type 0: นี่คือโพสต์ที่เกี่ยวข้องกับหัวข้อนี้
Contents
Introduction
Malicious Use of Type 0 Routing Headers
IPv6 Header Formats
IPv6 Header
IPv6 Extension Header: Routing Header
IPv6 Type 0 Routing Header
Countermeasures for IPv6 Type 0 Routing Headers
Disabling Processing of Type 0 Routing Header Packets
Filtering Routing Header Packets Using Access Lists
Filtering Type 0 Routing Header Packets Using Access Lists
Control Plane Policing
Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding
Cisco ASA, PIX, and Firewall Services Module Firewalls
Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers
Filtering Routing Header Packets Using Access Lists
Filtering Type 0 Routing Header Packets Using Access Lists
Control Plane Policing
Spoofing Protection Using IPv6 Unicast RPF
Cisco ASA, PIX, and FWSM Firewalls
References
Introduction
The protocol specification for Internet Protocol version 6 (IPv6) was originally defined in RFC 1883 and then obsoleted by RFC 2460. These RFCs also define IPv6 extension headers that contain optional Internet-layer information encoded in separate headers. These headers may be inserted between the IPv6 header and the upper-layer header in an IPv6 packet. This document will focus on the IPv6 extension header Type 0 Routing header, which is used by an IPv6 source to list one or more intermediate nodes to be “visited” on the way to a packet’s destination. The IPv6 Type 0 Routing header is similar in function to the IPv4 (RFC 791) Loose Source and Record Route IP options. The IPv6 Routing header is identified by a Next Header (NH) value of 43 in the immediately preceding header. This document will advise how to disable the processing of IPv6 packets with a Type 0 Routing header on devices that are running Cisco IOS Software and how to filter such packets using Cisco IOS Software or Cisco IOS XR Software.
Malicious Use of Type 0 Routing Headers
Attackers can maliciously use IPv6 Type 0 Routing headers to bypass packet filters (IPv6 access-list policies) or anycast addressing and routing. These headers can also be used to perform reflected denial of service (DoS) attacks, spoofing, double spoofing, and amplification attacks (ping-pong attacks that can cause link saturation and potential performance issues through added CPU processing).
IPv6 Header Formats
IPv6 Header
The following diagram provides the format of the IPv6 header. The field descriptions from RFC 2460 are below it.
Field
Description
Version
4-bit Internet Protocol version number = 6.
Traffic Class
8-bit traffic class field.
Flow Label
20-bit flow label.
Payload Length
16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following this IPv6 header, in octets. (Note that any extension headers present are considered part of the payload, i.e., included in the length count.)
Next Header
8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hop Limit
8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
Source Address
128-bit address of the originator of the packet.
Destination Address
128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).
IPv6 Extension Header: Routing Header
The following diagram provides the format of the IPv6 extension header Routing header. The field descriptions from RFC 2460 are below it.
Field
Description
Next Header
8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len
8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets.
Routing Type
8-bit identifier of a particular Routing header variant.
Segments Left
8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
type-specific data
Variable-length field, of format determined by the Routing Type, and of length such that the complete Routing header is an integer multiple of 8 octets long.
IPv6 Type 0 Routing Header
The following diagram provides the format of the IPv6 Type 0 Routing header. The field descriptions from RFC 2460 are below it.
Field
Description
Next Header
8-bit selector. Identifies the type of header immediately following the Routing header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
Hdr Ext Len
8-bit unsigned integer. Length of the Routing header in 8-octet units, not including the first 8 octets. For the Type 0 Routing header, Hdr Ext Len is equal to two times the number of addresses in the header.
Routing Type
0.
Segments Left
8-bit unsigned integer. Number of route segments remaining, i.e., number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
Reserved
32-bit reserved field. Initialized to zero for transmission; ignored on reception.
Address[1..n]
Vector of 128-bit addresses, numbered 1 to n.
<
Countermeasures for IPv6 Type 0 Routing Headers
Disabling Processing of Type 0 Routing Header Packets
Cisco IOS Software provides the ability to disable the processing of IPv6 packets with Type 0 Routing headers. Starting with Cisco IOS Software releases 12.2(15)T and 12.0(32)S, administrators can enable the no ipv6 source-route command from global configuration mode to prevent hosts from performing source routing using IPv6-enabled IOS devices. Prior to these Cisco IOS Software releases, the processing of IPv6 Type 0 Routing headers was enabled.
Note: When the no ipv6 source-route command is configured and the IOS device receives a packet with a Type 0 Routing header present, the IOS device drops the packet and sends an IPv6 Internet Control Message Protocol (ICMP) “destination unreachable” message back to the source and logs an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval [] command from global configuration mode.
Filtering Routing Header Packets Using Access Lists
Cisco IOS Software provides the ability to filter IPv6 Routing headers starting with Cisco IOS Software releases 12.2(13)T, 12.0(23)S, and Cisco IOS XR Software release 2.0 using the IPv6 access list routing keyword. However, filtering for IPv6 Routing headers will filter on all IPv6 Routing header types (0 through 255). If Mobile IPv6 (MIPv6) is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended. Additional filtering for explicit IPv6 Type 0 Routing headers will be shown below.
The following example access control list (ACL) policy shows how to filter and deny all unauthorized IPv6 Routing header Type 0 through 255 packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device or IPv6 link-local addresses and then deny all other unauthorized IPv6 Routing header type packets sent to the IPv6 prefix assigned to infrastructure devices.
