From secdir-bounces@ietf.org Sun Feb 1 00:19:28 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E3B93A6801; Sun, 1 Feb 2009 00:19:28 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1EEF83A6801 for ; Sun, 1 Feb 2009 00:19:27 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.739 X-Spam-Level: X-Spam-Status: No, score=-2.739 tagged_above=-999 required=5 tests=[AWL=-0.139, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpAa7aIxu1Lq for ; Sun, 1 Feb 2009 00:19:26 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 2D0903A67E5 for ; Sun, 1 Feb 2009 00:19:25 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id n118J5kE042389 for ; Sun, 1 Feb 2009 03:19:05 -0500 (EST) (envelope-from weiler+secdir@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id n118J48g042385 for ; Sun, 1 Feb 2009 03:19:05 -0500 (EST) (envelope-from weiler+secdir@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Sun, 1 Feb 2009 03:19:04 -0500 (EST) From: Samuel Weiler X-X-Sender: weiler@fledge.watson.org To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (fledge.watson.org [127.0.0.1]); Sun, 01 Feb 2009 03:19:05 -0500 (EST) Subject: [secdir] Assignments for February 8th X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Many changes since last week: about a dozen new assignments, and some docs have fallen off of the list because they were on this past week's telechat. Susan Thomson is next in the rotation. Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview -- Sam For telechat 2009-02-10 Reviewer Draft Phillip Hallam-Baker T draft-atlas-icmp-unnumbered-06 Love Hornquist-Astrand T draft-ietf-ccamp-gr-description-04 Jeffrey Hutzelman T draft-ietf-ccamp-pc-and-sc-reqs-06 Hilarie Orman T draft-ietf-ippm-duplicate-07 Last calls and special requests: Reviewer Draft Derek Atkins draft-ietf-avt-post-repair-rtcp-xr-04 Rob Austein draft-ietf-dime-qos-parameters-09 Alan DeKok draft-ietf-roll-home-routing-reqs-06 Phillip Hallam-Baker draft-ietf-radext-design-05 Steve Hanna draft-ietf-eai-downgrade-11 Paul Hoffman draft-ietf-behave-turn-12 Scott Kelly draft-ietf-tsvwg-rsvp-proxy-approaches-06 Scott Kelly draft-ietf-mediactrl-architecture-04 Julien Laganier draft-ietf-sip-certs-07 Chris Lonvick draft-ietf-ccamp-path-key-ero-03 Catherine Meadows draft-ietf-speechsc-mrcpv2-17 Catherine Meadows draft-groves-megaco-pkgereg-02 Alexey Melnikov draft-ietf-avt-rfc3047-bis-08 Sandy Murphy draft-ietf-mpls-mpls-and-gmpls-security-framework-04 Sandy Murphy draft-ietf-avt-rtcp-non-compound-08 Vidya Narayanan draft-ietf-sip-saml-05 Vidya Narayanan draft-ietf-avt-rtp-speex-05 Magnus Nystrom draft-ietf-avt-rtp-uemclip-04 Radia Perlman draft-ietf-mmusic-decoding-dependency-05 Eric Rescorla draft-wing-sipping-srtp-key-04 Eric Rescorla draft-ietf-mmusic-sdp-source-attributes-02 Joe Salowey draft-ietf-geopriv-lis-discovery-05 Stefan Santesson draft-ietf-rserpool-mib-10 Juergen Schoenwaelder draft-ietf-sipping-sip-offeranswer-10 Yaron Sheffer draft-ietf-xcon-event-package-01 Sam Weiler draft-chown-v6ops-rogue-ra-02 Brian Weis draft-ietf-pim-sm-linklocal-05 Nico Williams draft-ietf-v6ops-ra-guard-01 Larry Zhu draft-thaler-v6ops-teredo-extensions-02 _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Sun Feb 1 02:25:36 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0AFBA3A6B7E; Sun, 1 Feb 2009 02:25:36 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0277C3A68BC; Thu, 29 Jan 2009 11:54:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.413 X-Spam-Level: X-Spam-Status: No, score=-6.413 tagged_above=-999 required=5 tests=[AWL=-0.129, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kn4EQQQsykoO; Thu, 29 Jan 2009 11:54:52 -0800 (PST) Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by core3.amsl.com (Postfix) with ESMTP id 79AEC3A687E; Thu, 29 Jan 2009 11:54:52 -0800 (PST) Received: from [127.0.0.1] (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 610A3A94439; Thu, 29 Jan 2009 19:54:31 +0000 (UTC) Message-Id: <0EA59E43-DC4F-4510-9E80-76C0D89C3A8F@mail-abuse.org> From: Douglas Otis To: Barry Leiba In-Reply-To: <675489E3DF05B8FA18C3C849@Uranus.home> Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 29 Jan 2009 11:54:30 -0800 References: <675489E3DF05B8FA18C3C849@Uranus.home> X-Mailer: Apple Mail (2.930.3) X-Mailman-Approved-At: Sun, 01 Feb 2009 02:25:34 -0800 Cc: draft-kucherawy-sender-auth-header@tools.ietf.org, draft-otis-auth-header-sec-issues@tools.ietf.org, apps-review@ietf.org, iesg@ietf.org, secdir@ietf.org Subject: Re: [secdir] [APPS-REVIEW] secdir review of draft-kucherawy-sender-auth-header-20 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org On Jan 25, 2009, at 7:52 AM, Barry Leiba wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > Specifically, I've been asked to review draft-kucherawy-sender-auth- > header-20, after having reviewed the -18 revision, and to consider > draft-otis-auth-header-sec-issues-00 in the review. I'm also > copying this review to the apps-review list, since it's relevant > there. > > I've looked at the diffs between the -18 and -20 versions, to make > sure I didn't miss any changes, and I've reviewed the -20 version as > a whole. I've also looked at the comments and questions that have > come up during IESG evaluation. > > My evaluation of the document stands from the -18 version -- the -19 > and -20 revisions have made clarifications over -18, in response to > other comments, and that's good. But the document was basically > sound then, and reflected rough consensus of the participants from > the email-developer community, and still does. > > Considering draft-otis-auth-header-sec-issues-00: Doug's main point > appears to involve a disagreement with Murray's decision not to > include the IP address, for SPF and Sender-ID cases (for simplicity, > I'll just say "SPF" to refer to both in this review). Murray > instead includes only the domain that has been verified (or not) > *using* the IP address. His complaint is that the header field > "fails to offer the authenticated entity being trusted in the > exchange, the IP address of the SMTP client." In other words, Doug > considers that it's the IP address, not the ADMD, that has been > "authenticated". > > I disagree, but this is a tricky area, because we're not wading in a > typical sort of authentication pool here -- SPF is actually blending > identity, authentication, and authorization. As I see it, the SPF > model is that the *identity* to be authenticated is taken from the > SMTP MAIL FROM command (for Sender-ID it's derived through the PRA > algorithm), the IP address supplies the authentication > *credentials*, and the DNS lookup both verifies the credentials > (completing the authentication) and returns the authorization > information in one, combined response ("the entity with these > credentials is authorized to send mail on behalf of the identity > 'example.com'."). The IP address of the SMTP is being authorized by a domain. It is not known whether the domain intended the authorization to have been based upon the Mail From or the PRA due to conflicting RFCs. Although the IESG added a warning about this conflict within the respective RFCs, it seems unlikely the warning convinced a substantial portion of those who published an SPF record, to then also add a record intended to support Sender-ID. The statement made within RFC 4406 in regard to unintended use of the SPF record is as follows: ,---- In order to provide compatibility for these domains, Sender ID implementations SHOULD interpret the version prefix "v=spf1" as equivalent to "spf2.0/mfrom,pra", provided no record starting with "spf2.0" exists. ... If the information in a "v=spf1" record is not correct for a PRA check, administrators SHOULD publish either an "spf2.0/pra" record with correct information or an "spf2.0/pra ?all" record indicating that the result of a PRA check is explicitly inconclusive. '---- While this was a way to adopt RFC 4406 without waiting for explicit support, this also created animosity among those not wanting the scope of SPF record changed by what they viewed as interlopers. While the IESG warning may have been well intended to better ensure email acceptance, it would be dangerous to also assume this warning rectified existing conflicts between RFC 4408 and RFC 4406. Secondly, the initial intent of this record was primarily to mitigate backscatter (currently mitigated by RFC 3834 with greater delivery integrity). It remains doubtful that a domain wishing to avoid backscatter, also asserts that their authorization of an SMTP client ensures _only_ their domain controls the use of Mail From parameter or PRA header field. Any assumption that Authorization of an SMTP client represents Authentication of the authorizing domain as a message source ignores these dangerous and likely incorrect assumptions! > Of course, it's entirely reasonable to want the credentials to be > preserved, since they're not secret. I see nothing wrong with > including the IP address, and I wonder why Murray has chosen not > to. That said, I agree with the approach that this field is meant > to convey the *results* of application of an "authentication" > algorithm, and not to give the MUA what it needs to re-run the > authentication. I'll note that the same is true with the application > of this to DKIM: the header field described here does not contain > all the information provided to the DKIM validator. > > So, while I see no harm in including the IP address, I have no > problem with the decision not to. I also note that it can be added > as an extension, if there's demand for that from the MUA vendors. > There doesn't seem to be, at this point. The problem of not including the IP address is many. The header is labeled "Authentication-Results". By excluding the _only_ authenticated source identity, the IP address of the SMTP client, the header becomes dangerously misleading. When there are two entities depicted, a recipient is likely to question which element was authenticated. In addition, it is the SMTP client being trusted to control the use of parameters or header fields that contain the authorizing domain. When this trust is not upheld, the reputation of the SMTP client should be directly affected, and not that of the domain. If access to the SMTP client has been compromised, direct application of SMTP client reputation offers a means for the rapid protection across all domains who may have authorized the SMTP client. Assessing SMTP client reputation against the authorizing domains is unfair for several reasons. The domain is unlikely to control the SMTP client and therefore is unaware of any security breach. Blocking the entire domain also prevents communication through any other secure SMTP client, which makes assessments of the SMTP client by the authorizing domain highly disruptive and unlikely impractical! > There's the issue of needing the IP address to properly assess > reputation. DNS black/white lists (see draft-irtf-asrg-dnsbl) use > the IP address as a reputation key because it's what they have. The > whole *point* of SPF is to translate the IP address into a confirmed > domain name, to have a more useful reputation key, and this header > field supports that. Strongly disagree. The intent of the Authentication-Results header is for the presentation the results of the methods _after the reputation of the message's authenticated origination was checked_. The only authenticated identifier of the message's origination is the IP address of the SMTP client in the case of SPF and Sender-ID. The draft does not mandate that the reputation of the source be checked prior to adding this header. In fact the example given for look-alike domains indicates an expectation that the header is added without prior reputation checks regarding what is safe to be annotated. The draft only requires the reputation of the message source be checked prior to revealing these results to users, which is normally a function of an application down stream from that of the border MTA. Although the border MTA that will be making acceptance assessments, these assessments may not relate to the safe source annotations of Mail From or PRA parameters or header fields. > That said, there are result values that do not allow the use of the > ADMD as a key to a reputation check: "none" and "neutral", for > example, explicitly refuse to tie the IP address to the domain > name. In such cases it might be useful to have the IP address > available for fall-back reputation checks. The IP address of the SMTP client is the only reputation check that should be made! While there are hundreds of millions of domains, there are about 1.5 million SMTP clients that earn good reputations. The issue is not about which message is accepted, (a function of the border MTA), this is about what domain can be safely revealed to users. Whether the SMTP client protects these fields is the essential question that needs to checked. Appendix D reaches several incorrect conclusions, primarily based upon assessments about whether a message should be accepted, but not about which parameters or fields should be highlighted to users as the source of the message. With malware being so rampant and polymorphic, the source of an item represents an extremely critical aspect of security these days. It is not safe to assume that malware can always be detected. The malware can come in the form documents, images, or videos that many incorrectly consider inherently safe. > On the other hand, it's likely that the mail system will have done > other checks at the domain boundary besides just SPF. Putting the > responsibility for IP-address-based checks in the MUA is probably > unwise anyway. The draft places this responsibility ONLY on the application that is revealing the results! There are NO assurances within the header that any reputation checks have even been made! Preventing a reputation check of the SMTP client by the MUA for either SPF or Sender-ID methods is extremely unwise and will endanger users. > Doug also worries about the use of the "local part" in SPF cases. I > know that Doug is bothered by the local-part stuff in general, and I > agree with some of his concerns. I think, though, that those > concerns aren't relevant to this document -- the document, again, is > reflecting the *results* of the SPF check, which may or may not > involve the local part. This document is not *adding* anything in > that regard. Actually it does increase the concerns related to the use of the local- part macros available within SPF. This draft adds a stipulation that local-part annotations be "authenticated" which will be interpreted to mean that local-part macros must be used. In essence, the entire SPF SMTP client IP address authorization scheme MUST BE REPEATED for every user within a domain! In addition, many of the related transactions are likely to occur as a result of a cached SPF record. The amount of DNS traffic this generates might even saturate OC192 connections, let alone swamp victim DNS servers. This enables a free attack while spamming! > Finally, Doug appears to dislike the use of the word > "authentication" here, and I agree with him. As I said above, SPF > (for example) isn't *really* an authentication system, and it's > unfortunate that we've fallen into using that term for it. But the > fact is that we *have* fallen into it, and I think there'd be more > damage done by trying to use a different term than there is by using > the term that's come to be accepted, and to acknowledge that it's > not strictly correct. The dangers are to recipients that are about to see these misrepresented results as a result of this draft. At least getting the terminology correct now will allow a better understanding of the risks related to the methods being displayed. > So, here's the bottom line: > 1. I think draft-kucherawy-sender-auth-header-20 is ready to go as > it is. Strongly disagree. > 2. I'd like it if we weren't calling all this "authentication", but > I don't see any way around it and I recommend that it NOT be changed. Why? > 3. I wouldn't object to the inclusion of the IP address in the > header field for SPF and Sender-ID cases, but I don't think it's > necessary and support the decision not to include it. Not including the IP address will mostly likely become a basis for an appeal. There is no desire to impugn the integrity of those involved in the consensus building process related to this draft, but there is also reason to be believe special interests were influential in shaping this consensus, where the general good of the public and the Internet was not properly considered. My humble apologies to those offended by an appeal not to accept the consensus for this draft. Two years of misrepresenting a method intended to provide an allusion of security, that also makes mitigating security breaches impractical, can not justify the dangerous decisions that shaped this draft. -Doug _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Sun Feb 1 02:25:36 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 211F228C0FC; Sun, 1 Feb 2009 02:25:36 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A3F828C0D9 for ; Fri, 30 Jan 2009 08:33:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[AWL=0.163, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5etvav85uq3c for ; Fri, 30 Jan 2009 08:33:49 -0800 (PST) Received: from outbound-mail-40.bluehost.com (outbound-mail-40.bluehost.com [69.89.20.194]) by core3.amsl.com (Postfix) with SMTP id D61E63A6B68 for ; Fri, 30 Jan 2009 08:33:48 -0800 (PST) Received: (qmail 26924 invoked by uid 0); 30 Jan 2009 16:33:22 -0000 Received: from unknown (HELO box474.bluehost.com) (74.220.219.74) by outboundproxy2.bluehost.com with SMTP; 30 Jan 2009 16:33:22 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=labn.net; h=Received:X-Mailer:Date:To:From:Subject:Cc:In-Reply-To:References:Mime-Version:Content-Type:X-Identified-User; b=eANeD46B5Pacu4jBs+ROJeCuaS2voNiDAGRBPIQneKiKLHnvLbayszPEYMAJiIaqyCgPTIWIF/kNPS3roaZoNB1Rwg3QCJXjm1zC/vREgIiRpRlF2dZ2UJ20257STS0E; Received: from box474.bluehost.com ([74.220.219.74] helo=LC2.labn.net) by box474.bluehost.com with esmtpa (Exim 4.69) (envelope-from ) id 1LSwJ9-0002QS-1i; Fri, 30 Jan 2009 09:33:31 -0700 X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 30 Jan 2009 11:33:19 -0500 To: Stephen Kent From: Lou Berger In-Reply-To: References: <200812161700.31641.julien.laganier.IETF@googlemail.com> <20090128192024.568F03A6C06@core3.amsl.com> Mime-Version: 1.0 X-Identified-User: {2629:box474.bluehost.com:labnmobi:labn.net} {sentby:smtp auth 74.220.219.74 authed with lberger@labn.net} Message-Id: <20090130163348.D61E63A6B68@core3.amsl.com> X-Mailman-Approved-At: Sun, 01 Feb 2009 02:25:34 -0800 Cc: draft-ietf-softwire-encaps-ipsec@tools.ietf.org, secdir@ietf.org, Tim Polk , softwire-chairs@tools.ietf.org, Lou Berger , iesg@ietf.org Subject: Re: [secdir] SECDIR review of draft-ietf-softwire-encaps-ipsec-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Steve, Thanks for the comments. Please see below for in-line responses. At 05:14 PM 1/29/2009, Stephen Kent wrote: >Lou, > >As an IPsec guy with an interest in routing, I had a few questions >about this document. > >The current version of IPsec (See RFC 4301) suggests use of ESP-NULL >for the latter security services, rather that AH. However, this >document lists ESP and AH as the two IPsec encapsulation options. It >might be preferable to cite ESP-NULL in lieu of AH here, especially >if integrity is likely to be a commonly-selected service. I believe Eric R (co-author) raised this exact point and proposed to exclude AH completely from the document. I argued that AH wasn't deprecated by 4302 so we should allow for it, and also that this document wasn't the right place to provide guidance on use of AH vs. ESP-NULL. >(It was not clear from the security consideration section whether >the primary focus of this tunnel option was to provide >confidentiality and integrity for traffic, or integrity.) This option is provide a generic support mechanism that can be used for either and is intentionally not biased towards any IPsec tunneling type. >I also think that the IPsec architecture document (RFC 4301) ought >to be cited here as normative, along with the IPsec protocol >specs. If an RFC defines a means of triggering use of IPsec, and >defines parameters that indicate which then the IPsec architecture >document and the relevant IPsec protocol documents strike me as >normative references. For example, when the encapsulation type calls >for an AH or ESP tunnel, the two routers in question need to have >SPD entries that specify the parameters for the tunnel that will be >created, e.g., indicating algorithms, modes, and optional services >like anti-replay. Just saying that a router will create an AH or ESP >tunnel is not specific enough to say what really will happen. The >SPD entries at each end will be used to fill in the details needed >to allow successful creation of the tunnel. So, it seems >appropriate to note this in the document, and to cite the >architecture spec as normative. 100% agree. This will be corrected in the next rev. >Finally, there is no cite for IKE. White it is true that IPsec does >not require use of IKE, I believe that the vast majority of IPsec >implementation use IKE. So, why not call for IKE use here as well, >to negotiate the SA parameters and manage keys. The IETF prefers >automated key management for security protocols, and IKE is the >designated key management protocol for IPsec. Since the document >cites the newest versions of AH and ESP, both of which assume use of >IKEv2, the right cite is to that version of IPsec. okay, will add the reference. Thanks, Lou >Thanks, > >Steve > _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Sun Feb 1 02:25:36 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3049A28C12A; Sun, 1 Feb 2009 02:25:36 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A55E728C2BB for ; Fri, 30 Jan 2009 08:44:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.11 X-Spam-Level: X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp2JUPjFuuIQ for ; Fri, 30 Jan 2009 08:44:13 -0800 (PST) Received: from outbound-mail-141.bluehost.com (outbound-mail-141.bluehost.com [67.222.38.31]) by core3.amsl.com (Postfix) with SMTP id BFB5828C10B for ; Fri, 30 Jan 2009 08:44:13 -0800 (PST) Received: (qmail 16658 invoked by uid 0); 30 Jan 2009 16:41:03 -0000 Received: from unknown (HELO box474.bluehost.com) (74.220.219.74) by outboundproxy5.bluehost.com with SMTP; 30 Jan 2009 16:41:03 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=labn.net; h=Received:X-Mailer:Date:To:From:Subject:Cc:In-Reply-To:References:Mime-Version:Content-Type:X-Identified-User; b=P0cQQWNhTSfp1EZ5UuZzcDA3+nzK/w+CImYWvtC8kxi/F+WysfSdlJ39xD897C9DMOR90hMLQ7K4894oEcupBm1mmYWcPWVKBlQqZVkIr4l69GNcTvXwvAvS9OGgKBsf; Received: from box474.bluehost.com ([74.220.219.74] helo=LC2.labn.net) by box474.bluehost.com with esmtpa (Exim 4.69) (envelope-from ) id 1LSwSG-0000SJ-JM; Fri, 30 Jan 2009 09:42:56 -0700 X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Fri, 30 Jan 2009 11:42:45 -0500 To: Stephen Kent From: Lou Berger In-Reply-To: References: <200812161700.31641.julien.laganier.IETF@googlemail.com> <20090128192024.568F03A6C06@core3.amsl.com> Mime-Version: 1.0 X-Identified-User: {2629:box474.bluehost.com:labnmobi:labn.net} {sentby:smtp auth 74.220.219.74 authed with lberger@labn.net} Message-Id: <20090130164413.BFB5828C10B@core3.amsl.com> X-Mailman-Approved-At: Sun, 01 Feb 2009 02:25:34 -0800 Cc: draft-ietf-softwire-encaps-ipsec@tools.ietf.org, secdir@ietf.org, Tim Polk , softwire-chairs@tools.ietf.org, Lou Berger , iesg@ietf.org Subject: Re: [secdir] SECDIR review of draft-ietf-softwire-encaps-ipsec-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org IKEv2 [RFC4306] will be in the next rev. Thanks, Lou At 10:24 AM 1/30/2009, Stephen Kent wrote: >Whoops, again. I missed that too. But, if one calls for use of the >latest AH and ESP specs, then IKEv2 is needed, since these versions >of the IPsec protocols rely on IKEv2 negotiation capabilities. > >Steve _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Sun Feb 1 09:01:29 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A04C63A6A3B; Sun, 1 Feb 2009 09:01:29 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6EE53A6A3B for ; Sun, 1 Feb 2009 09:01:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.599 X-Spam-Level: X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWTjrtam3c3u for ; Sun, 1 Feb 2009 09:01:27 -0800 (PST) Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by core3.amsl.com (Postfix) with ESMTP id 601123A6A2E for ; Sun, 1 Feb 2009 09:01:21 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.37,360,1231113600"; d="scan'208";a="32504741" Received: from ams-dkim-2.cisco.com ([144.254.224.139]) by ams-iport-1.cisco.com with ESMTP; 01 Feb 2009 17:01:01 +0000 Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n11H10i7002107; Sun, 1 Feb 2009 18:01:00 +0100 Received: from xbh-ams-331.emea.cisco.com (xbh-ams-331.cisco.com [144.254.231.71]) by ams-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n11H1076019021; Sun, 1 Feb 2009 17:01:00 GMT Received: from xfe-ams-331.emea.cisco.com ([144.254.231.72]) by xbh-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 1 Feb 2009 18:01:00 +0100 Received: from ams-flefauch-87112.cisco.com ([10.55.161.205]) by xfe-ams-331.