UK among nations that have done least
Re: UK among nations that have done least
13-10-2013 10:32 PM
Re: UK among nations that have done least
13-10-2013 11:07 PM
Quote from: nanotm the manual of the router stating that it does,
how to port forward "do xyz", *please note this disables the SPI firewall and changes NAT to open or loose*
it's a really good indicator of there being a problem with using DMZ or port forwarding rules
I downloaded the handbook for 'nanotm's router, and searched for those keywords.
Can you guess what I found? ... ... ...
NOTHING!
There is nothing resembling the above statement ANYWHERE in the entire manual.
To repeat myself from another thread -
[quote=purleigh on 19/09/2013, 10:51]Having read 'nanotm's responses in this and other threads, they all seem to be phrased (in his OWN words) as -
[quote=nanotm on 19/09/2013, 01:06]
wrapped in some smoke and blown up with a whole bunch of mumbo jumbo to confuse the issue
Re: UK among nations that have done least
15-10-2013 2:45 PM
Actually there's also a very advanced manual for the TG582n which describes the problem in great detail; furthermore it explains that when running dual stack connections it has to have the firewall off in order for the NA(P)T to work...... so your network is only protected if you're running an IPv6-only connection, and then only if you use UPnP to create the micro holes as required in the firewall and then close them when finished......
There's several publications that talk quite a lot about security problems with various implementations of IPv6, the biggest one being IPv6-unaware network equipment (something the UK has a lot of across the WAN) not being able to correctly identify and route things, the compilation of DNS + routing tables (and given the possible number of addresses in a subnet assignment) and limiting address entries per connection being the only practical way around the problem until someone builds a server/database package that can actually hold every address in the entire 128-bit range and retrieve the information in a nanosecond.
But you guys can crack on with your flame posts; clearly there is a problem with getting past the popular "easy to understand but wrong non-facts" and the truth about how much of a problem there will be when it comes to crunch time and dual stack is fully implemented with junk like CG-NAT.
fixed a typo
Re: UK among nations that have done least
15-10-2013 3:07 PM
Quote from: nanotm not sure what manual you downloaded there but I'll assume it's the basic one for the Billion 7800DL (which is my current primary router), which doesn't even mention that when using NAT the SPI firewall default setting is off; it's only the technical manual that mentions any of it, and goes on to explain how it's possible to have the firewall enabled for native IPv6 traffic (not tunnelled) because that, unlike IPv4, doesn't use NAT, but then goes on to explain how if static port forwarding is used instead of UPnP then your open ports are still vulnerable to unsolicited traffic so should be avoided.....
Link to reference please? With some routers (old D-Link ones for instance) you have to turn off SPI for port forwarding to work but the stateless firewall still works. I think you're confusing the action of port forwarding punching holes through a firewall with turning the complete firewall off. Generally, the whole point of port forwarding is to accept unsolicited traffic so I'm unclear about what you're getting at...
Let's also be clear IPv4 != NAT, just most consumer connections use NAT.
Quote from: nanotm actually there's also a very advanced manual for the TG582n which describes the problem in great detail; furthermore it explains that when running dual stack connections it has to have the firewall off in order for the NA(P)T to work...... so your network is only protected if you're running an IPv6-only connection, and then only if you use UPnP to create the micro holes as required in the firewall and then close them when finished......
Link to reference please?
Quote from: nanotm there's several publications that talk quite a lot about security problems with various implementations of IPv6, the biggest one being IPv6-unaware network equipment (something the UK has a lot of across the WAN) not being able to correctly identify and route things, the compilation of DNS + routing tables (and given the possible number of addresses in a subnet assignment) and limiting address entries per connection being the only practical way around the problem until someone builds a server/database package that can actually hold every address in the entire 128-bit range and retrieve the information in a nanosecond
Link to references please?
Re: UK among nations that have done least
15-10-2013 3:26 PM
I have just downloaded the "User Manual" for the latest "7800DXL" and still can't find anything like what is being suggested.
http://www.billion.uk.com/esupport/index.php?/Knowledgebase/Article/View/327/101/7800dxl-user-manual
Re: UK among nations that have done least
15-10-2013 4:50 PM
Re: UK among nations that have done least
15-10-2013 4:54 PM
jelv (a.k.a Spoon Whittler) Why I have left Plusnet (warning: long post!) Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month) |
Re: UK among nations that have done least
15-10-2013 5:23 PM
Quote from: pwatson Link to reference please? With some routers (old D-Link ones for instance) you have to turn off SPI for port forwarding to work but the stateless firewall still works. I think you're confusing the action of port forwarding punching holes through a firewall with turning the complete firewall off. Generally, the whole point of port forwarding is to accept unsolicited traffic so I'm unclear about what you're getting at...
Let's also be clear IPv4 != NAT, just most consumer connections use NAT.
A stateless firewall is actually just NAT. The problem with port forwarding is *most people* forward a port for a single application or console and leave it there permanently unless their router needs them to change it so they can create a new one, as opposed to businesses who do it so their server(s) are accessible across domains (multi-site) or to consumers.
Network address translation only works on IPv4, but then why would anyone try to use it on IPv6 when, if every one of the 7.5 billion potential users on the planet had 10 devices connected 24/7, there would still be so many available addresses that nobody would ever need to create a new way to address share; perhaps if we expanded across the galaxy we might in a few hundred years run out of them and need to go down the NAT route, but then that would be something for the future generations to overcome (and in all likelihood would simply expand to using a 256-bit address system anyway).
@jelv I don't think there is one, not that I was referring to it as being essentially junk (if it was I would have sent it back for a refund), but there's a wealth of info available online about how various ISP-provided routers implement workarounds and provide extra features whilst disabling others (like the TG582n's USB version which has a 3G fallback option and/or a 4-port media/file server option in some software configurations, but in order to provide different functions those get wiped out due to its limited processing ability).
There's even info on how it provides connectivity options by parsing all the info at the operating level; your favourite ISP has a whole set of documents on it ......
Re: UK among nations that have done least
15-10-2013 5:36 PM
Quote from: nanotm the manual of the router stating that it does,
how to port forward "do xyz", *please note this disables the SPI firewall and changes NAT to open or loose*
it's a really good indicator of there being a problem with using DMZ or port forwarding rules
Did you just make this up or is it actually what a manual said? If it is what a manual said please provide a link or if you only have a hard copy please post an image of the relevant page(s).
Re: UK among nations that have done least
15-10-2013 5:53 PM
Quote UK among nations that have done least
Only one country can "have done the least".
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: UK among nations that have done least
15-10-2013 6:06 PM
Just need to work on the users being limited to a handful of addresses and DNS servers being needed for routing 'mistakes' now.... 🙂
Re: UK among nations that have done least
15-10-2013 6:19 PM
Quote from: vilefoxdemonofdoom The title of this thread is wrong.
Quote UK among nations that have done least
Only one country can "have done the least".
Perhaps you need to contact the BBC!
[quote=http://www.bbc.co.uk/news/technology-20646710]The indifference means the UK is among the nations that have done the least to move to V6, it said.
Re: UK among nations that have done least
15-10-2013 8:23 PM
Quote from: pwatson So, finally, we have an admission that the (irrelevant) comment about turning on port forwarding disables the router firewall, removes all security and turn the router into 'a simple switch' was wrong.
Just need to work on the users being limited to a handful of addresses and DNS servers being needed for routing 'mistakes' now.... 🙂
Just so you stop thinking otherwise: open NAT doesn't check anything other than that the destination of the header appears on your internal network device list (which means that at some point it was connected to the network in the past). It's referred to as a stateless firewall because it doesn't track if the device is even present, just that it appears in the list of known devices. When the SPI firewall is dropped, unless you edit the CLI, the DNS cache is open to the entire world on most cheapo routers, and particularly so with things like ISP-supplied boxes.
EDIT;
This also makes it less use than a switch because it incorrectly makes people believe they have some form of protection when in reality they have nothing.
As for the number of addresses allowed on a subnet allocation, someone from Plusnet already made the point that they would be limited in a different thread, and the reason being was because a single /64 contains enough addresses to cater for most of the world. If every customer had unlimited address capability the ISPs would need something the size of the Millennium Dome just to house the DNS servers, never mind that they would need to populate every possible address unit into the fields and maintain a live update stream to track if those endpoints were connected and in use or not. Limiting address allocation use down to under 500 per /64 subnet, whilst extremely wasteful (in IPv4 thinking), is actually rather clever in terms of future expandability: address separation means that it will be a lot less likely for address duplication.
@jelv
I paraphrased;
you would need to look at 5 separate sections of the manual in order to actually put it all together and find a warning about it. Well, that depends what ISP supplied the router of course; some don't have any warning about anything in them ...... others have information overload, but again most are fragmented.
Re: UK among nations that have done least
15-10-2013 8:30 PM
Although I'm really not trying to fuel the fire here (again) but just to clarify I don't believe anyone from Plusnet said addresses would be limited for all the previously mentioned good reasons/standards around IPv6 and aggregated routes.
As has been suggested in other posts, if you have a legitimate question around NAT/routing/IPv4(6) then you would be better off starting a new thread with an appropriate title.
Re: UK among nations that have done least
15-10-2013 8:40 PM
Quote from: nanotm this also makes it less use than a switch because it incorrectly makes people believe they have some form of protection when in reality they have nothing
Nonsense! Ports that have been pro-actively forwarded will forward traffic to the nominated internal machine. All other ports remain closed and only the nominated machine receives the incoming traffic. Quite what you witter on about DNS caches for at this point escapes me...
Quote from: nanotm if every customer had unlimited address capability the isp's would need something the size of the millennium dome just to house the dns servers,
For the umpteenth time, this is also nonsense! Just as with IPv4, there is no requirement to associate names with all available addresses.
Agree with Paul though - Starting your own thread is a good idea!
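As an added illustration of the point made in the last two posts (this is not from any poster or router manual in this thread), the nftables ruleset below, for a Linux box acting as a home router, forwards a single port to one LAN host while the stateful (connection-tracking, i.e. SPI) filter stays fully in force: unsolicited traffic to any other port, IPv4 or IPv6, still hits the drop policy. The interface names `wan0`/`lan0`, the host addresses 192.168.1.10 and 2001:db8:1::10 and the port 25565 are constructed values for the example; IPv6 gets a plain forward accept with no NAT at all.

```nftables
#!/usr/sbin/nft -f
# Added example (constructed values): stateful firewall plus one port forward.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept   # replies to the router's own traffic
        ct state invalid drop
        iifname "lo" accept
        iifname "lan0" accept                 # LAN side may manage the router
        # Neighbour discovery / RA must pass or IPv6 does not work at all
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept   # connection tracking is still on
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept  # outbound from the LAN
        # The one forwarded port, and nothing else, is reachable from the WAN.
        # For IPv4 the packet was already DNATed in prerouting, so match the LAN address.
        iifname "wan0" ip daddr 192.168.1.10 tcp dport 25565 ct state new accept
        # Native IPv6: same host, same port, no address translation involved.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 25565 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "wan0" tcp dport 25565 dnat to 192.168.1.10   # IPv4 port forward
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade                            # IPv4 NAT for LAN clients
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; a connection attempt from the WAN to any other port on either address matches no accept rule and falls to `policy drop`, which is the behaviour the forward rule leaves untouched.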