Note: Cisco IOS Software releases prior to 12.4(2)T and Cisco IOS XR Software releases prior to 3.4.2 do not have the ability to filter on specific IPv6 Routing header type values using IPv6 ACLs. IOS releases prior to 12.4(2)T can filter only IPv6 packets with the presence of a Routing header in the IPv6 header chain. In Cisco IOS Software release 12.4(2)T, a new keyword ofrouting-type added the ability to filter on the presence of specific IPv6 Routing header type values.
Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.
Cisco IOS Software
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ipv6 any host 2001:DB8::0:1:0:1111 routing deny ipv6 any host 2001:DB8::0:2:0:2222 routing deny ipv6 any host 2001:DB8::0:3:0:3333 routing deny ipv6 any host 2001:DB8::0:4:0:4444 routing deny ipv6 any host FE80::218:74FF:FEB5:A41B routing deny ipv6 any host FE80::218:74FF:FEB5:A41A routing deny ipv6 any host FE80::218:74FF:FEB5:A419 routing deny ipv6 any host 2001:DB8::0:F:0:FFFF routing deny ipv6 any host 2001:DB8::0:F:0:F00D routing deny ipv6 any 2001:DB8::/32 routing interface GigabitEthernet0/0 ipv6 address 2001:DB8::0:1:0:1111/96 ipv6 enable ipv6 traffic-filter DENY-IPv6-ALL-RH-TYPES in
Cisco IOS XR Software
ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ipv6 any host 2001:DB8::0:1:0:1111 routing deny ipv6 any host 2001:DB8::0:2:0:2222 routing deny ipv6 any host 2001:DB8::0:3:0:3333 routing deny ipv6 any host 2001:DB8::0:4:0:4444 routing deny ipv6 any host FE80::218:74FF:FEB5:A41B routing deny ipv6 any host FE80::218:74FF:FEB5:A41A routing deny ipv6 any host FE80::218:74FF:FEB5:A419 routing deny ipv6 any host 2001:DB8::0:F:0:FFFF routing deny ipv6 any host 2001:DB8::0:F:0:F00D routing deny ipv6 any 2001:DB8::/32 routing interface GigabitEthernet 0/0/0/1 ipv6 address 2001:DB8::0:1:0:1111/96 ipv6 enable ipv6 access-group DENY-IPv6-ALL-RH-TYPES ingress
Note: When filtering with an interface access list, Cisco IOS Software and Cisco IOS XR Software will elicit the transmission of an ICMP “destination unreachable” message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval [] command from global configuration mode.
Filtering Type 0 Routing Header Packets Using Access Lists
Cisco IOS Software provides the ability to filter on specific IPv6 Routing header types (0 through 255) starting with Cisco IOS release 12.4(2)T using the IPv6 access list routing-type keyword. Explicitly filtering for IPv6 Type 0 Routing headers allows for access lists to deny packets with an IPv6 Type 0 Routing header without impacting the operations of other IPv6 services that use IPv6 Routing headers (for example, MIPv6 uses Type 2 Routing headers). Cisco IOS XR Software does not have the ability to filter on specific IPv6 Routing header types as of release 3.4.2. See “Filtering Routing Header Packets Using Access Lists” for information about filtering IPv6 Routing header packets on Cisco IOS XR Software.
The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 Type 0 Routing header packets sent to any IPv6 interface (configured, link-local) on an IPv6-enabled IOS device and how to filter and deny such packets transiting through the IPv6-enabled IOS device:
ipv6 access-list DENY-IPv6-TYPE0-RH deny ipv6 any any routing-type 0 interface GigabitEthernet0/0 ipv6 address 2001:DB8::0:1:0:1111/96 ipv6 enable ipv6 traffic-filter DENY-IPv6-TYPE0-RH in
The following example ACL policy shows how to filter and deny unauthorized IPv6 Type 0 Routing header packets sent to specific IPv6 addresses configured on an IPv6-enabled IOS device and specific IPv6 link-local addresses and then deny all other unauthorized IPv6 Type 0 Routing header packets sent to the IPv6 prefix assigned to infrastructure devices:
!-- If device is running Cisco IOS Software release 12.4(2)T or later !-- Deny all IPv6 extension header Type 0 Routing header
packets sent !-- to IPv6 addresses configured on interfaces of the IPv6-enabled device !-- (management, loopback, access links,
and network/user segments) or !-- or IPv6 link-local addresses. ! ipv6 access-list DENY-IPv6-TYPE0-RH deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0 deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0 deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0 deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0 ! !-- The following IPv6 addresses are configured on loopback interfaces !-- for management and BGP peering using /128
prefixes. deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0 deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0 ! !-- Deny all other IPv6 Type 0 Routing header traffic sent to the IPv6 !-- prefix used in the configuration of network
infrastructure devices. deny ipv6 any 2001:DB8::/32 routing-type 0 ! !-- Permit/deny all other IPv6 Layer 3 and Layer 4 traffic in accordance !-- with existing security policies and
configurations. ! !-- Apply IPv6 ACL to interface(s) in the ingress direction. interface GigabitEthernet0/0 ipv6 address 2001:DB8::0:1:0:1111/96 ipv6 enable ipv6 traffic-filter DENY-IPv6-TYPE0-RH in !
Note: When filtering with an interface access list, Cisco IOS Software will elicit the transmission of an ICMP “destination unreachable” message back to the source of the filtered traffic and log an appropriate debug message. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software and Cisco IOS XR Software, IPv6 ICMP unreachable message generation is limited to one packet every 100 milliseconds and 10 tokens by default. IPv6 ICMP unreachable message generation can be disabled using the interface configuration command no ipv6 unreachables. The rate at which the router generates all IPv6 ICMP error messages can be limited using the ipv6 icmp error-interval [] command from global configuration mode.