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 1 Feb 2009 18:00:59 +0100 Message-Id: <3FEF0CB3-61A7-4426-9050-CF71CDD6F4C4@cisco.com> From: Francois Le Faucheur IMAP To: Stephen Kent In-Reply-To: Mime-Version: 1.0 (Apple Message framework v930.3) Date: Sun, 1 Feb 2009 18:00:57 +0100 References: X-Mailer: Apple Mail (2.930.3) X-OriginalArrivalTime: 01 Feb 2009 17:01:00.0154 (UTC) FILETIME=[A85B2DA0:01C9848E] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5363; t=1233507660; x=1234371660; c=relaxed/simple; s=amsdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=flefauch@cisco.com; z=From:=20Francois=20Le=20Faucheur=20IMAP=20 |Subject:=20Re=3A=20Comments=20=20on=20draft-ietf-tsvwg-rsv p-proxy-proto-07.txt |Sender:=20; bh=nnsKAOLoYHeJxyLoyByNe3BeMrCiUayBKSLzjE0uP50=; b=HTTu7nyz0KFQ7N2WQip3kkbWbJHjk+HIdVkuJqumJhZIP634G+SvXs4zYJ ZehfFbn8JIU+uomtdX6FcxQHfZTqjXKIx0XlObvHwMUS6iZl59fvSofMwe2+ D/wJSFaQ8d; Authentication-Results: ams-dkim-2; header.From=flefauch@cisco.com; dkim=pass ( sig from cisco.com/amsdkim2001 verified; ); Cc: magnus.westerlund@ericsson.com, Francois Le Faucheur IMAP , allan.guillou@neufcegetel.fr, jmanner@cs.helsinki.fi, tim.polk@nist.gov, Pasi.Eronen@nokia.com, secdir@core3.amsl.com, ashokn@cisco.com Subject: Re: [secdir] Comments on draft-ietf-tsvwg-rsvp-proxy-proto-07.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Hello Steve, Thanks a lot for your comments. We will post a new rev shortly aiming at addressing your comments. Let us know if you have comments/concerns on the proposed resolution approaches as described embedded below: On 17 Dec 2008, at 03:29, Stephen Kent wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > This document defines extensions to RSVP to enable a router to act > as an RSVP "Receiver Proxy," when a sender invokes the proxy through > use of an RSVP Path message (so-called Path-triggered RSVP). (An > RSVP Receiver Proxy is employed when the sender (reservation > requestor) is more than one hop away from the first router that > implements RSVP.). A companion document (ietf-tsvwg-rsvp-proxy- > approaches) is cited as an informative reference, but given that > this document makes extensive use of definitions from that document, > I think it is more properly a normative reference. The companion document (draft-tsvwg-rsvp-proxy-approaches) is going for Information Track while the present document is going for Standards Track. We understand it is not appropriate to normative downref an Informational doc from a Standards doc. If this is not the case, we can certainly move the ref to the Normative Ref section. > > > The use of a receiver proxy for RSVP reverses the usual roles in the > RSVP protocol, and this suggests that there may be new security > concerns, distinct form those usually addressed by RSVP. I expected > he security considerations section address this possible issue, and > about 40% of the text in that section is devoted to this topic, and > it is appropriately addressed. great. > > On page 12 the authors note that certain error cases in multicast > environments could result in transmission of a large number of > PathErr messages to a sender by many receivers. This is cited as a > possible "scalability issue," which I interpret as a euphemism for > DDoS attacks. I also expected to see a mention of this in the > security considerations section, but there was no further discussion > of this DoS issue. The reason we see this case as a scalability issue rather than DDOS is because the device that receives all the multiple PathErr messages is actually the device that can trigger those in the first place (by sending a Path). So we just pointed out that a well-behaved sender may (in some large scale multicast environment) get more PathErr than he'd like. A mis-behaved sender would primarily trigger a self-DDOS than real DDOS. Of course, there is the general security concern about a node sending many RSVP messages to an RSVP neighbor thereby DOSing it (or potentially DDOSing other RSVP nodes since some RSVP messages may in turn trigger multiple RSVP messages). But that is not really specific to PathErr messages and is addressed generically in teh security considerations section when discussing use of RSVP Authentication mechanisms. > > Page 12 also notes that the mandated behavior described in "this > section" (but presumably subsequent sections, i.e., 3.1.1-3.1.4) > does not apply in the case of wildcard filtered reservations. That > seems a bit ambiguous; does this mean that the routers SHOULD/MUST > do nothing in the error cases described later, or that they MAY do > anything that implementors please? Yes, the current text is ambiguous. The right behavior would be that the receiver proxy sends a PathErr message to all the senders. So text will be changed to something like: " For Wildcard-Filter (WF) style reservations, it is not always possible for the Receiver Proxy to reliably know which sender caused the reservation failure. Therefore, the Receiver Proxy SHOULD send a PathErr towards each sender. This means that all the senders will receive a notification that the reservation is not established, including senders that did not cause the reservation failure. Therefore, the method of sender notification via PathErr message is somewhat over-conservative (i.e. in some cases rejecting reservations from some senders when those could have actually been established) when used in combination with Wildcard-Filter style (and when there is more than one sender). " Your comment also made us realize that: * we didn't use 2119 terminology when discussing the FF and SE styles. so we will : s/the Receiver Proxy sends/the Receiver Proxy MUST send/ * we did not include the equivalent discussion on applicability to multicast and WF/SE/FF in section 3.2. So we will add that discussion. > > > I have attached copy of the document, with numerous proposed edits > that I believe will improve readability. > I included your suggestions (and addressed the few comments embedded) in teh new rev that will be posted soon.. Thanks for this very thorough review. Francois > Steve _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 06:16:44 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D5A63A6A13; Mon, 2 Feb 2009 06:16:44 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5C8AA3A677E; Mon, 2 Feb 2009 06:16:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.535 X-Spam-Level: X-Spam-Status: No, score=-6.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USFs-KIWt3aw; Mon, 2 Feb 2009 06:16:35 -0800 (PST) Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id 4B3613A6A0C; Mon, 2 Feb 2009 06:16:32 -0800 (PST) Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx03.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id n12EFmsW004210; Mon, 2 Feb 2009 16:16:10 +0200 Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 2 Feb 2009 16:16:08 +0200 Received: from smtp.mgd.nokia.com ([65.54.30.6]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 2 Feb 2009 16:16:04 +0200 Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.106]) by nok-am1mhub-02.mgdnok.nokia.com ([65.54.30.6]) with mapi; Mon, 2 Feb 2009 15:16:03 +0100 From: To: , Date: Mon, 2 Feb 2009 15:16:02 +0100 Thread-Topic: Pasi's AD Notes for January 2009 Thread-Index: AcmFQMb+KMeFp4+/R2e3EcHeSieBfw== Message-ID: <808FD6E27AD4884E94820BC333B2DB7727E78782E1@NOK-EUMSG-01.mgdnok.nokia.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US MIME-Version: 1.0 X-OriginalArrivalTime: 02 Feb 2009 14:16:04.0568 (UTC) FILETIME=[C88A5580:01C98540] X-Nokia-AV: Clean Subject: [secdir] Pasi's AD Notes for January 2009 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Hi all, Here's again a short status update about what things are going on from my point-of-view. If you notice anything that doesn't look right, let me know -- miscommunication and mix-ups do happen. Best regards, Pasi MISC NOTES - Security area WG chairs had a virtual meeting on January 12 to discuss having "virtual interim meetings" to help WGs get more work done between the IETF meetings. - (not wearing AD hat): Errata #1623 (for RFC 4282): waiting for Dan Romascanu to mark this as "Rejected" with note explaining why WORKING GROUPS DKIM - Lot of discussion about draft-ietf-dkim-rfc4871-errata and the meaning of d=/i= tags (and I haven't read all the emails). - draft-ietf-dkim-ssp: the errata discussion may impact Section 2.7 (or at least the reasoning behind doing it, even if no technical change is done), so currently I'm waiting to see if some kind of consensus is reached before taking ADSP to IESG. - draft-ietf-dkim-overview: in Publication Requested, waiting for ADSP to progress first (but since ADSP is taking longer than expected, I may attempt progressing them in parallel). - Waiting for WG to send list of RFC errata IDs the WG agrees on. EMU - draft-ietf-emu-gpsk: now in RFC Editor Queue/AUTH48 - Discussion about use of EAP type codes in EAP-FAST documents - Verified errata 1389 for EAP-TLS (RFC 5216) IPSECME - Busy month in IPSECME -- and lots of emails that I haven't read yet - Russ verified errata #1502 for RFC 4718 (IKEv2 Clarifications). ISMS - Lots of emails that I haven't read yet. KEYPROV - Lots of emails that I haven't read yet. PKIX - Note: I'm shepherding two PKIX drafts where Tim is a co-author - draft-ietf-pkix-ecc-subpubkeyinfo: in RFC Editor Queue/AUTH48 - draft-ietf-pkix-rfc4055-update: went through IETF Last Call and IESG evaluation; waiting for the authors to propose text to handle Jari's discuss [since 2009-01-30] SASL - Some progress on SCRAM, it seems. SYSLOG - draft-ietf-syslog-transport-tls: now in RFC Editor Queue/AUTH48 state, but blocked by the RFC 5378 problem. - draft-ietf-syslog-sign: in AD Evaluation, waiting for me to read version -24 [since 2008-12-11] TLS - draft-ietf-tls-des-idea: now in RFC Editor Queue/AUTH48, waiting for me to check it [since 2009-01-30] - draft-ietf-tls-ecdhe-psk: went through IETF Last Call and IESG Evaluation; waiting to see if anyone in WG objects to text proposed to address Tim's discuss [since 2009-01-30]. - draft-ietf-tls-psk-new-mac-aes-gcm: was approved by IESG, going to RFC Editor Queue soon - draft-housley-tls-authz-extns went to 4th IETF Last Call - Errata #1585: waiting for Ekr to confirm that this errata is correct [since 2008-11-06] OTHER DOCUMENTS - draft-randall-3447bis: I finally reviewed this draft, and sent James Randall a bunch of comments. - draft-lebovitz-kmart-roadmap: now that -00 was posted, I have promised to comment and contribute. - draft-ietf-mpls-mpls-and-gmpls-security-framework: I've promised to read this. - "Applicability guidance for security protocols": Tim and I have promised to write something that would help in determining which security mechanism (e.g. TLS, IPsec, SASL, GSS-API, ..) to use for a new higher-layer protocol. - draft-mattsson-srtp-store-and-forward: I've been planning to read this and send comments, but it seems unlikely I'll get to this anytime soon. DISCUSSES (active -- something happened within last month) - draft-cain-post-inch-phishingextns: authors have promised a new version some time in February [since 2009-01-29] - draft-ietf-l2tpext-tdm: waiting for the authors or Mark to reply [since 2009-01-27] - draft-ietf-mext-nemo-v4traversal: discussion ongoing, waiting for authors to propose text [since 2009-01-19] - draft-ietf-mipshop-mstp-solution: waiting for Jari to confirm that the proposed IESG note is OK; will move to "Abstain" once Jari says we're ready to go [since 2009-01-30] - draft-ietf-monami6-multiplecoa: some text agreed, waiting for authors to reply to my remaining comments [since 2009-01-28] - draft-ietf-nfsv4-rfc1831bis: I need to check if version -11 addresses my comments [since 2009-01-30] - draft-ietf-ospf-lls: waiting for a revised ID or RFC Editor Notes to address my remaining comments [since 2009-01-19] - draft-ietf-radext-management-authorization: waiting for authors to reply to my comments [since 2009-01-28] - draft-ietf-roll-urban-routing-reqs: good discussion ongoing, waiting for the authors to reply [since 2009-01-27] - draft-ietf-shim6-proto: discussion ongoing, waiting for me to review the text proposed by Erik [since 2009-01-24] - draft-ietf-softwire-encaps-ipsec: lots of emails that I need to read [since 2009-01-29] - draft-ietf-softwire-encaps-safi: waiting for Dave/Ross to check the text proposed by authors [since 2009-02-02] - draft-ietf-softwire-hs-framework-l2tpv2: discussion ongoing, waiting for authors to reply or submit a revised ID [since 2009-01-30] - draft-igoe-secsh-aes-gcm: authors have proposed text to partially address my discuss; waiting for Tim to take a look and comment [2009-01-30] - draft-kato-camellia-ctrccm: authors have proposed text that would resolve my comments; waiting for a revised ID [since 2009-01-06] - draft-stjohns-sipso: waiting for Tim to propose a path forward [since 2009-01-29] DISCUSSES (stalled -- I haven't heard anything from the authors or document shepherd for over one month) - draft-cheshire-dnsext-nbp: waiting for authors to reply to my comments [since 2008-12-03] - draft-ietf-calsify-rfc2445bis: waiting for authors to reply to my comment [since 2008-12-18] - draft-ietf-enum-combined: waiting for authors to propose text or a revised ID [since 2008-12-11] - draft-ietf-sip-dtls-srtp-framework: waiting for authors to reply to my comments or submit a revised ID [since 2008-11-06] - draft-ietf-vrrp-unified-spec: waiting for authors to propose text [since 2008-11-07] - draft-kato-ipsec-camellia-modes: waiting for authors to reply to my comments or submit a revised ID [since 2008-11-06] DISCUSSES (presumed dead -- I haven't heard anything from the authors or document shepherd for over three months) - draft-ietf-bfd-base: waiting for authors to reply to my comments or submit a revised ID [since 2008-06-05] - draft-ietf-bfd-multihop: waiting for authors to reply to my comments or submit a revised ID [since 2008-06-05] - draft-ietf-bfd-v4v6-1hop: waiting for authors to reply to my comments or submit a revised ID [since 2008-06-05] - draft-ietf-sip-xcapevent: waiting for revised ID or RFC Editor Note to fix the ABNF/XML bugs [since 2008-10-24] - draft-ietf-sipping-policy-package: waiting for more information from Mary or Jon [since 2008-10-28] --end-- _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 08:19:51 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFAFB3A6BA7; Mon, 2 Feb 2009 08:19:51 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A23C3A6B28; Mon, 2 Feb 2009 08:19:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.18 X-Spam-Level: X-Spam-Status: No, score=-2.18 tagged_above=-999 required=5 tests=[AWL=0.069, BAYES_00=-2.599, HELO_EQ_DE=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZqTNdacHwfdE; Mon, 2 Feb 2009 08:19:44 -0800 (PST) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by core3.amsl.com (Postfix) with ESMTP id 63A5D3A6828; Mon, 2 Feb 2009 08:19:44 -0800 (PST) Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 24D76C0004; Mon, 2 Feb 2009 17:19:25 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id TNtpxIZubPDi; Mon, 2 Feb 2009 17:19:19 +0100 (CET) Received: from elstar.iuhb02.iu-bremen.de (elstar.iuhb02.iu-bremen.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id A9511C000B; Mon, 2 Feb 2009 17:19:18 +0100 (CET) Received: by elstar.iuhb02.iu-bremen.de (Postfix, from userid 501) id 6C0E395B9D0; Mon, 2 Feb 2009 17:19:17 +0100 (CET) Date: Mon, 2 Feb 2009 17:19:17 +0100 From: Juergen Schoenwaelder To: Takuya Sawada , "Paul H. Kyzivat" Message-ID: <20090202161917.GA25638@elstar.iuhb02.iu-bremen.de> Mail-Followup-To: Takuya Sawada , "Paul H. Kyzivat" , iesg@ietf.org, secdir@ietf.org, sipping-chairs@tools.ietf.org MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.19 (2009-01-05) Cc: iesg@ietf.org, sipping-chairs@tools.ietf.org, secdir@ietf.org Subject: [secdir] secdir review of draft-ietf-sipping-sip-offeranswer-10.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: j.schoenwaelder@jacobs-university.de List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The goal of the document is to document the offer/answer exchanges used in the SIP framework to establish and update multimedia sessions. This informational document does not define new protocol exchanges; its goal is to clarify what can be found in various RFCs. The text in the security considerations says: There are not any security issues beyond the referenced RFCs. While this might be true, I would have preferred to have a somewhat more explicit discussion and more precise pointers which parts of the security considerations in the "referenced RFCs" (really all?) apply. The document describes some offer/answer interactions where the correct behaviour is not clear and it would be good to spell out whether any of the described offer/answer scenarios can be exploited. If not, having a statement that they can't be exploited and why would be nice to have. (For example, spell out whether SIP integrity protection and authentication are sufficient to mitigate any possible attacks.) Editorial: - It would be nice for readers who are not too deeply involved with SIP if all acronyms (UAC, UAS, 3ppc, ...) are expanded on first usage. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 12:49:06 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47B5228C1CC; Mon, 2 Feb 2009 12:49:06 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 540CD28C177; Mon, 2 Feb 2009 12:34:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.432 X-Spam-Level: X-Spam-Status: No, score=-3.432 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5bPdhSamShyr; Mon, 2 Feb 2009 12:34:04 -0800 (PST) Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) by core3.amsl.com (Postfix) with ESMTP id 95A653A69E4; Mon, 2 Feb 2009 12:34:04 -0800 (PST) Received: from mx02.mta.xmission.com ([166.70.13.212]) by out02.mta.xmission.com with esmtp (Exim 4.62) (envelope-from ) id 1LU5UF-0000w6-FT; Mon, 02 Feb 2009 13:33:43 -0700 Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=localhost.localdomain) by mx02.mta.xmission.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from ) id 1LU5UE-0001Jp-Ps; Mon, 02 Feb 2009 13:33:43 -0700 Received: from localhost.localdomain (tobermory [127.0.0.1]) by localhost.localdomain (8.12.10/8.12.10) with ESMTP id n12KTTij013636; Mon, 2 Feb 2009 13:29:29 -0700 Received: (from ho@localhost) by localhost.localdomain (8.12.10/8.12.10/Submit) id n12KTSWF013632; Mon, 2 Feb 2009 13:29:28 -0700 Date: Mon, 2 Feb 2009 13:29:28 -0700 Message-Id: <200902022029.n12KTSWF013632@localhost.localdomain> X-Authentication-Warning: localhost.localdomain: ho set sender to hilarie using -f From: "Hilarie Orman" To: henk@ripe.net X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx02.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none X-XM-DomainKey: sender_domain=alum.mit.edu; ; ; sender=ho@alum.mit.edu; ; ; status=no signature X-SA-Exim-Connect-IP: 166.70.57.249 X-SA-Exim-Mail-From: hilarie@purplestreak.com X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;henk@ripe.net X-Spam-Relay-Country: X-SA-Exim-Version: 4.2.1 (built Thu, 07 Dec 2006 04:40:56 +0000) X-SA-Exim-Scanned: Yes (on mx02.mta.xmission.com) Cc: magnus.westerlund@ericsson.com, secdir@ietf.org, iesg@ietf.org, lars.eggert@nokia.com, matt@internet2.edu Subject: [secdir] Review of draft-ietf-ippm-duplicate-07.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Hilarie Orman List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org draft-ietf-ippm-duplicate-07.txt describes metrics for reporting results of packet duplication tests. The tests use active packet injection and monitoring to find duplicates. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I have only a minor comment to add to security considerations. If an attacker were to observe that these measurements were going on, he might want to cause packet duplications. This might lead network operators to conclude that the "natural" duplication rate was high, in turn causing them to set thresholds for "replay attacks" so high that real attacks were overlooked. For this reason, operators should consider the threat level to the system under test, and if it is non-zero, and if the results might be used by security administrators, the traffic used for testing and for reporting results should be obscured as much as possible. Hilarie Orman _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 13:16:37 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B4D7A3A6B32; Mon, 2 Feb 2009 13:16:37 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 876173A6B32; Mon, 2 Feb 2009 13:16:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.414 X-Spam-Level: X-Spam-Status: No, score=-6.414 tagged_above=-999 required=5 tests=[AWL=0.185, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBnF3DZuFxB0; Mon, 2 Feb 2009 13:16:35 -0800 (PST) Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by core3.amsl.com (Postfix) with ESMTP id BFF1C3A68C2; Mon, 2 Feb 2009 13:16:35 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.37,367,1231113600"; d="scan'208";a="62050602" Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-5.cisco.com with ESMTP; 02 Feb 2009 21:16:16 +0000 Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n12LGG9d023197; Mon, 2 Feb 2009 13:16:16 -0800 Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n12LGGB3001051; Mon, 2 Feb 2009 21:16:16 GMT Date: Mon, 2 Feb 2009 13:16:16 -0800 (PST) From: Chris Lonvick To: iesg@ietf.org, secdir@ietf.org, jpv@cisco.com, Rich Bradford , adrian@olddog.co.uk, Deborah Brungard Message-ID: MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1548; t=1233609376; x=1234473376; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=clonvick@cisco.com; z=From:=20Chris=20Lonvick=20 |Subject:=20SECDIR=20review=20of=20draft-ietf-ccamp-path-ke y-ero-03 |Sender:=20; bh=Fu1DrJ7M9GFi41J3NMGLdGpfhnJYNMt6t7vlA7h1knI=; b=yot9hA+fuUQV52KTwVkxjzi8ktZU4Fg2uY3v3IMxygXgyOicVndTgwCKaX N2+Qmv9L0VcMAwx+tdbM3xXJdMsqN20xABTfX1thOUb0kz6WnJ5tdVqOTN53 2bgIGdDj8v; Authentication-Results: sj-dkim-2; header.From=clonvick@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; ); Subject: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Overall, the document appears to be well written and comprehensive and I have no problem with it proceeding to become an RFC. I do have one editorial comment. In Section 4, Security Considerations, the following bullet appears. === - Authenticity of the path key. A concern is that the path key in the PKS will be altered or faked leading to erroneous path key expansion and the use of the wrong CPS. The consequence would be a bad ERO in a Path message causing the LSP to be set up incorrectly resulting in incorrect network resource usage, diversion of traffic to where it can be intercepted, or failure to set up the LSP. These problems can be prevented by protecting the protocol exchanges in PCEP and RSVP-TE using standard security techniques. === I feel that the term "standard security techniques" is too vague for a standards track document and would ask you to rephrase the last sentence to be: "These problems can be prevented by protecting the protocol exchanges in PCEP and RSVP-TE using the techniques described in [PSEC] and [RFC2205]." Or reference other techniques if you have them in mind. Best regards, Chris _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 15:32:54 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 77FF93A699F; Mon, 2 Feb 2009 15:32:54 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A05AD3A699F; Mon, 2 Feb 2009 15:32:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.811 X-Spam-Level: X-Spam-Status: No, score=-1.811 tagged_above=-999 required=5 tests=[AWL=0.788, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9+SUXe3INKLQ; Mon, 2 Feb 2009 15:32:52 -0800 (PST) Received: from asmtp2.iomartmail.com (asmtp2.iomartmail.com [62.128.201.249]) by core3.amsl.com (Postfix) with ESMTP id EEE1F3A67B5; Mon, 2 Feb 2009 15:32:51 -0800 (PST) Received: from asmtp2.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp2.iomartmail.com (8.12.11.20060308/8.12.8) with ESMTP id n12NWBmn010330; Mon, 2 Feb 2009 23:32:11 GMT Received: from your029b8cecfe (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp2.