Internet DRAFT - draft-elkins-v6ops-multicast-virtual-nodes
INTERNET-DRAFT                                                 N. Elkins
                                                         Inside Products
                                                            M. Ackermann
Intended Status: Informational                             BCBS Michigan
Expires: March 2015                                   September 18, 2014
The Effect of Multicast on Virtual Nodes in the Same Subnet
draft-elkins-v6ops-multicast-virtual-nodes-00
Abstract
When network administrators in an end-user enterprise create subnets
for Virtual Machines (VMs) in IPv6, they are not considering what
will happen with IPv6 multicast. We will describe how one node can
impact its neighbors. For example, multicast Ping Denial of Service
(DoS) attacks and other mischief are easy to carry out.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Elkins Expires March 22, 2015 [Page 1]
INTERNET DRAFT elkins-v6ops-multicast-virtual-nodes-00 September 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction
  1.1 Terminology
2 Who is a Neighbor and Why Does it Matter?
3 Sample Real Situation
  3.1 Ping to FF02::1
  3.2 Our Test
  3.3 Other packets generated to multicast addresses
4 Recommendations
  4.1 Best Practices for Subnet Configuration / Address Allocation
  4.2 Should nodes respond to Ping to FF0x::1
5 IANA Considerations
6 Security Considerations
7 References
  7.1 Normative References
  7.2 Informative References
8 Acknowledgments
Authors' Addresses
Appendix 1
  Neighbor Cache Before Ping
  Neighbor Cache After Ping
1 Introduction
When network administrators in an end-user enterprise create subnets
for Virtual Machines (VMs) in IPv6, they are not considering what
will happen with IPv6 multicast. "IPv4 thinking" may still be
applied, in that addresses are rationed.
We will describe how one node can impact its neighbors. For example,
multicast Ping Denial of Service (DoS) attacks and other mischief are
easy to carry out.
How Neighbor Discovery may impact IPv6 subnets was covered in
"Operational Neighbor Discovery Problems" [RFC6583].
From [RFC6583]:
"In IPv4, subnets are generally small, made just large enough to
cover the actual number of machines on the subnet. In contrast, the
default IPv6 subnet size is a /64, a number so large it covers
trillions of addresses, the overwhelming number of which will be
unassigned. Consequently, simplistic implementations of Neighbor
Discovery (ND) can be vulnerable to deliberate or accidental denial
of service (DoS), whereby they attempt to perform address resolution
for large numbers of unassigned addresses. Such denial-of-service
attacks can be launched intentionally (by an attacker) or result from
legitimate operational tools or accident conditions."
1.1 Terminology
From "Neighbor Discovery for IP version 6 (IPv6)" [RFC4861], we have:
neighbors - nodes attached to the same link.
interface - a node's attachment to a link.
link - a communication facility or medium over which nodes can
communicate at the link layer, i.e., the layer immediately below IP.
Examples are Ethernets (simple or bridged), PPP links, X.25, Frame
Relay, or ATM networks as well as Internet-layer (or higher-layer)
2 Who is a Neighbor and Why Does it Matter?
A neighbor is any node that you can talk to with a link-local address.
When you have a very large subnet, that can be a great many nodes
indeed.
IPv6 multicast packets are seen by all nodes that are "on-link". Again,
this may be a great many neighbors.
3 Sample Real Situation
We obtained two IPv6-enabled virtual servers from a commercial hosting
company. One was a Windows server, the other a Linux server. The
addresses we received for the Windows server were:
nnnn:abcd:123::31da:4b3b
nnnn:abcd:123::df8d:8198
nnnn:abcd:123::797e:5ec
nnnn:abcd:123::6512:b2c3
nnnn:abcd:123::2563:4d17
nnnn:abcd:123::30b2:7a05
nnnn:abcd:123::9d90:8e24
nnnn:abcd:123::9ada:3f3c
nnnn:abcd:123::bf53:d3d3
nnnn:abcd:123::4515:bc5e
They told us that the gateway is nnnn:abcd:123::1. The subnet is a
/64.
On the Linux machine, we received:
nnnn:abcd:123::3fed:2e56
nnnn:abcd:123::90bf:fb81
nnnn:abcd:123::5d40:cb6e
nnnn:abcd:123::bc8:512a
nnnn:abcd:123::d93b:164c
nnnn:abcd:123::f4fd:4c9c
nnnn:abcd:123::91dc:f23
nnnn:abcd:123::4c5d:6ac8
nnnn:abcd:123::6170:ec48
nnnn:abcd:123::bfd9:b68a
Again, they told us that the gateway is nnnn:abcd:123::1. The subnet
is a /64.
Clearly, both sets of addresses were in the same IPv6 subnet and thus
"neighbors" in a link-local sense. The hosting company's policy for
global unicast address allocation appears to be random. At least,
the allocations were not made via an algorithm that was readily
apparent to us.
Clearly, also, these machines were virtual servers, that is, not
real physical nodes.
We feel that this situation illustrates a scenario causing a number
of problems that are likely to happen when IPv6 addresses start being
allocated at end user enterprise sites.
3.1 Ping to FF02::1
When we did a Ping to FF02::1 (multicast all nodes), we were able to
impact an entirely separate virtual server. By the way, we also
impacted all the other clients of that hosting company. (We only did
this once or twice for proof of concept!)
3.2 Our Test
The command we issued was:
Ping FF02::1 -n 10
The result was:
Pinging ff02::1 with 32 bytes of data:
Reply from ff02::1: time=6ms
Reply from ff02::1: time=2ms
Reply from ff02::1: time=3ms
Reply from ff02::1: time=2ms
Reply from ff02::1: time=4ms
Reply from ff02::1: time=3ms
Reply from ff02::1: time=2ms
Reply from ff02::1: time=2ms
Reply from ff02::1: time=2ms
Reply from ff02::1: time=2ms
Ping statistics for ff02::1:
Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 6ms, Average = 2ms
We ran a Wireshark packet trace at the same time. We could see that
Pings and Ping replies were indeed sent. Neighbor Discovery packets
were sent as well.
In fact, this is what we saw:
   ICMP Type   Packet                           Number
   ------------------------------------------------
   128         Echo Request                         10
   129         Echo Reply                        2,840
   135         Neighbor Solicitation               578
   136         Neighbor Advertisement              568
In a second test, when we sent 4 packets for the Ping request, we
saw:
   ICMP Type   Packet                           Number
   ------------------------------------------------
   128         Echo Request                          4
   129         Echo Reply                        1,140
   135         Neighbor Solicitation               574
   136         Neighbor Advertisement              570
   143         V2 Multicast Listener Report          4
What was happening is that the Echo Replies were coming from all our
neighbors. To confirm what we were seeing, we interrogated the
neighbor cache before and after the commands. The neighbor cache
had 4 unicast addresses before the Ping. After the Ping, the neighbor
cache had grown to 127 unicast addresses. This confirms what we saw
in the packet trace.
See Appendix 1 for the contents of the neighbor cache.
So, it is clear that one virtual node on an IPv6 subnet can impact
others. Potentially, all nodes on a subnet can be impacted.
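In the two traces above, each Echo Request drew about 284 Echo Replies (2,840 for 10 requests, 1,140 for 4). The following is an added example, not part of the draft, of how a defender could flag that fan-out from decoded ICMPv6 records; the record layout, the `min_responders` threshold and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 128, 129   # ICMPv6 types, as in the tables above

def multicast_echo_fanout(packets, min_responders=16):
    """Flag hosts whose multicast Echo Requests drew replies from many neighbors.

    packets: iterable of (icmp_type, src, dst, echo_id) in capture order
             (hypothetical record layout, e.g. exported from a capture tool).
    Returns {(requester, echo_id): stats} for every flagged ping session.
    """
    requests = defaultdict(int)     # (requester, echo_id) -> multicast requests sent
    replies = defaultdict(int)      # (requester, echo_id) -> replies received
    responders = defaultdict(set)   # (requester, echo_id) -> distinct reply sources
    for icmp_type, src, dst, echo_id in packets:
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if icmp_type == ECHO_REQUEST and dst.is_multicast:
            requests[(src, echo_id)] += 1
        elif icmp_type == ECHO_REPLY and (dst, echo_id) in requests:
            # Replies to a multicast request arrive from each neighbor's own
            # unicast address, so distinct sources measure the fan-out.
            replies[(dst, echo_id)] += 1
            responders[(dst, echo_id)].add(src)
    findings = {}
    for (requester, echo_id), sent in requests.items():
        seen = responders[(requester, echo_id)]
        if len(seen) >= min_responders:
            got = replies[(requester, echo_id)]
            findings[(str(requester), echo_id)] = {
                "requests": sent,
                "replies": got,
                "responders": len(seen),
                "replies_per_request": got / sent,
            }
    return findings

def constructed_capture():
    """Constructed sample: 3 pings to ff02::1 answered by 20 neighbors,
    followed by one ordinary unicast ping that must not be flagged."""
    pkts = []
    for _ in range(3):
        pkts.append((ECHO_REQUEST, "fe80::aa", "ff02::1", 7))
        pkts += [(ECHO_REPLY, f"fe80::216:3eff:fe00:{n:x}", "fe80::aa", 7)
                 for n in range(1, 21)]
    pkts += [(ECHO_REQUEST, "fe80::bb", "fe80::cc", 9),
             (ECHO_REPLY, "fe80::cc", "fe80::bb", 9)]
    return pkts

if __name__ == "__main__":
    for session, stats in multicast_echo_fanout(constructed_capture()).items():
        print(session, stats)
```

Counting distinct reply sources rather than raw reply volume keeps a long-running unicast ping from being flagged.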
3.3 Other packets generated to multicast addresses
Clearly other packets can be generated to do Denial of Service
attacks on virtual (and real) nodes, including MLD. But, we
consider this out of scope for this document.
4 Recommendations
4.1 Best Practices for Subnet Configuration / Address Allocation
Guidance for how to allocate addresses and create subnets for Virtual
Machines should be provided.
4.2 Should nodes respond to Ping to FF0x::1
This question needs to be discussed. Is there a need for this
functionality? Or should it be deprecated?
5 IANA Considerations
There are no IANA considerations.
6 Security Considerations
There are no security considerations.
7 References
7.1 Normative References
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP Version 6 (IPv6)", RFC 4861, September
2007.
[RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational
Neighbor Discovery Problems", RFC 6583, March 2012.
(IPv6) Specification", RFC 2460, December 1998.
7.2 Informative References
8 Acknowledgments
The authors would like to thank Rob Hamilton for his comments.
Authors' Addresses
Nalini Elkins
Inside Products, Inc.
36A Upper Circle
Carmel Valley, CA 93924
United States
Phone: +1 831 659 8360
Email: nalini.elkins@insidethestack.com
http://www.insidethestack.com
Michael S. Ackermann
Blue Cross Blue Shield of Michigan
P.O. Box 2888
Detroit, Michigan 48231
United States
Phone: +1 310 460 4080
Email: mackermann@bcbsmi.com
http://www.bcbsmi.com
Appendix 1
Neighbor Cache Before Ping
C:\Users\Administrator>netsh int ipv6 show nei int=11
Interface 11: Local Area Connection
Internet Address Physical Address Type
--------------------------- ----------------- -----------
nnnn:abcd:123::1 00-1b-21-d4-45-ea Stale (Router)
fe80::88e8:228f:f0de:d028 00-00-00-00-00-00 Unreachable
fe80::a089:f460:ad2b:6723 00-16-3e-c6-d4-df Stale
fe80::b479:2679:b663:4470 00-16-3e-84-1b-1d Stale
fe80::cc18:c232:74cb:d08c 00-00-00-00-00-00 Unreachable
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
Neighbor Cache After Ping
C:\Users\Administrator>netsh int ipv6 show nei int=11
Interface 11: Local Area Connection
Internet Address Physical Address Type
------------------------------- --------------- --------
nnnn:abcd:123::1 00-1b-21-d4-45-ea Stale (Router)
fe80::216:3eff:fe03:498 00-16-3e-03-04-98 Stale
fe80::216:3eff:fe03:dc6c 00-16-3e-03-dc-6c Stale
fe80::216:3eff:fe05:3f71 00-16-3e-05-3f-71 Stale
fe80::216:3eff:fe05:f2af 00-16-3e-05-f2-af Stale
fe80::216:3eff:fe07:c08a 00-16-3e-07-c0-8a Stale
fe80::216:3eff:fe0c:f25 00-16-3e-0c-0f-25 Stale
fe80::216:3eff:fe0d:3143 00-16-3e-0d-31-43 Stale
fe80::216:3eff:fe0d:db6e 00-16-3e-0d-db-6e Stale
fe80::216:3eff:fe15:2029 00-16-3e-15-20-29 Stale
fe80::216:3eff:fe16:3fe4 00-16-3e-16-3f-e4 Stale
fe80::216:3eff:fe17:c9b7 00-16-3e-17-c9-b7 Stale
fe80::216:3eff:fe17:ea46 00-16-3e-17-ea-46 Stale
fe80::216:3eff:fe18:ceac 00-16-3e-18-ce-ac Stale
fe80::216:3eff:fe18:d6f5 00-16-3e-18-d6-f5 Stale
fe80::216:3eff:fe1b:7297 00-16-3e-1b-72-97 Stale
fe80::216:3eff:fe21:3a58 00-16-3e-21-3a-58 Stale
fe80::216:3eff:fe2b:9fb0 00-16-3e-2b-9f-b0 Stale
fe80::216:3eff:fe2c:1451 00-16-3e-2c-14-51 Stale
fe80::216:3eff:fe2e:8ed7 00-16-3e-2e-8e-d7 Stale
fe80::216:3eff:fe30:469c 00-16-3e-30-46-9c Stale
fe80::216:3eff:fe31:8972 00-16-3e-31-89-72 Stale
fe80::216:3eff:fe34:689 00-16-3e-34-06-89 Stale
fe80::216:3eff:fe34:6259 00-16-3e-34-62-59 Stale
fe80::216:3eff:fe34:c4c1 00-16-3e-34-c4-c1 Stale
fe80::216:3eff:fe37:3e86 00-16-3e-37-3e-86 Stale
fe80::216:3eff:fe38:20b2 00-16-3e-38-20-b2 Stale
fe80::216:3eff:fe38:4db4 00-16-3e-38-4d-b4 Stale
fe80::216:3eff:fe38:9676 00-16-3e-38-96-76 Stale
fe80::216:3eff:fe3a:475b 00-16-3e-3a-47-5b Stale (Router)
fe80::216:3eff:fe3a:8258 00-16-3e-3a-82-58 Stale
fe80::216:3eff:fe3a:d904 00-16-3e-3a-d9-04 Stale
fe80::216:3eff:fe41:c9d2 00-16-3e-41-c9-d2 Stale
fe80::216:3eff:fe46:c18e 00-16-3e-46-c1-8e Stale
fe80::216:3eff:fe47:a56d 00-16-3e-48-d9-07 Stale
fe80::216:3eff:fe4b:40f 00-16-3e-4b-04-0f Stale
fe80::216:3eff:fe4e:2b15 00-16-3e-4e-2b-15 Stale
fe80::216:3eff:fe4e:3023 00-16-3e-4e-30-23 Stale
fe80::216:3eff:fe51:f64f 00-16-3e-51-f6-4f Stale
fe80::216:3eff:fe53:5ae 00-16-3e-53-05-ae Stale
fe80::216:3eff:fe5a:12d1 00-16-3e-5a-12-d1 Stale
fe80::216:3eff:fe60:ed08 00-16-3e-60-ed-08 Stale
fe80::216:3eff:fe61:6d64 00-16-3e-61-6d-64 Stale
fe80::216:3eff:fe64:6cb2 00-16-3e-64-6c-b2 Stale
fe80::216:3eff:fe67:7fa3 00-16-3e-67-7f-a3 Stale
fe80::216:3eff:fe6f:a61b 00-16-3e-6f-a6-1b Stale
fe80::216:3eff:fe70:2513 00-16-3e-70-25-13 Stale
fe80::216:3eff:fe71:5c07 00-16-3e-71-5c-07 Stale
fe80::216:3eff:fe72:21ed 00-16-3e-72-21-ed Stale
fe80::216:3eff:fe7e:5f13 00-16-3e-7e-5f-13 Stale
fe80::216:3eff:fe7e:ea7a 00-16-3e-7e-ea-7a Stale
fe80::216:3eff:fe80:43cf 00-16-3e-80-43-cf Stale
fe80::216:3eff:fe81:18e2 00-16-3e-81-18-e2 Stale
fe80::216:3eff:fe81:9024 00-16-3e-81-90-24 Stale
fe80::216:3eff:fe82:abe 00-16-3e-82-0a-be Stale
fe80::216:3eff:fe82:a76d 00-16-3e-82-a7-6d Stale
fe80::216:3eff:fe85:db2b 00-16-3e-85-db-2b Stale
fe80::216:3eff:fe8a:26c 00-16-3e-8a-02-6c Stale
fe80::216:3eff:fe8c:ab98 00-16-3e-8c-ab-98 Stale
fe80::216:3eff:fe8e:49e6 00-16-3e-8e-49-e6 Stale
fe80::216:3eff:fe90:5b1 00-16-3e-90-05-b1 Stale
fe80::216:3eff:fe94:68ab 00-16-3e-94-68-ab Stale
fe80::216:3eff:fe95:2bd8 00-16-3e-95-2b-d8 Stale
fe80::216:3eff:fe95:e1dc 00-16-3e-95-e1-dc Stale
fe80::216:3eff:fe97:2b92 00-16-3e-97-2b-92 Stale
fe80::216:3eff:fe97:601f 00-16-3e-97-60-1f Stale
fe80::216:3eff:fe98:afe2 00-16-3e-98-af-e2 Stale
fe80::216:3eff:fe9c:bcf3 00-16-3e-9c-bc-f3 Stale
fe80::216:3eff:fe9f:28ef 00-16-3e-9f-28-ef Stale
fe80::216:3eff:fea0:40e4 00-16-3e-a0-40-e4 Stale
fe80::216:3eff:fea4:cbf1 00-16-3e-a4-cb-f1 Stale
fe80::216:3eff:fea4:ed6b 00-16-3e-a4-ed-6b Stale
fe80::216:3eff:fea5:d79f 00-16-3e-a5-d7-9f Stale
fe80::216:3eff:fea6:81f7 00-16-3e-a6-81-f7 Stale
fe80::216:3eff:fea7:8c7c 00-16-3e-a7-8c-7c Stale
fe80::216:3eff:fea7:a574 00-16-3e-a7-a5-74 Stale
fe80::216:3eff:feac:de47 00-16-3e-ac-de-47 Stale
fe80::216:3eff:feaf:8a0a 00-16-3e-af-8a-0a Stale
fe80::216:3eff:feb2:94e9 00-16-3e-b2-94-e9 Stale
fe80::216:3eff:feb2:9636 00-16-3e-b2-96-36 Stale
fe80::216:3eff:feb3:3fbf 00-16-3e-b3-3f-bf Stale
fe80::216:3eff:feb5:83e4 00-16-3e-b5-83-e4 Stale
fe80::216:3eff:feb8:39d1 00-16-3e-b8-39-d1 Stale
fe80::216:3eff:feba:897b 00-16-3e-ba-89-7b Stale
fe80::216:3eff:febc:37e1 00-16-3e-bc-37-e1 Stale
fe80::216:3eff:febd:1a89 00-16-3e-bd-1a-89 Stale
fe80::216:3eff:febd:2c86 00-16-3e-bd-2c-86 Stale
fe80::216:3eff:febe:65b1 00-16-3e-be-65-b1 Stale
fe80::216:3eff:febe:d7d8 00-16-3e-be-d7-d8 Stale
fe80::216:3eff:fec0:bcad 00-16-3e-c0-bc-ad Stale
fe80::216:3eff:fec2:530 00-16-3e-c2-05-30 Stale
fe80::216:3eff:fec2:79c3 00-16-3e-c2-79-c3 Stale
fe80::216:3eff:fec3:5c89 00-16-3e-c3-5c-89 Stale
fe80::216:3eff:fec5:4d6c 00-16-3e-c5-4d-6c Stale
fe80::216:3eff:fec5:69d0 00-16-3e-c5-69-d0 Stale
fe80::216:3eff:fec7:31f8 00-16-3e-c7-31-f8 Stale
fe80::216:3eff:fec8:6138 00-16-3e-c8-61-38 Stale
fe80::216:3eff:fec8:b7ec 00-16-3e-c8-b7-ec Stale
fe80::216:3eff:feca:a1c6 00-16-3e-ca-a1-c6 Stale
fe80::216:3eff:fed1:2a2a 00-16-3e-d1-2a-2a Stale
fe80::216:3eff:fed1:d33c 00-16-3e-d1-d3-3c Stale
fe80::216:3eff:fed2:802c 00-16-3e-d2-80-2c Stale
fe80::216:3eff:fed2:f770 00-16-3e-d2-f7-70 Stale
fe80::216:3eff:fed6:211a 00-16-3e-d6-21-1a Stale
fe80::216:3eff:fed9:850 00-16-3e-d9-08-50 Stale
fe80::216:3eff:fedb:5ec 00-16-3e-db-05-ec Stale
fe80::216:3eff:fedc:799f 00-16-3e-dc-79-9f Stale
fe80::216:3eff:fee4:40ed 00-16-3e-e4-40-ed Stale
fe80::216:3eff:fee6:4869 00-16-3e-e6-48-69 Stale
fe80::216:3eff:fee9:53d5 00-16-3e-e9-53-d5 Stale
fe80::216:3eff:feeb:de71 00-16-3e-eb-de-71 Stale
fe80::216:3eff:fef2:273b 00-16-3e-f2-27-3b Stale
fe80::216:3eff:fef2:96c5 00-16-3e-f2-96-c5 Stale
fe80::216:3eff:fef3:c0ac 00-16-3e-f3-c0-ac Stale
fe80::216:3eff:fef5:c548 00-16-3e-f5-c5-48 Stale
fe80::216:3eff:fef6:d428 00-16-3e-f6-d4-28 Stale
fe80::216:3eff:fef7:ec4e 00-16-3e-f7-ec-4e Stale
fe80::216:3eff:fef8:9be1 00-16-3e-f8-9b-e1 Stale
fe80::216:3eff:fef9:46a4 00-16-3e-f9-46-a4 Stale
fe80::216:3eff:fefa:c342 00-16-3e-fa-c3-42 Stale
fe80::216:3eff:fefc:8f91 00-16-3e-fc-8f-91 Stale
fe80::32ff:b90c:73b1:34a7 00-16-3e-e1-2f-5e Stale
fe80::5246:5dff:fee0:31b4 50-46-5d-e0-31-b4 Stale
fe80::a089:f460:ad2b:6723 00-16-3e-c6-d4-df Stale
fe80::a5ff:73b8:3bc8:4c4 00-00-00-00-00-00 Unreachable
fe80::b479:2679:b663:4470 00-16-3e-84-1b-1d Stale
fe80::cc18:c232:74cb:d08c 00-00-00-00-00-00 Unreachable
ff02::1 33-33-00-00-00-01 Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ffab:742e 33-33-ff-ab-74-2e Permanent
ff02::1:ffba:10eb 33-33-ff-ba-10-eb Permanent
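The before/after comparison of the neighbor cache described in Section 3.2 can be automated. This is an added example, not part of the draft: it parses two `netsh int ipv6 show nei` snapshots and reports which resolved unicast neighbors were learned in between; the function names are hypothetical and the two snapshots are abridged from the rows above.

```python
from collections import Counter

def parse_neighbor_cache(text):
    """Parse `netsh int ipv6 show nei` rows into {address: (mac, state)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows are "<address> <xx-xx-xx-xx-xx-xx> <state...>"; the command
        # line, column header and dashed separator fail this check.
        if len(parts) >= 3 and len(parts[1]) == 17 and parts[1].count("-") == 5:
            entries[parts[0].lower()] = (parts[1].lower(), " ".join(parts[2:]))
    return entries

def is_resolved_unicast(mac):
    # 33-33-xx-xx-xx-xx is the Ethernet mapping of IPv6 multicast groups;
    # an all-zero MAC marks an entry that was never resolved (Unreachable).
    return not mac.startswith("33-33") and mac != "00-00-00-00-00-00"

def new_neighbors(before_text, after_text):
    """Return ({address: mac} learned between snapshots, Counter of their OUIs)."""
    before = parse_neighbor_cache(before_text)
    after = parse_neighbor_cache(after_text)
    learned = {addr: mac for addr, (mac, _state) in after.items()
               if addr not in before and is_resolved_unicast(mac)}
    return learned, Counter(mac[:8] for mac in learned.values())

# Abridged snapshots built from rows in the Appendix (sample input).
BEFORE = """\
Interface 11: Local Area Connection
Internet Address Physical Address Type
--------------------------- ----------------- -----------
nnnn:abcd:123::1 00-1b-21-d4-45-ea Stale (Router)
fe80::a089:f460:ad2b:6723 00-16-3e-c6-d4-df Stale
fe80::cc18:c232:74cb:d08c 00-00-00-00-00-00 Unreachable
ff02::1:2 33-33-00-01-00-02 Permanent
"""

AFTER = BEFORE + """\
fe80::216:3eff:fe03:498 00-16-3e-03-04-98 Stale
fe80::216:3eff:fe03:dc6c 00-16-3e-03-dc-6c Stale
fe80::5246:5dff:fee0:31b4 50-46-5d-e0-31-b4 Stale
fe80::a5ff:73b8:3bc8:4c4 00-00-00-00-00-00 Unreachable
ff02::1 33-33-00-00-00-01 Permanent
"""

if __name__ == "__main__":
    learned, ouis = new_neighbors(BEFORE, AFTER)
    print(len(learned), "new unicast neighbors; by OUI:", dict(ouis))
```

Grouping the learned entries by OUI shows at a glance how many of the new neighbors share a vendor prefix, which in a hosting environment usually means they are virtual interfaces on the same platform.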