Control Plane Policing
Administrators can use Control Plane Policing (CoPP) to block untrusted IPv6 Type 0 Routing header packets to an IPv6-enabled device. Cisco IOS Software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to a specific network. This example assumes that IPv6 packets sent to the IPv6 addresses configured on an IPv6-enabled device are to be fully restricted from receiving any IPv6 Type 0 Routing header packets.
Note: In the following example, the routing-type IPv6 access lists keyword will match only packets with an IPv6 Type 0 Routing header present. It is possible to use the routing IPv6 access list keyword to match all IPv6 Routing header types (0 through 255). However, doing so may impact current operations or future deployments of MIPv6. If MIPv6 is in use or may be deployed in the future, using the IPv6 access lists routing keyword is not recommended.
ipv6 access-list DROP-IPv6-RH0 permit ipv6 any any routing-type 0 class-map match-all drop-IPv6-RH0-class match access-group name DROP-IPv6-RH0 policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC class drop-IPv6-RH0-class drop control-plane service-policy input DROP-UNAUTHORIZED-INFRA-TRAFFIC
In the preceding CoPP example, the access control list entry (ACE) that matches packets with an IPv6 Type 0 Routing header using the permit action causes the policy map drop function to discard those packets, whereas packets that match the deny action (not shown) are not affected by the policy map drop function.
Note that in Cisco IOS Software releases 12.2S and 12.0S, the policy map syntax is different.
Note: Cisco IOS Software 12.2S and 12.0S currently allow only the ability to filter on all IPv6 Routing header types (0 through 255) using the routing keyword for IPv6 extended access lists. If this capability is used and MIPv6 is deployed at a later time, MIPv6 will not function properly because it will be dropped by the CoPP policy.
policy-map DROP-UNAUTHORIZED-INFRA-TRAFFIC class drop-IPv6-RH-class police 32000 1500 1500 conform-action drop exceed-action drop
Additional information about the configuration and use of the CoPP feature is at Control Plane Policing Implementation Best Practices and Control Plane Policing for Cisco IOS Release 12.2S.
Spoofing Protection Using IPv6 Unicast Reverse Path Forwarding
Protection mechanisms for spoofing exist through the proper deployment and configuration of Unicast Reverse Path Forwarding (Unicast RPF) for IPv6. Unicast RPF for IPv6 can detect and drop (discard) IPv6 packets that lack a verifiable IPv6 source addresses. Administrators should not rely on Unicast RPF for IPv6 to provide 100 percent protection because spoofed packets may still enter the network through a Unicast RPF-enabled interface for which there is a return route to the IPv6 source address within the packet or may be allowed by Unicast RPF access lists. Additional information about Unicast RPF for IPv6 is available at Unicast RPF for IPv6 on the Cisco 12000 Series. Configuration information for ipv6 verify unicast reverse-path and ipv6 verify unicast source reachable-via (where rx = Unicast RPF strict mode and any = Unicast RPF loose mode) is available at Cisco IOS IPv6 Command Reference. ACLs that prevent spoofing coupled with Unicast RPF for IPv6 provide an added layer of threat mitigation against spoofed packets with a Type 0 Routing header present. The Unicast RPF for IPv6 feature requires Cisco Express Forwarding.
interface GigabitEthernet0/0 ipv6 address 2001:DB8::0:1:0:1111/96 ipv6 enable ipv6 verify unicast reverse-path -or- ipv6 verify unicast source reachable-via ipv6 flow ingress
Cisco ASA, PIX, and Firewall Services Module Firewalls
The Cisco ASA 5500 Series Adaptive Security Appliance (ASA), the Cisco PIX 500 Series Security Appliance, and the Firewall Services Module (FWSM) for Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers will process and will drop IPv6 Type 0 Routing header packets by default. These firewall products do not have the ability to filter on IPv6 Routing headers or explicit IPv6 Routing header types; however, IPv6 access lists can be used to explicitly deny unauthorized or permit authorized IPv6 traffic based on source and destination IPv6 addresses, the source and destination port numbers, and the protocol number for the traffic administrators want to filter.
The following example ACL policy shows how to explicitly filter and deny unauthorized IPv6 packets sent to specific IPv6-enabled hosts that are behind the firewall, and permits only authorized BGP traffic on TCP port 179 from trusted hosts used for BGP peering over IPv6:
Caution: If MIPv6 is deployed within the infrastructure, the following ACL policies may disrupt and/or break its operations. Therefore, a workaround does not exist for MIPv6.
ipv6 access-list DENY-IPv6-ALL-RH-TYPES remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall -- ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:1:0:1111 ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:2:0:2222 ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:3:0:3333 ipv6 access-list DENY-IPv6-ALL-RH-TYPES deny ip any host 2001:DB8::0:4:0:4444 ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:f00d host 2001:DB8::0:f:0:ffff eq bgp ipv6 access-list DENY-IPv6-ALL-RH-TYPES permit tcp host 2001:DB8::f:0:f:ffff host 2001:DB8::0:f:0:f00d eq bgp access-group DENY-IPv6-ALL-RH-TYPES in interface outside
Troubleshooting Countermeasures for IPv6 Type 0 Routing Headers
Filtering Routing Header Packets Using Access Lists
Cisco IOS Software
After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets that are being filtered with any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-ALL-RH-TYPES follows:
ios-router#show ipv6 access-list DENY-IPv6-ALL-RH-TYPES IPv6 access list DENY-IPv6-ALL-RH-TYPES deny ipv6 any host 2001:DB8::0:1:0:1111 routing sequence 10 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (17 matches) sequence 20 deny ipv6 any host 2001:DB8::0:3:0:3333 routing sequence 30 deny ipv6 any host 2001:DB8::0:4:0:4444 routing sequence 40 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing sequence 50 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing sequence 60 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing sequence 70 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (29 matches) sequence 80 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (77 matches) sequence 90 deny ipv6 any 2001:DB8::/32 routing (137 matches) sequence 100 -- ACL Policy Truncated -- -- Permit/deny all other IPv6 Layer 3 and Layer 4 -- -- traffic in accordance with existing security -- -- policies and configurations. -- ios-router#
In the preceding example, the access list , which is applied in the ingress direction on interface GigabitEthernet0/0, denied 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20, 29 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80, 77 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 90, and 137 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID100.