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id n12NW9Cm010308; Mon, 2 Feb 2009 23:32:10 GMT Message-ID: From: "Adrian Farrel" To: "Chris Lonvick" , , , , "Rich Bradford" , "Deborah Brungard" References: Date: Mon, 2 Feb 2009 23:32:02 -0000 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5512 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Adrian Farrel List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Sure thing, Chris. The references would be to RFC 5440 and to draft-ietf-mpls-mpls-and-gmpls-security-framework-04.txt Cheers, Adrian ----- Original Message ----- From: "Chris Lonvick" To: ; ; ; "Rich Bradford" ; ; "Deborah Brungard" Sent: Monday, February 02, 2009 9:16 PM Subject: SECDIR review of draft-ietf-ccamp-path-key-ero-03 > Hi, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > Overall, the document appears to be well written and comprehensive and I > have no problem with it proceeding to become an RFC. > > I do have one editorial comment. In Section 4, Security Considerations, > the following bullet appears. > === > - Authenticity of the path key. A concern is that the path key in the > PKS will be altered or faked leading to erroneous path key > expansion and the use of the wrong CPS. The consequence would be a > bad ERO in a Path message causing the LSP to be set up incorrectly > resulting in incorrect network resource usage, diversion of traffic > to where it can be intercepted, or failure to set up the LSP. These > problems can be prevented by protecting the protocol exchanges in > PCEP and RSVP-TE using standard security techniques. > === > I feel that the term "standard security techniques" is too vague for a > standards track document and would ask you to rephrase the last sentence > to be: > "These problems can be prevented by protecting the protocol exchanges in > PCEP and RSVP-TE using the techniques described in [PSEC] and [RFC2205]." > Or reference other techniques if you have them in mind. > > Best regards, > Chris > _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 16:56:02 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 421AF3A69C1; Mon, 2 Feb 2009 16:56:02 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DD7743A6BCD; Mon, 2 Feb 2009 16:56:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.037 X-Spam-Level: X-Spam-Status: No, score=-6.037 tagged_above=-999 required=5 tests=[AWL=-0.562, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SORTED_RECIPS=1.125] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XypZEaT-xXVN; Mon, 2 Feb 2009 16:56:00 -0800 (PST) Received: from nutshell.tislabs.com (ns1.tislabs.com [192.94.214.100]) by core3.amsl.com (Postfix) with ESMTP id F12BC3A69C1; Mon, 2 Feb 2009 16:55:59 -0800 (PST) Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id n130sw3u020627; Mon, 2 Feb 2009 19:54:58 -0500 (EST) Received: from nodnsquery(10.66.1.30) by nutshell.tislabs.com via csmap (V6.0) id srcAAAZ1aqsO; Mon, 2 Feb 09 19:54:58 -0500 Received: by pecan.tislabs.com (Postfix, from userid 2005) id A70E23F45D; Mon, 2 Feb 2009 19:52:42 -0500 (EST) To: adrian@olddog.co.uk, clonvick@cisco.com, dbrungard@att.com, iesg@ietf.org, jpv@cisco.com, rbradfor@cisco.com, secdir@ietf.org In-Reply-To: Message-Id: <20090203005242.A70E23F45D@pecan.tislabs.com> Date: Mon, 2 Feb 2009 19:52:42 -0500 (EST) From: sandy@tislabs.com (Sandy Murphy) Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org >The references would be to RFC 5440 and to RFC 5440 has not yet been issued, according to the rfc-editor pages. I could not pick out an obvious candidate in the drafts on the queue that might be about to become RFC 5440 and www.ietf.org/rfc/rfc5440.txt gets a object-not-found error. Typo? --Sandy _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Mon Feb 2 17:37:57 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3F93D3A690D; Mon, 2 Feb 2009 17:37:57 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DB4803A6A05; Mon, 2 Feb 2009 17:37:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.318 X-Spam-Level: X-Spam-Status: No, score=-6.318 tagged_above=-999 required=5 tests=[AWL=0.281, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56qQYfftaEqy; Mon, 2 Feb 2009 17:37:55 -0800 (PST) Received: from nutshell.tislabs.com (nutshell.tislabs.com [192.94.214.100]) by core3.amsl.com (Postfix) with ESMTP id 1550E3A67D9; Mon, 2 Feb 2009 17:37:55 -0800 (PST) Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id n131aoVR020678; Mon, 2 Feb 2009 20:36:50 -0500 (EST) Received: from nodnsquery(10.66.1.30) by nutshell.tislabs.com via csmap (V6.0) id srcAAA2baOyO; Mon, 2 Feb 09 20:36:50 -0500 Received: by pecan.tislabs.com (Postfix, from userid 2005) id 3D7E53F483; Mon, 2 Feb 2009 20:34:34 -0500 (EST) To: , , , , , , ""@tislabs.com, adrian@olddog.co.uk, Bradford@tislabs.com, Brungard@tislabs.com, Chris@tislabs.com, Deborah@tislabs.com, Lonvick@tislabs.com, rcallon@juniper.net, Rich@tislabs.com, sandy@tislabs.com In-Reply-To: <3525C9833C09ED418C6FD6CD9514668C05972908@emailwf1.jnpr.net> Message-Id: <20090203013434.3D7E53F483@pecan.tislabs.com> Date: Mon, 2 Feb 2009 20:34:34 -0500 (EST) From: sandy@tislabs.com (Sandy Murphy) Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org >Where you see "RFC5440", assume that this refers to >"draft-ietf-pce-pcep-19.txt". The RFC editor will have no trouble making >the connection, and RFC5440 is exceptionally likely to be published >before this document gets to the RFC editor.=20 This is about what I expected (and why I went searching the rfc editor queue). But what I was curious about was what the reference said, not its publication status. Thanks for the pointer. --Sandy _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Tue Feb 3 01:34:14 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C50FF3A6991; Tue, 3 Feb 2009 01:34:14 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0CDE33A6824; Tue, 3 Feb 2009 01:34:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.818 X-Spam-Level: X-Spam-Status: No, score=-1.818 tagged_above=-999 required=5 tests=[AWL=0.780, BAYES_00=-2.599, STOX_REPLY_TYPE=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqfQG2a-kzOH; Tue, 3 Feb 2009 01:34:13 -0800 (PST) Received: from asmtp2.iomartmail.com (asmtp2.iomartmail.com [62.128.201.249]) by core3.amsl.com (Postfix) with ESMTP id 5B1333A6991; Tue, 3 Feb 2009 01:34:12 -0800 (PST) Received: from asmtp2.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp2.iomartmail.com (8.12.11.20060308/8.12.8) with ESMTP id n139XGBe016962; Tue, 3 Feb 2009 09:33:16 GMT Received: from your029b8cecfe (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp2.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id n139XE1s016938; Tue, 3 Feb 2009 09:33:15 GMT Message-ID: From: "Adrian Farrel" To: "Chris Lonvick" , "Brungard, Deborah A, ALABS" , , , "Bradford, Richard" , "secdir" , , , , , , "Ross Callon" , , "Sandy Murphy" References: <20090203013434.3D7E53F483@pecan.tislabs.com> Date: Tue, 3 Feb 2009 09:33:12 -0000 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5512 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Adrian Farrel List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Hi, Yeah, 5440 is draft-ietf-pce-pcep-19.txt. It is way ahead in the RFC Editor queue. Maybe less than a week from publication. See it at http://www.rfc-editor.org/authors/rfc5440.txt A ----- Original Message ----- From: "Sandy Murphy" To: ; ; ; ; ; ; <@tislabs.com>; ; ; ; ; ; ; ; ; Sent: Tuesday, February 03, 2009 1:34 AM Subject: RE: [secdir] SECDIR review of draft-ietf-ccamp-path-key-ero-03 > >Where you see "RFC5440", assume that this refers to >>"draft-ietf-pce-pcep-19.txt". The RFC editor will have no trouble making >>the connection, and RFC5440 is exceptionally likely to be published >>before this document gets to the RFC editor.=20 > > This is about what I expected (and why I went searching the rfc editor > queue). > > But what I was curious about was what the reference said, not its > publication status. > > Thanks for the pointer. > > --Sandy > _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Tue Feb 3 07:31:46 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E371D3A6B20; Tue, 3 Feb 2009 07:31:46 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A7FD73A6BBB; Mon, 2 Feb 2009 10:03:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.096 X-Spam-Level: X-Spam-Status: No, score=-6.096 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PPcm7QT3glT; Mon, 2 Feb 2009 10:03:42 -0800 (PST) Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 728453A6B2B; Mon, 2 Feb 2009 10:03:42 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.37,366,1231113600"; d="scan'208";a="35666234" Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-1.cisco.com with ESMTP; 02 Feb 2009 18:03:23 +0000 Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n12I3M13016063; Mon, 2 Feb 2009 13:03:22 -0500 Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by rtp-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n12I3M5C028003; Mon, 2 Feb 2009 18:03:23 GMT Received: from xfe-rtp-201.amer.cisco.com ([64.102.31.38]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Feb 2009 13:03:22 -0500 Received: from [10.86.247.238] ([10.86.247.238]) by xfe-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 2 Feb 2009 13:03:22 -0500 Message-ID: <49873569.7020200@cisco.com> Date: Mon, 02 Feb 2009 13:03:21 -0500 From: Paul Kyzivat User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Takuya Sawada , iesg@ietf.org, secdir@ietf.org, sipping-chairs@tools.ietf.org References: <20090202161917.GA25638@elstar.iuhb02.iu-bremen.de> In-Reply-To: <20090202161917.GA25638@elstar.iuhb02.iu-bremen.de> X-OriginalArrivalTime: 02 Feb 2009 18:03:22.0633 (UTC) FILETIME=[8975E790:01C98560] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1967; t=1233597803; x=1234461803; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pkyzivat@cisco.com; z=From:=20Paul=20Kyzivat=20 |Subject:=20Re=3A=20secdir=20review=20of=20draft-ietf-sippi ng-sip-offeranswer-10.txt |Sender:=20 |To:=20Takuya=20Sawada=20,=20iesg@ietf. org,=20secdir@ietf.org,=0A=20=20=20=20=20=20=20=20sipping-ch airs@tools.ietf.org; bh=R2lDxnVLD75Ih2SLH8ZgBcvlraedpxX6e5lOe7qL8ec=; b=e/STmGaJketJi15zgze1xwgYnUuFl7CjObsHuFN6djdJbGQAQE2mKK4WhJ Pmk3L7uhMPcAefGRxMN6RlmBLJ6Ld1UmO4/u2GWosmMKA/jnz9futjvmV5Q6 VKiGbipxN6; Authentication-Results: rtp-dkim-1; header.From=pkyzivat@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; ); X-Mailman-Approved-At: Tue, 03 Feb 2009 07:31:45 -0800 Subject: Re: [secdir] secdir review of draft-ietf-sipping-sip-offeranswer-10.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Juergen, Thanks for the comments. See my responses inline. Juergen Schoenwaelder wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The goal of the document is to document the offer/answer exchanges > used in the SIP framework to establish and update multimedia sessions. > This informational document does not define new protocol exchanges; > its goal is to clarify what can be found in various RFCs. The text in > the security considerations says: > > There are not any security issues beyond the referenced RFCs. > > While this might be true, I would have preferred to have a somewhat > more explicit discussion and more precise pointers which parts of the > security considerations in the "referenced RFCs" (really all?) apply. I'll see what I can do. > The document describes some offer/answer interactions where the > correct behaviour is not clear and it would be good to spell out > whether any of the described offer/answer scenarios can be exploited. > If not, having a statement that they can't be exploited and why would > be nice to have. (For example, spell out whether SIP integrity > protection and authentication are sufficient to mitigate any possible > attacks.) It seems like a valid point, though my first reaction is that security is invariant to which interpretations are taken. I'll have to think about it a bit. > Editorial: > > - It would be nice for readers who are not too deeply involved with > SIP if all acronyms (UAC, UAS, 3ppc, ...) are expanded on first > usage. OK. After awhile these things become invisible to those of us who are deeply involved. Thanks, Paul _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From secdir-bounces@ietf.org Tue Feb 3 07:31:47 2009 Return-Path: X-Original-To: secdir-archive@ietf.org Delivered-To: ietfarch-secdir-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0099C28C10E; Tue, 3 Feb 2009 07:31:47 -0800 (PST) X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EBB83A6A63; Tue, 3 Feb 2009 04:27:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.745 X-Spam-Level: X-Spam-Status: No, score=-3.745 tagged_above=-999 required=5 tests=[AWL=-1.146, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4x2otEQ9SChq; Tue, 3 Feb 2009 04:27:36 -0800 (PST) Received: from postlady.ripe.net (postlady.ripe.net [193.0.19.65]) by core3.amsl.com (Postfix) with ESMTP id 29A7F3A6A9C; Tue, 3 Feb 2009 04:27:36 -0800 (PST) Received: from herring.ripe.net ([193.0.1.203]) by postlady.ripe.net with esmtp (Exim 4.63) (envelope-from ) id 1LUJZt-0004cA-BN; Tue, 03 Feb 2009 12:36:31 +0100 Received: from geir.local (gw.office.nsrp.ripe.net [193.0.1.126]) by herring.ripe.net (Postfix) with ESMTP id 360FA2F583; Tue, 3 Feb 2009 12:36:29 +0100 (CET) Message-ID: <49882C3D.3070709@ripe.net> Date: Tue, 03 Feb 2009 12:36:29 +0100 From: Henk Uijterwaal User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: Hilarie Orman References: <200902022029.n12KTSWF013632@localhost.localdomain> In-Reply-To: <200902022029.n12KTSWF013632@localhost.localdomain> X-RIPE-Spam-Level: ---- X-RIPE-Signature: e0cdef1f45f89a40ad608d255b27e7d5cdb70d8f4ee90639a2e0518a9416f415 X-Mailman-Approved-At: Tue, 03 Feb 2009 07:31:45 -0800 Cc: magnus.westerlund@ericsson.com, secdir@ietf.org, iesg@ietf.org, lars.eggert@nokia.com, matt@internet2.edu Subject: Re: [secdir] Review of draft-ietf-ippm-duplicate-07.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: secdir-bounces@ietf.org Errors-To: secdir-bounces@ietf.org Hilarie, > I have only a minor comment to add to security considerations. If an > attacker were to observe that these measurements were going on, he > might want to cause packet duplications. This might lead network > operators to conclude that the "natural" duplication rate was high, in > turn causing them to set thresholds for "replay attacks" so high > that real attacks were overlooked. Thresholds etc are beyond the scope of IPPM. IPPM only specifies how things should be measured. That said, the optimal value for duplication is 0, that is, as an operator I want every packet to arrive exactly once. As soon as there is duplication above the percent level, it is time to take action. A replay attack will typically involve every packet being sent twice (once by the legitimate source and once by the attacker). That translates into 100% duplication. That is well above the level any operator will ignore. > For this reason, operators should consider the threat level to the > system under test, and if it is non-zero, and if the results might > be used by security administrators, the traffic used for testing This is part of the IPPM framework. Traffic used for testing should be as similar to other traffic as possible, in order to avoid preferential treatement by intermediate operators. > and for reporting results should be obscured as much as possible. Reporting results is outside the scope of the draft. Henk -- ------------------------------------------------------------------------------ Henk Uijterwaal Email: henk.uijterwaal(at)ripe.net RIPE Network Coordination Centre http://www.amsterdamned.org/~henk P.O.Box 10096 Singel 258 Phone: +31.20.5354414 1001 EB Amsterdam 1016 AB Amsterdam Fax: +31.20.5354445 The Netherlands The Netherlands Mobile: +31.6.55861746 ------------------------------------------------------------------------------ Belgium: an unsolvable problem, discussed in endless meetings, with no hope for a solution, where everybody still lives happily. _______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir From hilarie@purplestreak.com Tue Feb 3 16:16:53 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 207AB28C0FC; Tue, 3 Feb 2009 16:16:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.313 X-Spam-Level: X-Spam-Status: No, score=-3.313 tagged_above=-999 required=5 tests=[AWL=-0.714, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0UU1g8VTu26; Tue, 3 Feb 2009 16:16:52 -0800 (PST) Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) by core3.amsl.com (Postfix) with ESMTP id 5A55B28C0DC; Tue, 3 Feb 2009 16:16:52 -0800 (PST) Received: from mx01.mta.xmission.com ([166.70.13.211]) by out02.mta.xmission.com with esmtp (Exim 4.62) (envelope-from ) id 1LUVRP-00054b-Ah; Tue, 03 Feb 2009 17:16:31 -0700 Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=localhost.localdomain) by mx01.mta.xmission.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from ) id 1LUVRO-0003l2-C4; Tue, 03 Feb 2009 17:16:31 -0700 Received: from localhost.localdomain (tobermory [127.0.0.1]) by localhost.localdomain (8.12.10/8.12.10) with ESMTP id n140CFij005798; Tue, 3 Feb 2009 17:12:15 -0700 Received: (from ho@localhost) by localhost.localdomain (8.12.10/8.12.10/Submit) id n140CCA9005781; Tue, 3 Feb 2009 17:12:12 -0700 Date: Tue, 3 Feb 2009 17:12:12 -0700 Message-Id: <200902040012.n140CCA9005781@localhost.localdomain> X-Authentication-Warning: localhost.localdomain: ho set sender to hilarie using -f From: "Hilarie Orman" To: henk@ripe.net In-reply-to: Yourmessage <49882C3D.3070709@ripe.net> X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx01.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none X-XM-DomainKey: sender_domain=alum.mit.edu; ; ; sender=ho@alum.mit.edu; ; ; status=no signature X-SA-Exim-Connect-IP: 166.70.57.249 X-SA-Exim-Mail-From: hilarie@purplestreak.com X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: ;henk@ripe.net X-Spam-Relay-Country: X-SA-Exim-Version: 4.2.1 (built Thu, 07 Dec 2006 04:40:56 +0000) X-SA-Exim-Scanned: Yes (on mx01.mta.xmission.com) Cc: magnus.westerlund@ericsson.com, secdir@ietf.org, matt@internet2.edu, lars.eggert@nokia.com, iesg@ietf.org Subject: Re: [secdir] Review of draft-ietf-ippm-duplicate-07.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Hilarie Orman List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Feb 2009 00:16:53 -0000 My comments do apply to how things should be measured. Replay attacks have no typical behavior wrt frequency, and malicious attempts to bias duplication measurements would be surreptious. I'm not sure that all networks aim for zero duplications. Surely some background level exists. It is all statistics. There is a subtle difference between test traffic being "as similar as possible" to other traffic "to avoid preferential treatment by intermediate operators" and being undetectable to a malicious adversary. Hilarie > I have only a minor comment to add to security considerations. If an >> attacker were to observe that these measurements were going on, he >> might want to cause packet duplications. This might lead network >> operators to conclude that the "natural" duplication rate was high, in >> turn causing them to set thresholds for "replay attacks" so high >> that real attacks were overlooked. > >Thresholds etc are beyond the scope of IPPM. IPPM only specifies how >things should be measured. > >That said, the optimal value for duplication is 0, that is, as an >operator I want every packet to arrive exactly once. As soon as >there is duplication above the percent level, it is time to take >action. A replay attack will typically involve every packet being sent >twice (once by the legitimate source and once by the attacker). >That translates into 100% duplication. That is well above >the level any operator will ignore. > >> For this reason, operators should consider the threat level to the >> system under test, and if it is non-zero, and if the results might >> be used by security administrators, the traffic used for testing > >This is part of the IPPM framework. Traffic used for testing should >be as similar to other traffic as possible, in order to avoid >preferential treatement by intermediate operators. > >> and for reporting results should be obscured as much as possible. > >Reporting results is outside the scope of the draft. > From henk@ripe.net Wed Feb 4 00:52:36 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D9C5F28C161; Wed, 4 Feb 2009 00:52:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.714 X-Spam-Level: X-Spam-Status: No, score=-3.714 tagged_above=-999 required=5 tests=[AWL=-1.115, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQ9YueBkkPR4; Wed, 4 Feb 2009 00:52:36 -0800 (PST) Received: from postlady.ripe.net (postlady.ripe.net [193.0.19.65]) by core3.amsl.com (Postfix) with ESMTP id CB7DC28C1AB; Wed, 4 Feb 2009 00:52:35 -0800 (PST) Received: from herring.ripe.net ([193.0.1.203]) by postlady.ripe.net with esmtp (Exim 4.63) (envelope-from ) id 1LUdU0-0000Ba-SY; Wed, 04 Feb 2009 09:51:46 +0100 Received: from geir.local (gw.office.nsrp.ripe.net [193.0.1.126]) by herring.ripe.net (Postfix) with ESMTP id D05C92F583; Wed, 4 Feb 2009 09:51:44 +0100 (CET) Message-ID: <49895720.5050505@ripe.net> Date: Wed, 04 Feb 2009 09:51:44 +0100 From: Henk Uijterwaal User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: Hilarie Orman References: <200902040012.n140CCA9005781@localhost.localdomain> In-Reply-To: <200902040012.n140CCA9005781@localhost.localdomain> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-RIPE-Spam-Level: ---- X-RIPE-Signature: e0cdef1f45f89a40ad608d255b27e7d50463deedf55b57ae11181821d635f4c7 X-Mailman-Approved-At: Wed, 04 Feb 2009 11:23:09 -0800 Cc: magnus.westerlund@ericsson.com, secdir@ietf.org, matt@internet2.edu, lars.eggert@nokia.com, iesg@ietf.org Subject: Re: [secdir] Review of draft-ietf-ippm-duplicate-07.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 04 Feb 2009 08:52:36 -0000 Hilarie Orman wrote: > I'm not sure that all > networks aim for zero duplications. Surely some background level > exists. It is all statistics. Duplication means that packets are sent twice. That means that bandwidth is wasted sending useless information and this is something operators do not want. > There is a subtle difference between test traffic being "as similar as > possible" to other traffic "to avoid preferential treatment by > intermediate operators" and being undetectable to a malicious > adversary. You wrote "obscured" in your previous mail. I think that is what one does if one makes the measurement traffic as similar as possible to other traffic. Undetectable is impossible: take all packets between source and destination, then plot the time between the packets. If this distribution looks like a poisson distribution over a long time, then there is high probability that these are measurement systems. Henk -- ------------------------------------------------------------------------------ Henk Uijterwaal Email: henk.uijterwaal(at)ripe.net RIPE Network Coordination Centre http://www.amsterdamned.org/~henk P.O.Box 10096 Singel 258 Phone: +31.20.5354414 1001 EB Amsterdam 1016 AB Amsterdam Fax: +31.20.5354445 The Netherlands The Netherlands Mobile: +31.6.55861746 ------------------------------------------------------------------------------ Belgium: an unsolvable problem, discussed in endless meetings, with no hope for a solution, where everybody still lives happily. From yaronf@checkpoint.com Wed Feb 4 23:24:53 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDC993A6359; Wed, 4 Feb 2009 23:24:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.551 X-Spam-Level: X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hd-8IIoOr1G; Wed, 4 Feb 2009 23:24:50 -0800 (PST) Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id A590D3A67C1; Wed, 4 Feb 2009 23:24:49 -0800 (PST) Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 232F029C005; Thu, 5 Feb 2009 09:24:26 +0200 (IST) Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 9E75C29C002; Thu, 5 Feb 2009 09:23:15 +0200 (IST) X-CheckPoint: {498A90EA-10000-88241DC2-7B6} Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id n157NEei019224; Thu, 5 Feb 2009 09:23:15 +0200 (IST) Received: from il-ex01.ad.checkpoint.com ([194.29.32.26]) by il-ex01.ad.checkpoint.com ([194.29.32.26]) with mapi; Thu, 5 Feb 2009 09:23:14 +0200 From: Yaron Sheffer To: "secdir@ietf.org" , "iesg@ietf.org" , "draft-ietf-xcon-event-package@tools.ietf.org" , "adam@nostrum.com" , "alan@sipstation.com" Date: Thu, 5 Feb 2009 09:23:17 +0200 Thread-Topic: Secdir review of draft-ietf-xcon-event-package-01 Thread-Index: AcmHYp24ieqmVErzS/u49aQNwjkO7g== Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8E@il-ex01.ad.checkpoint.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8Eilex01adcheck_" MIME-Version: 1.0 Subject: [secdir] Secdir review of draft-ietf-xcon-event-package-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Feb 2009 07:24:54 -0000 --_000_7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8Eilex01adcheck_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I have reviewed this document as part of the security directorate's ongoing= effort to review all IETF documents being processed by the IESG. These co= mments were written primarily for the benefit of the security area director= s. Document editors and WG chairs should treat these comments just like an= y other last call comments. This draft extends the existing SIP conference package by adding additional= functionality (the XCON data model) and XML document patching. The Security Considerations section references predecessor documents, and t= his seems reasonable to me. One functionality comment, with security implications: Sec. 5.3 specifies t= hat a "patch" document MUST be well formed and SHOULD be valid. I believe n= on-valid documents significantly increase the vulnerability "attack surface= ". And since the "patch" schema is extensible by design, I see no reason to= not validate the document. In other words, please consider changing valida= tion to a MUST. Thanks, Yaron =0D=0A Email secured by Check Point=0D=0A --_000_7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8Eilex01adcheck_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed b= y the IESG.  These comments were written primarily for the benefit of th= e security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

