Comodo is blocking ICMPv6 Router Advertisements every 3 seconds, nonstop

I own an Arris SB6141 modem and never experienced problems with it. I purchased a TP-Link wireless router and noticed websites were not loading sometimes.

So, I currently have my modem connected directly to the PC, and with IPv6 filtering enabled, I am experiencing firewall logs every 3 seconds exactly.

Application: windows operating system
Action: Blocked
Direction In
Protocol ICMPv6
source IP fe80::201:5cff:fe8a:3c46
Source port: Router advertisement
Destination IP: ff02::1
Destination port: Router advertisement

These logs stop when I disable IPv6 filtering and happen as soon as I enable filtering. I have tried unplugging and plugging the modem back in several times. Apparently, I am being locked out of logging into this modem as well. I have tried 192.168.100.1 on two different browsers. I am not able to reset the modem, only power cycle it, it seems. I’m about to call my ISP and see if they can reset it for me.

When I disable IPv6 in Windows I get tons of router advertisements. When IPv6 is enabled, the router advertisements stop.

You need to add global rules allowing incoming ICMPv6 packets. Create rules for the following ICMPv6 types under the global rules section: Packet too big, Time exceeded, Type 134 Code 0. Refer to the attached screenshots on what the rules should be set to.

The issue seems to be solved for now. I have IPv6 enabled in Windows and on my router, and IPv6 filtering enabled in Comodo firewall, and the logs have ceased. I’ll disable IPv6 and try adding those firewall rules if I don’t need IPv6.

And I finally managed to log into my modem after booting a Linux live distribution. Apparently, something was preventing me from accessing the modem’s configuration page in Windows. Anyway, I looked at the configuration page of the modem and it states that the Modem’s IP Mode is IPv6 Only, and typing IPCONFIG into the Windows command prompt confirms I am using an IPv6 address.

I created the firewall rules but am still getting neighbor solicitations. I have been reading up on RFC 4443 and trying to understand what is happening in the background.

From what I understand, ICMPv6 replaces ARP by using multicast instead of broadcast to find link-local ipv6 addresses on the network. Sorry if this is a wrong interpretation.

The source address in the logfile I uploaded is my router’s link local address? The destination is my computer’s ipv6 address? What I don’t understand is why the router would be sending neighbor solicitations to the PC.

I am trying to follow along with the video but it does not seem to apply to my circumstance.

The neighbor solicitation message appears to be coming from the router, as the source IP in the firewall log matches what my router says its “ipv6 LAN link local address” is.

But what exactly is the destination? All nodes on the local network segment, according to Wikipedia. So is the router trying to find out the address of any other device on my network?

After reading about neighbor discovery on Cisco’s website, it now finally makes sense:

[b]Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation message is sent to the solicited-node multicast address. The source address in the neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message. The neighbor solicitation message also includes the link-layer address of the source node.

After receiving a neighbor solicitation message, the destination node replies by sending a neighbor advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor advertisement message is the IPv6 address of the node sending the neighbor advertisement message; the destination address is the IPv6 address of the node that sent the neighbor solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message.

After the source node receives the neighbor advertisement, the source node and destination node can communicate. [/b]

Ok so just add the rule to allow incoming Neighbor solicitations by choosing custom ICMPv6 type 135. So you should have Allow In rules for ICMPv6 Router Advertisements, Neighbor Solicitation, Packet Too Big, and Time Exceeded. Those should allow IPv6 connectivity without blocking required packets.

Once I add these rules, is Comodo still “filtering IPv6 traffic”? Or is this pretty much what the filtering does is block neighbor discovery?

When creating the firewall rule to allow neighbor solicitation, could I place the router’s IPv6 address in the source address instead of “any address”?

I also pulled this from Cisco’s site as well.

[b]Although efficient, NDP and SLAAC represent a significant security risk in IPv6. IPSec, which is mandated by the IPv6 specifications, is not suited to easily secure these ICMP messages because of the need to manually configure the IPSec keys. Without IPSec protection, each of these ICMP messages is easily spoofable (similar to ARP spoofing in IPv4). This leaves NDP and SLAAC open to various attacks, such as the following:

Attacker can claim to be another host’s address using Neighbor Solicitation Messages
Attacker can claim to be the default router using Router Advertisement Messages
Attacker can claim all addresses using Neighbor Solicitation Messages, preventing hosts from getting an address
Attacker can advertise false prefixes using Router Advertisement Messages[/b]

http://blogs.cisco.com/security/icmp-and-security-in-ipv6

Yes, CIS will still monitor and filter IPv6 packets as long as you have enabled the setting under firewall advanced settings. If you disable filter IPv6 traffic, then CIS will ignore such traffic and allow the traffic to go through regardless of any blocking rules for IPv6 that you may have created. You will also notice connections with IPv6 addresses under the View connections task when filter IPv6 traffic is enabled; when disabled, you won’t see any connections related to IPv6 in the active connections window.

These concerns only apply in the situation where the attacker is connected to the same local network as you. In other words, these attacks cannot be carried out over the internet, so you don’t need to make rules with your router’s IPv6 address as the source address. You could, but I’m not sure which IPv6 address you would use: the router’s link-local IPv6 address or the public routable IPv6 address.
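
An added example, not part of the thread and not Comodo's own logic: a Python sketch of the Allow-In rules discussed above (Packet Too Big, Time Exceeded, Router Advertisement, Neighbor Solicitation), with the Router Advertisement rule pinned to the router's link-local address. RFC 4861 requires a Router Advertisement to be sent from the sending interface's link-local address, so that is the address such a rule would match. The `evaluate` function, the `alert` action and the sample packets are assumptions made for illustration.

```python
import ipaddress

# ICMPv6 types covered by the Allow-In rules discussed in the thread.
ALLOWED_TYPES = {2: "Packet Too Big", 3: "Time Exceeded",
                 134: "Router Advertisement", 135: "Neighbor Solicitation"}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")
ROUTER_LL = "fe80::201:5cff:fe8a:3c46"  # source address in the poster's log


def evaluate(pkt, router_ll=ROUTER_LL):
    """Return (action, reason) for one inbound ICMPv6 packet given as a dict."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    icmp_type = pkt["type"]
    if icmp_type not in ALLOWED_TYPES:
        return ("block", "type %d not in allow list" % icmp_type)
    if icmp_type == 134:
        # RFC 4861: the source of a Router Advertisement is always link-local,
        # so a rule pinned to the router would use its fe80:: address.
        if src not in LINK_LOCAL:
            return ("block", "RA from non-link-local source")
        if src != ipaddress.ip_address(router_ll):
            return ("alert", "RA from unexpected router")
    if icmp_type == 135 and dst.is_multicast and dst not in SOLICITED_NODE:
        # A multicast NS is only ever sent to a solicited-node group.
        return ("block", "NS to unexpected multicast group")
    # NS sources are left unrestricted: any on-link host may solicit, and
    # duplicate address detection probes use the unspecified source "::".
    return ("allow", ALLOWED_TYPES[icmp_type])


# Constructed sample packets (not taken from a real capture).
SAMPLES = [
    {"type": 134, "src": ROUTER_LL, "dst": "ff02::1"},
    {"type": 134, "src": "fe80::dead:beef", "dst": "ff02::1"},
    {"type": 134, "src": "2001:db8::1", "dst": "ff02::1"},
    {"type": 135, "src": ROUTER_LL, "dst": "ff02::1:ff12:3456"},
    {"type": 135, "src": "::", "dst": "ff02::1:ff12:3456"},
    {"type": 128, "src": "2001:db8::1", "dst": "2001:db8::2"},
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt["type"], pkt["src"], "->", pkt["dst"], evaluate(pkt))
```

A Router Advertisement from any link-local address other than the expected router is the case worth logging, since it is the on-link spoofing scenario the Cisco excerpt describes.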