Cisco IOS XR Software
After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show access-lists ipv6 command to identify the number of IPv6 packets that are being filtered in hardware or software for any Routing header type (0 through 255). Filtered packets should be investigated to determine whether they are being used maliciously. Example output forshow access-list ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0 (packets denied in hardware) and show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES (packets denied in software) follows:
RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES hardware ingress location 0/3/CPU0 ipv6 access-list DENY-IPv6-ALL-RH-TYPES 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (69 hw matches) 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (17 hw matches) 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (54 hw matches) 100 deny ipv6 any 2001:DB8::/32 routing (185 hw matches) -- ACL Policy Truncated -- -- Permit/deny all other IPv6 Layer 3 and Layer 4 -- -- traffic in accordance with existing security -- -- policies and configurations. -- RP/0/0/CPU0:iosxr-router#
In the preceding example, the access list , which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 69 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in hardware, 17 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in hardware, 54 IPv6 Routing Header (Type 0 through 255) packets on ACE sequence ID 90 in hardware, and 185 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in hardware.
RP/0/0/CPU0:iosxr-router#show access-lists ipv6 DENY-IPv6-ALL-RH-TYPES ipv6 access-list DENY-IPv6-ALL-RH-TYPES 10 deny ipv6 any host 2001:DB8::0:1:0:1111 routing 20 deny ipv6 any host 2001:DB8::0:2:0:2222 routing (3 matches) 30 deny ipv6 any host 2001:DB8::0:3:0:3333 routing 40 deny ipv6 any host 2001:DB8::0:4:0:4444 routing 50 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing 60 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing 70 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing 80 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing (2 matches) 90 deny ipv6 any host 2001:DB8::0:F:0:F00D routing (5 matches) 100 deny ipv6 any 2001:DB8::/32 routing (3 matches) -- ACL Policy Truncated -- -- Permit/deny all other IPv6 Layer 3 and Layer 4 -- -- traffic in accordance with existing security -- -- policies and configurations. -- RP/0/0/CPU0:iosxr-router#
In the preceding example, the access list , which is applied in the ingress direction on interface GigabitEthernet0/0/0/1, denied 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 20 in software, 2 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 80 in software, 5 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 90 in software, and 3 IPv6 Routing header (Type 0 through 255) packets on ACE sequence ID 100 in software.
Filtering Type 0 Routing Header Packets Using Access Lists
After the IPv6 access list is applied to an interface in the ingress direction, the show ipv6 access-list command can be used to identify the number of IPv6 Type 0 Routing header packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list DENY-IPv6-TYPE0-RH follows :
ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH IPv6 access list DENY-IPv6-TYPE0-RH deny ipv6 any any routing-type 0 (156 matches) sequence 10 -- ACL Policy Truncated -- -- Permit/deny all other IPv6 Layer 3 and Layer 4 -- -- traffic in accordance with existing security -- -- policies and configurations. -- ios-router#
In the preceding example, the access list , which is applied in the ingress direction on interface GigabitEthernet0/0, denied 156 IPv6 Type 0 Routing header packets on ACE sequence ID 10.
ios-router#show ipv6 access-list DENY-IPv6-TYPE0-RH IPv6 access list DENY-IPv6-TYPE0-RH deny ipv6 any host 2001:DB8::0:1:0:1111 routing-type 0 (9 matches) sequence 10 deny ipv6 any host 2001:DB8::0:2:0:2222 routing-type 0 sequence 20 deny ipv6 any host 2001:DB8::0:3:0:3333 routing-type 0 sequence 30 deny ipv6 any host 2001:DB8::0:4:0:4444 routing-type 0 (127 matches) sequence 40 deny ipv6 any host FE80::218:74FF:FEB5:A41B routing-type 0 sequence 50 deny ipv6 any host FE80::218:74FF:FEB5:A41A routing-type 0 sequence 60 deny ipv6 any host FE80::218:74FF:FEB5:A419 routing-type 0 sequence 70 deny ipv6 any host 2001:DB8::0:F:0:FFFF routing-type 0 sequence 80 deny ipv6 any host 2001:DB8::0:F:0:F00D routing-type 0 sequence 90 deny ipv6 any 2001:DB8::/32 routing-type 0 (173 matches) sequence 100 -- ACL Policy Truncated -- -- Permit/deny all other IPv6 Layer 3 and Layer 4 -- -- traffic in accordance with existing security -- -- policies and configurations. -- ios-router#
In the preceding example, access list , which is applied in the ingress direction on interface GigabitEthernet0/0, denied 9 IPv6 Type 0 Routing header packets on ACE sequence ID 10, 127 IPv6 Type 0 Routing header packets on ACE sequence ID 40, and 173 IPv6 Type 0 Routing header packets on ACE sequence ID 100.
Control Plane Policing
With Control Plane Policing (CoPP), after the policy map is applied to the control plane, administrators can use the show policy-map control-plane and show ipv6 access-list commands to identify the number of packets that have been sent to the management and control planes and dropped by the CoPP policy. Packets dropped by CoPP should be investigated to determine whether they are being used maliciously.