 

This draft extends the existing SIP conference package b= y adding additional functionality (the XCON data model) and XML document patching.

 

The Security Considerations section references predecess= or documents, and this seems reasonable to me.

 

One functionality comment, with security implications: S= ec. 5.3 specifies that a “patch” document MUST be well formed and SHOUL= D be valid. I believe non-valid documents significantly increase the vulnerabili= ty “attack surface”. And since the “patch” schema is extensible by design, I see no reason to not validate the document. In other words, pleas= e consider changing validation to a MUST.

 

Thanks,

         &n= bsp;  Yaron


= =0D=0A
Email secured by Check Point=0D=0A

= --_000_7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8Eilex01adcheck_-- From lha@kth.se Thu Feb 5 20:36:59 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F1F0728C179; Thu, 5 Feb 2009 20:36:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.499 X-Spam-Level: X-Spam-Status: No, score=-5.499 tagged_above=-999 required=5 tests=[AWL=0.800, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPMs-akhnK70; Thu, 5 Feb 2009 20:36:58 -0800 (PST) Received: from mail-out4.apple.com (mail-out4.apple.com [17.254.13.23]) by core3.amsl.com (Postfix) with ESMTP id 396B73A6A03; Thu, 5 Feb 2009 20:36:51 -0800 (PST) Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out4.apple.com (Postfix) with ESMTP id 87C4553AD073; Thu, 5 Feb 2009 20:36:52 -0800 (PST) Received: from relay14.apple.com (unknown [127.0.0.1]) by relay14.apple.com (Symantec Brightmail Gateway) with ESMTP id 65C4928041; Thu, 5 Feb 2009 20:36:52 -0800 (PST) X-AuditID: 11807134-a4853bb000000ff0-70-498bbe64d5b8 Received: from hummel.apple.com (hummel.apple.com [17.202.43.223]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay14.apple.com (Apple SCV relay) with ESMTP id 3B2AB2802F; Thu, 5 Feb 2009 20:36:52 -0800 (PST) Message-Id: <608D1983-F870-48CC-8571-A6AD4C920C6F@kth.se> From: =?ISO-8859-1?Q?Love_H=F6rnquist_=C5strand?= To: Security-Directorat Directorat , IESG - , ccamp-chairs@ietf.org Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 5 Feb 2009 20:36:52 -0800 X-Mailer: Apple Mail (2.930.3) X-Brightmail-Tracker: AAAAAA== Cc: asatyana@cisco.com, snigdho.bardalai@us.fujitsu.com, danli@huawei.com, gjhhit@huawei.com Subject: [secdir] secdir review: draft-ietf-ccamp-gr-description-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2009 04:36:59 -0000 Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. draft-ietf-ccamp-gr-description-04 seems ok to me, I think that Security Considerations covers those issues that I though up. Love From secdir-bounces@mit.edu Fri Feb 6 08:35:24 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EB643A685F for ; Fri, 6 Feb 2009 08:35:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.598 X-Spam-Level: X-Spam-Status: No, score=-4.598 tagged_above=-999 required=5 tests=[AWL=2.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgY3Xd6fxee6 for ; Fri, 6 Feb 2009 08:35:23 -0800 (PST) Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 4CCE83A676A for ; Fri, 6 Feb 2009 08:35:23 -0800 (PST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n16GZPOV022682 for ; Fri, 6 Feb 2009 11:35:25 -0500 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n16GZJok022646 for ; Fri, 6 Feb 2009 11:35:19 -0500 Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id n16GZDkG011229 for ; Fri, 6 Feb 2009 11:35:14 -0500 (EST) Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by mit.edu (Spam Firewall) with ESMTP id 0762712AD6E0 for ; Fri, 6 Feb 2009 11:34:52 -0500 (EST) Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.6/8.13.6) with ESMTP id n16GYM0B022352; Fri, 6 Feb 2009 11:34:22 -0500 (EST) Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.6/8.13.6) with SMTP id n16GYLfj014497; Fri, 6 Feb 2009 11:34:21 -0500 (EST) Received: (from [IPv6:::1] [10.0.0.13]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2009020611341814624 ; Fri, 06 Feb 2009 11:34:20 -0500 Message-Id: <8716AA45-149F-4E94-86DA-8953D4AA73C4@nrl.navy.mil> From: Catherine Meadows To: secdir@mit.edu, Christian.Groves@nteczone.com, linyangbo@huawei.com, iesg@ietf.org, fluffy@cisco.com Mime-Version: 1.0 (Apple Message framework v930.3) Date: Fri, 6 Feb 2009 11:34:17 -0500 X-Mailer: Apple Mail (2.930.3) X-Scanned-By: MIMEDefang 2.42 X-BeenThere: secdir@mit.edu X-Mailman-Version: 2.1.6 Precedence: list Content-Type: multipart/mixed; boundary="===============1801371386==" Sender: secdir-bounces@mit.edu Errors-To: secdir-bounces@mit.edu Subject: [secdir] secdir review of draft-groves-megaco-pkgereg-02 X-BeenThere: secdir@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2009 16:35:24 -0000 --===============1801371386== Content-Type: multipart/alternative; boundary=Apple-Mail-3-80303026 --Apple-Mail-3-80303026 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft concerns the H.248/MEGACO IANA Package Registration procedures. It updates the procedure so that a formal review step, since the IETF Megaco working group, which previously did an informal review, is now disbanded. Since this merely updates the package review process to include a formal review, the ID claims that this introduces no extra security concerns, other than to require that the requester of a review and registration of a package is authorized to do so. However, I wonder if it would be appropriate to include some language saying that the review process should address any potential security concerns a package may introduce. I am not an expert on this protocol, but packages appear to be fairly complex structures that support terminations, which are sources and/or sinks. Ambiguity in packages would be a security concern (possibly allowing spoofing, if I understand this correctly); this is already covered in the review process recommended in this ID. I would like to see more justification in the security concerns section that this is the *only* security concerned introduced by new packages before I feel comfortable with this. The ID says that security concerns for the H.248/MEGACO protocol are discussed in H.248.1 section 10. Note that this itself appears to be a draft . Also, it only discusses security in an IP setting. That should presumably not be a problem for the IETF, since that is what we are concerned about, but it should still be mentioned, so that the reader doesn't think that document covers security in general. Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil --Apple-Mail-3-80303026 Content-Type: text/html; charset=US-ASCII Content-Transfer-Encoding: quoted-printable I have reviewed this document = as part of the security directorate's
ongoing effort to review all = IETF documents being processed by the
IESG.  These comments were = written primarily for the benefit of the
security area directors. =  Document editors and WG chairs should treat
these comments just = like any other last call comments.

