexistent (They will reply to the company I work for, I just have to wait for someone to request some equipment and then write a minimum specification for IPV6 security, I am sure that will ruffle some feathers when no one can win a contract based on technical shortcomings, but it would not be the first time I have fought that battle).

When a problem exists they just blame it on your hardware here in the states. I had one customer support rep tell me I needed to format my hard drive to get full speed on my internet connection, pulled my hard drive put another in and did a fresh install of Windows, called them back and said that did not fix it, now what? They finally found the problem on their end.

I just allowed some D-Link equipment here at work to be specced for a large project I was working, based on our findings I have the duty to reject requests for hardware that does not meet security protocols already in place by the company I work for, being we are supposed to be moving towards IPV6 readiness, I would say the equipment fails, security is our number one priority at work. We do sometimes use CPE stuff for small work groups, satellite offices.

I will query some of my IT people too and see if they know anything, that could be why I have not seen much movement here at work regarding IPV6, current security implementations are lacking. Just about the time we bring a web site up, they take it back down, but I have never asked why. Maybe I now know.

If I can get a letter together, I will send it to you private.

Cheers!

Pat

 
« Last Edit: May 18, 2012, 08:58:13 AM by Patrick533 »
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #20 on: April 30, 2012, 03:48:00 PM »

PacketTracer,

Sent you a copy of the letter I sent to the people with the Gold certificates.

Also I called D-Link USA, it turns out they are only 30 minutes from me via freeway, if I had your freeway it would only be 15 minutes. The DIR-825 does not have SPI for IPV6, only IPV4 (per US tech support). There was a little language barrier but he understood what I was talking about. I asked if this was a feature they planned on adding to the DIR-825 (SPI) and he said he did NOT think so.

He recommended I purchase a DIR-857. I asked if there were any other routers with SPI for IPV6 that D-Link made, he said it was the DIR-857. I looked it up, can't even purchase one state-side yet, it has not been released. It shows up as a pre-order for 179USD.

I can't find any hardware specs(chipsets) and do not like the fact it has no external antennas. If I am going to pay that much again just 4 years later, I think I may wait and go full blown Dual WAN, SOHO Cisco with no WiFi, not fond of Cisco but not fond of this either!

I used to work for an "AG" company here in the states, I know you have minimum support times for firmware and warranties. Any hopes of getting a EU update? What language is your firmware in? I have not spoken your language in close to 40 years, if it was not in English I would have a hard time.

Too bad, I really liked D-Link's firmware. :( :( :(
 
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #21 on: April 30, 2012, 06:18:18 PM »

Ahhh! I got rid of the Echo through windows firewall without having to turn security up so high I was losing functionality. That will work for now! ;D

Scan beginning at: Tue May 1 02:13:59 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO NO REPLY

Individual TCP port scan results:
Port 7 = STLTH    Port 21 = STLTH    Port 22 = STLTH    Port 23 = STLTH
Port 25 = STLTH    Port 37 = STLTH    Port 53 = STLTH    Port 79 = STLTH
Port 80 = STLTH    Port 88 = STLTH    Port 110 = STLTH    Port 111 = STLTH
Port 113 = STLTH    Port 119 = STLTH    Port 123 = STLTH    Port 135 = STLTH
Port 137 = STLTH    Port 138 = STLTH    Port 139 = STLTH    Port 143 = STLTH
Port 311 = STLTH    Port 389 = STLTH    Port 427 = STLTH    Port 443 = STLTH
Port 445 = STLTH    Port 514 = STLTH    Port 543 = STLTH    Port 544 = STLTH
Port 548 = STLTH    Port 631 = STLTH    Port 749 = STLTH    Port 873 = STLTH
Port 993 = STLTH    Port 1025 = STLTH    Port 1026 = STLTH    Port 1029 = STLTH
Port 1030 = STLTH    Port 1080 = STLTH    Port 1720 = STLTH    Port 1812 = STLTH
Port 2869 = STLTH    Port 3128 = STLTH    Port 3306 = STLTH    Port 3389 = STLTH
Port 3689 = STLTH    Port 5000 = STLTH    Port 5100 = STLTH    Port 5357 = STLTH
Port 5900 = STLTH    Port 8080 = STLTH    Port 9090 = STLTH    Port 10243 = STLTH

Scan is :    COMPLETE.
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #22 on: May 01, 2012, 06:34:44 AM »

Hallo Patrick,

Quote
Sent you a copy of the letter I sent to the people with the Gold certificates.
Thank you very much! Let's hope it will have some impact on them.

Quote
I used to work for an "AG" company here in the states, I know you have minimum support times for firmware and warranties. Any hopes of getting a EU update? What language is your firmware in? I have not spoken your language in close to 40 years, if it was not in English I would have a hard time.
Sorry I really don't know the special warranty conditions for this D-Link product, valid here in Germany. I guess they are 1 year standard, but in general it will be difficult to get your money back if you come up with a problem later than half a year after date of purchase (in my case: 04.04.2011, I bought it online from Amazon and paid 92,91 EUR for it).  And I don't know if warranty conditions include any claims for firmware updates within some period of time.

I only know that not any firmware update out in the world fits my European DIR-825 edition, so I must be careful which one to use. I usually download them via FTP from here: ftp://ftp.dlink.de/dir/dir-825/driver_software, but up to now only 2 newer versions have been offered there (2.04EUb02 date 2010/08/26 and the present one 2.05EUb09beta07 date 2012/01/06). They are both multilingual, so you can switch the language of the web surface of the DIR box to English if you want.

Don't know if D-Link will offer other firmware updates in the future here in EU for that model. And if so, what's their value, if they don't include an SPI firewall? And from what you reported so far, there is not much hope that it will come.

So I feel like a fool who bought a car without airbags. You better leave it in the garage...
« Last Edit: May 01, 2012, 06:47:39 AM by PacketTracer »
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #23 on: May 01, 2012, 08:53:37 AM »

Any issues, details, tests details and steps you guys have done including your concerns, Please post them here and I'll forward this on to my contact at DLink. I can't promise anything. I hope some resolution will come of it. Thank you.

Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #24 on: May 01, 2012, 08:54:51 AM »

PacketTracer,

I am going to start a thread on this over on the US support side and see if we can generate any feedback.

Pat
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #25 on: May 01, 2012, 08:56:58 AM »

Keep it here Patrick...all information is here so lets just keep this thread going for now.
Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #26 on: May 01, 2012, 10:59:29 AM »

After several days of testing on the DIR-825 Rev. B-1, it appears that it does NOT have a Firewall or SPI of any sort to protect the user from malicious intent on the IPV6 layer, though the sales information clearly states that SPI is provided to the USER of the DIR-825. The current sales brochure still advertises Stateful Packet Inspection PERIOD, not just SPI for IPV4. This is leaving thousands of people completely unprotected from intrusive raids once their ISP implements the IPV6 layer on their network. These people are under the impression that they are protected. Being the majority of internet users are not much more than "appliance users" this could go on for years, causing countless people to have their personal information stolen and causing millions of dollars worth of damage in identity theft.

Test configuration: Win 7 X64 SP1, DIR-825 Rev. B-1 w/firmware 2.07 4/04/2012, Motorola SB6120 DOCSIS 3.0 cable modem using Charter 100 x 5 plan and Charter 6RD servers terminated at the DIR-825 using OpenDNS DNS servers. Port scanner used: ipv6.chappell-family.com/ipv6tcptest/

Results: When the Windows firewall is turned OFF and a port scan is run, the scanner shows open service ports on the DIR-825 IPV6 route. This was both observed on the 2.05EU firmware and the 2.07NA firmware installed on a DIR-825 REV. B-1.

The DIR-825 purports to be "IPV6 Ready Gold certified", but how could something as basic as Stateful Packet Inspection be left out with this readiness certification? One would assume that a piece of hardware that is purported to be IPV6 ready would at least have BASIC protection from the outside world that is afforded to IPV4. Being the nature of the IPV6 layer and NOT having any NAT, IPV6 on a DIR-825 is wide open to anyone with an IPV6 connection, so in essence your computer is wide open to the internet IPV6 community for the taking. The problem gets worse when you consider older operating systems prior to Windows 7 that do NOT have any form of IPV6 firewall built in.


WINDOWS firewall OFF:

Scan beginning at: Sun Apr 29 17:20:44 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO REPLY

Individual TCP port scan results:
Port 7 = RFSD    Port 21 = RFSD    Port 22 = RFSD    Port 23 = RFSD
Port 25 = RFSD    Port 37 = RFSD    Port 53 = RFSD    Port 79 = RFSD
Port 80 = RFSD    Port 88 = RFSD    Port 110 = RFSD    Port 111 = RFSD
Port 113 = RFSD    Port 119 = RFSD    Port 123 = RFSD    Port 135 = OPEN
Port 137 = RFSD    Port 138 = RFSD    Port 139 = RFSD    Port 143 = RFSD
Port 311 = RFSD    Port 389 = RFSD    Port 427 = RFSD    Port 443 = RFSD
Port 445 = OPEN    Port 514 = RFSD    Port 543 = RFSD    Port 544 = RFSD
Port 548 = RFSD    Port 631 = RFSD    Port 749 = RFSD    Port 873 = RFSD
Port 993 = RFSD    Port 1025 = RFSD    Port 1026 = RFSD    Port 1029 = RFSD
Port 1030 = RFSD    Port 1080 = RFSD    Port 1720 = RFSD    Port 1812 = RFSD
Port 2869 = OPEN    Port 3128 = RFSD    Port 3306 = RFSD    Port 3389 = RFSD
Port 3689 = RFSD    Port 5000 = RFSD    Port 5100 = RFSD    Port 5357 = OPEN
Port 5900 = RFSD    Port 8080 = RFSD    Port 9090 = RFSD    Port 10243 = OPEN

WINDOWS firewall ON:


Scan beginning at: Sun Apr 29 17:22:32 2012 , expected to take up to 11 seconds ...
ICMPv6 ECHO REQUEST returned :    ECHO REPLY

Individual TCP port scan results:
Port 7 = STLTH    Port 21 = STLTH    Port 22 = STLTH    Port 23 = STLTH
Port 25 = STLTH    Port 37 = STLTH    Port 53 = STLTH    Port 79 = STLTH
Port 80 = STLTH    Port 88 = STLTH    Port 110 = STLTH    Port 111 = STLTH
Port 113 = STLTH    Port 119 = STLTH    Port 123 = STLTH    Port 135 = STLTH
Port 137 = STLTH    Port 138 = STLTH    Port 139 = STLTH    Port 143 = STLTH
Port 311 = STLTH    Port 389 = STLTH    Port 427 = STLTH    Port 443 = STLTH
Port 445 = STLTH    Port 514 = STLTH    Port 543 = STLTH    Port 544 = STLTH
Port 548 = STLTH    Port 631 = STLTH    Port 749 = STLTH    Port 873 = STLTH
Port 993 = STLTH    Port 1025 = STLTH    Port 1026 = STLTH    Port 1029 = STLTH
Port 1030 = STLTH    Port 1080 = STLTH    Port 1720 = STLTH    Port 1812 = STLTH
Port 2869 = STLTH    Port 3128 = STLTH    Port 3306 = STLTH    Port 3389 = STLTH
Port 3689 = STLTH    Port 5000 = STLTH    Port 5100 = STLTH    Port 5357 = STLTH
Port 5900 = STLTH    Port 8080 = STLTH    Port 9090 = STLTH    Port 10243 = STLTH

If anyone who has an OS prior to WIN7 is able to run an IPV6 port scan using a DIR-825, I would be very interested in the port scan information. Please be sure to omit your IPV6 address for security reasons. I will further my testing using an OLDER OS next weekend, if possible.

Upon calling D-Link's Fountain Valley office and querying about firewall support on the DIR-825's IPV6 layer, I was told by tech support it has no form of firewall or filtering for IPV6 and if I wanted these "ADVANCED" features I should upgrade to a DIR-857. They are still selling these routers as of this post knowing that their customers are wide open to invasion by anyone with an IPV6 connection! They are selling them as "GOLD CERTIFIED IPV6 READY". Testing shows they are indeed ready, the router works great, as long as you need NO security on IPV6. As a colleague stated, this is like getting in a wreck with a new car that said it had air bags, only to find out after an accident it really did not, after flying through the windshield.

IF YOU DO NOT HAVE A GREAT FIREWALL, I WOULD URGE YOU TO DISABLE IPV6 ON THIS PRODUCT, FOR YOUR OWN SAFETY!
Logged
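Added example (not code from the poster or the scanner's author): a Python parser for the scan output format shown in Reply #26 that compares the firewall-OFF and firewall-ON runs. The sample rows are excerpts of the posted results; reading RFSD as "refused" and STLTH as "no response" is an assumption, and the function names are hypothetical.

```python
import re

# Excerpt of the firewall-OFF scan posted above (the rows holding the OPEN ports).
SCAN_FW_OFF = """\
ICMPv6 ECHO REQUEST returned :    ECHO REPLY
Port 113 = RFSD    Port 119 = RFSD    Port 123 = RFSD    Port 135 = OPEN
Port 445 = OPEN    Port 514 = RFSD    Port 543 = RFSD    Port 544 = RFSD
Port 2869 = OPEN    Port 3128 = RFSD    Port 3306 = RFSD    Port 3389 = RFSD
Port 3689 = RFSD    Port 5000 = RFSD    Port 5100 = RFSD    Port 5357 = OPEN
Port 5900 = RFSD    Port 8080 = RFSD    Port 9090 = RFSD    Port 10243 = OPEN
"""
# The firewall-ON scan posted above: same rows, every port STLTH, echo still answered.
SCAN_FW_ON = re.sub(r"RFSD|OPEN", "STLTH", SCAN_FW_OFF)

PORT_RE = re.compile(r"Port\s+(\d+)\s*=\s*(OPEN|RFSD|STLTH)")
ECHO_RE = re.compile(r"ICMPv6 ECHO REQUEST returned\s*:\s*(ECHO (?:NO )?REPLY)")


def parse_scan(text):
    """Turn one scan report into {'echo_reply': bool, 'ports': {port: state}}."""
    ports = {int(p): state for p, state in PORT_RE.findall(text)}
    if not ports:
        raise ValueError("no 'Port N = STATE' results found")
    echo = ECHO_RE.search(text)
    return {"echo_reply": bool(echo) and echo.group(1) == "ECHO REPLY",
            "ports": ports}


def assess(fw_off_text, fw_on_text):
    """Compare two scans of one host taken with its own firewall off and on."""
    off, on = parse_scan(fw_off_text), parse_scan(fw_on_text)
    # A result that flips when only the HOST firewall is toggled was produced by
    # the host, so the probe must have crossed the router unfiltered.
    changed = sorted(p for p, s in off["ports"].items()
                     if on["ports"].get(p) not in (None, s))
    return {
        "open_without_host_firewall":
            sorted(p for p, s in off["ports"].items() if s == "OPEN"),
        "decided_by_host_firewall": changed,
        "router_passes_unsolicited_tcp": bool(changed),
        "router_passes_icmpv6_echo": off["echo_reply"] or on["echo_reply"],
    }


if __name__ == "__main__":
    for key, value in assess(SCAN_FW_OFF, SCAN_FW_ON).items():
        print(f"{key}: {value}")
```
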

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: IPv6 Firewall?
« Reply #27 on: May 01, 2012, 11:10:44 AM »

Hi Patrick

Quote
I am going to start a thread on this over on the US support side and see if we can generate any feedback.

Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...

Logged

Patrick533

  • Level 3 Member
  • ***
  • Posts: 271
Re: IPv6 Firewall?
« Reply #28 on: May 01, 2012, 12:12:36 PM »

Quote
Hi Patrick

Did the same on the German support side (D-Link Case Number 697023), quoting and linking the threads here in this forum. I'll report the feedback when available...

Good job! If it was not for you I would have never done any further testing than the port scans I had done 8 months ago when I went live with 6RD. I have had my router a long time but just started using IPV6, it has been a great router for SOHO/CPE gear, I find it even surpasses some commercial gear in features. So far I have gotten a much better response than I did with Linksys EVER.

Once again thanks for the motivation and education, I had become a lazy appliance user. I am hoping this was just a simple oversight due to the number of products they offer.
Logged

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: IPv6 Firewall?
« Reply #29 on: May 01, 2012, 01:24:19 PM »

I just checked and the 655 Rev B, 615 Rev E, DIR 600 and 601 all have IPv6 enabled however no firewall for IPv6 like the new gen routers do. I'm just presuming that this was a feature set that was set up for some of these routers and at the time, IPv6 hadn't been fully implemented on an ISP to client level and was in very early stages and possibly DLink didn't include a firewall since it really wasn't needed at the time and people had not migrated to it.

I do agree, there probably should be some form of security in IPv6 layer and hope Dlink can offer up something to upgrade. These routers are still great routers and should continue to be used well without having to go buy something new.
Logged