Example output for show policy-map control-plane and show ipv6 access-list DROP-IPv6-RH0 follows:
ios-router#show policy-map control-plane Control Plane Service-policy input: DROP-UNAUTHORIZED-INFRA-TRAFFIC Class-map: drop-IPv6-RH0-class (match-all) 41 packets, 14846 bytes 5 minute offered rate 3000 bps, drop rate 3000 bps Match: access-group name DROP-IPv6-RH0 drop Class-map: class-default (match-any) 1804 packets, 144288 bytes 5 minute offered rate 4000 bps, drop rate 0 bps Match: any ios-router# ios-router#show ipv6 access-list DROP-IPv6-RH0 IPv6 access list DROP-IPv6-RH0 permit ipv6 any any routing-type 0 (41 matches) sequence 10 ios-router#
In the preceding example, the CoPP policy dropped 41 (total) IPv6 packets with a Type 0 Routing header by using the access control list , which is associated with CoPP.
Spoofing Protection Using IPv6 Unicast RPF
With Unicast RPF for IPv6 properly deployed and configured throughout the network infrastructure, administrators can use the show ipv6 interface, show cef drop, show cef interface internal, and show ipv6 traffic commands to identify the number of IPv6 packets that Unicast RPF for IPv6 has dropped.
Note: The show | begin and show | include command modifiers are used in the following examples to minimize the amount of output that administrators need to parse to view the desired information. Additional information about command modifiers is available in the show command sections of the Cisco IOS Configuration Fundamentals Command Reference.
Note: show cef interface internal is a hidden command that must be fully entered at the command-line interface. Command completion is not available for it.
ios-router# ios-router#show ipv6 interface GigabitEthernet 0/0 | begin Unicast RPF Unicast RPF Process Switching: 0 verification drops 0 suppressed verification drops CEF Switching: 12 verification drops 0 suppressed verification drops Inbound access list infrastructure-acl-policy ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds ND advertised default router preference is Medium Hosts use stateless autoconfig for addresses. ios-router# ios-router#show cef drop IPv6 CEF Drop Statistics Slot Encap_fail Unresolved Unsupported No_route No_adj RP 51 0 0 12 0 ios-router# ios-router#show cef interface GigabitEthernet 0/0 internal | begin IPv6 unicast RPF IPv6 unicast RPF: acl=None, drop=12, sdrop=0 IPv6: enabled 1 unreachable TRUE redirect TRUE mtu 1500 flags 0x0 Switching mode is CEF Input features: Ingress-Netflow RPF ACL Output features: Post-Ingress-Netflow Egress-Netflow Inbound access list: infrastructure-acl-policy ios-router# ios-router#show ipv6 traffic | inc RPF 12 unicast RPF drop, 0 suppressed RPF drop ios-router#
In the preceding examples, Unicast RPF for IPv6 has dropped 12 IPv6 packets received on interface GigabitEthernet0/0 due to the inability to verify the source address of the IPv6 packets within the Cisco Express Forwarding Forwarding Information Base.
Cisco ASA, PIX, and FWSM Firewalls
After the IPv6 access list is applied to an interface in the ingress direction, administrators can use the show ipv6 access-list command to identify the number of IPv6 packets being filtered. Filtered packets should be investigated to determine whether they are being used maliciously. Example output for show ipv6 access-list follows:
firewall# show ipv6 access-list DENY-IPv6-ALL-RH-TYPES ipv6 access-list DENY-IPv6-ALL-RH-TYPES; 6 elements ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 1 remark -- Deny IPv6 traffic sent to specific IPv6 enabled hosts behind the firewall -- ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 2 deny ip any host 2001:db8::1:0:1111 (hitcnt=69) ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 3 deny ip any host 2001:db8::2:0:2222 (hitcnt=0) ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 4 deny ip any host 2001:db8::3:0:3333 (hitcnt=37) ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 5 deny ip any host 2001:db8::4:0:4444 (hitcnt=18) ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 6 permit tcp host 2001:db8::f:0:f:f00d host 2001:db8::f:0:ffff eq bgp (hitcnt=11) ipv6 access-list DENY-IPv6-ALL-RH-TYPES line 7 permit tcp host 2001:db8::f:0:f:ffff host 2001:db8::f:0:f00d eq bgp (hitcnt=9) firewall#
In the preceding example, access list denied a total of 124 unauthorized IPv6 packets on line 2, line 4, and line 5 for hosts behind the IPv6-enabled firewall, and permitted a total of 20 authorized IPv6 packets on line 6 and line 7 from known trusted hosts for BGP on TCP port 179. IPv6 access list is applied in the ingress direction on interface .