This draft = concerns the H.248/MEGACO IANA Package Registration =
procedures.  It updates the procedure so that a formal review = step, since the IETF Megaco
working group, which previously = did an informal review, is now disbanded. =  

Since this merely updates the package = review process to include a formal review, the ID claims
that = this introduces no extra security concerns, other than to require that = the requester of a review
and registration of a package is = authorized to do so.  However, I wonder if it would be = appropriate
to include some language saying that the review = process should address any potential security
concerns a = package may introduce.  I am not an expert on this protocol, but =  packages appear to be fairly
complex structures that = support terminations, which are sources and/or sinks. Ambiguity in = packages
would be a security concern (possibly allowing = spoofing, if I understand this correctly);  this
is = already covered in the review process recommended in this ID.   I = would like to see more justification
in the security concerns = section that this is the *only* security concerned introduced by new = packages
before I feel comfortable with = this.

The ID says that security concerns for = the H.248/MEGACO protocol 
are  discussed in = H.248.1 section 10.  Note that this itself
appears to be = a draft .  Also, it only discusses security in an IP setting. That = should presumably not be a problem
for the IETF, since that is = what we are concerned about, but it should still be mentioned, so that = the
reader doesn't think that document covers security in = general.


Catherine Meadows
Naval Research = Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, = 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.= mil

= --Apple-Mail-3-80303026-- --===============1801371386== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir --===============1801371386==-- From catherine.meadows@nrl.navy.mil Fri Feb 6 08:50:52 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F2EB3A69EC for ; Fri, 6 Feb 2009 08:50:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrwCiYrvQ4XT for ; Fri, 6 Feb 2009 08:50:51 -0800 (PST) Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by core3.amsl.com (Postfix) with ESMTP id E5D4D3A67D6 for ; Fri, 6 Feb 2009 08:50:50 -0800 (PST) Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.6/8.13.6) with ESMTP id n16GoqPN024149; Fri, 6 Feb 2009 11:50:53 -0500 (EST) Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.6/8.13.6) with SMTP id n16Goqnm015814; Fri, 6 Feb 2009 11:50:52 -0500 (EST) Received: (from [IPv6:::1] [10.0.0.13]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2009020611504814658 ; Fri, 06 Feb 2009 11:50:49 -0500 Message-Id: From: Catherine Meadows To: secdir@ietf.org Content-Type: multipart/alternative; boundary=Apple-Mail-5-81293577 Mime-Version: 1.0 (Apple Message framework v930.3) Date: Fri, 6 Feb 2009 11:50:47 -0500 References: <8716AA45-149F-4E94-86DA-8953D4AA73C4@nrl.navy.mil> X-Mailer: Apple Mail (2.930.3) Subject: [secdir] Fwd: secdir review of draft-groves-megaco-pkgereg-02 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2009 16:50:52 -0000 --Apple-Mail-5-81293577 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit My apologies, I sent this to the old secdir address my mistake. Cathy Begin forwarded message: > From: Catherine Meadows > Date: February 6, 2009 11:34:17 AM EST > To: secdir@mit.edu, Christian.Groves@nteczone.com, linyangbo@huawei.com > , iesg@ietf.org, fluffy@cisco.com > Cc: Catherine Meadows > Subject: secdir review of draft-groves-megaco-pkgereg-02 > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This draft concerns the H.248/MEGACO IANA Package Registration > procedures. It updates the procedure so that a formal review step, > since the IETF Megaco > working group, which previously did an informal review, is now > disbanded. > > Since this merely updates the package review process to include a > formal review, the ID claims > that this introduces no extra security concerns, other than to > require that the requester of a review > and registration of a package is authorized to do so. However, I > wonder if it would be appropriate > to include some language saying that the review process should > address any potential security > concerns a package may introduce. I am not an expert on this > protocol, but packages appear to be fairly > complex structures that support terminations, which are sources and/ > or sinks. Ambiguity in packages > would be a security concern (possibly allowing spoofing, if I > understand this correctly); this > is already covered in the review process recommended in this ID. I > would like to see more justification > in the security concerns section that this is the *only* security > concerned introduced by new packages > before I feel comfortable with this. > > The ID says that security concerns for the H.248/MEGACO protocol > are discussed in H.248.1 section 10. Note that this itself > appears to be a draft . Also, it only discusses security in an IP > setting. That should presumably not be a problem > for the IETF, since that is what we are concerned about, but it > should still be mentioned, so that the > reader doesn't think that document covers security in general. > > > Catherine Meadows > Naval Research Laboratory > Code 5543 > 4555 Overlook Ave., S.W. > Washington DC, 20375 > phone: 202-767-3490 > fax: 202-404-7942 > email: catherine.meadows@nrl.navy.mil > Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil --Apple-Mail-5-81293577 Content-Type: text/html; charset=US-ASCII Content-Transfer-Encoding: quoted-printable My apologies, I sent this to = the old secdir address my = mistake.

Cathy


Begin = forwarded message:

From: = Catherine Meadows <catherine.meadows@nrl.navy.= mil>
Date: February 6, 2009 11:34:17 AM = EST
Cc: Catherine = Meadows <catherine.meadows@nrl.navy.= mil>
Subject: secdir review of = draft-groves-megaco-pkgereg-02

I have reviewed this document as part of the = security directorate's
ongoing effort to review all IETF documents = being processed by the
IESG.  These comments were written = primarily for the benefit of the
security area directors. =  Document editors and WG chairs should treat
these comments just = like any other last call comments.

This draft = concerns the H.248/MEGACO IANA Package Registration =
procedures.  It updates the procedure so that a formal review = step, since the IETF Megaco
working group, which previously = did an informal review, is now disbanded. =  

Since this merely updates the package = review process to include a formal review, the ID claims
that = this introduces no extra security concerns, other than to require that = the requester of a review
and registration of a package is = authorized to do so.  However, I wonder if it would be = appropriate
to include some language saying that the review = process should address any potential security
concerns a = package may introduce.  I am not an expert on this protocol, but =  packages appear to be fairly
complex structures that = support terminations, which are sources and/or sinks. Ambiguity in = packages
would be a security concern (possibly allowing = spoofing, if I understand this correctly);  this
is = already covered in the review process recommended in this ID.   I = would like to see more justification
in the security concerns = section that this is the *only* security concerned introduced by new = packages
before I feel comfortable with = this.

The ID says that security concerns for = the H.248/MEGACO protocol 
are  discussed in = H.248.1 section 10.  Note that this itself
appears to be = a draft .  Also, it only discusses security in an IP setting. That = should presumably not be a problem
for the IETF, since that is = what we are concerned about, but it should still be mentioned, so that = the
reader doesn't think that document covers security in = general.


Catherine Meadows
Naval Research = Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, = 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.= mil
 =


Catherine Meadows
Naval Research = Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, = 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.= mil

= --Apple-Mail-5-81293577-- From weiler+secdir@watson.org Fri Feb 6 13:01:46 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0938C3A6C25 for ; Fri, 6 Feb 2009 13:01:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.725 X-Spam-Level: X-Spam-Status: No, score=-2.725 tagged_above=-999 required=5 tests=[AWL=-0.126, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqX7ORC7mAM4 for ; Fri, 6 Feb 2009 13:01:45 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 24D323A6C1D for ; Fri, 6 Feb 2009 13:01:44 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id n16L1k2a006313 for ; Fri, 6 Feb 2009 16:01:46 -0500 (EST) (envelope-from weiler+secdir@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id n16L1kKm006310 for ; Fri, 6 Feb 2009 16:01:46 -0500 (EST) (envelope-from weiler+secdir@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Fri, 6 Feb 2009 16:01:46 -0500 (EST) From: Samuel Weiler X-X-Sender: weiler@fledge.watson.org To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (fledge.watson.org [127.0.0.1]); Fri, 06 Feb 2009 16:01:47 -0500 (EST) Subject: [secdir] assignments for Feb 10th and 13th X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Feb 2009 21:01:46 -0000 Four new documents. I am next in the rotation. Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview -- Sam For telechat 2009-02-10 Phillip Hallam-Baker T draft-atlas-icmp-unnumbered-06 Jeffrey Hutzelman T draft-ietf-ccamp-pc-and-sc-reqs-06 Charlie Kaufman TR draft-ietf-idr-flow-spec-05 Last calls and special requests: Derek Atkins draft-ietf-avt-post-repair-rtcp-xr-04 Rob Austein draft-ietf-dime-qos-parameters-09 Alan DeKok draft-ietf-roll-home-routing-reqs-06 Phillip Hallam-Baker draft-ietf-radext-design-05 Steve Hanna draft-ietf-eai-downgrade-11 Paul Hoffman draft-ietf-behave-turn-12 Scott Kelly draft-ietf-tsvwg-rsvp-proxy-approaches-06 Scott Kelly draft-ietf-mediactrl-architecture-04 Julien Laganier draft-ietf-sip-certs-07 Catherine Meadows draft-ietf-speechsc-mrcpv2-17 Alexey Melnikov draft-ietf-avt-rfc3047-bis-08 Sandy Murphy draft-ietf-avt-rtcp-non-compound-08 Vidya Narayanan draft-ietf-sip-saml-05 Vidya Narayanan draft-ietf-avt-rtp-speex-05 Magnus Nystrom draft-ietf-avt-rtp-uemclip-04 Radia Perlman draft-ietf-mmusic-decoding-dependency-05 Eric Rescorla draft-wing-sipping-srtp-key-04 Eric Rescorla draft-ietf-mmusic-sdp-source-attributes-02 Joe Salowey draft-ietf-geopriv-lis-discovery-06 Stefan Santesson draft-ietf-rserpool-mib-10 Susan Thomson draft-jones-dime-3gpp-eps-command-codes-01 Hannes Tschofenig draft-ietf-lemonade-profile-bis-11 Sean Turner draft-ietf-netconf-tls-06 Carl Wallace draft-gulbrandsen-imap-response-codes-07 Sam Weiler draft-chown-v6ops-rogue-ra-02 Brian Weis draft-ietf-pim-sm-linklocal-06 Nico Williams draft-ietf-v6ops-ra-guard-01 Larry Zhu draft-thaler-v6ops-teredo-extensions-02 From daveburke@google.com Sun Feb 8 13:51:44 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 345793A6AAA for ; Sun, 8 Feb 2009 13:51:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -100.507 X-Spam-Level: X-Spam-Status: No, score=-100.507 tagged_above=-999 required=5 tests=[AWL=-0.990, BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_21=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Y8fg4xDT2T9 for ; Sun, 8 Feb 2009 13:51:36 -0800 (PST) Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 60AED3A68AE for ; Sun, 8 Feb 2009 13:51:34 -0800 (PST) Received: from spaceape12.eur.corp.google.com (spaceape12.eur.corp.google.com [172.28.16.146]) by smtp-out.google.com with ESMTP id n18LpbKr018022 for ; Sun, 8 Feb 2009 21:51:37 GMT DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1234129897; bh=0yyXqDtYe3llNJApTFGFkigXGJs=; h=DomainKey-Signature:MIME-Version:In-Reply-To:References:Date: Message-ID:Subject:From:To:Cc:Content-Type:X-GMailtapped-By: X-GMailtapped; b=hyvClt0mciIdXlrCRyi+DaseVMGPW0DYWecLapEznTvXYIXD6 oRPl/RHWDf/A/sI2J7dhbNGMGqycET4Z+WGyg== DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-gmailtapped-by:x-gmailtapped; b=x8gMnIhqgdvA2BsCw4MKiti1RbdGVtjUbkYaoCYyWU3g91+fKxKiBxuO0NoQqSE1r NwsudLt8+hSSpkLX611Fg== Received: from rn-out-0910.google.com (rndk57.prod.google.com [10.38.137.57]) by spaceape12.eur.corp.google.com with ESMTP id n18LpVjq018370 for ; Sun, 8 Feb 2009 13:51:32 -0800 Received: by rn-out-0910.google.com with SMTP id k57so1260178rnd.13 for ; Sun, 08 Feb 2009 13:51:31 -0800 (PST) MIME-Version: 1.0 Received: by 10.151.49.8 with SMTP id b8mr2119371ybk.135.1234129890625; Sun, 08 Feb 2009 13:51:30 -0800 (PST) In-Reply-To: References: <6e608abf0901270754s5b16274fgeb6092f840baf82d@mail.gmail.com> Date: Sun, 8 Feb 2009 21:51:30 +0000 Message-ID: <6e608abf0902081351y2458ad56x55ab9d5460aa2939@mail.gmail.com> From: Dave Burke To: Stephen Kent Content-Type: multipart/mixed; boundary=0015174c0e8cbcca9904626f4135 X-GMailtapped-By: 172.28.16.146 X-GMailtapped: daveburke X-Mailman-Approved-At: Sun, 08 Feb 2009 18:18:15 -0800 Cc: secdir@core3.amsl.com, Mark.Scott@genesyslab.com, jon.peterson@neustar.biz Subject: Re: [secdir] secdir review X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Feb 2009 21:51:44 -0000 --0015174c0e8cbcca9904626f4135 Content-Type: multipart/alternative; boundary=0015174c0e8cbcca9104626f4133 --0015174c0e8cbcca9104626f4133 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit I've updated draft-ietf-mediactrl-vxml-04 (just posted to the I-D respository) addressing your comments. For convenience, I've attached the latest draft and a diff. Dave On Thu, Jan 29, 2009 at 11:04 PM, Stephen Kent wrote: > Dave, > > I think the changes you propose are reasonable. > > Steve > -- Dave Burke Google UK Limited Registered Office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ Registered in England Number: 3977902 --0015174c0e8cbcca9104626f4133 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable I've updated draft-ietf-mediactrl-vxml-04 (just posted to the I-D respo= sitory) addressing your comments. For convenience, I've attached the la= test draft and a diff.

Dave

On Th= u, Jan 29, 2009 at 11:04 PM, Stephen Kent <kent@bbn.com> wrote:
Dave,

I think the changes you propose are reasonable.

