jbwisemo

When will the IPv6 hop-by-hop fix be available for KES?

The bugfix described for home users in

is still not included in KES 10.3.0.6294 (SP2 mr1), and is not mentioned in the release notes for KES11 RC.

When will this IPv6 compatibility bugfix (awaited by multiple customers for years) be available for KES users?

Note that, according to the thread, this only affects Windows 8.1 and maybe Windows 8.0 machines.

Please refer to the referenced thread for acknowledgement of the root cause by Egor Kurnev, way back in 2015! (comment 2450523).

Note that the routers he suggested upgrading are the routers on the public Internet provider networks, nothing that Kaspersky customers can change.

 

 

2 hours ago, jbwisemo said:

The bugfix described for home users in

is still not included in KES 10.3.0.6294 (SP2 mr1), and is not mentioned in the release notes for KES11 RC.

When will this IPv6 compatibility bugfix (awaited by multiple customers for years) be available for KES users?

Note that, according to the thread, this only affects Windows 8.1 and maybe Windows 8.0 machines.

Please refer to the referenced thread for acknowledgement of the root cause by Egor Kurnev, way back in 2015! (comment 2450523).

Note that the routers he suggested upgrading are the routers on the public Internet provider networks, nothing that Kaspersky customers can change.

Hello.

KES functionality is not related to that of home products. Please describe the issue in terms of KES.

Thank you.


The behavior described in that thread, in particular in Egor Kurnev's comment, also happens in KES 10 SP2 mr1 (and in KES 10 SP1 mr4), exactly as described there.

Specifically, when a Windows 8.1 machine with KES 10 sends out an ICMPv6 Echo Request (ping), an unfortunate interaction between Kaspersky and Microsoft firewall code causes that ping packet to be incorrectly prefixed with an extra "hop-by-hop" router options IPv6 header, which in turn causes some 3rd party public Internet routers to not route the packet to its destination.

There are multiple threads all over the forum about this issue, most of them derailed by irrelevant details.  That particular thread seems to be the one that most clearly describes the root cause of how that extra header is added to the ICMPv6 packet.  In particular the thread points to klwfp.sys, which is also included in KES 10.  File version of klwfp.sys (x64) is 12.0.0.11 on one machine and 13.0.0.20 on another.

21 minutes ago, jbwisemo said:

The behavior described in that thread, in particular in Egor Kurnev's comment, also happens in KES 10 SP2 mr1 (and in KES 10 SP1 mr4), exactly as described there.

Specifically, when a Windows 8.1 machine with KES 10 sends out an ICMPv6 Echo Request (ping), an unfortunate interaction between Kaspersky and Microsoft firewall code causes that ping packet to be incorrectly prefixed with an extra "hop-by-hop" router options IPv6 header, which in turn causes some 3rd party public Internet routers to not route the packet to its destination.

There are multiple threads all over the forum about this issue, most of them derailed by irrelevant details.  That particular thread seems to be the one that most clearly describes the root cause of how that extra header is added to the ICMPv6 packet.  In particular the thread points to klwfp.sys, which is also included in KES 10.  File version of klwfp.sys (x64) is 12.0.0.11 on one machine and 13.0.0.20 on another.

KIS uses different versions of drivers than KES, and unfortunately issues cannot be investigated across different products by extension. Please let us know if there are existing reports of this issue particularly in KES, or if you are able to describe the scenario to reproduce the issue in KES and collect corresponding traces (while only the affecting component is active).

Thank you.


As I said, there are other reports if you search for it.  They usually complain that IPv6 ping doesn't work.

Steps to test/reproduce:

1. Set up a test machine running Windows 8.1 (not 10, not 7) on an IPv6 network with actual routers to elsewhere.

2. Set up the ability to capture outgoing traffic from the test machine at the lowest possible level (e.g. with Wireshark).

3. Without Kaspersky software installed, use the Windows ping command to ping an IPv6 address that needs to go via a router (i.e. not on the same network segment).

4. The outgoing ICMPv6 echo request packet should not contain a "hop-by-hop" element (shown inside the IPv6 header in Wireshark 2.x) (or at least it should contain one with harmless content).

5. Install Kaspersky software and reboot.

6. Do the same ping again.

7. The outgoing ICMPv6 now contains a new (or changed) hop-by-hop header.

The added hop-by-hop header is the problem as it confuses 3rd party routers.

 

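The comparison in steps 4 and 7 above can also be made on raw packet bytes exported from a capture. This is an added example, not code from the poster or from Kaspersky; the sample packets, addresses and the options placed in the Hop-by-Hop header are constructed for illustration and are not taken from an affected machine.

```python
import struct

HOP_BY_HOP, ICMPV6, ECHO_REQUEST = 0, 58, 128  # IANA protocol / ICMPv6 type numbers

def build_ipv6(next_header, payload):
    """Constructed sample packet: 40-byte fixed IPv6 header followed by payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000100000000000000000002")
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB", first_word, len(payload), next_header, 64) + src + dst + payload

def inspect_echo_request(packet):
    """Return (is_echo_request, options) for a raw IPv6 packet.

    options is None when no Hop-by-Hop header is present, otherwise a list of
    (option_type, option_data) tuples in wire order.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, options = packet[6], 40, None
    if next_header == HOP_BY_HOP:  # Hop-by-Hop directly follows the fixed header
        if len(packet) < offset + 8:
            raise ValueError("truncated Hop-by-Hop header")
        next_header = packet[offset]
        end = offset + (packet[offset + 1] + 1) * 8  # length field counts 8-byte units minus one
        if len(packet) < end:
            raise ValueError("truncated Hop-by-Hop header")
        options, pos = [], offset + 2
        while pos < end:
            if packet[pos] == 0:  # Pad1: a single byte with no length field
                options.append((0, b""))
                pos += 1
                continue
            if pos + 2 > end or pos + 2 + packet[pos + 1] > end:
                raise ValueError("option overruns Hop-by-Hop header")
            options.append((packet[pos], packet[pos + 2:pos + 2 + packet[pos + 1]]))
            pos += 2 + packet[pos + 1]
        offset = end
    is_echo = (next_header == ICMPV6 and len(packet) > offset
               and packet[offset] == ECHO_REQUEST)
    return is_echo, options

# Constructed samples (ICMPv6 checksum left at zero).
ECHO = bytes([ECHO_REQUEST, 0, 0, 0, 0, 1, 0, 1]) + b"abcdefgh"
# Next Header=58, Hdr Ext Len=0, Router Alert option (type 5), PadN (type 1, length 0).
HBH = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
CLEAN = build_ipv6(ICMPV6, ECHO)              # the packet shape step 4 expects
CHANGED = build_ipv6(HOP_BY_HOP, HBH + ECHO)  # the packet shape step 7 describes
```

Running `inspect_echo_request` on the same ping captured before and after installation shows whether the header appeared and which options it carries.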

Hello!

Please collect the KES traces while reproducing the issue and the full GSI report from the problematic machine.

Thanks!

On 30-1-2018 at 8:02 AM, jbwisemo said:

The bugfix described for home users in

is still not included in KES 10.3.0.6294 (SP2 mr1), and is not mentioned in the release notes for KES11 RC.

When will this IPv6 compatibility bugfix (awaited by multiple customers for years) be available for KES users?

Note that, according to the thread, this only affects Windows 8.1 and maybe Windows 8.0 machines.

Please refer to the referenced thread for acknowledgement of the root cause by Egor Kurnev, way back in 2015! (comment 2450523).

Note that the routers he suggested upgrading are the routers on the public Internet provider networks, nothing that Kaspersky customers can change.

 

 

Look at this... It's 2018 and they still didn't fix that... I just installed the KIS 18.0.0.405 (f) and it's still the same thing.
ICMP to IPv6 addresses still giving a timeout...


Kaspersky Internet Security is not Kaspersky Endpoint Security; you should address your issues with KIS in the home users forum.

IPv6 will definitely save the internet at some point, but not today; many home and business environments still use IPv4, as well as internet services.

If you need to implement IPv6 addressing in your business network, please create an incident in the Kaspersky 'Company Account' service and request private patch 1920 for that particular case.

On 7/2/2018 at 19:40, Evgeny_E said:

Kaspersky Internet Security is not Kaspersky Endpoint Security; you should address your issues with KIS in the home users forum.

IPv6 will definitely save the internet at some point, but not today; many home and business environments still use IPv4, as well as internet services.

If you need to implement IPv6 addressing in your business network, please create an incident in the Kaspersky 'Company Account' service and request private patch 1920 for that particular case.

Hi!

Yesterday I got patch 3020 for the same issue with ICMP IPv6 for Windows 10.

Thanks for the indications. I am wondering if it will be fixed in KES 11... It's very difficult to do diagnostics without ICMP...

 