References
RFC 1883 Internet Protocol, Version 6 (IPv6) Specification (obsoleted)
http://tools.ietf.org/html/rfc1883
RFC 2460 Internet Protocol, Version 6 (IPv6) Specification (current)
http://tools.ietf.org/html/rfc2460
IPv6 Routing Headers Security, presented at CanSecWest 2007 by Philippe Biondi and Arnaud Ebalard
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
The IPv6 Type 0 Routing Header Issue
http://www.natisbad.org/
Scapy (Philippe Biondi) and Scapy6 (IPv6 extension for Scapy, Guillaume Valadon and Arnaud Ebalard)
http://www.secdev.org/projects/scapy/ and http://www.natisbad.org/scapy/
IPv6 Ping Pong, May 2007, by Geoff Huston
http://www.potaroo.net/ispcol/2007-05/6pong.txt or http://ispcolumn.isoc.org/2007-05/6pong.txt
Experts Scramble to Quash IPv6 Flaw, 2007-05-09 (May 9, 2007), by Robert Lemos, SecurityFocus
http://www.securityfocus.com/news/11463
IPv6 Protocol Type 0 Route Header Denial of Service Vulnerability
http://www.securityfocus.com/bid/23615/
Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-jabley-ipv6-rh0-is-evil-00
Security of IPv6 Routing Header and Home Address Option
http://tools.ietf.org/html/draft-savola-ipv6-rh-ha-security-00
Note About Routing Header Processing on IPv6 Hosts
http://tools.ietf.org/html/draft-savola-ipv6-rh-hosts-00
IPv6 Type 0 Routing Header Processing
http://tools.ietf.org/html/draft-savola-ipv6-rtheader-00
Deprecation of Type 0 Routing Headers in IPv6
http://tools.ietf.org/html/draft-ietf-ipv6-deprecate-rh0-00
Firewalling Considerations for IPv6
http://tools.ietf.org/html/draft-savola-v6ops-firewalling-00
Detecting Loops in the IPv6 Routing Header Type 0
http://tools.ietf.org/html/draft-manral-ipv6-detecting-loops-rh-00
IPv6 Transition/Co-existence Security Considerations
http://tools.ietf.org/html/draft-ietf-v6ops-security-overview-00
IPv6 Home Page on Cisco.com
http://www.cisco.com/go/ipv6
IPv6 Extension Headers Review and Considerations
http://www.cisco.com/en/US/tech/tk872/technologies_white_paper0900aecd8054d37d.shtml
Cisco IOS IPv6 Command Reference
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/command/reference/ipv6_book.html
Cisco IOS IPv6 Configuration Library
http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/ip6-config_lib.html
Unicast RPF for IPv6 on the Cisco 12000 Series
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00803e9789.html
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
Back to Top
[Update] The Blood Type Diets : Blood Type O | type 0 – NATAVIGUIDES
Blood Type O
What Makes a ‘Type O’ an Individual?
What makes Me Me and You You?
This is the question that is at the heart of the genetic puzzle. It is also central to our exploration of blood types. The key is genetic heritage – the story line of your life. Even though you are living in the 21st century, you share a common bond with your ancestors. The genetic information that resulted in their particular characteristics has been passed on to you.
People who are O blood type have a different set of characteristics than people who are Type B or Type A – they are susceptible to different diseases, they should eat different foods and exercise in a completely different manner. Dr. D’Adamo, author of the best selling books Eat Right for Your Type and Live Right for Your Type, among others, gives us a blueprint for living in his books. Read on to learn more about the Type O individual.
The Blood Type O Individualized Lifestyle
Why are some people plagued by poor health while others seem to live healthy, vital lives even late in life? Does blood type influence personality? A single drop of blood contains a biochemical make up as unique as your fingerprint. Your blood type is a key to unlocking the secrets to your biochemical individuality. Foods and supplements contain lectins that interact with your cells depending on your blood type. This explains why some nutrients which are beneficial to one blood type, may be harmful to the cells of another. Dr. Peter D’Adamo, the author of the best selling books Eat Right for Your Type and Live Right for Your Type gives Type O’s some tips on leading a healthy lifestyle.
Read More
View Popular Recipes for Type O
The Type O Profile
Type O was an early success formula. It is the only blood type that carries two opposing blood type antibodies (one blood type A and another against blood type B). These antibodies undoubtably conveyed some survival advantage, as many of the common diseases that plagued our ancestors possessed markers (antigens) that simulated the other blood types. Thus, what is commonly considered a transfusion complication was, in type O, a very useful defensive benefit. However, when misdirected, this innate immune reactivity can sometimes get in the way of good health. Blood Type O may be predisposed to certain illnesses, such as ulcers and thyroid disorders. In the 1950’s it was discovered that Type O’s had about twice the instances of ulcers of all kinds than the other blood types. These findings have been replicated many times since then.
Type O Strengths and Weaknesses
We’ve already mentioned the tendency of type O towards higher levels of stomach acid. There is also another unique characteristic of type O that is perhaps even more important: This blood type has a very well-developed ability to digest meals that contain both protein and fat. This is because two chemicals used by the digestive tract, an enzyme called intestinal alkaline phosphatase, and a lipoprotein called ApoB48 are secreted into the digestive tract in much higher amounts by type O’s. These digestive factors greatly enhance the ability of type O to not only metabolize the choelsterol in animal products more efficiently, but also greatly increase their ability to heal their digestive tract and better assimilate calcium. However, these very same strengths come at a cost: in Type O simple carbohydrates, especially from grains, are more easily converted into fats and triglycerides. Many grains also contain reactive proteins called lectins that can ramp up the type O immune system, resulting in unwanted inflammation and auto-immunity.
Read More
Blood Types, Fats and the Intestines
Manage Your Type O Stress
The legacy of your Type O ancestry causes an immediate “fight or flight” response in people of this blood type. However, this finely tuned response to stress, so vital in early Type O’s, is not always so beneficial in modern times. The Type O response can cause bouts of excessive anger, temper tantrums, hyperactivity and even create a severe enough chemical imbalance to bring about a manic episode. Since there is a powerful, synergistic relationship between the release of dopamine and feelings of reward, Type O is more vulnerable to destructive behaviors when overly tired, depressed or bored. These can include gambling, sensation seeking, risk taking, substance abuse and impulsivity. To avoid becoming overstressed, Dr. D’Adamo recommends following the Type O diet, which focuses on lean, organic meats, vegetables and fruits and avoid wheat and dairy which can be triggers for digestive and health issues in Type O. Additionally, he suggests that Type O’s avoid caffeine and alcohol. Caffeine can be particularly harmful because of its tendency to raise adrenaline and noradrenaline, which are already high for Type O’s.