Steve



--
Dave Burke

Googl= e UK Limited

Registered Office: Belgrave House, 76 =A0Buckingham Pal= ace Road, London SW1W 9TQ
Registered in England Number: 3977902
--0015174c0e8cbcca9104626f4133-- --0015174c0e8cbcca9904626f4135 Content-Type: text/plain; charset=US-ASCII; name="draft-ietf-mediactrl-vxml-04.txt" Content-Disposition: attachment; filename="draft-ietf-mediactrl-vxml-04.txt" Content-Transfer-Encoding: base64 X-Attachment-Id: f_fqy9158j1 CgoKTWVkaWFjdHJsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIEQuIEJ1cmtlCkludGVybmV0LURyYWZ0ICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdvb2dsZQpJbnRlbmRlZCBzdGF0dXM6IFN0YW5k YXJkcyBUcmFjayAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTS4gU2NvdHQKRXhwaXJl czogQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICBHZW5lc3lzCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBGZWIgOCwgMjAwOQoKCiAgICAgICAgICAgICAgICBTSVAgSW50ZXJmYWNl IHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzCiAgICAgICAgICAgICAgICAgICAgZHJhZnQtaWV0 Zi1tZWRpYWN0cmwtdnhtbC0wNC50eHQKClN0YXR1cyBvZiB0aGlzIE1lbW8KCiAgIFRoaXMgSW50 ZXJuZXQtRHJhZnQgaXMgc3VibWl0dGVkIHRvIElFVEYgaW4gZnVsbCBjb25mb3JtYW5jZSB3aXRo IHRoZQogICBwcm92aXNpb25zIG9mIEJDUCA3OCBhbmQgQkNQIDc5LgoKICAgSW50ZXJuZXQtRHJh ZnRzIGFyZSB3b3JraW5nIGRvY3VtZW50cyBvZiB0aGUgSW50ZXJuZXQgRW5naW5lZXJpbmcKICAg VGFzayBGb3JjZSAoSUVURiksIGl0cyBhcmVhcywgYW5kIGl0cyB3b3JraW5nIGdyb3Vwcy4gIE5v dGUgdGhhdAogICBvdGhlciBncm91cHMgbWF5IGFsc28gZGlzdHJpYnV0ZSB3b3JraW5nIGRvY3Vt ZW50cyBhcyBJbnRlcm5ldC0KICAgRHJhZnRzLgoKICAgSW50ZXJuZXQtRHJhZnRzIGFyZSBkcmFm dCBkb2N1bWVudHMgdmFsaWQgZm9yIGEgbWF4aW11bSBvZiBzaXggbW9udGhzCiAgIGFuZCBtYXkg YmUgdXBkYXRlZCwgcmVwbGFjZWQsIG9yIG9ic29sZXRlZCBieSBvdGhlciBkb2N1bWVudHMgYXQg YW55CiAgIHRpbWUuICBJdCBpcyBpbmFwcHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMg YXMgcmVmZXJlbmNlCiAgIG1hdGVyaWFsIG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3 b3JrIGluIHByb2dyZXNzLiIKCiAgIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQtRHJhZnRz IGNhbiBiZSBhY2Nlc3NlZCBhdAogICBodHRwOi8vd3d3LmlldGYub3JnL2lldGYvMWlkLWFic3Ry YWN0cy50eHQuCgogICBUaGUgbGlzdCBvZiBJbnRlcm5ldC1EcmFmdCBTaGFkb3cgRGlyZWN0b3Jp ZXMgY2FuIGJlIGFjY2Vzc2VkIGF0CiAgIGh0dHA6Ly93d3cuaWV0Zi5vcmcvc2hhZG93Lmh0bWwu CgogICBUaGlzIEludGVybmV0LURyYWZ0IHdpbGwgZXhwaXJlIG9uIEF1Z3VzdCAxMiwgMjAwOS4K CkNvcHlyaWdodCBOb3RpY2UKCiAgIENvcHlyaWdodCAoYykgMjAwOSBJRVRGIFRydXN0IGFuZCB0 aGUgcGVyc29ucyBpZGVudGlmaWVkIGFzIHRoZQogICBkb2N1bWVudCBhdXRob3JzLiAgQWxsIHJp Z2h0cyByZXNlcnZlZC4KCiAgIFRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5k IHRoZSBJRVRGIFRydXN0J3MgTGVnYWwKICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERv Y3VtZW50cwogICAoaHR0cDovL3RydXN0ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZl Y3Qgb24gdGhlIGRhdGUgb2YKICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFz ZSByZXZpZXcgdGhlc2UgZG9jdW1lbnRzCiAgIGNhcmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5 b3VyIHJpZ2h0cyBhbmQgcmVzdHJpY3Rpb25zIHdpdGggcmVzcGVjdAogICB0byB0aGlzIGRvY3Vt ZW50LgoKCgoKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAy MDA5ICAgICAgICAgICAgICAgIFtQYWdlIDFdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZh Y2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKQWJzdHJhY3QK CiAgIFRoaXMgZG9jdW1lbnQgZGVzY3JpYmVzIGEgU0lQIGludGVyZmFjZSB0byBWb2ljZVhNTCBt ZWRpYSBzZXJ2aWNlcy4KICAgQ29tbW9ubHksIGFwcGxpY2F0aW9uIHNlcnZlcnMgY29udHJvbGxp bmcgbWVkaWEgc2VydmVycyB1c2UgdGhpcwogICBwcm90b2NvbCBmb3IgcHVyZSBWb2ljZVhNTCBw cm9jZXNzaW5nIGNhcGFiaWxpdGllcy4gIFRoaXMgcHJvdG9jb2wgaXMKICAgYW4gYWRqdW5jdCB0 byB0aGUgZnVsbCBNRURJQUNUUkwgcHJvdG9jb2wgYW5kIHBhY2thZ2VzIG1lY2hhbmlzbS4KCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKQnVya2UgJiBTY290dCAg ICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgIFtQYWdlIDJd CgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2Vydmlj ZXMgICAgICAgIEZlYiAyMDA5CgoKQ29tbWVudHMKCiAgIFBsZWFzZSBzZW5kIGNvbW1lbnRzIG9u IHRoaXMgZHJhZnQgdG8gdGhlIE1FRElBQ1RSTCBtYWlsIGxpc3QsCiAgIG1lZGlhY3RybEBpZXRm Lm9yZy4KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJr ZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAg ICAgW1BhZ2UgM10KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBN ZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgpUYWJsZSBvZiBDb250ZW50cwoKICAgMS4g IEludHJvZHVjdGlvbiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuICA1CiAgICAgMS4xLiAgVXNlIENhc2VzICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNQogICAgICAgMS4xLjEuICBJVlIgU2VydmljZXMgd2l0 aCBBcHBsaWNhdGlvbiBTZXJ2ZXJzICAuIC4gLiAuIC4gLiAuIC4gIDUKICAgICAgIDEuMS4yLiAg UFNUTiBJVlIgU2VydmljZSBOb2RlICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA2 CiAgICAgICAxLjEuMy4gIDNHUFAgSU1TIE1lZGlhIFJlc291cmNlIEZ1bmN0aW9uIChNUkYpIC4g LiAuIC4gLiAuIC4gLiAgNwogICAgICAgMS4xLjQuICBDQ1hNTCA8LT4gVm9pY2VYTUwgSW50ZXJh Y3Rpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDgKICAgICAgIDEuMS41LiAgT3RoZXIgVXNl IENhc2VzICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA4CiAgICAgMS4y LiAgVGVybWlub2xvZ3kgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAgOAogICAyLiAgVm9pY2VYTUwgU2Vzc2lvbiBFc3RhYmxpc2htZW50IGFuZCBUZXJtaW5h dGlvbiAuIC4gLiAuIC4gLiAuIC4gMTAKICAgICAyLjEuICBTZXJ2aWNlIElkZW50aWZpY2F0aW9u IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDEwCiAgICAgMi4yLiAgSW5pdGlh dGluZyBhIFZvaWNlWE1MIFNlc3Npb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxMwog ICAgIDIuMy4gIFByZXBhcmluZyBhIFZvaWNlWE1MIFNlc3Npb24gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gMTQKICAgICAyLjQuICBTZXNzaW9uIFZhcmlhYmxlIE1hcHBpbmdzICAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDE1CiAgICAgMi41LiAgVGVybWluYXRpbmcgYSBW b2ljZVhNTCBTZXNzaW9uIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxOAogICAgIDIuNi4g IEV4YW1wbGVzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gMTgKICAgICAgIDIuNi4xLiAgQmFzaWMgU2Vzc2lvbiBFc3RhYmxpc2htZW50ICAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIDE4CiAgICAgICAyLjYuMi4gIFZvaWNlWE1MIFNlc3Npb24gUHJl cGFyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxOQogICAgICAgMi42LjMuICBNUkNQ IEVzdGFibGlzaG1lbnQgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMjAKICAg My4gIE1lZGlhIFN1cHBvcnQgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIDIzCiAgICAgMy4xLiAgT2ZmZXIvQW5zd2VyIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAyMwogICAgIDMuMi4gIEVhcmx5IE1lZGlhICAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMjMKICAgICAzLjMuICBN b2RpZnlpbmcgdGhlIE1lZGlhIFNlc3Npb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IDI1CiAgICAgMy40LiAgQXVkaW8gYW5kIFZpZGVvIENvZGVjcyAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAyNQogICAgIDMuNS4gIERUTUYgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMjYKICAgNC4gIFJldHVybmluZyBEYXRh IHRvIHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDI3CiAgICAg NC4xLiAgSFRUUCBNZWNoYW5pc20gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAyNwogICAgIDQuMi4gIFNJUCBNZWNoYW5pc20gIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMjcKICAgNS4gIE91dGJvdW5kIENhbGxpbmcgLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDMwCiAgIDYuICBDYWxsIFRy YW5zZmVyICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAz MQogICAgIDYuMS4gIEJsaW5kICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gMzEKICAgICA2LjIuICBCcmlkZ2UgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDMzCiAgICAgNi4zLiAgQ29uc3VsdGF0aW9u IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAzNAogICA3LiAg Q29udHJpYnV0b3JzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gMzcKICAgOC4gIEFja25vd2xlZGdlbWVudHMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIDM4CiAgIDkuICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyAg LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAzOQogICAxMC4gSUFOQSBDb25z aWRlcmF0aW9ucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gNDAK ICAgMTEuIENoYW5nZXMgc2luY2UgbGFzdCB2ZXJzaW9uOiAgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIDQxCiAgIDEyLiBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA0MgogICAgIDEyLjEuIE5vcm1hdGl2ZSBSZWZl cmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gNDIKICAgICAxMi4y LiBJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIDQ0CiAgIEFwcGVuZGl4IEEuICBOb3RlcyBvbiBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiA0NgogICBBdXRob3JzJyBBZGRyZXNzZXMgLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gNDcKCgoKCgoKCkJ1cmtlICYgU2Nv dHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgICBbUGFn ZSA0XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNl cnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjEuICBJbnRyb2R1Y3Rpb24KCiAgIFZvaWNlWE1MIFtW WE1MMjBdLCBbVlhNTDIxXSBpcyBhIFdvcmxkIFdpZGUgV2ViIENvbnNvcnRpdW0gKFczQykKICAg c3RhbmRhcmQgZm9yIGNyZWF0aW5nIGF1ZGlvIGFuZCB2aWRlbyBkaWFsb2dzIHRoYXQgZmVhdHVy ZQogICBzeW50aGVzaXplZCBzcGVlY2gsIGRpZ2l0aXplZCBhdWRpbywgcmVjb2duaXRpb24gb2Yg c3Bva2VuIGFuZCBEVE1GCiAgIGtleSBpbnB1dCwgcmVjb3JkaW5nIG9mIGF1ZGlvIGFuZCB2aWRl bywgdGVsZXBob255LCBhbmQgbWl4ZWQKICAgaW5pdGlhdGl2ZSBjb252ZXJzYXRpb25zLiAgVm9p Y2VYTUwgYWxsb3dzIFdlYi1iYXNlZCBkZXZlbG9wbWVudCBhbmQKICAgY29udGVudCBkZWxpdmVy eSBwYXJhZGlnbXMgdG8gYmUgdXNlZCB3aXRoIGludGVyYWN0aXZlIHZpZGVvIGFuZAogICB2b2lj ZSByZXNwb25zZSBhcHBsaWNhdGlvbnMuCgogICBUaGlzIGRvY3VtZW50IGRlc2NyaWJlcyBhIFNJ UCBbUkZDMzI2MV0gaW50ZXJmYWNlIHRvIFZvaWNlWE1MIG1lZGlhCiAgIHNlcnZpY2VzLiAgQ29t bW9ubHksIGFwcGxpY2F0aW9uIHNlcnZlcnMgY29udHJvbGxpbmcgbWVkaWEgc2VydmVycwogICB1 c2UgdGhpcyBwcm90b2NvbCBmb3IgcHVyZSBWb2ljZVhNTCBwcm9jZXNzaW5nIGNhcGFiaWxpdGll cy4gIFNJUCBpcwogICByZXNwb25zaWJsZSBmb3IgaW5pdGlhdGluZyBhIG1lZGlhIHNlc3Npb24g dG8gdGhlIFZvaWNlWE1MIG1lZGlhCiAgIHNlcnZlciBhbmQgc2ltdWx0YW5lb3VzbHkgdHJpZ2dl cmluZyB0aGUgZXhlY3V0aW9uIG9mIGEgc3BlY2lmaWVkCiAgIFZvaWNlWE1MIGFwcGxpY2F0aW9u LiAgVGhpcyBwcm90b2NvbCBpcyBhbiBhZGp1bmN0IHRvIHRoZSBmdWxsCiAgIE1FRElBQ1RSTCBw cm90b2NvbCBhbmQgcGFja2FnZXMgbWVjaGFuaXNtLgoKICAgVGhlIGludGVyZmFjZSBkZXNjcmli ZWQgaGVyZSBsZXZlcmFnZXMgYSBtZWNoYW5pc20gZm9yIGlkZW50aWZ5aW5nCiAgIGRpYWxvZyBt ZWRpYSBzZXJ2aWNlcyBmaXJzdCBkZXNjcmliZWQgaW4gW1JGQzQyNDBdLiAgVGhlIGludGVyZmFj ZQogICBoYXMgYmVlbiB1cGRhdGVkIGFuZCBleHRlbmRlZCB0byBzdXBwb3J0IHRoZSBXM0MgUmVj b21tZW5kYXRpb24gZm9yCiAgIFZvaWNlWE1MIDIuMCBbVlhNTDIwXSBhbmQgVm9pY2VYTUwgMi4x IFtWWE1MMjFdLiAgQSBzZXQgb2YgY29tbW9ubHkKICAgaW1wbGVtZW50ZWQgZnVuY3Rpb25zIGFu ZCBleHRlbnNpb25zIGhhdmUgYmVlbiBzcGVjaWZpZWQgaW5jbHVkaW5nCiAgIFZvaWNlWE1MIGRp YWxvZyBwcmVwYXJhdGlvbiwgb3V0Ym91bmQgY2FsbGluZywgdmlkZW8gbWVkaWEgc3VwcG9ydCwK ICAgYW5kIHRyYW5zZmVycy4gIFZvaWNlWE1MIHNlc3Npb24gdmFyaWFibGUgbWFwcGluZ3MgaGF2 ZSBiZWVuIGRlZmluZWQKICAgZm9yIFNJUCB3aXRoIGFuIGV4dGVuc2libGUgbWVjaGFuaXNtIGZv ciBwYXNzaW5nIGFwcGxpY2F0aW9uLXNwZWNpZmljCiAgIHZhbHVlcyBpbnRvIHRoZSBWb2ljZVhN TCBhcHBsaWNhdGlvbi4gIE1lY2hhbmlzbXMgZm9yIHJldHVybmluZyBkYXRhCiAgIHRvIHRoZSBB cHBsaWNhdGlvbiBTZXJ2ZXIgaGF2ZSBhbHNvIGJlZW4gYWRkZWQuCgoxLjEuICBVc2UgQ2FzZXMK CiAgIFRoZSBWb2ljZVhNTCBtZWRpYSBzZXJ2aWNlIHVzZXIgaW4gdGhpcyBkb2N1bWVudCBpcyBn ZW5lcmljYWxseQogICByZWZlcnJlZCB0byBhcyBhbiBBcHBsaWNhdGlvbiBTZXJ2ZXIuICBJbiBw