D-Link Forums
The Graveyard - Products No Longer Supported => Routers / COVR => DIR-855L => Topic started by: id2 on March 06, 2016, 11:54:14 AM
-
I have recently discovered that this DIR-family of routers is completely accessible via the IPv6 from the WAN. If the device received an IPv6 from internet provider, then the routers authentication screen is presented, even though it is explicitly configured not to have remote administration under Admin section. In summary the remote administration appears to only secure the IPv4, not the IPv6 side of the router.
the IPv6 page presents the typical admin login page and clearly show the device name hardware version and software version. if users did not change the default admin password the router is completely exposed to the WAN :o
if secured, when looking through the logs, owners can see failed login attempts from IPv6 side, they will appear as such.
Httpd: remote 3881 login password fail ...
Question:
is there a way to secure remote administration over IPv6 on the DIR-855L and others DIR-* ?
is there a plan to fix this ?
is there a plan to provide IPv6 firewall information, currently the firewall section for the DIR-family routers is blank.
-
Link>Welcome! (http://forums.dlink.com/index.php?topic=48135.0)
- What Hardware version is your router? Look at sticker under the router case.
- Link>What Firmware (http://forums.dlink.com/index.php?topic=47512.0) version is currently loaded? Found on the routers web page under status.
- What region are you located?
Most DIR series routers have IPv6 support. Some older ones don't.
Can you post a picture of what your seeing?
What browser are you using?
-
Hardware Version: A1
Firmware Version: 1.02
Region: USA
-
Let us know what browser your using and post a capture of what your seeing.
-
i used all three different browsers, and results are the same and would be the same for anyone else.
the problem is, the WAN side IPv6 of the Dlink DIR-* wireless router(s), is (are) accessible from the WAN or Internet, because the "ADMINISTRATOR SETTINGS" and default IPv6 FIREWALL do not seems to apply to the IPv6.
as for the screenshot, it would/does look identical to the 192.168.0.1, for your/owner respective router, for the exception, that the address is the IPv6 address given by the internet provider. * it is not the link local address with the prefix fe80::/64
I am not talking about connecting to the router via the IPv6 link-local address.
one way to test your own router, is to log in, and see the "WAN IPv6 Address:", then from internet device (not you LAN) connect to the IPv6 of the address given/assigned to your IPv6 WAN side.
to use type in http://[youripv6goeshere] or https://[youripv6goeshere]
* note please omit the /128 or/64 from the end of the WAN IPv6 Address of your wireless router.
another way is to scan (at your own risk) the provider side network and discover dlink webcams, among other devices, some are defaulted ;D
-
So does disabling the IPv4 remote access and HTTPS server features listed under Tools/Admin, the IPv6 version of the remote web page can still be viewed?
-
yes, exactly my point! :)
disabling the the IPv4 remote access and HTTPS server features, has no impact on the IPv6 version of the remote web page access and view.
"By DEFAULT, subscriber-managed residential gateways MUST NOT offer management application services to the exterior network."
#point 50, http://ipv6friday.org/wp-content/uploads/2012/08/ipv6friday-ipv6-cpe-security.pdf
http://tools.ietf.org/html/rfc6092
-
I'll try and do some digging on this. You may need to phone contact D-Link support, ask for elevated support as I don't think level 1 can help here. Let us now if you find out anything.