Energize – The Essential Exercise Component
Type O’s benefit tremendously from brisk regular exercise that taxes the cardiovascular and muscular skeletal system. But the benefit derived surpasses the goal of physical fitness. Type O also derives the benefit of a well timed chemical release system. The act of physical exercise releases a swarm of neurotransmitter activity that acts as a tonic for the entire system. The Type O who exercises regularly also has a better emotional response. You are more emotionally balanced as a result of well regulated, efficient chemical transport system. More than any other blood type, O’s rely on physical exercise to maintain physical health and emotional balance. Dr. D’Adamo suggests that Type O’s engage in regular physical activity three to four times per week. For best results, engage in aerobic activity for thirty to forty five minutes at least four times per week. If you are easily bored, choose two or three different exercises and vary your routine.
Read More
Blood Group Genetics, Exercise and Stress
Live Right!
In addition to exercising and eating foods that are Right For Your Type, here are a few key lifestyle strategies for Type O individuals:
- Develop clear plans for goals and tasks – annual, monthly, weekly, daily to avoid impulsivity.
- Make lifestyle changes gradually, rather than trying to tackle everything at once.
- Eat all meals, even snacks, seated at a table.
- Chew slowly and put your fork down between bites of food.
- Avoid making big decisions or spending money when stressed.
- Do something physical when you feel anxious.
- Engage in thirty to forty five minutes of aerobic exercise at least four times per week.
- When you crave a pleasure releasing-substance (alcohol, tobacco, sugar), do something physical.
Dr. D’Adamo recommends that Type O, “Approach this program as a long term strategy. This is not a short term goal, rather a lifestyle that you adapt for a lifetime of health and well being. There is no doubt that there is a connection between the mind and the body. The knowledge that we can do something to change our genetic destiny is powerful.”
Click Here to read more helpful articles about the Blood Type Diet.
Type O Negative – I Don’t Wanna Be Me [OFFICIAL VIDEO]
Type O Negative’s video for ‘I Don’t Wanna Be Me’ off the album Life Is Killing Me available now on Roadrunner Records. Download now on iTunes: http://smarturl.it/tonlikm
LYRICS
I don’t wanna be me anymore
Ever throwing at his home
Two glass houses, twenty stones
Fourteen yellow, six are blue
Could it be worse?.. Quite doubtful.
I don’t wanna be me anymore
I don’t wanna be me anymore
12
1234.
Two steps forward, three steps back
Without warning, heart attack
He fell asleep in the snow
Never woke up, died alone
I don’t wanna be me anymore
I don’t wanna be me anymore
12
1234.
[x2]
Please don’t dress in black
When you’re at his wake
Don’t go there to mourn
But to celebrate
I don’t wanna be me anymore
I don’t wanna be me anymore
12
1234.
I don’t wanna be me anymore
I don’t wanna be me anymore
นอกจากการดูบทความนี้แล้ว คุณยังสามารถดูข้อมูลที่เป็นประโยชน์อื่นๆ อีกมากมายที่เราให้ไว้ที่นี่: ดูความรู้เพิ่มเติมที่นี่
Battlefield 2042 Multiplayer Livestream! – All Out Warfare! (LEVEL 37+)
I stream pretty much everyday \u0026 upload about 6 videos a week. Its only Battlefield that you will find on this channel and Maybe some other FPS games every now and than.
More Battlefield on My 2nd Channel! https://www.youtube.com/channel/UCZARpe5ZcBnXtzFI7QyC9zA
More Battlefield Clips on My 3rd Channel https://www.youtube.com/channel/UCU314hF_bHvB6QtKuezdiQ
My TikTok account: https://www.tiktok.com/@maxiqyt
My Instagram account: https://www.instagram.com/maxiqyt/
Want to support a little extra?
Donations appear on screen, Every donation helps, nothing is too small.
https://streamlabs.com/maxiq
Want to become a Member? (I add Tier 3 Members on PS5 \u0026 Crossplay) use: https://www.youtube.com/channel/UCmgOCibflFwaslTaKLP9Fzg/join
Check out My own Apex Gaming PC Line: https://apexgamingpcs.com/products/maxiq
Get My Merch Here:
https://teespring.com/en/stores/maxiqyt
A big thank you to all the Members You guys are Legends!:
TIER 5: Darkbotrules, buljong bosse, proLegion Gavin, Ilicitano1975, Shift Boy, Matt Bing, Zaalix, Brandon Difford
TIER 4: SpotOmnivore 109, MzudemS, JayFz8, Apxcalypse, MimsLawn, Simewinder, Conor Hogan, Shawn Harvey
TIER3: TheDisabledMachine, ShakeN001, Madkiwi Gaming, Splash, FightForHonor, AVASTANDARD, Epp, atomdarkshadow, speedbamTTV, Grolorix, Dr Acula1Vile Breath, x shocks, TORTILLABUN, Shiro Kush, Bigdaddy gamings, Mikael Malmsten
TIER 2: supe32, Project TokyO, Henryp44, Ol Reperbate, [MxQ]Kdog, 🔸Jelly🔸, proud gunowner26, KingOneShot, zito313, TaHriC, Salty Addicts, Josh Brown, Derek H ZIPPER_ZERO, morrison, TheFlemishBeast, OuTkasT79, lPYROABLAZEl, KaneDidntDoIt, Darth Twerk, xBigSaintx, FinnishUncleSam, HarryBoGold, BuII HD, vofff, Mickamage, SITH_THE_EXP, KnockOut, Jan Tijssen, AlsoDiablo, EarlyPaus, Saint, xSPARTACUS1977x, RichG811, wiz29, Creeping_Sloth, bbcoachjw33, Deimos_009, Josh Tonkin, Underdog, Bubba Gump Shrimp, Heath Lynes, Fred Nugent, Wide Arch Shark, Boemboempapi, [MxQ]SaucySev, Dunkarizona, Danny Krikke, Suleiman Taie, Rushi Patel, Daniel_1989, nuTella78, Rubydeath00 00, Smash, Rocky, Herschel Crouse, jan, Ultras_Kenny, YourBigBrotherSteve, KibaTheWolf X, Swift Media, Mohamed Osama, Jdrum, Dani Nutdestroyer_89, AlphA Evo, DalyLad98, Lars Indo, drag_0n_x78_63 yt, c0ca1n, Headsie, ThomasK247, litter_isak, Rellt, vBlackout, Nicolas Kr, Grenadeuser, Peter McGregor, Joshua Maroney, Sweaty Poptarts, Nighthawk, NoahJamesYT, Luis Velez, moritz stiftinger, Jimmy James, maliki lipscomb, Rezza DYO, BoZo, EpicMemeFace, Falcone CW, vAldin, jordan defone, XxUncle_StalinxX, Hxtxd_demon, Johnny Hastings, Kirdow Plays, Mr ClapNdemCheeks, OfficiallyZinq, starwatcher73, HorizonPlayz, Electrifier, Jordy11, Georgy Turkman, Alissa Thornbury, Jonathan sauder, BB Everjoy, Christopher Slone, Adam Alboori, ARn0
1K$ HALL OF FAME (Biggest single Donos I have ever gotten)
All Time Top Single Donation: Daniel Benz $1225,75
DarkbotRules: $1050
Crispy Bacon: $1000
SAMMII: $1000
DONATION CHALLANGES:
At the Moment I don’t take Donation challanges, unless it is a very high donation or a gun request. Be sure to confirm the Challange before you Donate otherwise the Challange might be refused
A big thank you to the moderators:
Project TokyO, Kast, Kdog, DonnYTello, Mehdi, Exotic, Bolty, KingOneShot, C Mags, Cender, TheZguy, Jelly, FinnishNcoUncleSam, Greenmonkey0181, Max G,
GovaertDesign (Max G) For doing the Designs on my channel \u0026 Twitter
Stream graphics designed by Akshay R. C. (https://linktr.ee/arc_design)
FACE REVEAL: Type in chat: !insta
Battlefield 2042 settings: Type in chat: !settings
Battlefield 2042 Sniper Tips: Type in chat: !sniper
Follow me on twitter : https://twitter.com/MaxiqYT
PSN/XBOX: MaxiqYT
Join My Discord Server! https://discord.gg/cNchxpa
Epic SciFi Military by Infraction
Song: Aliaksei Yukhnevich End of the Abyss (No Copyright Music) Music provided by Tunetank. Free Download: https://bit.ly/2xtEXR1 Video Link: https://youtu.be/hoap3gfnrgo
(End of Abyss: https://tunetank.com/t/2cnn/621endoftheabyss)
BF2042, battlefield 2042, BATTLFIELD 2042 LIVESTREAM, 2042, SNIPER GAMEPLAY, assault gameplay, bf2042 gameplay, SMG GAMEPLAY, shotgun gameplay, recon gameplay, vehicle gameplay, BETA gameplay, battlefield 2042 beta gameplay, livestream, gameplay, bf2042 settings, specialists, Portal Gameplay, Battlefield 2042 Portal, best player, ps5 gameplay, xbox gameplay, pc gameplay, crossplay, tank gameplay, jet gameplay, helicopter gameplay, BF2042, Battlefield2042, Livestreamgameplay,livestream,gameplay,bf2042 settings,specialists,Portal Gameplay,Battlefield 2042 Portal,best player,ps5 gameplay,xbox gameplay,pc gameplay,crossplay,tank gameplay,jet gameplay,helicopter gameplay,BF2042,Battlefield2042,livestream
Final Fantasy Type-0 HD – English Walkthrough Part 1 – Prologue
Final Fantasy Type0 HD walkthrough on the PS4 is here!
This is my full walkthrough in english through the PSP classic Final Fantasy Type0 which has been remade for the PS4 and Xbox One.
Hit the like button if you enjoyed the video and want more!
FINAL FANTASY TYPE-0 HD Opening Cinematic
Type0 HD now on Steam!
Type O Negative – My Girlfriend’s Girlfriend [OFFICIAL VIDEO]
Type O Negative’s video for ‘My Girlfriend’s Girlfriend’ off the album October Rust available now on Roadrunner Records. Download now on iTunes: http://smarturl.it/tonoctoberrust
LYRICS
Say \”ah\”.
It’s no secret we’re close
As sweaty velcro,
Like latex, fur and feathers
Stuck together
Now.
In their ’62 ‘vette
Sharing one cigarette,
In a black light trance then
Go go dance
Then.
Go go trance
Then.
They keep me warm on cold nights
We must be quite a sight,
In our meat triangle
All tangled.
Wow.
My girlfriend’s girlfriend
She looks like you,
My girlfriend’s girlfriend
She’s my girl too.
Her and me an her and she and me
An uncrowded couple
are we three.
And we don’t care what people say,
When walking hand in hand down Kings Highway
Two for one today.
My girlfriend’s girlfriend
She looks like you
My girlfriend’s girlfriend
She’s my girl too
My girlfriend’s girlfriend
She looks like you
My girlfriend’s girlfriend
She’s my girl…
นอกจากการดูบทความนี้แล้ว คุณยังสามารถดูข้อมูลที่เป็นประโยชน์อื่นๆ อีกมากมายที่เราให้ไว้ที่นี่: ดูบทความเพิ่มเติมในหมวดหมู่LEARN FOREIGN LANGUAGE
ขอบคุณที่รับชมกระทู้ครับ type 0