cmFjdGljZSwgaXQgaXMgaW50ZW5kZWQKICAgdGhhdCB0aGUgaW50ZXJmYWNlIGRlZmluZWQgYnkg dGhpcyBkb2N1bWVudCBpcyBhcHBsaWNhYmxlIGFjcm9zcyBhCiAgIHdpZGUgcmFuZ2Ugb2YgdXNl IGNhc2VzLiAgU2V2ZXJhbCBpbnRlbmRlZCB1c2UgY2FzZXMgYXJlIGRlc2NyaWJlZAogICBiZWxv dy4KCjEuMS4xLiAgSVZSIFNlcnZpY2VzIHdpdGggQXBwbGljYXRpb24gU2VydmVycwoKICAgU0lQ IEFwcGxpY2F0aW9uIFNlcnZlcnMgcHJvdmlkZSBzZXJ2aWNlcyB0byB1c2VycyBvZiB0aGUgbmV0 d29yay4KICAgVHlwaWNhbGx5LCB0aGVyZSBtYXkgYmUgc2V2ZXJhbCBBcHBsaWNhdGlvbiBTZXJ2 ZXJzIGluIHRoZSBzYW1lCiAgIG5ldHdvcmssIGVhY2ggc3BlY2lhbGlzZWQgaW4gcHJvdmlkaW5n IGEgcGFydGljdWxhciBzZXJ2aWNlLgogICBUaHJvdWdob3V0IHRoaXMgc3BlY2lmaWNhdGlvbiBh bmQgd2l0aG91dCBsb3NzIG9mIGdlbmVyYWxpdHksIHdlCiAgIHBvc2l0IHRoZSBwcmVzZW5jZSBv ZiBhbiBBcHBsaWNhdGlvbiBTZXJ2ZXIgc3BlY2lhbGlzZWQgaW4gcHJvdmlkaW5nCiAgIElWUiBz ZXJ2aWNlcy4gIEEgdHlwaWNhbCBjb25maWd1cmF0aW9uIGZvciB0aGlzIHVzZSBjYXNlIGlzCiAg IGlsbHVzdHJhdGVkIGJlbG93LgoKCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVz IEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgICBbUGFnZSA1XQoMCkludGVybmV0LURyYWZ0 ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAw OQoKCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLSsKICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgfAogICAgICAgICAgICAgICAg ICAgICAgICAgICAgICB8ICBBcHBsaWNhdGlvbiB8XAogICAgICAgICAgICAgICAgICAgICAgICAg ICAgICB8ICAgIFNlcnZlciAgICB8IFwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAg ICAgICAgICAgICAgfCAgXCBIVFRQCiAgICAgICAgICAgICAgICAgICAgICAgICBTSVAgICstLS0t LS0tLS0tLS0tLSsgICBcCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC8gICAgICAgICAg ICAgICBcICAgXAogICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0rIC8gICAgICAgICAgICAgU0lQ IFwgKy0tLS0tLS0tLS0tLS0tKwogICAgICAgICAgICAgfCAgICAgICAgICAgICB8LyAgICAgICAg ICAgICAgICAgICBcfCAgICAgICAgICAgICAgfAogICAgICAgICAgICAgfCAgICAgU0lQICAgICB8 ICAgICAgICAgICAgICAgICAgICAgfCAgIFZvaWNlWE1MICAgfAogICAgICAgICAgICAgfCBVc2Vy IEFnZW50ICB8ICAgICAgUlRQL1NSVFAgICAgICAgfCBNZWRpYSBTZXJ2ZXIgfAogICAgICAgICAg ICAgfCAgICAgICAgICAgICB8PT09PT09PT09PT09PT09PT09PT09fCAgICAgICAgICAgICAgfAog ICAgICAgICAgICAgKy0tLS0tLS0tLS0tLS0rICAgICAgICAgICAgICAgICAgICAgKy0tLS0tLS0t LS0tLS0tKwoKCiAgIEFzc3VtaW5nIHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgYWxzbyBzdXBwb3J0 cyBIVFRQLCB0aGUgVm9pY2VYTUwKICAgYXBwbGljYXRpb24gbWF5IGJlIGhvc3RlZCBvbiBpdCBh bmQgc2VydmVkIHVwIHZpYSBIVFRQIFtSRkMyNjE2XS4KICAgTm90ZSwgaG93ZXZlciwgdGhhdCB0 aGUgV2ViIG1vZGVsIGFsbG93cyB0aGUgVm9pY2VYTUwgYXBwbGljYXRpb24gdG8KICAgYmUgaG9z dGVkIG9uIGEgc2VwYXJhdGUgKEhUVFApIEFwcGxpY2F0aW9uIFNlcnZlciBmcm9tIHRoZSAoU0lQ KQogICBBcHBsaWNhdGlvbiBTZXJ2ZXIgdGhhdCBpbnRlcmFjdHMgd2l0aCB0aGUgVm9pY2VYTUwg TWVkaWEgU2VydmVyIHZpYQogICB0aGlzIHNwZWNpZmljYXRpb24uICBJdCBpcyBhbHNvIHBvc3Np YmxlIGZvciBhIHN0YXRpYyBWb2ljZVhNTAogICBhcHBsaWNhdGlvbiB0byBiZSBzdG9yZWQgbG9j YWxseSBvbiB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyLAogICBsZXZlcmFnaW5nIHRoZSBWb2lj ZVhNTCAyLjEgW1ZYTUwyMV0gPGRhdGE+IG1lY2hhbmlzbSB0byBpbnRlcmFjdAogICB3aXRoIGEg V2ViL0FwcGxpY2F0aW9uIFNlcnZlciB3aGVuIGR5bmFtaWMgYmVoYXZpb3IgaXMgcmVxdWlyZWQu ICBUaGUKICAgdmlhYmlsaXR5IG9mIHN0YXRpYyBWb2ljZVhNTCBhcHBsaWNhdGlvbnMgaXMgZnVy dGhlciBlbmhhbmNlZCBieSB0aGUKICAgbWVjaGFuaXNtcyBkZWZpbmVkIGluIHNlY3Rpb24gMi40 LCB0aHJvdWdoIHdoaWNoIHRoZSBBcHBsaWNhdGlvbgogICBTZXJ2ZXIgY2FuIG1ha2Ugc2Vzc2lv bi1zcGVjaWZpYyBpbmZvcm1hdGlvbiBhdmFpbGFibGUgd2l0aGluIHRoZQogICBWb2ljZVhNTCBz ZXNzaW9uIGNvbnRleHQuCgogICBUaGUgYXBwcm9hY2ggZGVzY3JpYmVkIGluIHRoaXMgZG9jdW1l bnQgaXMgc29tZXRpbWVzIHRlcm1lZCB0aGUKICAgImRlbGVnYXRpb24gbW9kZWwiIC0gdGhlIEFw cGxpY2F0aW9uIFNlcnZlciBpcyBlc3NlbnRpYWxseSBkZWxlZ2F0aW5nCiAgIHByb2dyYW1tYXRp YyBjb250cm9sIG9mIHRoZSBodW1hbi1tYWNoaW5lIGludGVyYWN0aW9ucyB0byBvbmUgb3IgbW9y ZQogICBWb2ljZVhNTCBkb2N1bWVudHMgcnVubmluZyBvbiB0aGUgVm9pY2VYTUwgTWVkaWEgU2Vy dmVyLiAgRHVyaW5nIHRoZQogICBodW1hbi1tYWNoaW5lIGludGVyYWN0aW9ucywgdGhlIEFwcGxp Y2F0aW9uIFNlcnZlciByZW1haW5zIGluIHRoZQogICBzaWduYWxpbmcgcGF0aCBhbmQgY2FuIHJl c3BvbmQgdG8gcmVzdWx0cyByZXR1cm5lZCBmcm9tIHRoZSBWb2ljZVhNTAogICBNZWRpYSBTZXJ2 ZXIgb3Igb3RoZXIgZXh0ZXJuYWwgbmV0d29yayBldmVudHMuCgoxLjEuMi4gIFBTVE4gSVZSIFNl cnZpY2UgTm9kZQoKICAgV2hpbGUgdGhpcyBkb2N1bWVudCBpcyBpbnRlbmRlZCB0byBlbmFibGUg ZW5oYW5jZWQgdXNlIG9mIFZvaWNlWE1MIGFzCiAgIGEgY29tcG9uZW50IG9mIGxhcmdlciBzeXN0 ZW1zIGFuZCBzZXJ2aWNlcywgaXQgaXMgaW50ZW5kZWQgdGhhdAogICBkZXZpY2VzIHRoYXQgYXJl IGNvbXBsZXRlbHkgdW5hd2FyZSBvZiB0aGlzIHNwZWNpZmljYXRpb24gcmVtYWluCiAgIGNhcGFi bGUgb2YgaW52b2tpbmcgVm9pY2VYTUwgc2VydmljZXMgb2ZmZXJlZCBieSBhIFZvaWNlWE1MIE1l ZGlhCiAgIFNlcnZlciBjb21wbGlhbnQgd2l0aCB0aGlzIGRvY3VtZW50LiAgQSB0eXBpY2FsIGNv bmZpZ3VyYXRpb24gZm9yCiAgIHRoaXMgdXNlIGNhc2UgaXMgYXMgZm9sbG93czoKCgoKCgoKQnVy a2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAg ICAgIFtQYWdlIDZdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwg TWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgICAgICAgICAgICstLS0tLS0tLS0t LS0tKyAgICAgICAgIFNJUCAgICAgICAgICstLS0tLS0tLS0tLS0tLSsKICAgICAgICAgICAgIHwg ICAgICAgICAgICAgfC0tLS0tLS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgIHwKICAgICAg ICAgICAgIHwgICBJUC9QU1ROICAgfCAgICAgICAgICAgICAgICAgICAgIHwgICBWb2ljZVhNTCAg IHwKICAgICAgICAgICAgIHwgICBHYXRld2F5ICAgfCAgICAgIFJUUC9TUlRQICAgICAgIHwgTWVk aWEgU2VydmVyIHwKICAgICAgICAgICAgIHwgICAgICAgICAgICAgfD09PT09PT09PT09PT09PT09 PT09PXwgICAgICAgICAgICAgIHwKICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tKyAgICAgICAg ICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLSsKCiAgIE5vdGUgYWxzbyB0aGF0IGJleW9uZCB0 aGUgaW52b2NhdGlvbiBhbmQgdGVybWluYXRpb24gb2YgYSBWb2ljZVhNTAogICBkaWFsb2csIHRo ZSBzZW1hbnRpY3MgZGVmaW5lZCBmb3IgY2FsbCB0cmFuc2ZlcnMgdXNpbmcgUkVGRVIgYXJlCiAg IGludGVuZGVkIHRvIGJlIGNvbXBhdGlibGUgd2l0aCBzdGFuZGFyZCwgZXhpc3RpbmcgSVAvUFNU TiBnYXRld2F5cy4KCjEuMS4zLiAgM0dQUCBJTVMgTWVkaWEgUmVzb3VyY2UgRnVuY3Rpb24gKE1S RikKCiAgIFRoZSAzR1BQIElQIE11bHRpbWVkaWEgU3Vic3lzdGVtIChJTVMpIFtUUzIzMDAyXSBk ZWZpbmVzIGEgTWVkaWEKICAgUmVzb3VyY2UgRnVuY3Rpb24gKE1SRikgdXNlZCB0byBvZmZlciBt ZWRpYSBwcm9jZXNzaW5nIHNlcnZpY2VzIHN1Y2gKICAgYXMgY29uZmVyZW5jaW5nLCB0cmFuc2Nv ZGluZywgYW5kIHByb21wdC9jb2xsZWN0LiAgVGhlIGNhcGFiaWxpdGllcwogICBvZmZlcmVkIGJ5 IFZvaWNlWE1MIGFyZSBpZGVhbCBmb3Igb2ZmZXJpbmcgcmljaGVyIG1lZGlhIHByb2Nlc3NpbmcK ICAgc2VydmljZXMgaW4gdGhlIGNvbnRleHQgb2YgdGhlIE1SRi4gIEluIHRoaXMgYXJjaGl0ZWN0 dXJlLCB0aGUKICAgaW50ZXJmYWNlIGRlZmluZWQgaGVyZSBjb3JyZXNwb25kcyB0byB0aGUgIk1y IiBpbnRlcmZhY2UgdG8gdGhlIE1SRkM7CiAgIHRoZSBpbXBsZW1lbnRhdGlvbiBvZiB0aGlzIGlu dGVyZmFjZSBtaWdodCB1c2Ugc2VwYXJhdGVkIE1SRkMgYW5kCiAgIE1SRlAgZWxlbWVudHMgKGFz IHBlciB0aGUgSU1TIGFyY2hpdGVjdHVyZSksIG9yIG1pZ2h0IGJlIGFuCiAgIGludGVncmF0ZWQg TVJGIChhcyBpcyBjb21tb24gcHJhY3RpY2UpLgoKICAgICAgICAgICAgICstLS0tLS0tLS0tKwog ICAgICAgICAgICAgfCAgIEFwcCAgICB8CiAgICAgICAgICAgICB8ICBTZXJ2ZXIgIHwKICAgICAg ICAgICAgICstLS0tLS0tLS0tKwogICAgICAgICAgICAgICAgICB8CiAgICAgICAgICAgICAgICAg IHwgU0lQIChJU0MpCiAgICAgICAgICAgICAgICAgIHwKICAgICAgICAgICAgICstLS0tLS0tLS0t KyAgIFNJUCAoTXIpICAgICstLS0tLS0tLS0tLS0tLSsKICAgICAgICAgICAgIHwgIFMtQ1NDRiAg fC0tLS0tLS0tLS0tLS0tLXwgICBWb2ljZVhNTCAgIHwKICAgICAgICAgICAgIHwgICAgICAgICAg fCAgICAgICAgICAgICAgIHwgICAgIE1SRiAgICAgIHwKICAgICAgICAgICAgICstLS0tLS0tLS0t KyAgICAgICAgICAgICAgICstLS0tLS0tLS0tLS0tLSsKICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICB8fAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIHx8IFJUUC9TUlRQIChNYikKICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICB8fAoKICAgVGhlIGFib3ZlIGRpYWdyYW0gaXMgaGlnaGx5 IHNpbXBsaWZpZWQgYW5kIHNob3dzIGEgc3Vic2V0IG9mIG5vZGVzCiAgIHR5cGljYWxseSBpbnZv bHZlZCBpbiBNUkYgaW50ZXJhY3Rpb25zLiAgSXQgc2hvdWxkIGJlIG5vdGVkIHRoYXQKICAgd2hp bGUgdGhlIE1SRiB3aWxsIHByaW1hcmlseSBiZSB1c2VkIGJ5IHRoZSBBcHBsaWNhdGlvbiBTZXJ2 ZXIgdmlhCiAgIHRoZSBTLUNTQ0YsIGl0IGlzIGFsc28gcG9zc2libGUgZm9yIGNhbGxzIHRvIGJl IHJvdXRlZCBkaXJlY3RseSB0bwogICB0aGUgTVJGIHdpdGhvdXQgdGhlIGludm9sdmVtZW50IG9m IGFuIEFwcGxpY2F0aW9uIFNlcnZlci4KCiAgIEFsdGhvdWdoIHRoZSBhYm92ZSBpcyBkZXNjcmli ZWQgaW4gdGVybXMgb2YgdGhlIDNHUFAgSU1TCiAgIGFyY2hpdGVjdHVyZSwgaXQgaXMgaW50ZW5k ZWQgdGhhdCBpdCBpcyBhbHNvIGFwcGxpY2FibGUgdG8gM0dQUDIsCiAgIE5HTiwgYW5kIFBhY2tl dENhYmxlIGFyY2hpdGVjdHVyZXMgdGhhdCBhcmUgY29udmVyZ2luZyB3aXRoIDNHUFAgSU1TCiAg IHN0YW5kYXJkcy4KCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEy LCAyMDA5ICAgICAgICAgICAgICAgIFtQYWdlIDddCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRl cmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKMS4xLjQu ICBDQ1hNTCA8LT4gVm9pY2VYTUwgSW50ZXJhY3Rpb24KCiAgIENhbGwgQ29udHJvbCBlWHRlbnNp YmxlIE1hcmt1cCBMYW5ndWFnZSAoQ0NYTUwpIDEuMCBbQ0NYTUwxMF0KICAgYXBwbGljYXRpb25z IHByb3ZpZGUgc2VydmljZXMgbWFpbmx5IHRocm91Z2ggY29udHJvbGxpbmcgdGhlCiAgIGludGVy YWN0aW9uIGJldHdlZW4gQ29ubmVjdGlvbnMsIENvbmZlcmVuY2VzLCBhbmQgRGlhbG9ncy4gIEFs dGhvdWdoCiAgIENDWE1MIGlzIGNhcGFibGUgb2Ygc3VwcG9ydGluZyBhcmJpdHJhcnkgZGlhbG9n IGVudmlyb25tZW50cywKICAgVm9pY2VYTUwgaXMgY29tbW9ubHkgdXNlZCBhcyBhIGRpYWxvZyBl bnZpcm9ubWVudCBpbiBjb25qdW5jdGlvbiB3aXRoCiAgIENDWE1MIGFwcGxpY2F0aW9uczsgQ0NY TUwgaXMgc3BlY2lmaWNhbGx5IGRlc2lnbmVkIHRvIGVmZmVjdGl2ZWx5CiAgIHN1cHBvcnQgdGhl IHVzZSBvZiBWb2ljZVhNTC4gIENDWE1MIDEuMCBkZWZpbmVzIGxhbmd1YWdlIGVsZW1lbnRzCiAg IHRoYXQgYWxsb3cgZm9yIERpYWxvZ3MgdG8gYmUgcHJlcGFyZWQsIHN0YXJ0ZWQsIGFuZCB0ZXJt aW5hdGVkOyBpdAogICBmdXJ0aGVyIGFsbG93cyBmb3IgZGF0YSB0byBiZSByZXR1cm5lZCBieSB0 aGUgZGlhbG9nIGVudmlyb25tZW50LCBmb3IKICAgY2FsbCB0cmFuc2ZlcnMgdG8gYmUgcmVxdWVz dGVkIChieSB0aGUgZGlhbG9nKSBhbmQgcmVzcG9uZGVkIHRvIGJ5CiAgIHRoZSBDQ1hNTCBhcHBs aWNhdGlvbiwgYW5kIGZvciBhcmJpdHJhcnkgZXZlbnRpbmcgYmV0d2VlbiB0aGUgQ0NYTUwKICAg YXBwbGljYXRpb24gYW5kIHJ1bm5pbmcgZGlhbG9nIGFwcGxpY2F0aW9uLgoKICAgVGhlIGludGVy ZmFjZSBkZXNjcmliZWQgaW4gdGhpcyBkb2N1bWVudCBjYW4gYmUgdXNlZCBieSBDQ1hNTCAxLjAK ICAgaW1wbGVtZW50YXRpb25zIHRvIGNvbnRyb2wgVm9pY2VYTUwgTWVkaWEgU2VydmVycy4gIE5v dGUsIGhvd2V2ZXIsCiAgIHRoYXQgc29tZSBDQ1hNTCBsYW5ndWFnZSBmZWF0dXJlcyByZXF1aXJl IGV2ZW50aW5nIGZhY2lsaXRpZXMgYmV0d2VlbgogICBDQ1hNTCBhbmQgVm9pY2VYTUwgc2Vzc2lv bnMgdGhhdCBnbyBiZXlvbmQgd2hhdCBpcyBkZWZpbmVkIGluIHRoaXMKICAgc3BlY2lmaWNhdGlv bi4gIEZvciBleGFtcGxlLCBWb2ljZVhNTC1jb250cm9sbGVkIGNhbGwgdHJhbnNmZXJzIGFuZAog ICBtaWQtZGlhbG9nIGFwcGxpY2F0aW9uLWRlZmluZWQgZXZlbnRzIGNhbm5vdCBiZSBmdWxseSBy ZWFsaXplZCB1c2luZwogICB0aGlzIHNwZWNpZmljYXRpb24gYWxvbmUuICBBIFNJUCBldmVudCBw YWNrYWdlIFtSRkMzMjY1XSBNQVkgYmUgdXNlZAogICBpbiBhZGRpdGlvbiB0byB0aGlzIHNwZWNp ZmljYXRpb24gdG8gcHJvdmlkZSBleHRlbmRlZCBldmVudGluZy4KCjEuMS41LiAgT3RoZXIgVXNl IENhc2VzCgogICBJbiBhZGRpdGlvbiB0byB0aGUgdXNlIGNhc2VzIGRlc2NyaWJlZCBpbiBzb21l IGRldGFpbCBhYm92ZSwgdGhlcmUKICAgYXJlIGEgbnVtYmVyIG9mIG90aGVyIGludGVuZGVkIHVz ZSBjYXNlcyB0aGF0IGFyZSBub3QgZGVzY3JpYmVkIGluCiAgIGRldGFpbCwgc3VjaCBhczoKCiAg IDEuICBVc2Ugb2YgYSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgYXMgYW4gYWRqdW5jdCB0byBhbiBJ UC1iYXNlZCBQQlgvCiAgICAgICBBQ0QsIHBvc3NpYmx5IHRvIHByb3ZpZGUgdm9pY2VtYWlsL21l c3NhZ2luZywgYXV0b21hdGVkCiAgICAgICBhdHRlbmRhbnQsIG9yIG90aGVyIGNhcGFiaWxpdGll cy4KCiAgIDIuICBJbnZvY2F0aW9uIGFuZCBjb250cm9sIG9mIGEgVm9pY2VYTUwgc2Vzc2lvbiB0 aGF0IHByb3ZpZGVzIHRoZQogICAgICAgdm9pY2UgbW9kYWxpdHkgY29tcG9uZW50IGluIGEgbXVs