[opensuse] IPv6 Rogue Router Security Issue
Hi Folks,

There seems to be a flurry of IPv6 talk going on, maybe this is time for me to bring up the rogue router problem again? I asked about this a couple of times over the years but could never find anyone to comment on it. First, here's the RFC that describes the problem: https://tools.ietf.org/html/rfc6104

Rogue routers have affected me personally at a customer's site. This is a large, professionally managed, dual-stacked network with a number of v4 class B addresses and thousands of hosts. Subnets seem to be /20 CIDR in size, so there are plenty of "neighbors" on any given subnet. I've encountered the situation where misconfigured Windows systems will advertise themselves as an IPv6 router. They then happily accept traffic and drop it all silently on the floor. This problem doesn't seem to bother other Windows boxes too much, but it absolutely kills SSH connections. SSH preferentially tries IPv6 port 22, which when sent to a dumb Windows box results in very long hangups and connection failures.

My workaround for my cohort of Linux desktops and servers was to disable IPv6 for both ssh and sshd. This will work for as long as the host network supports dual stacks, but eventually?

Then there's the issue of intentional MITM attacks using this vector. If a bad actor has physical access to a subnet, or has compromised a host on that subnet, your goose is cooked. This link mentions some mitigations, but they're quite technical and may require hardware support. https://community.infoblox.com/t5/IPv6-Center-of-Excellence/Holding-IPv6-Nei...

So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.

Has SUSE addressed this issue? Tell me I don't have to worry about it!
Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 09/10/2016 12:46 PM, Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
First off, use Wireshark to determine the MAC address of the device sending out those RAs. Once you've found that computer, you can configure it properly (or toss it out the Windows <g>).

Also, forget about NAT as a firewall. You should be relying only on a properly configured stateful firewall for both IPv4 and IPv6. You can have firewalls on both the router and hosts.
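Doing the Wireshark step above programmatically: the following is an added example, not code from this thread or from openSUSE. It parses IPv6 packets carrying an ICMPv6 Router Advertisement (type 134), pulls the sender's MAC out of the Source Link-Layer Address option (falling back to the EUI-64 interface identifier of the link-local source, which does not help for Windows' randomized identifiers), and lists every RA whose sender is not the expected gateway. The gateway MAC and the packets are constructed for the example; the ICMPv6 checksum is left at zero and not verified.

```python
"""Flag IPv6 Router Advertisements from unexpected senders.

Added example, not code from the thread. It does what the reply above
suggests doing by hand in Wireshark: pull the sender's MAC out of every RA
and list the ones that are not the expected gateway. Packets below are
constructed for the example (no real capture); the ICMPv6 checksum is left
at zero and not verified. The allow-list MAC is an assumption.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134      # ICMPv6 type, RFC 4861 section 4.2
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def mac_from_eui64(addr):
    """Recover the MAC from a link-local address built by EUI-64 (RFC 4291).
    Returns None for privacy/random interface identifiers, which Windows
    uses by default, so the SLLA option is the primary source."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def parse_ra(pkt):
    """Parse a raw IPv6 packet; return RA fields, or None if it is not an RA."""
    if len(pkt) < IPV6_HDR_LEN + 16 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[IPV6_HDR_LEN:]
    if icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    # type, code, checksum, cur hop limit, flags, router lifetime (seconds)
    _, _, _, _, _, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    ra = {"src": str(src), "router_lifetime": lifetime, "mac": None, "prefixes": []}
    pos = 16                     # options start after the 16-byte RA header
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8   # length in 8-byte units
        if olen == 0 or pos + olen > len(icmp):
            break                # malformed option; stop instead of looping
        body = icmp[pos + 2:pos + olen]
        if otype == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        pos += olen
    if ra["mac"] is None:        # no SLLA option: try the source address
        ra["mac"] = mac_from_eui64(src)
    return ra


def find_rogue_ras(packets, allowed_macs):
    """RAs that offer themselves as a default router (lifetime > 0) from a
    MAC that is not on the allow-list. An RA with lifetime 0 only withdraws
    a router and is not flagged."""
    allowed = {m.lower() for m in allowed_macs}
    return [ra for ra in map(parse_ra, packets)
            if ra and ra["router_lifetime"] > 0 and ra["mac"] not in allowed]


def build_ra(src_mac, prefix, lifetime, slla=True):
    """Construct an IPv6 packet carrying an RA (sample input, not captured)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    iid = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]
    src = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)
    dst = ipaddress.IPv6Address("ff02::1")       # all-nodes multicast
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    if slla:
        icmp += bytes([OPT_SOURCE_LLADDR, 1]) + mac
    net = ipaddress.IPv6Network(prefix)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    return hdr + src.packed + dst.packed + icmp


ALLOWED_ROUTERS = {"00:11:22:33:44:55"}          # assumed MAC of the real gateway
SAMPLE_PACKETS = [                               # constructed, not captured
    build_ra("00:11:22:33:44:55", "2001:db8:1::/64", lifetime=1800),
    build_ra("aa:bb:cc:dd:ee:ff", "2001:db8:1::/64", lifetime=1800),  # rogue
    build_ra("aa:bb:cc:dd:ee:01", "2001:db8:1::/64", lifetime=1800, slla=False),  # rogue, MAC via EUI-64
    build_ra("aa:bb:cc:dd:ee:02", "2001:db8:1::/64", lifetime=0),     # withdrawal only
]

if __name__ == "__main__":
    for ra in find_rogue_ras(SAMPLE_PACKETS, ALLOWED_ROUTERS):
        print(f"rogue RA from {ra['src']} ({ra['mac']}) advertising {ra['prefixes']}")
```

On a real network you would feed `parse_ra` the IPv6 payload of frames captured with a raw socket or read from a pcap; the Ethernet source MAC of the frame is a third, independent source for the sender and should agree with the SLLA option.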
On 09/10/2016 10:01 AM, James Knott wrote:
On 09/10/2016 12:46 PM, Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network. First off, use Wireshark to determine the MAC address of the device sending out those RAs. Once you've found that computer, you can configure it properly (or toss it out the Windows <g>).
Also, forget about NAT as a firewall. You should be relying only on a properly configured stateful firewall for both IPv4 and IPv6. You can have firewalls on both the router and hosts.
Yes, but I'm not getting paid to police my customer's network looking for knuckleheads. Then there's the bad actor problem that might be harder to discover.

Yes, I use a good stateful firewall (ZyXel) and am not using NAT as the firewall. I've got specific ACLs between WAN/LAN and between subnets on the LAN side. Further, I've got a separate WiFi router with separate SSIDs for authorized access and IoT devices.

WiFi connections, especially from IoT devices, are almost by default insecure. What prevents a bad actor from hacking into my wireless network and installing a rogue IPv6 router? My routing tables are cast in concrete with IPv4 and MITMs are very unlikely.

Basically, can IPv6 router discovery be turned off? Nothing makes me happier than a nice static route!

Regards, Lew
On Saturday 10 September 2016 21:03:18 Lew Wolfgang wrote:
On 09/10/2016 10:01 AM, James Knott wrote:
On 09/10/2016 12:46 PM, Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
First off, use Wireshark to determine the MAC address of the device sending out those RAs. Once you've found that computer, you can configure it properly (or toss it out the Windows <g>).
Also, forget about NAT as a firewall. You should be relying only on a properly configured stateful firewall for both IPv4 and IPv6. You can have firewalls on both the router and hosts.
Yes, but I'm not getting paid to police my customer's network looking for knuckleheads. Then there's the bad actor problem that might be harder to discover.
Yes, I use a good stateful firewall (ZyXel) and am not using NAT as the firewall. I've got specific ACL's between WAN/LAN and between subnets on the LAN side. Further, I've got a separate Wifi router with separate SSID's for authorized access and IOT devices.
Wifi connections, especially from IOT devices, are almost by default insecure. What prevents a bad actor from hacking into my wireless network and installing a rogue IPv6 router? My routing tables are cast in concrete with IPv4 and MITM's are very unlikely.
Basically, can IPv6 router discovery be turned off? Nothing makes me happier than a nice static route!
echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra

But I don't think it makes sense to accept the prefix but not the router.
Regards, Lew
On 09/10/2016 04:28 PM, Rüdiger Meier wrote:
That might be a possibility for accidental misconfigurations. But it doesn't address the overall security of an IPv6-only network that might contain a bad actor or two.
Maybe you are overvaluing the "ipv4 security". What would happen within your LAN if you had two dhcp servers? Is your network protected against arp-spoofing?
Very true, Rüdiger. But isn't it also true that IPv4, being a simpler protocol, is easier to lock down? After all, you have to "enable" dhcp in IPv4, while you have to "disable" RA in IPv6. dhcp was added to v4, while RA was baked into v6.
I don't see that ipv6 has any issue which is not an issue on IPv4 too. For me it looks like your only real problem are these particular existing multiple ipv6 routers within your LAN. I guess if you really want to be more secure then you would also need to review your ipv4 setup.
If you are happy with usual ipv4/dhcp setup then you should also be happy with ipv6/dhcpv6 (disable ipv6 autoconfig).
Indeed. What exactly does net.ipv6.conf.all.autoconf=0 disable? Neighbor discovery? Router advertisements? Would there be any side effects?

Regards, Lew
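Neither the accept_ra command a few messages up nor the autoconf question just above is answered on this page, so here is an added example (not code from the thread or from SUSE) that encodes what the per-interface Linux IPv6 sysctls actually gate: accept_ra decides whether RAs are processed at all (and, at its default of 1, only while forwarding is off), accept_ra_defrtr whether the default route is taken from the RA, accept_ra_pinfo whether the Prefix Information option is processed, and autoconf whether SLAAC addresses are formed from it. Neighbour discovery proper (NS/NA) is not touched by any of them. It also renders a sysctl.d fragment for a static-only host. Live values are read from /proc when present; the SAMPLE dict is constructed.

```python
"""What a host still takes from Router Advertisements, sysctl by sysctl.

Added example, not from the thread. It encodes the meaning of the
per-interface IPv6 sysctls asked about above (accept_ra, autoconf and the
finer-grained accept_ra_* knobs) and renders a sysctl.d fragment for a
host that should run on static IPv6 configuration only. Live values are
read from /proc when running on Linux; SAMPLE is constructed for offline use.
"""
from pathlib import Path

KNOBS = ("forwarding", "accept_ra", "autoconf",
         "accept_ra_defrtr", "accept_ra_pinfo", "accept_ra_rtr_pref")
# Kernel defaults, used when a key is missing from the input.
DEFAULTS = {"forwarding": 0, "accept_ra": 1, "autoconf": 1,
            "accept_ra_defrtr": 1, "accept_ra_pinfo": 1, "accept_ra_rtr_pref": 1}


def read_live(iface):
    """Current values for one interface from /proc/sys/net/ipv6/conf/<iface>."""
    base = Path("/proc/sys/net/ipv6/conf") / iface
    return {k: int((base / k).read_text()) for k in KNOBS if (base / k).exists()}


def ra_policy(values):
    """Translate raw sysctl values into what the host does with an RA."""
    v = {**DEFAULTS, **values}
    # accept_ra=1 honours RAs only while forwarding is off; a host that turns
    # forwarding on silently stops listening unless accept_ra=2.
    listens = v["accept_ra"] == 2 or (v["accept_ra"] == 1 and v["forwarding"] == 0)
    pinfo = listens and v["accept_ra_pinfo"] == 1
    return {
        # neighbour discovery itself (NS/NA) is unaffected by any of these
        "accepts_ra": listens,
        # default route from the RA's router lifetime field
        "installs_default_route": listens and v["accept_ra_defrtr"] == 1,
        # on-link prefixes from the Prefix Information option
        "learns_onlink_prefixes": pinfo,
        # SLAAC addresses: needs the prefix AND autoconf
        "forms_slaac_address": pinfo and v["autoconf"] == 1,
        # RFC 4191 router preference / more-specific routes
        "learns_rfc4191_routes": listens and v["accept_ra_rtr_pref"] == 1,
    }


def render_sysctl_conf(ifaces):
    """sysctl.d fragment for static-only hosts. Existing interfaces need their
    own entry: 'default' only seeds interfaces created later, and 'all' does
    not propagate accept_ra to interfaces that already exist."""
    lines = ["# Ignore Router Advertisements; addresses and routes are static."]
    for name in ("default", *ifaces):
        lines.append(f"net.ipv6.conf.{name}.accept_ra = 0")
        lines.append(f"net.ipv6.conf.{name}.autoconf = 0")
    return "\n".join(lines) + "\n"


SAMPLE = {"forwarding": 0, "accept_ra": 1, "autoconf": 1,   # constructed: stock desktop
          "accept_ra_defrtr": 1, "accept_ra_pinfo": 1, "accept_ra_rtr_pref": 1}

if __name__ == "__main__":
    import sys
    iface = sys.argv[1] if len(sys.argv) > 1 else None
    values = read_live(iface) if iface else SAMPLE
    for k, on in ra_policy(values).items():
        print(f"{k:24s} {'yes' if on else 'no'}")
    print(render_sysctl_conf([iface or "eth0"]))
```

The answer to the question above falls out of `ra_policy`: autoconf=0 alone still accepts the RA, still installs the rogue box as default router and still learns its on-link prefixes; it only stops the host from giving itself an address out of the advertised prefix. Only accept_ra=0 (per interface) makes the host ignore the rogue RA entirely.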
On Saturday, 10 September 2016 9:46:04 AM ACST Lew Wolfgang wrote:
Hi Folks,
[...] So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
Has SUSE addressed this issue? Tell me I don't have to worry about it!
Regards, Lew
Exactly the same security principles apply to IPv6 as to IPv4. Especially given that every ISP-issued IPv6 address is a public IP address, the only way to go is to have a properly configured firewall (either in the router or separately) between your internal network and the outside world; preferably one that supports stateful packet inspection that will only allow traffic through that is part of a connected stream where the connection was originated from inside your network.

It doesn't hurt to have your wifi on its own subnet with another firewall (or, at the very least, ACLs on the router and/or access point) between the wifi and wired portions of your network. Having properly secured wifi with appropriately long encryption keys and certificate-based client authentication controlled by a properly configured authentication server (either RADIUS or TACACS+) doesn't hurt either.

If you absolutely must allow connections from the outside world, using certificate-based authentication and locking that access down to only the ports absolutely required will help maintain security. For my network, I allow only IMAPS, ssh and SIP (for VoIP) through - everything else is blocked.

Oh, yes - make sure your router and/or firewall are configured to log (at the very least) anything that is blocked and check the logs regularly.

Rodney.
-- Rodney Baker VK5ZTV rodney.baker@iinet.net.au
On 09/10/2016 01:08 PM, Rodney Baker wrote:
It doesn't hurt to have your wifi on its own subnet with another firewall (or, at the very least, ACLs on the router and/or access point) between the wifi and wired portions of your network. Having properly secured wifi with appropriately long encryption keys and certificate-based client authentication controlled by a properly configured authentication server (either RADIUS or TACACS+) doesn't hurt either.
I used to do that, back in the days of 802.11b and WEP. However, since I now use WPA2, with a 63 random character password, my WiFi is on the same subnet as my main network. I used the password generator at www.grc.com.
On 09/11/2016 12:43 AM, James Knott wrote:
On 09/10/2016 01:08 PM, Rodney Baker wrote:
It doesn't hurt to have your wifi on its own subnet with another firewall (or, at the very least, ACLs on the router and/or access point) between the wifi and wired portions of your network. Having properly secured wifi with appropriately long encryption keys and certificate-based client authentication controlled by a properly configured authentication server (either RADIUS or TACACS+) doesn't hurt either.
I used to do that, back in the days of 802.11b and WEP. However, since I now use WPA2, with a 63 random character password, my WiFi is on the same subnet as my main network. I used the password generator at www.grc.com.
Perhaps more generically, and for KDE users, there is a widget you can have on-screen or in the edge panel that generates random readable passwords of any length. The default length is 10 characters; I reset that to a minimum of 16 for use on web sites that require a password. Yes it can also generate 63 character ones. I also use a password manager to remember them. This is what technology is for!
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
Anton Aylward composed on 2016-09-11 01:02 (UTC-0400):
Perhaps more generically, and for KDE users,there is a a widget you can have on-screen or in the edge panel that generates random readable passwords... I also use a password manager to remember them.
This is what technology is for!
How does this work out for those who can't limit themselves to only one login on only one computer, or nearly so?
-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On 09/11/2016 01:50 AM, Felix Miata wrote:
Anton Aylward composed on 2016-09-11 01:02 (UTC-0400):
Perhaps more generically, and for KDE users,there is a a widget you can have on-screen or in the edge panel that generates random readable passwords... I also use a password manager to remember them.
This is what technology is for!
How does this work out for those who can't limit themselves to only one login on only one computer, or nearly so?
I'm sure if you use only one computer EVER and only have one login account on the single computer EVER then you can probably remember your password or pass-phrase without the assistance of a device. I do wonder though, how common that is these days.
On 09/11/2016 08:15 AM, James Knott wrote:
On 09/11/2016 01:02 AM, Anton Aylward wrote:
I also use a password manager to remember them.
You can't remember a 63 random character password??? ;-)
I'll be perfectly honest with you, James, I can't remember all the couple of dozen 16-character passwords I use. Perhaps being forced to change them every 90 days or so according to corporate policy has something to do with that. This is one reason I prefer to use SSH and certificates, but websites insist on passwords. Perhaps you'd prefer it if sites used easier to remember 4 or 8 character passwords and never changed them?
On 2016-09-10 at 09:46 -0700, Lew Wolfgang wrote:
I've encountered the situation where misconfigured Windows systems will advertise themselves as an IPv6 router. They then happily accept traffic and drop it all silently on the floor. This problem doesn't seem to bother other Windows boxes too much, but it absolutely kills SSH connections. SSH preferentially tries IPv6 port 22, which when sent to a dumb Windows box results in very long hangups and connection failures.
Configure gai.conf to prefer IPv4 connections :-? There is a comment in the file that says what to do.
-- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
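The comment Carlos refers to is the one in /etc/gai.conf that lists glibc's built-in precedence table and says to change its last line to `precedence ::ffff:0:0/96 100` for sites that prefer IPv4. The following is an added example, not code from the thread or from glibc: it models only the precedence rule (Rule 6 of RFC 6724) of the destination sorting getaddrinfo() performs, ignoring the other rules (scope, reachability, native vs. tunnel, longest matching prefix), which is enough to show why that one line makes ssh try the A record before the AAAA record. The resolver answers are constructed.

```python
"""Model the precedence rule behind gai.conf's "prefer IPv4" comment.

Added example, not from the thread. Only Rule 6 (precedence) of the
destination address sorting that getaddrinfo() performs (RFC 6724, glibc
gai.conf) is modelled here; the other rules (scope, reachability, native
vs. tunnel, longest matching prefix) are ignored. It shows why the line
suggested in gai.conf's own comment makes ssh try the A record before the
AAAA record. Sample addresses are constructed.
"""
import ipaddress

# glibc's built-in table, as listed in the comments of /etc/gai.conf
DEFAULT_GAI_CONF = """\
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence  ::/96         20
precedence  ::ffff:0:0/96 10
"""

# gai.conf: "For sites which prefer IPv4 connections change the last line to
# precedence ::ffff:0:0/96 100". The whole table must be present, because any
# explicit precedence line replaces the built-in table instead of extending it.
PREFER_IPV4_GAI_CONF = DEFAULT_GAI_CONF.replace("::ffff:0:0/96 10\n", "::ffff:0:0/96 100\n")


def parse_precedence(text):
    """[(IPv6Network, value)] from gai.conf text; built-in table if none given."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "precedence" and len(args) == 2:
            table.append((ipaddress.IPv6Network(args[0]), int(args[1])))
    return table if table else parse_precedence(DEFAULT_GAI_CONF)


def as_v6(addr):
    """getaddrinfo compares IPv4 answers as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    a = ipaddress.ip_address(addr)
    return a if a.version == 6 else ipaddress.IPv6Address(f"::ffff:{a}")


def precedence(addr, table):
    """Value of the longest prefix in the table that contains addr."""
    v6 = as_v6(addr)
    matches = [(net.prefixlen, value) for net, value in table if v6 in net]
    return max(matches)[1] if matches else 0


def sort_destinations(addrs, gai_conf=DEFAULT_GAI_CONF):
    """Order resolver answers by precedence, highest first (stable for ties)."""
    table = parse_precedence(gai_conf)
    return sorted(addrs, key=lambda a: precedence(a, table), reverse=True)


RESOLVED = ["192.0.2.22", "2001:db8::22"]   # constructed A and AAAA answers for one host

if __name__ == "__main__":
    print("default   :", sort_destinations(RESOLVED))
    print("prefer v4 :", sort_destinations(RESOLVED, PREFER_IPV4_GAI_CONF))
```

Note what this does and does not buy you: the rogue RA still installs a default route and ssh still falls back to the AAAA address when the IPv4 connection fails, so this only hides the symptom for the accidental case; it does nothing against a deliberate MITM on the link.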
On 09/10/2016 10:42 AM, Carlos E. R. wrote:
On 2016-09-10 at 09:46 -0700, Lew Wolfgang wrote:
I've encountered the situation where misconfigured Windows systems will advertise themselves as an IPv6 router. They then happily accept traffic and drop it all silently on the floor. This problem doesn't seem to bother other Windows boxes too much, but it absolutely kills SSH connections. SSH preferentially tries IPv6 port 22, which when sent to a dumb Windows box results in very long hangups and connection failures.
Configure gai.conf to prefer IPv4 connections :-?
There is a comment in the file that says what to do.
That might be a possibility for accidental misconfigurations. But it doesn't address the overall security of an IPv6-only network that might contain a bad actor or two.

"We have a known vulnerability, but it requires a local compromise to be leveraged. We're safe!" What could possibly go wrong?

Here's an interesting slide show entitled "IPv6 Attack and Defense Strategies": https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schaefer-Worksho...

I like page 39: "On the local link we're all brothers!"

It also says:

* Simple Rule: the higher the complexity of a communications act the higher the cost of keeping state of it.
* IPv6 has a high degree of complexity...

and

* We're very interested to see how vendors of stateful firewalls will handle scenarios like "single infected machine sitting in a broadband /64 and establishing valid connections to web server from many many random source addresses". BCP 38 won't solve this.

I didn't read the whole thing yet. But it makes me feel MUCH more secure and happy on my simple home natted IPv4-only network.

Maybe I should rephrase the question: What has SUSE done to address the known IPv6 security issue described by RFC 6104 and others?

Regards, Lew
On Saturday 10 September 2016 21:35:18 Lew Wolfgang wrote:
On 09/10/2016 10:42 AM, Carlos E. R. wrote:
On 2016-09-10 at 09:46 -0700, Lew Wolfgang wrote:
I've encountered the situation where misconfigured Windows systems will advertise themselves as an IPv6 router. They then happily accept traffic and drop it all silently on the floor. This problem doesn't seem to bother other Windows boxes too much, but it absolutely kills SSH connections. SSH preferentially tries IPv6 port 22, which when sent to a dumb Windows box results in very long hangups and connection failures.
Configure gai.conf to prefer IPv4 connections :-?
There is a comment in the file that says what to do.
That might be a possibility for accidental misconfigurations. But it doesn't address the overall security of an IPv6-only network that might contain a bad actor or two.
Maybe you are overvaluing the "ipv4 security". What would happen within your LAN if you had two dhcp servers? Is your network protected against arp-spoofing? I don't see that ipv6 has any issue which is not an issue on IPv4 too. For me it looks like your only real problem are these particular existing multiple ipv6 routers within your LAN. I guess if you really want to be more secure then you would also need to review your ipv4 setup. If you are happy with usual ipv4/dhcp setup then you should also be happy with ipv6/dhcpv6 (disable ipv6 autoconfig). Personally I'm using static setup for both ipv4 and ipv6 (except for guest WiFi). But I know that even this is not "secure" on the IP layer, because my colleagues have access to the cables...
"We have a known vulnerability, but it requires a local compromise to be leveraged. We're safe!" What could possibly go wrong?
Here's an interesting slide show entitled "IPv6 Attack and Defense Strategies":
https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schaefer-Worksh op-Slides.pdf
I like page 39: "On the local link we're all brothers!"
It also says:
* Simple Rule: the higher the complexity of a communications act the higher the cost of keeping state of it.
* IPv6 has a high degree of complexity...
and
* We’re very interested to see how vendors of stateful firewalls will handle scenarios like “single infected machine sitting in a broadband /64 and establishing valid connections to web server from many many random source addresses”. BCP 38 won’t solve this.
I didn't read the whole thing yet. But it makes me feel MUCH more secure and happy on my simple home natted IPv4-only network.
Maybe I should rephrase the question:
What has SUSE done to address the known IPv6 security issue described by RFC 6104 and others?
Regards, Lew
On 09/10/2016 03:35 PM, Lew Wolfgang wrote:
That might be a possibility for accidental misconfigurations. But it doesn't address the overall security of an IPv6-only network that might contain a bad actor or two. "We have a known vulnerability, but it requires a local compromise to be leveraged. We're safe!" What could possibly go wrong?
How does that differ from a bad actor on IPv4? There you might have someone spoofing an address or arping the wrong MAC.
On 09/10/2016 01:42 PM, Carlos E. R. wrote:
Configure gai.conf to prefer IPv4 connections :-?
Perhaps you should be advising people to find and correct the problem, instead of preferring IPv4.
On 09/10/2016 09:44 PM, James Knott wrote:
On 09/10/2016 01:42 PM, Carlos E. R. wrote:
Configure gai.conf to prefer IPv4 connections :-?
Perhaps you should be advising people to find and correct the problem, instead of preferring IPv4.
The point I was trying to make is that IPv6 seems so flawed by design that there's an RFC on the topic. Windows users can generate a Denial of Service on a subnet just by turning on ICS. If DoS and MITM can be done accidentally by regular users, think of the fun a dedicated intruder could have.

Sure, v4 is susceptible to rogue DHCP servers and ARP poisoning, but I've been using it since 1986 and I never had a rogue router DoS problem. It takes a dedicated actor to DoS a v4 subnet, while v6 requires only a clueless Windows user.

To rephrase my original question: has SUSE done anything to mitigate the rogue RA threat? Is it even possible to mitigate without causing collateral damage? I'm certainly not an expert here...

Regards, Lew
Lew Wolfgang wrote:
To rephrase my original question: has SUSE done anything to mitigate the rogue RA threat? Is it even possible to mitigate without causing collateral damage? I'm certainly not an expert here...
How significant is that threat for a typical openSUSE user? If it's a genuine threat, I would certainly expect some mitigating features in SLES.
-- Per Jessen, Zürich (19.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 2016-09-11 at 09:28 +0200, Per Jessen wrote:
Lew Wolfgang wrote:
To rephrase my original question: has SUSE done anything to mitigate the rogue RA threat? Is it even possible to mitigate without causing collateral damage? I'm certainly not an expert here...
How significant is that threat for a typical openSUSE user? If it's a genuine threat, I would certainly expect some mitigating features in SLES.
Unknown. You need a mixed local network. Mixed as in Windows-Linux machines, but being IPv6. Then you can find the problem, because it only needs a random Windows user activating the wrong option. Apparently a Windows machine can be told (I don't know where exactly) to advertise itself as a router. But in fact, it can not route, so it accepts packets which end nowhere, killing connections.
-- Cheers Carlos E. R.
On 09/11/2016 09:48 AM, Carlos E. R. wrote:
Unknown. You need a mixed local network. Mixed as in Windows-Linux machines, but being IPv6. Then you can find the problem, because it only needs a random Windows user activating the wrong option.
That sort of thing generally requires admin rights and in the corporate world, most users are restricted to mere mortal status. On the other hand many home (and some business) users run with admin rights, because they don't know any better and simply use the admin account that comes with the computer.
Carlos E. R. wrote:
On 2016-09-11 at 09:28 +0200, Per Jessen wrote:
Lew Wolfgang wrote:
To rephrase my original question: has SUSE done anything to mitigate the rogue RA threat? Is it even possible to mitigate without causing collateral damage? I'm certainly not an expert here...
How significant is that threat for a typical openSUSE user? If it's a genuine threat, I would certainly expect some mitigating features in SLES.
Unknown. You need a mixed local network. Mixed as in Windows-Linux machines, but being IPv6. Then you can find the problem, because it only needs a random Windows user activating the wrong option.
Which presumably means an authorized, but incompetent Windows user? Okay, that's a significant risk. My advice - just disable Windows :-)
-- Per Jessen, Zürich (25.8°C)
On 2016-09-11 at 16:18 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Unknown. You need a mixed local network. Mixed as in Windows-Linux machines, but being IPv6. Then you can find the problem, because it only needs a random Windows user activating the wrong option.
Which presumably means an authorized, but incompetent Windows user?
Yep. As James says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Okay, that's a significant risk. My advice - just disable Windows :-)
LOL. But I guess that Linux machines can be configured that way as well.
-- Cheers Carlos E. R.
Carlos E. R. wrote:
On 2016-09-11 at 16:18 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Unknown. You need a mixed local network. Mixed as in Windows-Linux machines, but being IPv6. Then you can find the problem, because it only needs a random Windows user activating the wrong option.
Which presumably means an authorized, but incompetent Windows user?
Yep. As James says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
Okay, that's a significant risk. My advice - just disable Windows :-)
LOL.
But I guess that Linux machines can be configured that way as well.
Only with root access and by installing and starting radvd. (there might be other daemons, we use radvd).
-- Per Jessen, Zürich (26.1°C)
On 2016-09-11 at 16:45 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Which presumably means an authorized, but incompetent Windows user?
Yep. As james says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
But they don't shoot their own foot, but the foot of others. In this case, Linux users in the same network.
-- Cheers Carlos E. R.
Carlos E. R. wrote:
On 2016-09-11 at 16:45 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Which presumably means an authorized, but incompetent Windows user?
Yep. As james says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
But they don't shoot their own foot, but the foot of others. in this case, Linux users in the same network.
In a business setting, whoever it was that allowed common users admin access to Windows is an incompetent idiot.
-- Per Jessen, Zürich (26.4°C)
On 2016-09-11 at 17:36 +0200, Per Jessen wrote:
Carlos E. R. wrote:
But they don't shoot their own foot, but the foot of others. in this case, Linux users in the same network.
In a business setting, whoever it was that allowed common users admin access to Windows is an incompetent idiot.
Well, I have worked in small sites that don't have any IT personnel, but do use computers. Often they do their own setup as much as they can. Maybe they hire a shop that comes once a month or on call when a disaster happens. Or maybe some office worker "knows computers" and does it, in the hours that he can get out of his normal duties. Or the boss calls in his son, when he gets home from school.
-- Cheers Carlos E. R.
Carlos E. R. wrote:
On 2016-09-11 at 17:36 +0200, Per Jessen wrote:
Carlos E. R. wrote:
But they don't shoot their own foot, but the foot of others. in this case, Linux users in the same network.
In a business setting, whoever it was that allowed common users admin access to Windows is an incompetent idiot.
Well, I have worked in small sites that don't have any IT personnel, but do use computers. Often they do their own setup as much as they can. Maybe they hire a shop that comes once a month or on call when a disaster happens. Or maybe some office worker "knows computers" and does it, in the hours that he can get out of his normal duties. Or the boss calls in his son, when he gets home from school.
Doesn't change my opinion. If people think they can get away with asking a 14 year old to do the job of a professional, they've only got themselves to blame. I know this sort of thing goes on of course, but that does not make it a best practice. Anyway, the issue Lew brought up wouldn't be a problem, because you don't have IPv6 in Spain :-) -- Per Jessen, Zürich (26.5°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/11/2016 12:03 PM, Per Jessen wrote:
Doesn't change my opinion. If people think they can get away with asking a 14 year old to do the job of a professional, they've only got themselves to blame. I know this sort of thing goes on of course, but that does not make it a best practice.
This brings up an interesting point. Last week, I set up a VoIP system for a small company. I noticed that they're getting IPv6 from the ISP, but they didn't know it until I told them. I wonder if their IT guy is up to speed on IPv6. He was due in after I had finished, so I never met him. There are a lot of IT "professionals" who are ignorant or even hostile to IPv6. They will not be so competent if they're not prepared to work with IPv6.
On 2016-09-11 at 12:15 -0400, James Knott wrote:
On 09/11/2016 12:03 PM, Per Jessen wrote:
Doesn't change my opinion. If people think they can get away with asking a 14 year old to do the job of a professional, they've only got themselves to blame. I know this sort of thing goes on of course, but that does not make it a best practice.
This brings up an interesting point. Last week, I set up a VoIP system for a small company. I noticed that they're getting IPv6 from the ISP, but they didn't know it until I told them. I wonder if their IT guy is up to speed on IPv6. He was due in after I had finished, so I never met him. There are a lot of IT "professionals" who are ignorant or even hostile to IPv6. They will not be so competent if they're not prepared to work with IPv6.
Indeed. I submitted myself to a three month training course on networking. IPv6 was not in the program. Only mentioned in passing. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/11/2016 02:38 PM, Carlos E. R. wrote:
Indeed. I submitted myself to a three month training course on networking. IPv6 was not in the program. Only mentioned in passing.
How long ago did you take that? If recent, you should ask for a refund. ;-) Any Cisco CCNA should know about IPv6 by now, if they've been maintaining their certification.
On 2016-09-11 at 14:55 -0400, James Knott wrote:
On 09/11/2016 02:38 PM, Carlos E. R. wrote:
Indeed. I submitted myself to a three month training course on networking. IPv6 was not in the program. Only mentioned in passing.
How long ago did you take that? If recent, you should ask for a refund. ;-)
Oh, I didn't pay for it, not personally. Except my taxes, I guess. It was in 2012.
Any Cisco CCNA should know about IPv6 by now, if they've been maintaining their certification.
I don't. Perhaps now they do, but not when I took it, perhaps 2010. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/11/2016 03:06 PM, Carlos E. R. wrote:
Any Cisco CCNA should know about IPv6 by now, if they've been maintaining their certification.
I don't. Perhaps now they do, but not when I took it, perhaps 2010.
So, you haven't maintained your certification. It has to be done every 3 years. You can either redo it or try a related certification, such as CCNA Wireless or a more senior certification.
On 2016-09-11 at 18:03 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Doesn't change my opinion. If people think they can get away with asking a 14 year old to do the job of a professional, they've only got themselves to blame. I know this sort of thing goes on of course, but that does not make it a best practice.
If they can hardly pay the salaries, they are not going to hire a proper IT chap...
Anyway, the issue Lew brought up wouldn't be a problem, because you don't have IPv6 in Spain :-)
LOL. You can actually get it if you are a business. Or if you are at the point of starting up, because then you ask several providers specifically for it, and thus get it. But... Years (perhaps a decade or two) ago, someone was setting up business. He wanted internet. So the dealer installed it. On each lab table he installed an ISDN connection. A full connection for each table. Clever, eh? You can't say we Spanish aren't clever. ;-) You could see the revenue ticking... -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-11 at 18:03 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Doesn't change my opinion. If people think they can get away with asking a 14 year old to do the job of a professional, they've only got themselves to blame. I know this sort of thing goes on of course, but that does not make it a best practice.
If they can hardly pay the salaries, they are not going to hire a proper IT chap...
So let the 14 year old do the IT, and he can do the book-keeping and the VAT report on his lunch break. Sure. We're straying off-topic, but not wanting to pay for IT means not realizing the value of it. That is a pity, but like I said, they've only got themselves to blame.
Anyway, the issue Lew brought up wouldn't be a problem, because you don't have IPv6 in Spain :-)
LOL. You can actually get it if you are a business. Or if you are at the point of starting up, because then you ask several providers specifically for it, and thus get it.
Hehe, I was only judging by the Akamai chart. Like you say, I'm sure IPv6 is available, even if not dished out by default.
Years (perhaps a decade or two) ago, someone was setting up business. He wanted internet. So the dealer installed it. On each lab table he installed an ISDN connection. A full connection for each table. Clever, eh? You can't say we Spanish aren't clever. ;-)
I guess they had a 14 year old in charge of IT :-) -- Per Jessen, Zürich (17.9°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2016-09-12 at 08:46 +0200, Per Jessen wrote:
Carlos E. R. wrote:
If they can hardly pay the salaries, they are not going to hire a proper IT chap...
So let the 14 year old do the IT, and he can do the book-keeping and the VAT report on his lunch break. Sure.
Nay, that's a serious thing for which they pay an external accountant office. They are not that dumb, LOL. Computers are kids game.
We're straying off-topic, but not wanting to pay for IT means not realizing the value of it. That is a pity, but like I said, they've only got themselves to blame.
Yes, I know. But it is real life, here at least.
Anyway, the issue Lew brought up wouldn't be a problem, because you don't have IPv6 in Spain :-)
LOL. You can actually get it if you are a business. Or if you are at the point of starting up, because then you ask several providers specifically for it, and thus get it.
Hehe, I was only judging by the Akamai chart. Like you say, I'm sure IPv6 is available, even if not dished out by default.
Right.
Years (perhaps a decade or two) ago, someone was setting up business. He wanted internet. So the dealer installed it. On each lab table he installed an ISDN connection. A full connection for each table. Clever, eh? You can't say we Spanish aren't clever. ;-)
I guess they had a 14 year old in charge of IT :-)
No, no one at that point. Just fell victim to a clever "IT dealer". Later came somebody else, scrapped all the ISDN connections save one, and installed a hub or switch. Actually, the first dealer "worked" for a phone company, and the second (friend of mine) for another. Of course they switched phone company. And all this happened months before actually commencing business. Months paying those phone bills with no activity. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
On 2016-09-12 at 08:46 +0200, Per Jessen wrote:
Carlos E. R. wrote:
If they can hardly pay the salaries, they are not going to hire a proper IT chap...
So let the 14 year old do the IT, and he can do the book-keeping and the VAT report on his lunch break. Sure.
Nay, that's a serious thing for which they pay an external accountant office. They are not that dumb, LOL. Computers are kids game.
If that's the attitude, I think they are beyond dumb. Ah well, let them be hit by Lew's $SUBJ issue then and have the 14-year old diagnose it. -- Per Jessen, Zürich (27.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 11/09/2016 at 17:53, Carlos E. R. wrote:
it, in the hours that he can get out of his normal duties. Or the boss calls in his son, when he gets home from school.
LoL jdd
On 09/11/2016 08:36 AM, Per Jessen wrote:
Carlos E. R. wrote:
On 2016-09-11 at 16:45 +0200, Per Jessen wrote:
Carlos E. R. wrote:
Which presumably means an authorized, but incompetent Windows user?
Yep. As James says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
But they don't shoot their own foot, but the foot of others; in this case, Linux users in the same network.
In a business setting, whoever it was that allowed common users admin access to Windows is an incompetent idiot.
Well, this was in a research environment where a scientist's desktop was in reality a laboratory instrument. User admin access was required in many cases. This organization has also been on the forefront of IPv6 deployment, I believe it's been dual-stacked for more than ten years. They were operating v6 before dhcpv6 was available. But the fact remains you can't excuse IPv6's default router insecurity by criticizing users' methods and processes. Rogue router advertisements are an issue, and that is a fact. IPv6's complexity is another issue. Security is inversely proportional to complexity, right? I guess my question has been indirectly answered. Regards, Lew
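The rogue-RA problem Lew describes, as an added example that is not part of the thread: a small parser for ICMPv6 Router Advertisements that enforces the RFC 4861 receipt checks (hop limit 255, link-local source, checksum, option lengths) and then flags any RA whose source/MAC pair is not on an operator-maintained allow-list. The allow-list, the addresses and the sample frames are constructed for this example; on a real link you would feed it frames captured from the interface.

```python
"""Flag rogue IPv6 Router Advertisements (RFC 4861 / RFC 6104) in raw frames.
Added example, not code from the thread; allow-list and sample frames are constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6 = 58
ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_SRC_LLADDR = 1       # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option
# Constructed allow-list: (link-local source, MAC) of the router that really serves this link.
LEGIT_ROUTERS = {("fe80::1", "02:00:00:00:00:01")}

@dataclass
class RouterAdvert:
    src: str
    router_lifetime: int            # 0 means "do not use me as a default router"
    lladdr: Optional[str]
    prefixes: List[str] = field(default_factory=list)

def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    data = src + dst + struct.pack("!IxxxB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ra(pkt: bytes) -> RouterAdvert:
    """Parse an IPv6 frame carrying an RA; raise ValueError if RFC 4861 says to discard it."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", pkt, 4)
    src, dst = pkt[8:24], pkt[24:40]
    icmp = pkt[40:40 + payload_len]
    if next_hdr != ICMPV6 or len(icmp) < 16 or icmp[0] != ICMPV6_RA or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    if hop_limit != 255:
        raise ValueError("hop limit != 255: forwarded, not on-link")
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source is not link-local")
    if icmpv6_checksum(src, dst, icmp) != 0:
        raise ValueError("bad ICMPv6 checksum")
    router_lifetime = struct.unpack_from("!H", icmp, 6)[0]   # after type/code/csum/hoplimit/flags
    ra = RouterAdvert(str(ipaddress.IPv6Address(src)), router_lifetime, None)
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")     # RFC 4861: discard the whole packet
        opt = icmp[off:off + olen]
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra.lladdr = ":".join("%02x" % b for b in opt[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra.prefixes.append("%s/%d" % (ipaddress.IPv6Address(opt[16:32]), opt[2]))
        off += olen
    return ra

def classify(ra: RouterAdvert) -> str:
    """'legit' if the (source, MAC) pair is on the allow-list, otherwise 'rogue'."""
    return "legit" if (ra.src, ra.lladdr) in LEGIT_ROUTERS else "rogue"

def report(pkt: bytes) -> str:
    """One-line verdict for a frame, 'invalid: <reason>' if it fails the receipt checks."""
    try:
        ra = parse_ra(pkt)
    except ValueError as exc:
        return "invalid: %s" % exc
    return "%s: src=%s mac=%s lifetime=%ds prefixes=%s" % (
        classify(ra), ra.src, ra.lladdr, ra.router_lifetime, ra.prefixes)

def build_ra(src: str, mac: str, lifetime: int, prefix: str, hop_limit: int = 255) -> bytes:
    """Construct a sample IPv6 frame carrying an RA (test input only; nothing is sent)."""
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0, net.network_address.packed)
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0) + opts
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address("ff02::1").packed
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(s, d, icmp)) + icmp[4:]
    return struct.pack("!IHBB16s16s", 6 << 28, len(icmp), ICMPV6, hop_limit, s, d) + icmp

# Constructed samples: the real router, a misconfigured host posing as a router (the
# thread's Windows case), and an RA that arrived with a decremented hop limit.
SAMPLES = {
    "legit": build_ra("fe80::1", "02:00:00:00:00:01", 1800, "2001:db8:1::/64"),
    "rogue_host": build_ra("fe80::c0ff:ee00:1234:5678", "02:00:00:00:be:ef", 1800, "2001:db8:1::/64"),
    "off_link": build_ra("fe80::1", "02:00:00:00:00:01", 1800, "2001:db8:1::/64", hop_limit=64),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-10s %s" % (name, report(frame)))
```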
Lew Wolfgang wrote:
On 09/11/2016 08:36 AM, Per Jessen wrote:
On 2016-09-11 at 16:45 +0200, Per Jessen wrote:
Which presumably means an authorized, but incompetent Windows user?
Yep. As James says, decent corporate sites have an admin that does not allow normal staff to access. But many small sites do not have a Windows server or a full admin to do it.
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
Carlos E. R. wrote:
But they don't shoot their own foot, but the foot of others; in this case, Linux users in the same network.
In a business setting, whoever it was that allowed common users admin access to Windows is an incompetent idiot.
Well, this was in a research environment where a scientist's desktop was in reality a laboratory instrument. User admin access was required in many cases. This organization has also been on the forefront of IPv6 deployment, I believe it's been dual-stacked for more than ten years. They were operating v6 before dhcpv6 was available.
But the fact remains you can't excuse IPv6's default router insecurity by criticizing users' methods and processes. Rogue router advertisements are an issue, and that is a fact.
Fair enough, it is a fact, but how much of an issue is it? Is it something that someone here ought to address?
IPv6's complexity is another issue.
What complexity is that? I was going to put a smiley, but seriously, what complexity, Lew? The only added complexity I see is the length of an address. All we have added in terms of infrastructure - radvd and dhcpv6. Both are easy to configure. -- Per Jessen, Zürich (17.6°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/11/2016 11:39 PM, Per Jessen wrote:
IPv6's complexity is another issue.
What complexity is that? I was going to put a smiley, but seriously, what complexity, Lew? The only added complexity I see is the length of an address. All we have added in terms of infrastructure - radvd and dhcpv6. Both are easy to configure.
I actually lifted the complexity issue from the referenced blackhat link. https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schaefer-Worksho... It says in summary at one point:
Why IPv6 Security Is So Hard?
- Trust Model & Provisioning
- Crypto-Optimism
- Complexity
- The State Problem
- Stack Heterogeneity
- Attack / Defense Asymmetry
IPv6's Trust Model: On the local link we're all brothers.
Certainly taking functions that are provided by external modules in v4 and building them into a monolithic v6 adds complexity. The UNIX philosophy takes many small easily tested modules to build functionality. Everything in one package is the Micro$oft Way, and indeed, certain other contentious core Linux functionality that can't be named here. Then, there's added complexity at the user level. I'm thinking mainly of the requirement to run dual-stacked networks because not all hardware is v6 compatible. I'm sure that things will eventually get better when absolutely everything handles v6, but until then simplicity lives in the v4 natted world. Security is inversely proportional to Complexity, and dual stacked networks increase complexity. To illustrate by personal example, my home system uses a cable modem connected to a Zyxel router/firewall. The Zyxel is a cut above standard home commodity routers and allows full ACLs between subnet segments. I've got an Asus wifi hub on one isolated segment, which has its own rather good firewall and guest network capability. I've got ACLs set up so that certain protocols (ssh, ipp) can bridge the segments as appropriate. It's all v4 and nat, with default deny between the segments. This dialog caused me to check to see if my ISP even offers v6, they do! And so does the Zyxel. All I have to do is click a check box to turn on v6. I was tempted to do that this past weekend, but then reality started to sink in when I thought about all my devices having direct connection to the Internet. The ACLs between my segments might work, but they'd certainly have to be tested, and I didn't want to take the time to get started. I might also bork The Fetching Mrs. Wolfgang's Tivo connection, and that just wouldn't do. I've been working in IT and networking for decades, and I still claim to be ignorant of many things. How would Joe Six-pack or Grandma Noodle-Soup handle setting up their home v4/v6 dual stacked network? Or, is v6 a clever ruse by state actors to increase the Internet's attack surface? :-) Regards, Lew
Lew Wolfgang wrote:
Then, there's added complexity at the user level. I'm thinking mainly of the requirement to run dual-stacked networks because not all hardware is v6 compatible. I'm sure that things will eventually get better when absolutely everything handles v6, but until then simplicity lives in the v4 natted world. Security is inversely proportional to Complexity, and dual stacked networks increase complexity.
Okay, yes, that dual-stack could be seen as added complexity. I guess I was thinking more of the IPv6 protocol than the infrastructure, but it does make more sense to look at the overall picture. [snip]
This dialog caused me to check to see if my ISP even offers v6, they do! And so does the Zyxel. All I have to do is click a check box to turn on v6. I was tempted to do that this past weekend, but then reality started to sink in when I thought about all my devices having direct connection to the Internet. The ACLs between my segments might work, but they'd certainly have to be tested, and I didn't want to take the time to get started. I might also bork The Fetching Mrs. Wolfgang's Tivo connection, and that just wouldn't do. I've been working in IT and networking for decades, and I still claim to be ignorant of many things. How would Joe Six-pack or Grandma Noodle-Soup handle setting up their home v4/v6 dual stacked network?
Without great fanfare I suspect. The provider would take care of it, just as they did for IPv4. I see no reason why they shouldn't. Surely this is the typical firewall config in any average xDSL modem/router: IPv4+NAT - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a service, you need to configure port forwarding. (send port 80 to address 192.168.77.123). IPv6 - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a host/service, you need to open an address::port combo. (allow port 80 for 2001:db8:1711:45) Did I miss something? -- Per Jessen, Zürich (27.0°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/12/2016 08:32 AM, Per Jessen wrote:
Surely this is the typical firewall config in any average xDSL modem/router:
IPv4+NAT - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a service, you need to configure port forwarding. (send port 80 to address 192.168.77.123).
IPv6 - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a host/service, you need to open an address::port combo. (allow port 80 for 2001:db8:1711:45)
Did I miss something?
That sounds good, and I'd assume it will be so. But you certainly know where the devil lives! If this was easy wouldn't v6 switchover have been completed many years ago? I'll report on my adventures with my router when I get a chance to fiddle with it. Regards, Lew
Lew Wolfgang wrote:
On 09/12/2016 08:32 AM, Per Jessen wrote:
Surely this is the typical firewall config in any average xDSL modem/router:
IPv4+NAT - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a service, you need to configure port forwarding. (send port 80 to address 192.168.77.123).
IPv6 - all inbound ports blocked, only locally initiated traffic allowed. To enable external access to a host/service, you need to open an address::port combo. (allow port 80 for 2001:db8:1711:45)
Did I miss something?
That sounds good, and I'd assume it will be so. But you certainly know where the devil lives! If this was easy wouldn't v6 switchover have been completed many years ago?
I am certain it _is_ that easy, but the business case for moving to IPv6 seems to have remained stable, or maybe even slowly diminished. Despite the IPv4 pool having run out, it is not yet empty - unused IPv4 ranges are being discovered/returned etc. I'm not well-connected in the telco world, so I have no detailed knowledge, but when they're not actively pushing people to IPv6, I can only assume it means there are still sufficient IPv4 addresses.
I'll report on my adventures with my router when I get a chance to fiddle with it.
Let us know how it goes - that first traffic over IPv6 feels a little like the first time your 2400baud dial-up modem sync'ed. -- Per Jessen, Zürich (26.8°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/12/2016 01:24 PM, Per Jessen wrote:
I am certain it _is_ that easy, but the business case for moving to IPv6 seems to have remained stable, or maybe even slowly diminished. Despite the IPv4 pool having run out, it is not yet empty - unused IPv4 ranges are being discovered/returned etc. I'm not well-connected in the telco world, so I have no detailed knowledge, but when they're not actively pushing people to IPv6, I can only assume it means there is still sufficient IPv4 addresses.
There are other reasons to move to IPv6 beyond address space. For example, fixed length headers improve router performance. Multicast, instead of broadcast, reduces network traffic. Smaller routing tables at the top level (you may recall the problems a few years back with this on IPv4). There are others.
On 09/12/2016 10:45 AM, Lew Wolfgang wrote:
but until then simplicity lives in the v4 natted world. Security is inversely proportional to Complexity, and dual stacked networks increase complexity.
NAT adds complexity. For example it breaks some things such as IPSec Authentication Headers. We need VTUN servers to get around NAT and more.
On 09/11/2016 10:45 AM, Per Jessen wrote:
Then they're asking for it. No RFC or mitigating features can prevent an incompetent idiot from shooting himself in the foot. It is unfortunate, but any tool can become a hazard if operated by an incompetent or unskilled individual.
That problem can affect much more than IPv6.
On 09/11/2016 10:18 AM, Per Jessen wrote:
Which presumably means an authorized, but incompetent Windows user? Okay, that's a significant risk. My advice - just disable Windows :-)
Or disable the incompetent Windows user. ;-)
Lew Wolfgang wrote:
Hi Folks,
There seems to be a flurry of IPv6 talk going on,
My fault, I got a little fed up with all the disinformation flowing around - "just turn it off", "fix it in gai.conf", "it doesn't work", "can't be found in the wild", "breaks openSUSE", "ipv6 breaks home connectivity", "it's difficult to learn".
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
As others have already said, use a firewall for IPv6 just as you do with IPv4.
Has SUSE addressed this issue? Tell me I don't have to worry about it!
Which issue, Lew? Your router will presumably already have a firewall, so your devices are safe. -- Per Jessen, Zürich (18.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/11/2016 03:23 AM, Per Jessen wrote:
As others have already said, use a firewall for IPv6 just as you do with IPv4.
Indeed; some of us were around in the days before NAT, when the (admittedly few) universities and firms that were on the net all had directly connected hosts, just as James is saying will be the case with IPV6, simply because the IPV4 address space was so sparsely occupied. Even so, we had firewalls and access controls. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/11/2016 09:31 AM, Anton Aylward wrote:
On 09/11/2016 03:23 AM, Per Jessen wrote:
As others have already said, use a firewall for IPv6 just as you do with IPv4.
Indeed; some of us were around in the days before NAT, when the (admittedly few) universities and firms that were on the net all had directly connected hosts, just as James is saying will be the case with IPV6, simply because the IPV4 address space was so sparsely occupied.
Even so, we had firewalls and access controls.
I first heard of NAT at a computer show back in '96. It was with a box designed to connect via dial up. This was just about the time cable modems and ADSL were starting to appear and dial up was the usual connection method back then.
Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
Ditto. I freaked the first time I saw my shiny new Win7 box routing internal traffic out past my FW, using IPv6 tunneling over an IPV4 web-proxy to open IPV6 networking through a MS-ipv6 forwarder back several years ago. Ever since then I've been sure to disable IPV6 services in Windows and build my linux kernels w/o IPV6. Increased networking speed by about 5-10% too.
On 2016-09-13 18:07, Linda Walsh wrote:
Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network. --- Ditto. I freaked the first time I saw my shiny new Win7 box routing internal traffic out past my FW, using IPv6 tunneling over an IPV4 web-proxy to open IPV6 networking through a MS-ipv6 forwarder back several years ago.
That would be the theredo service. You can disable it. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/13/2016 06:01 PM, Carlos E. R. wrote:
That would be the theredo service. You can disable it.
Teredo https://en.wikipedia.org/wiki/Teredo_tunneling Also, if you disable IPv6 on Windows, you also disable Home Group networking.
James Knott wrote:
On 09/13/2016 06:01 PM, Carlos E. R. wrote:
That would be the theredo service. You can disable it.
Teredo https://en.wikipedia.org/wiki/Teredo_tunneling
Also, if you disable IPv6 on Windows, you also disable Home Group networking.
Um, and explain to me why I would want or need that? ;-)
James Knott wrote:
Do you honestly believe you have a hope of getting between MS and your personal data??? ;-)
Not so much lately. They've gone back to pure evil again -- one of the ways they are now working on moving Win7 users to Win10 is by issuing updates that disable functionality in Win7 (most recent, Win7 Journal). Earlier this year, they moved something else to the cloud. That update disabled the local util. Also down for the count, no recent versions of MS-OFFICE will install anymore --- had to go back and install Office 2k just to read some docs I received.
As for disabling IPv6, you're heading down the wrong path. More and more ISPs are providing IPv6 and some cell carriers are now native IPv6 and only provide IPv4 by large scale NAT or 464XLAT.
Mine already does -- good that I have a fixed-IP
It's far better you learn to work with it than pretend it doesn't exist.
It's on my list, but I have many other things of far greater importance. Porting my email sorting script to remove features made illegal in perl5.18, writing service-ctl scripts to auto-generate RC-scripts from the sasd config files (have a parser for them I wrote a year ago, but never got much farther than that)....several other random projects... I don't think my Domain name would work real well w/only IPv6 either. Not as good connectivity as w/ipv4.
On 09/14/2016 08:51 PM, Linda Walsh wrote:
I don't think my Domain name would work real well w/only IPv6 either. Not as good connectivity as w/ipv4.
What difference does domain name make WRT IPv4 vs IPv6? Mine works fine on both.
Clearing old posts, I noticed this old thread: On Tuesday, 2016-09-13 at 21:29 -0400, James Knott wrote:
On 09/13/2016 06:01 PM, Carlos E. R. wrote:
On Tuesday, 2016-09-13 at 09:07 -0700, Linda Walsh wrote:
Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
Ditto. I freaked the first time I saw my shiny new Win7 box routing internal traffic out past my FW, using IPv6 tunneling over an IPV4 web-proxy to open IPV6 networking through a MS-ipv6 forwarder back several years ago. Ever since then I've been sure to disable IPV6 services in Windows and build my linux kernels w/o IPV6. Increased networking speed by about 5-10% too.
That would be the Teredo service. You can disable it.
Teredo https://en.wikipedia.org/wiki/Teredo_tunneling
Also, if you disable IPv6 on Windows, you also disable Home Group networking.
Running Windows 10 as a virtual machine under Linux with vmplayer, I like to run "gkrellm" on it to see a bit of what it is doing.

Well, it displays two network devices: one is an Intel something that is the expected network interface, but another is "Teredo tunnel", which is IPv6 and is the one you mention above.

It is also displayed in the output of "ipconfig", with an address of 2001:0:...something, and another fe80::...

I believe it is used, for instance, for peer-to-peer sharing of updates, if enabled.

-- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On 12/27/2017 06:19 AM, Carlos E. R. wrote:
Also, if you disable IPv6 on Windows, you also disable Home Group networking. Running Windows 10 as a virtual machine under Linux with vmplayer, I like to run on it "gkrellm" to see a bit of what it is doing.
Well, it displays two network devices: one is an Intel something that is the expected network interface, but another is "Teredo tunnel", which is IPv6 and is the one you mention above.
It is also displayed in the output of "ipconfig", with an address of 2001:0:...something, and another fe80::...
I believe it is used, for instance, for peer to peer sharing of updates, if enabled.
Teredo is Microsoft's method of providing IPv6 to those with only IPv4. It creates a tunnel, where IPv6 packets are carried by IPv4 packets. I did similar for 6 years with a 6in4 tunnel. However, I have no experience with Teredo. https://en.wikipedia.org/wiki/Teredo_tunneling
On Wed, Dec 27, 2017 at 3:12 PM, James Knott <james.knott@rogers.com> wrote:
Teredo is Microsofts method
I was not aware that IETF is now owned by Microsoft. https://tools.ietf.org/html/rfc4380
On 12/27/2017 08:16 AM, Andrei Borzenkov wrote:
On Wed, Dec 27, 2017 at 3:12 PM, James Knott <james.knott@rogers.com> wrote:
Teredo is Microsoft's method
I was not aware that IETF is now owned by Microsoft.
Check the Wikipedia article I linked to: "Teredo is a temporary measure. In the long term, all IPv6 hosts should use native IPv6 connectivity. Teredo should be disabled when native IPv6 connectivity becomes available. Christian Huitema <https://en.wikipedia.org/wiki/Christian_Huitema> developed Teredo at Microsoft <https://en.wikipedia.org/wiki/Microsoft>, and the IETF <https://en.wikipedia.org/wiki/IETF> standardized it as RFC 4380 <https://tools.ietf.org/html/rfc4380>. The Teredo server listens on UDP <https://en.wikipedia.org/wiki/User_Datagram_Protocol> port 3544 <https://en.wikipedia.org/wiki/Well-known_ports>." Microsoft created it and submitted it to the IETF. Have you seen Teredo used on anything other than Microsoft products?
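An added example, not code from this thread: a small Python tool that turns the two concrete facts mentioned above, the 2001:0:... address Carlos saw in ipconfig and the UDP port 3544 quoted from the Wikipedia article, into something you can actually check. It decodes a Teredo address according to RFC 4380 section 4 (the server's IPv4, the cone-NAT flag, and the XOR-obfuscated external port and client IPv4 embedded in the address) and flags Teredo activity in flow records. The flow records are constructed for the example; the address 2001:0:4136:e378:8000:63bf:3fff:fdd2 is the commonly cited illustration (server 65.54.227.120, client 192.0.2.45, port 40000), not an observation from this thread.

```python
"""Decode Teredo addresses (RFC 4380 section 4) and flag Teredo traffic.

Teredo address layout (128 bits):
  bits   0- 31  prefix 2001:0000::/32
  bits  32- 63  IPv4 address of the Teredo server
  bits  64- 79  flags (0x8000 = client sits behind a cone NAT)
  bits  80- 95  client's external UDP port, XORed with 0xFFFF
  bits  96-127  client's external IPv4 address, XORed with 0xFFFFFFFF
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")
TEREDO_UDP_PORT = 3544  # Teredo servers and relays listen here (RFC 4380)


def is_teredo(addr: str) -> bool:
    """True if addr parses as IPv6 and lies inside 2001:0::/32."""
    try:
        return ipaddress.IPv6Address(addr) in TEREDO_PREFIX
    except ValueError:
        return False


def decode_teredo(addr: str) -> dict:
    """Recover server, NAT type, external port and external IPv4 from a Teredo address."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    b = a.packed  # 16 bytes in network order
    flags = int.from_bytes(b[8:10], "big")
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone_nat": bool(flags & 0x8000),
        "mapped_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def encode_teredo(server: str, client: str, mapped_port: int, cone_nat: bool = False) -> str:
    """Inverse of decode_teredo; useful for building known-answer tests."""
    flags = 0x8000 if cone_nat else 0x0000
    raw = (
        bytes.fromhex("20010000")
        + ipaddress.IPv4Address(server).packed
        + flags.to_bytes(2, "big")
        + (mapped_port ^ 0xFFFF).to_bytes(2, "big")
        + bytes(x ^ 0xFF for x in ipaddress.IPv4Address(client).packed)
    )
    return str(ipaddress.IPv6Address(raw))


def teredo_indicators(flows):
    """Return (flow, reasons) for every flow record that looks like Teredo."""
    hits = []
    for f in flows:
        reasons = []
        # Client <-> server qualification and client <-> relay traffic use UDP/3544.
        if f.get("proto") == "udp" and TEREDO_UDP_PORT in (f.get("sport"), f.get("dport")):
            reasons.append("udp/3544 server or relay traffic")
        # Anything carrying a 2001:0::/32 address is a Teredo client, whatever the port.
        for key in ("src6", "dst6"):
            if f.get(key) and is_teredo(f[key]):
                reasons.append(f"{key} inside 2001:0::/32")
        if reasons:
            hits.append((f, reasons))
    return hits


# Constructed sample flows for the example, not captured data.
SAMPLE_FLOWS = [
    {"proto": "udp", "src4": "192.0.2.45", "sport": 40000, "dst4": "65.54.227.120", "dport": 3544},
    {"proto": "tcp", "src4": "192.0.2.45", "sport": 51234, "dst4": "198.51.100.7", "dport": 443},
    {"proto": "tcp", "src6": "2001:0:4136:e378:8000:63bf:3fff:fdd2", "sport": 50000,
     "dst6": "2001:db8::1", "dport": 22},
    {"proto": "tcp", "src6": "fe80::1", "sport": 50001, "dst6": "2001:db8::2", "dport": 22},
]

if __name__ == "__main__":
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for flow, reasons in teredo_indicators(SAMPLE_FLOWS):
        print(flow, "->", ", ".join(reasons))
```

Why both checks: UDP/3544 catches the client talking to its Teredo server and to relays, but packets Teredo sends directly to another Teredo client go to whatever port that peer's NAT happened to map, so in firewall or netflow logs the prefix match is the more reliable indicator. If the goal is to close the hole Carlos describes rather than only to see it, the Windows side is `netsh interface teredo set state disabled`, and a host or edge firewall that drops outbound UDP to port 3544 stops the client from ever qualifying with a server in the first place.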
On Wednesday, 2017-12-27 at 07:12 -0500, James Knott wrote:
On 12/27/2017 06:19 AM, Carlos E. R. wrote:
Also, if you disable IPv6 on Windows, you also disable Home Group networking. Running Windows 10 as a virtual machine under Linux with vmplayer, I like to run on it "gkrellm" to see a bit of what it is doing.
Well, it displays two network devices: one is an Intel something that is the expected network interface, but another is "Teredo tunnel", which is IPv6 and is the one you mention above.
It is also displayed in the output of "ipconfig", with an address of 2001:0:...something, and another fe80::...
I believe it is used, for instance, for peer to peer sharing of updates, if enabled.
Teredo is Microsoft's method of providing IPv6 to those with only IPv4. It creates a tunnel, where IPv6 packets are carried by IPv4 packets. I did similar for 6 years with a 6in4 tunnel. However, I have no experience with Teredo.
I know :-)

But the thing I noticed now is that in Windows 10 the fact is listed; it appears openly. On Windows 7 it was somewhat more hidden.

An improvement. :-)

It is also of note that it punches a hole on virtual machines under Linux.

-- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On 12/27/2017 09:45 AM, Carlos E. R. wrote:
Teredo is Microsoft's method of providing IPv6 to those with only IPv4. It creates a tunnel, where IPv6 packets are carried by IPv4 packets. I did similar for 6 years with a 6in4 tunnel. However, I have no experience with Teredo.
I know :-)
But the thing I noticed now is that in Windows 10 the fact is listed, it appears openly. On Windows 7 it was somewhat more hidden.
An improvement. :-)
It is also of note that it punches a hole on virtual machines under Linux.
Make sure the firewall is working. ;-)

Does Teredo still work? According to that article, Microsoft was shutting it down in 2014.
On 2017-12-27 15:54, James Knott wrote:
On 12/27/2017 09:45 AM, Carlos E. R. wrote:
It is also of note that it punches a hole on virtual machines under Linux.
Make sure the firewall is working. ;-)
Mine is working, but Teredo bypasses it, AFAIK.
Does Teredo still work? According to that article, Microsoft was shutting it down in 2014.
Yes, I see activity in gkrellm some times. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On December 27, 2017 6:59:30 AM PST, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2017-12-27 15:54, James Knott wrote:
On 12/27/2017 09:45 AM, Carlos E. R. wrote:
It is also of note that it punches a hole on virtual machines under Linux.
Make sure the firewall is working. ;-)
Mine is working, but Teredo bypasses it, AFAIK.
Does Teredo still work? According to that article, Microsoft was shutting it down in 2014.
Yes, I see activity in gkrellm some times.
Well, your mail sure takes a tortured path, lots of hops, before it gets to the list server, so who knows what's working and how. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 12/29/2017 12:54 PM, John Andersen wrote:
Well, your mail sure takes a tortured path, lots of hops, before it gets to the list server, so who knows what's working and how.
MS might have shut down Teredo in the mean time. ;-)
John Andersen wrote:
On December 27, 2017 6:59:30 AM PST, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2017-12-27 15:54, James Knott wrote:
On 12/27/2017 09:45 AM, Carlos E. R. wrote:
It is also of note that it punches a hole on virtual machines under Linux.
Make sure the firewall is working. ;-)
Mine is working, but Teredo bypasses it, AFAIK.
Does Teredo still work? According to that article, Microsoft was shutting it down in 2014.
Yes, I see activity in gkrellm some times.
Well, your mail sure takes a tortured path, lots of hops, before it gets to the list server, so who knows what's working and how.
Huh? Looking at Carlos's mail, it leaves his dynamic address and passes through two movistar.es servers before it is delivered to the SUSE mailserver. Not much torture? -- Per Jessen, Zürich (0.0°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On Friday, 2017-12-29 at 21:05 +0100, Per Jessen wrote:
John Andersen wrote:
On December 27, 2017 6:59:30 AM PST, "Carlos E. R." <> wrote:
On 2017-12-27 15:54, James Knott wrote:
On 12/27/2017 09:45 AM, Carlos E. R. wrote:
It is also of note that it punches a hole on virtual machines under Linux.
Make sure the firewall is working. ;-)
Mine is working, but Teredo bypasses it, AFAIK.
Does Teredo still work? According to that article, Microsoft was shutting it down in 2014.
Yes, I see activity in gkrellm some times.
Well, your mail sure takes a tortured path, lots of hops, before it gets to the list server, so who knows what's working and how.
Huh? Looking at Carlos's mail, it leaves his dynamic address and passes through two movistar.es servers before it is delivered to the SUSE mailserver. Not much torture?
And I'm not doing it from Windows, but from Linux. So there is no chance my mail is sent via the Teredo hole. My routing is:

Alpine or Thunderbird --> postfix --> amavis --> postfix -->
  --> relayout01.e.movistar.es -->
  --> relayout01-redir.e.movistar.es aka relayout01-q02.e.movistar.es -->
  --> mx2.suse.de

Then there are several machines at openSUSE and back to me:

mx2.suse.de --> relay2.suse.de --> amavis-new --> relay2.suse.de -->
  --> lists5.opensuse.org (baloo.infra.opensuse.org) -->
  --> lists5.opensuse.org --> hydra.opensuse.org -->

And this is my local part again - yours will be different:

  --> relayin03.e.movistar.es --> asavin05.e.movistar.es -->
  --> dovector04.e.movistar.es --> lda04.e.movistar.es (imap.telefonica.net) -->
  --> Telcontar.valinor (fetchmail) --> Telcontar.valinor (Postfix) -->
  --> Telcontar.valinor (amavisd-new) --> Telcontar.valinor (Postfix)

-- Cheers, Carlos E. R. (from openSUSE 42.2 x86_64 "Malachite" at Telcontar)
On 09/13/2016 12:07 PM, Linda Walsh wrote:
Ditto. I freaked the first time I saw my shiny new Win7 box routing internal traffic out past my FW, using IPv6 tunneling over an IPv4 web proxy to open IPv6 networking through an MS IPv6 forwarder, back several years ago. Ever since then I've been sure to disable IPv6 services in Windows and build my Linux kernels w/o IPv6. Increased networking speed by about 5-10% too.
Do you honestly believe you have a hope of getting between MS and your personal data??? ;-) As for disabling IPv6, you're heading down the wrong path. More and more ISPs are providing IPv6, and some cell carriers are now native IPv6 and only provide IPv4 by large-scale NAT or 464XLAT. It's far better you learn to work with it than pretend it doesn't exist.
participants (12)
- Andrei Borzenkov
- Anton Aylward
- Carlos E. R.
- Felix Miata
- James Knott
- jdd
- John Andersen
- Lew Wolfgang
- Linda Walsh
- Per Jessen
- Rodney Baker
- Rüdiger Meier