Comodo Internet Security 5.3.174622.1216 - IPv6 Discussion

Would this explain why I’m seeing a great many Solicited-Node address queries with a scope of two, to numerous addresses, even though there are only three different IPv6 enabled devices on the LAN and that is filtered by a router?

ICMPv6 is needed for it to function. I’d suggest removing this rule from the global rules if you’re using v6.

These are outbound events, Ronny.

I also understand the need for ICMPv6, which is why I posted here https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-531746221216-released-t67084.0.html;msg473388#msg473388

Edit: typo

If stuff gets logged, you probably put logging on rules?
Maybe we should continue this discussion in a new thread…

With something new and untested, I always log. If you wish me to start a new thread, I am happy to do so. Perhaps you can move these last posts there…

Can you post a screenshot of what you’re seeing on IPv6 traffic?

Attached is a small section from the log. This portion identifies several different addresses to which multicast packets are being sent; there are numerous others.

The originating address (fe80::972:322:9617:bc8d) is the link-local address of the Windows 7 PC. The destination addresses are unknown to me. Using the standard conversion process to arrive at the link-layer address also didn’t provide any useful information. I could have made a mistake in the conversion process.

One thing I’m wondering: my router, although providing full IPv6 support, is still using NAT and only IPv4 filters. I haven’t, as yet, updated iptables in the router to provide filters for IPv6…

[attachment deleted by admin]

It’s normal behavior, as broadcast has been removed in v6 and multicast has been added for it…
Also ARP is no longer used to find MAC vs. IP, so it’s all based on ICMPv6 multicast now.

ff02::1 All nodes on the local network segment
ffx2::/16 is link-local, meaning packets with this destination address may not be routed anywhere.
(Source: Multicast address - Wikipedia)

Part from a packet capture…
00:43:27.229076 IP6 fe80::6966:d051:4ce1:741 > ff02::1:ffff:fffe: ICMP6, neighbor solicitation, who has fe80::ffff:ffff:fffe, length 32

If you’re interested in finding out what’s running around on your wire, download Wireshark and see what’s going on there… http://www.wireshark.org/

btw, I’m getting a connection on IPv6 and I’m on IPv4…

[attachment deleted by admin]

First, it’s both fe80:, so it’s link-local (so it must be somewhere on your local LAN).
Second, TCP port 2869 is used by UPnP, so it’s probably your router having v6 support.

How many devices do you have on your local network?

4: 1 PS3, 2 computers, 1 TV

Where is your break-out for the Internet then? No router/modem?
The fastest way to find it is to set up a ping -6 -t to the address and disconnect the devices one by one until the ping drops to time-out.

The one with c100 on the end is your PC from what I can see from the screenshot.


ping -6 -t fe80::497e:1fca:55f0:5433

Thanks for the reply.

In an earlier post I did mention the scope ID was set to 2 and thus these were all link-local requests; what I don’t understand is where the requests are being sent to.

I have already performed a Wireshark analysis of the network and, as mentioned, have identified the link-layer address of most of the devices to which these packets are being sent, none of which are attached to my network and thus are not on the local link.

My surmise, which doesn’t make sense, as mentioned, is that because my router is not currently configured to filter IPv6 packets, these node address queries are actually for devices outside of the local environment.

If you wish, I could analyze your network capture; please PM me if you’re interested in a second opinion :wink:

Reading this discussion has gotten me interested in using Wireshark, and I have downloaded the Windows installer x64 version from the Wireshark website, but I wanted to confirm that it would work with my Win 7 x64 computer’s Intel Core i7 930 processor before installing it, because I read in their system requirements that an AMD processor is required.

~Maxx~

I run Wireshark on my i7-960.

From Wireshark’s system requirements:

Any modern 32-bit x86 or 64-bit AMD64/x86-64 processor.

One more piece of the puzzle: all of these events are related to uTorrent (I imagine the same holds true for other torrent clients, also). When the client is not running, there are no solicitation events; start the client and the solicitation events start. This is always reproducible.

Can you make a packet capture of it and upload it somewhere so I can analyze it? It should not leave your local network, unless something is seriously misconfigured on your provider’s network.
(Send me a PM if you don’t wish to share it here…).

Are you on a cable network or DSL?

Here’s a couple of packets from the most recent capture. I’ve redacted a few details for the sake of privacy.

The first packet (a.txt) is what appears to be an ICMPv6 reply to a Teredo packet. The source of this is my router and the destination is my Windows 7 PC (the destination port is my uTorrent port). Interestingly, I don’t have Teredo enabled on the PC or the router. In fact, all tunnel types are disabled.

There was nothing in either the router log or the CIS log to indicate this dialogue (there are actually 4 packets, 2 from the router to the PC and 2 from the PC to the router) ever took place. It’s also interesting to note the ICMPv6 type and code, both of which are 0 and unknown.

The second packet is one of a great many, the only difference between this and the others is the Target address.

This capture is actually related to the posts I made earlier; that is, they show the Neighbor Solicitation packets. The source is the Windows PC’s link-local address (fe80::972:322:9617:bc8d) and the destination is the ICMPv6 multicast address (ff02::1:fff4:5bf9) which, as previously stated, has a scope ID of 2 (link-local scope).

If we derive the MAC address of the target from the IPv6 address via the EUI-64 notation, we should arrive at something like 00-25-00-f4-5b-f9. The OUI 00-25-00 belongs to QLogic Corporation, products from whom are not to be found on my network.

Edit:

To answer your question, my connection is more like cable than DSL, however, I connect to my ISP via an L2TP tunnel. I have two IP addresses, one from the reserved 172 block, which is the ISP subscribers private LAN and one which is an Internet facing address.

[attachment deleted by admin]
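The two address derivations discussed in this thread (the neighbor solicitation to ff02::1:ffff:fffe in Ronny’s capture, and the attempt above to recover a MAC from ff02::1:fff4:5bf9) can be checked with a short script. This is an added example, not code from the thread or from Comodo; the target addresses other than those quoted in the posts are constructed.

```python
import ipaddress

def solicited_node(target: str) -> str:
    """Solicited-node multicast address per RFC 4291: ff02::1:ff00:0/104 with the
    low 24 bits of the target appended. Only the last 6 hex digits of the
    target survive, so the rest of the target cannot be recovered from it."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    value = (0xFF02 << 112) | (1 << 32) | (0xFF << 24) | low24
    return str(ipaddress.IPv6Address(value))

def multicast_scope(addr: str) -> int:
    """The 4-bit scope field of an ffXS:: multicast address (2 = link-local)."""
    return (int(ipaddress.IPv6Address(addr)) >> 112) & 0xF

def mac_from_eui64(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None when
    the ff:fe marker is absent (randomised interface IDs, the Windows 7 default)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # undo the universal/local bit flip applied by EUI-64
    return "-".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Target quoted in the tcpdump line: maps to the ff02::1:ffff:fffe seen there.
    print(solicited_node("fe80::ffff:ffff:fffe"))
    # Constructed EUI-64 address for MAC 00-25-00-f4-5b-f9 and a constructed
    # random-IID address: both solicit ff02::1:fff4:5bf9, so the OUI is ambiguous.
    for t in ("fe80::225:ff:fef4:5bf9", "fe80::1234:5678:9af4:5bf9"):
        print(t, solicited_node(t), mac_from_eui64(t))
    # The Windows 7 link-local address from the log has no ff:fe marker.
    print(mac_from_eui64("fe80::972:322:9617:bc8d"))
```

The second loop shows why the 00-25-00 OUI cannot be inferred from the solicited-node address alone: any target whose last 24 bits are f4:5bf9 produces the same ff02::1:fff4:5bf9 destination.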

Not sure about the Teredo, have to look in to it.

Regarding the second packet: as there is no response received, it’s probably an address delivered to uTorrent, and it tries to see if this system is on the local link. Not sure why uTorrent would do this, but it could be related to not having a global v6 address on either end.

Doesn’t make it easier, having 2 IPs, mixed-up routing and L2TP :wink: