Since I disabled ipv6 support in the firewall I wonder how to decide if I allow or block those connections. I regularly encounter icmp6 requests and don’t experience any disadvantages by denying them. I’m not surprised about that since today ipv6 traffic is still just an alternative for almost all programs.
On the one hand they look very common like
C:\Program Files (x86)\Mozilla Firefox\firefox.exe -Out -ICMPV6
-DST fe80::ecbf:ed74:b460:6606
but I wonder why the explorer tries to use ipv6 even if I don’t get an ipv4 request! what does it try to do?
C:\Windows\explorer.exe -Out -ICMPV6
-DST fe80::3d0b:252a:6096:13fb
and then sometimes I even get requests from applications that have completely nothing to do with networking like the filesearch subprogram of my filemanager, the unrar.exe of jdownloader and WTF even a program written by myself (programming exercise from my studies, a mini ray tracer!) triggered an ICMPV6 request.
Why do offline programs make icmpv6 requests and should I allow those?
When looking through the log I also recognized that always my static non-randomized ipv6 address is used as source address in the log instead of the randomized one, though I have privacy enabled (win7). Should the randomized one be used?
If you have Firewall Behaviour Settings/Enable IPv6 Filtering unchecked, you shouldn’t be seeing any IPv6 activity at all.
I regularly encounter icmp6 requests and don't experience any disadvantages by denying them. I'm not surprised about that since today ipv6 traffic is still just an alternative for almost all programs.
Actually, IPv6 is a replacement for IPv4, not an alternative.
On the one hand they look very common like
C:\Program Files (x86)\Mozilla Firefox\firefox.exe -Out -ICMPV6
-DST fe80::ecbf:ed74:b460:6606
but I wonder why the explorer tries to use ipv6 even if I don’t get an ipv4 request! what does it try to do?
C:\Windows\explorer.exe -Out -ICMPV6
-DST fe80::3d0b:252a:6096:13fb
Both of the IPv6 addresses listed above are link local addresses. Do you have a router or other PC’s on your network, if so what kind and which OS.
and then sometimes I even get requests from applications that have completely nothing to do with networking like the [i]filesearch subprogram of my filemanager[/i], the [i]unrar.exe of jdownloader[/i] and *WTF* even a [i]program written by myself[/i] (programming exercise from my studies, a mini ray tracer!) triggered an ICMPV6 request.
Why do offline programs make icmpv6 requests and should I allow those?
IPv6 uses ICMPv6 much more than ICMP is/was used with IPv4. On a LAN, for example, if you have IPv6 enabled on your PCs, routers and other devices, they will chatter away sharing information via ICMPv6. This is normal. Take a look at ICMPv6, Internet Control Message Protocol for IPv6 for more detailed information.
When looking through the log I also recognized that always my static non-randomized ipv6 address is used as source address in the log instead of the randomized one, though I have privacy enabled (win7). Should the randomized one be used?
Does your ISP provide you with native IPv6 or do you have a tunnel via a broker? Typically, with IPv6 enabled and a valid Ipv6 address, excluding tunnels via teredo, 6to4 or ISATAP, you will have three Ipv6 addresses, the ‘real’ address, the EUI-64 auto-generated address - this is the one you can disable via netsh interface ipv6 set privacy state=disable - and a link local address, which are you referring to?
Actually, IPv6 is a replacement for IPv4, not an alternative.
You're right, of course. I just didn't mean it technical, rather in a way of necessity.
Both of the IPv6 addresses listed above are link local addresses. Do you have a router or other PC's on your network, if so what kind and which OS.
Thanks, I didn't know that. On the network there are two routers, one for internet access and the other as bridge to expand wireless lan. Other computers use different kinds of OS, win xp-7 and macOS. Can you infer additional information from this topology?
IPv6 uses ICMPv6 much more than ICMP is/was used with IPv4. On a LAN, for example, if you have IPv6 enabled on your PCs, routers and other devices, they will chatter away sharing information via ICMPv6. This is normal. Take a look at [url=http://www.networksorcery.com/enp/protocol/icmpv6.htm]ICMPv6, Internet Control Message Protocol for IPv6[/url] for more detailed information.
Interesting information, thank you for the links. That explains the higher activity in general. But I am still worried about the supposed to be offline applications that send ICMP messages.
Does your ISP provide you with native IPv6 or do you have a tunnel via a broker? Typically, with IPv6 enabled and a valid Ipv6 address, excluding tunnels via teredo, 6to4 or ISATAP, you will have three Ipv6 addresses, the 'real' address, the EUI-64 auto-generated address - this is the one you can disable via netsh interface ipv6 set privacy state=disable - and a link local address, which are you referring to?
I actually don't know if my ISP provides me with native IPv6. Would it be necessary to have a rather new router to support that? Because my internet access router is quite old.
I'm referring to my link local address. Now knowing that it is exactly that, a link local address, it sounds less strange to me. Does this mean in my local network my (link local) IPv6 address stays static and isn't randomized like the global one?
All of the operating systems support IPv6, however, XP has to have the protocol stack enabled, which it’s not by default. IPv6 support on the routers will depend on the firmware.
Interesting information, thank you for the links. That explains the higher activity in general. But I am still worried about the supposed to be offline applications that send ICMP messages.
It’s really going to depend on the process and the ICMPv6 type. Can you give some specific examples with related log entries.
I actually don't know if my ISP provides me with native IPv6.
Right now it’s doubtful but not impossible. Open a command prompt and type ipconfig /all and see what shows - see image for an example of a configuration with a valid IPv6 address, albeit an address from a tunnel broker.
Would it be necessary to have a rather new router to support that? Because my internet access router is quite old.
Not necessarily a new router, a great many can be upgraded with new firmware, either from the manufacturer, or via a third party, such as Tomato, DD-WRT, OpenWrt and others.
I'm referring to my link local address. Now knowing that it is exactly that, a link local address, it sounds less strange to me. Does this mean in my local network my (link local) IPv6 address stays static and isn't randomized like the global one?
A link local address is part of IPv6 auto-configuration. In some ways it’s similar to getting an IPv4 address that begins with 169.254... You can read more in RFC 4862
Ok here is the entry of my self-written program (is there any way to copy events from the event log in plain text?):
E:\Data\unidata\ris\assignment03\MiniGI\build\ReleaseWin32\bin\MiniGI.exe
-Asked -Out -ICMPV6
-SRC fe80::f543:caad:d1ef:af4
-DST fe80::3098:8154:7aae:6d2d
this happened two times with afterward three blocked attempts each with about a minute between attempts.
Right now it's doubtful but not impossible. Open a command prompt and type ipconfig /all and see what shows - see image for an example of a configuration with a valid IPv6 address, albeit an address from a tunnel broker.
I only have the link local ipv6 address (german windows, but I’m sure you can see it):
@your ipconfig:
Why is there an ‘IPv6 Address’ AND a ‘Temporary IPv6 Address’? Or in other words: How can I make sure that my applications use the temporary one to connect to the internet and not the static one?
Probably, but you’d need to confirm with your ISP, it may be they offer IPv6 only when asked, or they may have a trial you could join, should you be interested.
[at]your ipconfig:
Why is there an 'IPv6 Address' AND a 'Temporary IPv6 Address'? Or in other words: How can I make sure that my applications use the temporary one to connect to the internet and not the static one?
The temporary address is what I was referring to earlier, when I mentioned “EUI-64 auto-generated addresses” You can read more about how and why this works here.
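As an added illustration (this is not code from the thread or from CIS), the following Python shows the arithmetic behind an EUI-64 interface identifier: the MAC address is split in half, ff:fe is inserted, and the universal/local bit is flipped, so the hardware address can be read straight back out of such an IPv6 address. That reversibility is the reason temporary (random) identifiers exist. The MAC/address pair used is the one from the packet capture later in the thread (e0:cb:4e:a8:6e:f3 and fe80::e2cb:4eff:fea8:6ef3); the other addresses are the link-local ones from the poster's log, and the `describe` helper is my own naming.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split the 48-bit MAC in half,
    insert ff:fe, and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix + EUI-64 identifier: the stable link-local address a
    host configures when identifier randomization is off."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Inverse operation: if the interface identifier carries the ff:fe marker,
    the hardware MAC is recoverable from the address. Returns None for random
    identifiers and for temporary addresses, which carry no such marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)


def describe(addr: str) -> str:
    """Hypothetical helper (my naming) that labels an address the way a log reader would want."""
    ip = ipaddress.IPv6Address(addr)
    scope = "link-local" if ip in ipaddress.IPv6Network("fe80::/10") else "global/other"
    mac = mac_from_address(addr)
    origin = "EUI-64 from MAC %s" % mac if mac else "random or temporary identifier"
    return "%s, %s" % (scope, origin)


if __name__ == "__main__":
    # Values taken from the thread: the capture's MAC/source pair and the poster's log entries.
    print(link_local_from_mac("e0:cb:4e:a8:6e:f3"))
    for a in ("fe80::e2cb:4eff:fea8:6ef3", "fe80::f543:caad:d1ef:af4", "fe80::3d0b:252a:6096:13fb"):
        print(a, "->", describe(a))
```

Run against the two addresses from the poster's own log, `describe` reports no ff:fe marker, i.e. they are not EUI-64 derived; only the capture's source address maps back to a MAC.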
If there’s no port they’re probably multicast packets. However, would you mind posting an image of the logs showing these entries, you can use Additional Options to attach an image.
My best guess - as there’s no way for me to tell in the current situation- would be Neighbor Solicitation (type 135) and Neighbor Advertisement (type 136) - see packet capture
Internet Protocol Version 6, Src: fe80::e2cb:4eff:fea8:6ef3 (fe80::e2cb:4eff:fea8:6ef3), Dst: fe80::95de:2f06:296c:4a32 (fe80::95de:2f06:296c:4a32)
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... 0000 00.. .... .... .... .... .... = Differentiated Services Field: Default (0x00000000)
.... .... ..0. .... .... .... .... .... = ECN-Capable Transport (ECT): Not set
.... .... ...0 .... .... .... .... .... = ECN-CE: Not set
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::e2cb:4eff:fea8:6ef3 (fe80::e2cb:4eff:fea8:6ef3)
[Source SA MAC: AsustekC_a8:6e:f3 (e0:cb:4e:a8:6e:f3)]
Destination: fe80::95de:2f06:296c:4a32 (fe80::95de:2f06:296c:4a32)
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
The above is a capture from my network and shows the essential elements of the ICMPv6 packet.
Basically, part of the auto-configuration process requires a node to ascertain the availability of an address before assigning that address to the local interface. Unfortunately, CIS is a bit broken when it comes to ICMPv6, as there’s no filtering and no way to identify types and codes. Really, the implementation of IPv6 in CIS, at least currently, is a bit of a bodge, so unless you really need it, I’d suggest turning off filtering.
If you want to check, you can load up a copy of Wireshark and check the details of the packets.
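The capture above shows what the firewall log leaves out: the ICMPv6 type. As an added example (not from the thread, not CIS code), the Python below builds a frame with the same shape as that capture (IPv6 header with next header 0x3a and hop limit 255, then a Neighbor Advertisement with a target link-layer option, 32 bytes of payload), parses it back, verifies the RFC 4443 checksum over the pseudo-header, and classifies it the way a reader of these logs would want: NDP between link-local addresses is ordinary on-link housekeeping, while NDP with a hop limit other than 255 or with off-link addresses deserves a second look. The frame bytes are constructed here; the addresses and MAC are the ones from the capture.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ICMPV6 = 0x3A
NDP_TYPES = {
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
    137: "Redirect",
}


def icmpv6_checksum(src, dst, icmp: bytes) -> int:
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header) plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6])
    data = pseudo + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_advertisement(src, dst, target, mac):
    """Constructed sample frame shaped like the capture above (not real traffic)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    # Type 136, code 0, checksum placeholder, flags (solicited|override), target address.
    body = struct.pack("!BBHI", 136, 0, 0, 0x60000000) + ipaddress.IPv6Address(target).packed
    # Target link-layer address option: type 2, length 1 (8 octets), then the MAC.
    body += bytes([2, 1]) + bytes.fromhex(mac.replace(":", ""))
    csum = icmpv6_checksum(src, dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    # IPv6 header: version 6, payload length, next header ICMPv6, hop limit 255.
    hdr = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, 255) + src.packed + dst.packed
    return hdr + body


def parse_ipv6_icmpv6(raw: bytes) -> dict:
    """Decode the fixed IPv6 header and, if present, the ICMPv6 type/code/checksum."""
    if len(raw) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", raw[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(raw[8:24])
    dst = ipaddress.IPv6Address(raw[24:40])
    payload = raw[40:40 + plen]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    info = {"src": str(src), "dst": str(dst), "next_header": nxt, "hop_limit": hlim, "type": None}
    if nxt != ICMPV6 or len(payload) < 4:
        return info
    itype, code, csum = struct.unpack("!BBH", payload[:4])
    expected = icmpv6_checksum(src, dst, payload[:2] + b"\x00\x00" + payload[4:])
    info.update({"type": itype, "code": code, "checksum_ok": csum == expected,
                 "type_name": NDP_TYPES.get(itype, "other (%d)" % itype)})
    return info


def classify(info: dict) -> str:
    """Label a parsed frame so a log reader can tell LAN housekeeping from oddities."""
    if info["type"] is None:
        return "not-icmpv6"
    on_link = (ipaddress.IPv6Address(info["src"]) in LINK_LOCAL
               and ipaddress.IPv6Address(info["dst"]) in LINK_LOCAL)
    if info["type"] in NDP_TYPES:
        # RFC 4861: NDP messages are sent with hop limit 255 and are never forwarded,
        # so any other value means the packet did not originate on this link.
        if info["hop_limit"] != 255:
            return "ndp-bad-hop-limit"
        if not info["checksum_ok"]:
            return "ndp-bad-checksum"
        return "ndp-link-local" if on_link else "ndp-off-link"
    return "icmpv6-other"


if __name__ == "__main__":
    frame = build_neighbor_advertisement("fe80::e2cb:4eff:fea8:6ef3", "fe80::95de:2f06:296c:4a32",
                                         "fe80::e2cb:4eff:fea8:6ef3", "e0:cb:4e:a8:6e:f3")
    info = parse_ipv6_icmpv6(frame)
    print(info["type_name"], info["hop_limit"], classify(info))
```

The same parser applied to a pcap would give the per-type view that the CIS log cannot; the hop-limit check is the cheap sanity test worth keeping whatever tool you use.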
Alright, thank you very much for your help and giving me some insights.
I think probably I will follow your advice and turn off ipv6 filtering for the moment
I have exactly the same problem, ICMPv6 connections, which are part of Neighbor Discovery protocol (Neighbor Solicitation, Router Advertisement, etc.), come (causing asking pop-up) to completely random running processes, most of them are standalone and never use any IP protocol. This is a longstanding bug from the very first time IPv6 support was introduced in COMODO. Moreover, I saw another firewall which does exactly the same - assigning ICMPv6 to a random running process - it was PC Tools Firewall, so it may be a Windows 7 bug or some sort of identical misinterpretation of how the IP stack works. And no, I can’t turn off the IPv6 firewall to disable those annoying pop-ups because I need it. Yes, I have fe80::/10 in my trusted zone. Hope it will be fixed sometime.
Unfortunately, the implementation of IPv6 support in CIS is still far from complete, so until they actually finish this, it’s a question of living with what we’ve been given.
The simplest solution I’ve found for dealing with the spurious ICMPv6 traffic, which is only between local nodes, is to create an Application rule for the ‘All Applications’ pre-defined group that allows ICMPv6 traffic to and from fe80::/10 and to place the rule at the top of the list of Application rules. As the rules are read from the top down, this prevents further alerts. You can also add a rule for IPv6 UDP link local multicasts to the same group.
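The ordering point in the rule above (group rule at the top, evaluated first) is easy to get wrong, so here is an added example, not from the thread and not CIS code, that models a top-down first-match rule list in Python and shows the verdict for an event shaped like the MiniGI.exe log entry earlier in the thread. The model is a simplification of mine: rules match on process, protocol, direction and remote address only, and a non-match falls through to "ask" (the pop-up). The LLMNR group ff02::1:3 is the standard one from RFC 4795; the documentation-prefix address in the off-link event is constructed.

```python
import ipaddress
from dataclasses import dataclass

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
LLMNR_GROUP = ipaddress.IPv6Network("ff02::1:3/128")   # LLMNR multicast group (RFC 4795)


@dataclass
class Rule:
    app: str                      # process name, or "*" for the All Applications group
    proto: str                    # "icmpv6", "udp", ...
    direction: str                # "in", "out", or "*"
    remote: ipaddress.IPv6Network  # remote address the rule applies to
    action: str                   # "allow" or "block"


@dataclass
class Event:
    app: str
    proto: str
    direction: str
    src: str
    dst: str


def first_match(rules, ev):
    """Top-down, first-match evaluation (simplified model of the rule list).
    Returns (rule index, action); (None, "ask") when nothing matched, which is
    the situation that produces a pop-up."""
    remote = ipaddress.IPv6Address(ev.dst if ev.direction == "out" else ev.src)
    for i, r in enumerate(rules):
        if r.app not in ("*", ev.app) or r.proto != ev.proto:
            continue
        if r.direction not in ("*", ev.direction) or remote not in r.remote:
            continue
        return i, r.action
    return None, "ask"


# The two group rules described above; they only work while they stay at the top.
GROUP_RULES = [
    Rule("*", "icmpv6", "*", LINK_LOCAL, "allow"),
    Rule("*", "udp", "out", LLMNR_GROUP, "allow"),
]

# Constructed event shaped like the MiniGI.exe log entry quoted earlier in the thread.
NDP_EVENT = Event("MiniGI.exe", "icmpv6", "out",
                  "fe80::f543:caad:d1ef:af4", "fe80::3098:8154:7aae:6d2d")
# Constructed off-link ICMPv6 from a documentation-prefix address: not covered by the group rule.
OFF_LINK_EVENT = Event("MiniGI.exe", "icmpv6", "in", "2001:db8::1", "fe80::f543:caad:d1ef:af4")


def per_app_block(app: str) -> Rule:
    """The kind of rule an answered pop-up adds: one process, ICMPv6, any remote, block."""
    return Rule(app, "icmpv6", "*", ipaddress.IPv6Network("::/0"), "block")


def decide(auto_added, ev, group_rules_first=True):
    """auto_added: rules created from pop-up answers. Whether they sit above or
    below the group rules changes the verdict for the very same packet."""
    rules = GROUP_RULES + list(auto_added) if group_rules_first else list(auto_added) + GROUP_RULES
    return first_match(rules, ev)[1]


if __name__ == "__main__":
    blocker = per_app_block("MiniGI.exe")
    print("group rules on top:  ", decide([blocker], NDP_EVENT))
    print("auto rule moved above:", decide([blocker], NDP_EVENT, group_rules_first=False))
    print("off-link ICMPv6:      ", decide([], OFF_LINK_EVENT))
```

The third case is the useful side effect of scoping the group rule to fe80::/10: anything that is not on-link still falls through to a rule of its own instead of being silently allowed.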
Yes, it seems the ‘All Applications rule’ you describe is a workaround. The only inconvenience is that newly added automatic rules from pop-up boxes are placed before it, so it is needed to move your rule to the top again each time such rules are added.
P.S.
Yes, rarely I notice the same random process problem, but with IGMP, not UDP (obviously workaround will be the same).
IPv6 doesn’t use IGMP or Broadcasts, IGMP is replaced with MLD (Multicast Listener Discovery). As far as IGMP traffic is concerned, you should only be seeing this against the System process and occasionally svchost.exe but the latter will depend upon your environment. The only IGMP traffic I see and hence the only rule I have, is for the System process IGMP Out on 224.0.0.22, which is IGMPv2 Multicast Group Report.
The IPv6 UDP traffic I’m referring to, is for LLMNR (Link-local Multicast Name Resolution) and CIS has a habit of generating a LLMNR request for virtually every process with an Application firewall rule.
As far as IGMP traffic is concerned, you should only be seeing this against the System process and occasionally svchost.exe but the latter will depend upon your environment. The only IGMP traffic I see and hence the only rule I have, is for the System process IGMP Out on 224.0.0.22, which is IGMPv2 Multicast Group Report.
I saw this random process bug with IGMP rarely in transitional states, when the notebook has just woken from sleep mode. IGMP on 224.0.0.2. I have [224.0.0.0 - 239.255.255.255.255] in my trusted local area network zone.
I believe these two problems have the same root, but the IGMP one is very rare while ICMPv6 is permanent. Somehow COMODO can’t determine the right process for the traffic.
The IPv6 UDP traffic I'm referring to, is for LLMNR (Link-local Multicast Name Resolution) and CIS has a habit of generating a LLMNR request for virtually every process with an Application firewall rule.