dGltb2RhbCBzeXN0ZW0uCgoxLjIuICBUZXJtaW5vbG9neQoKICAgQXBwbGljYXRpb24gU2VydmVy OiAgQSBTSVAgQXBwbGljYXRpb24gU2VydmVyIGhvc3RzIGFuZCBleGVjdXRlcwogICAgICBzZXJ2 aWNlcywgaW4gcGFydGljdWxhciBieSB0ZXJtaW5hdGluZyBTSVAgc2Vzc2lvbnMgb24gYSBtZWRp YQogICAgICBzZXJ2ZXIuICBUaGUgQXBwbGljYXRpb24gU2VydmVyIE1BWSBhbHNvIGFjdCBhcyBh biBIVFRQIHNlcnZlcgogICAgICBbUkZDMjYxNl0gaW4gaW50ZXJhY3Rpb25zIHdpdGggbWVkaWEg c2VydmVycy4KCiAgIFZvaWNlWE1MIE1lZGlhIFNlcnZlcjogIEEgVm9pY2VYTUwgaW50ZXJwcmV0 ZXIgaW5jbHVkaW5nIGEgU0lQLWJhc2VkCiAgICAgIGludGVycHJldGVyIGNvbnRleHQgYW5kIHRo ZSByZXF1aXNpdGUgbWVkaWEgcHJvY2Vzc2luZwogICAgICBjYXBhYmlsaXRpZXMgdG8gc3VwcG9y dCBWb2ljZVhNTCBmdW5jdGlvbmFsaXR5LgoKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4 cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgIFtQYWdlIDhdCgwKSW50ZXJuZXQt RHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZl YiAyMDA5CgoKICAgVm9pY2VYTUwgU2Vzc2lvbjogIEEgVm9pY2VYTUwgU2Vzc2lvbiBpcyBhIG11 bHRpbWVkaWEgc2Vzc2lvbgogICAgICBjb21wcmlzaW5nIG9mIGF0IGxlYXN0IGEgU0lQIHVzZXIg YWdlbnQsIGEgVm9pY2VYTUwgTWVkaWEgU2VydmVyLAogICAgICB0aGUgZGF0YSBzdHJlYW1zIGJl dHdlZW4gdGhlbSwgYW5kIGFuIGV4ZWN1dGluZyBWb2ljZVhNTAogICAgICBhcHBsaWNhdGlvbi4K CiAgIFZvaWNlWE1MIERpYWxvZzogIEVxdWl2YWxlbnQgdG8gVm9pY2VYTUwgU2Vzc2lvbi4KCiAg IFRoZSBrZXkgd29yZHMgIk1VU1QiLCAiTVVTVCBOT1QiLCAiUkVRVUlSRUQiLCAiU0hBTEwiLCAi U0hBTEwgTk9UIiwKICAgIlNIT1VMRCIsICJTSE9VTEQgTk9UIiwgIlJFQ09NTUVOREVEIiwgIk1B WSIsIGFuZCAiT1BUSU9OQUwiIGluIHRoaXMKICAgZG9jdW1lbnQgYXJlIHRvIGJlIGludGVycHJl dGVkIGFzIGRlc2NyaWJlZCBpbiBbUkZDMjExOV0uCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEy LCAyMDA5ICAgICAgICAgICAgICAgIFtQYWdlIDldCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRl cmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKMi4gIFZv aWNlWE1MIFNlc3Npb24gRXN0YWJsaXNobWVudCBhbmQgVGVybWluYXRpb24KCiAgIFRoaXMgc2Vj dGlvbiBkZXNjcmliZXMgaG93IHRvIGVzdGFibGlzaCBhIFZvaWNlWE1MIFNlc3Npb24sIHdpdGgg b3IKICAgd2l0aG91dCBwcmVwYXJhdGlvbiwgYW5kIGhvdyB0byB0ZXJtaW5hdGUgYSBzZXNzaW9u LiAgVGhpcyBzZWN0aW9uCiAgIGFsc28gYWRkcmVzc2VzIGhvdyBzZXNzaW9uIGluZm9ybWF0aW9u IGlzIG1hZGUgYXZhaWxhYmxlIHRvIFZvaWNlWE1MCiAgIGFwcGxpY2F0aW9ucy4KCjIuMS4gIFNl cnZpY2UgSWRlbnRpZmljYXRpb24KCiAgIFRoZSBTSVAgUmVxdWVzdC1VUkkgaXMgdXNlZCB0byBp ZGVudGlmeSB0aGUgVm9pY2VYTUwgbWVkaWEgc2VydmljZS4KICAgVGhlIHVzZXIgcGFydCBvZiB0 aGUgU0lQIFJlcXVlc3QtVVJJIGlzIGZpeGVkIHRvICJkaWFsb2ciLiAgVGhpcyBpcwogICBkb25l IHRvIGVuc3VyZSBjb21wYXRpYmlsaXR5IHdpdGggW1JGQzQyNDBdLCBzaW5jZSB0aGlzIGRvY3Vt ZW50CiAgIGV4dGVuZHMgdGhlIGRpYWxvZyBpbnRlcmZhY2UgZGVmaW5lZCBpbiB0aGF0IHNwZWNp ZmljYXRpb24sIGFuZAogICBiZWNhdXNlIHRoaXMgY29udmVudGlvbiBmcm9tIFtSRkM0MjQwXSBp cyB3aWRlbHkgYWRvcHRlZCBieSBleGlzdGluZwogICBtZWRpYSBzZXJ2ZXJzLgoKICAgU3RhbmRh cmRpemluZyB0aGUgU0lQIFJlcXVlc3QtVVJJIGluY2x1ZGluZyB0aGUgdXNlciBwYXJ0IGFsc28K ICAgaW1wcm92ZXMgaW50ZXJvcGVyYWJpbGl0eSBiZXR3ZWVuIGFwcGxpY2F0aW9uIHNlcnZlcnMg YW5kIG1lZGlhCiAgIHNlcnZlcnMsIGFuZCByZWR1Y2VzIHRoZSBwcm92aXNpb25pbmcgb3Zlcmhl YWQgdGhhdCB3b3VsZCBiZSByZXF1aXJlZAogICBpZiB1c2Ugb2YgYSBtZWRpYSBzZXJ2ZXIgYnkg YW4gYXBwbGljYXRpb24gc2VydmVyIHJlcXVpcmVkIGFuCiAgIGluZGl2aWR1YWxseSBwcm92aXNp b25lZCBVUkkuICBJbiB0aGlzIHJlc3BlY3QsIHRoaXMgZG9jdW1lbnQgKGFuZAogICBbUkZDNDI0 MF0pIGRvIG5vdCBhZGQgc2VtYW50aWNzIHRvIHRoZSB1c2VyIHBhcnQsIGJ1dCByYXRoZXIKICAg c3RhbmRhcmRpemUgdGhlIHdheSB0aGF0IHRhcmdldHMgb24gbWVkaWEgc2VydmVycyBhcmUgcHJv dmlzaW9uZWQuCiAgIEZ1cnRoZXIsIHNpbmNlIGFwcGxpY2F0aW9uIHNlcnZlcnMgLSBhbmQgbm90 IGh1bWFuIGJlaW5ncyAtIGFyZQogICBnZW5lcmFsbHkgdGhlIGNsaWVudHMgb2YgbWVkaWEgc2Vy dmVycywgaXNzdWVzIHN1Y2ggYXMgaW50ZXJwcmV0YXRpb24KICAgYW5kIGludGVybmF0aW9uYWxp emF0aW9uIGRvIG5vdCBhcHBseS4KCiAgIEV4cG9zaW5nIGEgVm9pY2VYTUwgbWVkaWEgc2Vydmlj ZSB3aXRoIGEgd2VsbC1rbm93biBhZGRyZXNzIG1heQogICBlbmhhbmNlIHRoZSBwb3NzaWJpbGl0 eSBvZiBleHBsb2l0YXRpb246IHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgaXMKICAgUkVDT01N RU5ERUQgdG8gdXNlIHN0YW5kYXJkIFNJUCBtZWNoYW5pc21zIHRvIGF1dGhlbnRpY2F0ZSBlbmRw b2ludHMKICAgYXMgZGlzY3Vzc2VkIGluIFNlY3Rpb24gOS4KCiAgIFRoZSBpbml0aWFsIFZvaWNl WE1MIGRvY3VtZW50IGlzIHNwZWNpZmllZCB3aXRoIHRoZSAidm9pY2V4bWwiCiAgIHBhcmFtZXRl ci4gIEluIGFkZGl0aW9uLCBwYXJhbWV0ZXJzIGFyZSBkZWZpbmVkIHRoYXQgY29udHJvbCBob3cg dGhlCiAgIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBmZXRjaGVzIHRoZSBzcGVjaWZpZWQgVm9pY2VY TUwgZG9jdW1lbnQuICBUaGUKICAgbGlzdCBvZiBwYXJhbWV0ZXJzIGRlZmluZWQgYnkgdGhpcyBz cGVjaWZpY2F0aW9uIGlzIGFzIGZvbGxvd3MgKG5vdGUKICAgdGhlIHBhcmFtZXRlciBuYW1lcyBh cmUgY2FzZS1pbnNlbnNpdGl2ZSk6CgogICB2b2ljZXhtbDogIFVSSSBvZiB0aGUgaW5pdGlhbCBW b2ljZVhNTCBkb2N1bWVudCB0byBmZXRjaC4gIFRoaXMgd2lsbAogICAgICB0eXBpY2FsbHkgY29u dGFpbiBhbiBIVFRQIFVSSSwgYnV0IG1heSB1c2Ugb3RoZXIgVVJJIHNjaGVtZXMsIGZvcgogICAg ICBleGFtcGxlIHRvIHJlZmVyIHRvIGxvY2FsLCBzdGF0aWMgVm9pY2VYTUwgZG9jdW1lbnRzLiAg SWYgdGhlCiAgICAgICJ2b2ljZXhtbCIgcGFyYW1ldGVyIGlzIG9taXR0ZWQsIHRoZSBWb2ljZVhN TCBNZWRpYSBTZXJ2ZXIgbWF5CiAgICAgIHNlbGVjdCB0aGUgaW5pdGlhbCBWb2ljZVhNTCBkb2N1 bWVudCBieSBvdGhlciBtZWFucywgc3VjaCBhcyBieQogICAgICBhcHBseWluZyBhIGRlZmF1bHQs IG9yIG1heSByZWplY3QgdGhlIHJlcXVlc3QuCgoKCgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAg ICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSAxMF0KDApJbnRl cm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAg ICAgRmViIDIwMDkKCgogICBtYXhhZ2U6ICBVc2VkIHRvIHNldCB0aGUgbWF4LWFnZSB2YWx1ZSBv ZiB0aGUgQ2FjaGUtQ29udHJvbCBoZWFkZXIgaW4KICAgICAgY29uanVuY3Rpb24gd2l0aCBWb2lj ZVhNTCBkb2N1bWVudHMgZmV0Y2hlZCB1c2luZyBIVFRQLCBhcyBwZXIKICAgICAgW1JGQzI2MTZd LiAgSWYgb21pdHRlZCwgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciB3aWxsIHVzZSBhCiAgICAg IGRlZmF1bHQgdmFsdWUuCgogICBtYXhzdGFsZTogIFVzZWQgdG8gc2V0IHRoZSBtYXgtc3RhbGUg dmFsdWUgb2YgdGhlIENhY2hlLUNvbnRyb2wKICAgICAgaGVhZGVyIGluIGNvbmp1bmN0aW9uIHdp dGggVm9pY2VYTUwgZG9jdW1lbnRzIGZldGNoZWQgdXNpbmcgSFRUUCwKICAgICAgYXMgcGVyIFtS RkMyNjE2XS4gIElmIG9taXR0ZWQsIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgd2lsbCB1c2UK ICAgICAgYSBkZWZhdWx0IHZhbHVlLgoKICAgbWV0aG9kOiAgVXNlZCB0byBzZXQgdGhlIEhUVFAg bWV0aG9kIGFwcGxpZWQgaW4gdGhlIGZldGNoIG9mIHRoZQogICAgICBpbml0aWFsIFZvaWNlWE1M IGRvY3VtZW50LiAgQWxsb3dlZCB2YWx1ZXMgYXJlICJnZXQiIG9yICJwb3N0IgogICAgICAoY2Fz ZS1pbnNlbnNpdGl2ZSkuICBEZWZhdWx0IGlzICJnZXQiLgoKICAgcG9zdGJvZHk6ICBVc2VkIHRv IHNldCB0aGUgYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIGVuY29kZWQKICAgICAg W0hUTUw0XSBIVFRQIGJvZHkgZm9yICJwb3N0IiByZXF1ZXN0cyAob3IgaXMgb3RoZXJ3aXNlIGln bm9yZWQpLgoKICAgY2N4bWw6ICBUaGlzIHBhcmFtZXRlciBpcyB1c2VkIHRvIHNwZWNpZnkgYSAi SlNPTiB2YWx1ZSIgW1JGQzQ2MjddCiAgICAgIHRoYXQgaXMgbWFwcGVkIHRvIHRoZSBzZXNzaW9u LmNvbm5lY3Rpb24uY2N4bWwgVm9pY2VYTUwgc2Vzc2lvbgogICAgICB2YXJpYWJsZSAtIHNlZSBz ZWN0aW9uIDIuNAoKICAgYWFpOiAgVGhpcyBwYXJhbWV0ZXIgaXMgdXNlZCB0byBzcGVjaWZ5IGEg IkpTT04gdmFsdWUiIFtSRkM0NjI3XSB0aGF0CiAgICAgIGlzIG1hcHBlZCB0byB0aGUgc2Vzc2lv bi5jb25uZWN0aW9uLmFhaSBWb2ljZVhNTCBzZXNzaW9uIHZhcmlhYmxlCiAgICAgIC0gc2VlIHNl Y3Rpb24gMi40CgogICBPdGhlciBhcHBsaWNhdGlvbi1zcGVjaWZpYyBwYXJhbWV0ZXJzIG1heSBi ZSBhZGRlZCB0byB0aGUgUmVxdWVzdC1VUkkKICAgYW5kIGFyZSBleHBvc2VkIGluIFZvaWNlWE1M IHNlc3Npb24gdmFyaWFibGVzIChzZWUgc2VjdGlvbiAyLjQpLgoKICAgRm9ybWFsbHksIHRoZSBS ZXF1ZXN0LVVSSSBmb3IgdGhlIFZvaWNlWE1MIG1lZGlhIHNlcnZpY2UgaGFzIGEgZml4ZWQKICAg dXNlciBwYXJ0ICdkaWFsb2cnLiAgU2V2ZW4gVVJJIHBhcmFtZXRlcnMgYXJlIGRlZmluZWQgKHNl ZSB0aGUKICAgZGVmaW5pdGlvbiBvZiB1cmktcGFyYW1ldGVyIGluIFNlY3Rpb24gMjUuMSBvZiBb UkZDIDMyNjFdKS4KCgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAg RXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSAxMV0KDApJbnRlcm5l dC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAg RmViIDIwMDkKCgogIGRpYWxvZy1wYXJhbSAgICAgID0gInZvaWNleG1sPSIgdnhtbC11cmwgOyB2 eG1sLXVybCBmb2xsb3dzIHRoZSBVUkkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgIDsgc3ludGF4IGRlZmluZWQgaW4gW1JGQzM5ODZdCiAgbWF4YWdlLXBhcmFtICAg ICAgPSAibWF4YWdlPSIgMSpESUdJVAoKICBtYXhzdGFsZS1wYXJhbSAgICA9ICJtYXhzdGFsZT0i IDEqRElHSVQKCiAgbWV0aG9kLXBhcmFtICAgICAgPSAibWV0aG9kPSIgKCJnZXQiIC8gInBvc3Qi KQoKICBwb3N0Ym9keS1wYXJhbSAgICA9ICJwb3N0Ym9keT0iIHRva2VuCgogIGNjeG1sLXBhcmFt ICAgICAgID0gImNjeG1sPSIganNvbi12YWx1ZQoKICBhYWktcGFyYW0gICAgICAgICA9ICJhYWk9 IiBqc29uLXZhbHVlCgogIGpzb24tdmFsdWUgICAgICAgID0gIGZhbHNlIC8KICAgICAgICAgICAg ICAgICAgICAgICBudWxsIC8KICAgICAgICAgICAgICAgICAgICAgICB0cnVlIC8KICAgICAgICAg ICAgICAgICAgICAgICBvYmplY3QgLwogICAgICAgICAgICAgICAgICAgICAgIGFycmF5IC8KICAg ICAgICAgICAgICAgICAgICAgICBudW1iZXIgLwogICAgICAgICAgICAgICAgICAgICAgIHN0cmlu ZyA7IGRlZmluZWQgaW4gW1JGQyA0NjI3XQoKCiAgIFBhcmFtZXRlcnMgb2YgdGhlIFJlcXVlc3Qt VVJJIGluIHN1YnNlcXVlbnQgcmUtSU5WSVRFcyBhcmUgaWdub3JlZC4KICAgT25lIGNvbnNlcXVl bmNlIG9mIHRoaXMgaXMgdGhhdCB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGNhbm5vdCBiZQog ICBpbnN0cnVjdGVkIGJ5IHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgdG8gY2hhbmdlIHRoZSBleGVj dXRpbmcgVm9pY2VYTUwKICAgQXBwbGljYXRpb24gYWZ0ZXIgYSBWb2ljZVhNTCBTZXNzaW9uIGhh cyBiZWVuIHN0YXJ0ZWQuCgogICBTcGVjaWFsIGNoYXJhY3RlcnMgY29udGFpbmVkIGluIHRoZSBk aWFsb2ctcGFyYW0sIHBvc3Rib2R5LXBhcmFtLAogICBjY3htbC1wYXJhbSwgYW5kIGFhaS1wYXJh bSB2YWx1ZXMgbXVzdCBiZSBVUkwtZW5jb2RlZCAoImVzY2FwZWQiKSBhcwogICByZXF1aXJlZCBi eSB0aGUgU0lQIFVSSSBzeW50YXgsIGZvciBleGFtcGxlICc/JyAoJTNmKSwgJz0nICglM2QpLCBh bmQKICAgJzsnICglM2IpLiAgVGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNVVNUIHRoZXJlZm9y ZSB1bmVzY2FwZSB0aGVzZQogICBwYXJhbWV0ZXIgdmFsdWVzIGJlZm9yZSBtYWtpbmcgdXNlIG9m IHRoZW0gb3IgZXhwb3NpbmcgdGhlbSB0bwogICBydW5uaW5nIFZvaWNlWE1MIGFwcGxpY2F0aW9u cy4gIEl0IGlzIGltcG9ydGFudCB0aGF0IHRoZSBWb2ljZVhNTAogICBNZWRpYSBTZXJ2ZXIgb25s eSB1bmVzY2FwZSB0aGUgcGFyYW1ldGVyIHZhbHVlcyBvbmNlIHNpbmNlIHRoZQogICBkZXNpcmVk IFZvaWNlWE1MIFVSSSB2YWx1ZSBjb3VsZCBpdHNlbGYgYmUgVVJMIGVuY29kZWQsIGZvciBleGFt cGxlLgoKICAgU2luY2Ugc29tZSBhcHBsaWNhdGlvbnMgbWF5IGNob29zZSB0byB0cmFuc2ZlciBj b25maWRlbnRpYWwKICAgaW5mb3JtYXRpb24sIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVT VCBzdXBwb3J0IHRoZSBzaXA6IHNjaGVtZQogICBhcyBkaXNjdXNzZWQgaW4gU2VjdGlvbiA5LgoK ICAgSW5mb3JtYXRpdmUgbm90ZTogV2l0aCByZXNwZWN0IHRvIHRoZSBwb3N0Ym9keS1wYXJhbSB2 YWx1ZSwgc2luY2UgdGhlCiAgIGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCBjb250 ZW50IGl0c2VsZiBlc2NhcGVzIG5vbi0KICAgYWxwaGFudW1lcmljIGNoYXJhY3RlcnMgYnkgaW5z ZXJ0aW5nICVISCByZXBsYWNlbWVudHMsIHRoZSBlc2NhcGluZwogICBydWxlcyBhYm92ZSB3aWxs IHJlc3VsdCBpbiB0aGUgJyUnIGNoYXJhY3RlcnMgYmVpbmcgZnVydGhlciBlc2NhcGVkCiAgIGlu IGFkZGl0aW9uIHRvIHRoZSAnJicgYW5kICc9JyBuYW1lL3ZhbHVlIHNlcGFyYXRvcnMuCgogICBB cyBhbiBleGFtcGxlLCB0aGUgZm9sbG93aW5nIFNJUCBSZXF1ZXN0LVVSSSBpZGVudGlmaWVzIHRo ZSB1c2Ugb2YKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAy MDA5ICAgICAgICAgICAgICAgW1BhZ2UgMTJdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZh Y2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgVm9pY2VY TUwgbWVkaWEgc2VydmljZXMsIHdpdGgKICAgJ2h0dHA6Ly9hcHBzZXJ2ZXIuZXhhbXBsZS5jb20v cHJvbXB0Y29sbGVjdC52eG1sJyBhcyB0aGUgaW5pdGlhbAogICBWb2ljZVhNTCBkb2N1bWVudCwg dG8gYmUgZmV0Y2hlZCB3aXRoIG1heC1hZ2UvbWF4LXN0YWxlIHZhbHVlcyBvZgogICAzNjAwcy8w cyByZXNwZWN0aXZlbHk6CgogICAgICAgc2lwOmRpYWxvZ0BtZWRpYXNlcnZlci5leGFtcGxlLmNv bTsgXAogICAgICAgICAgdm9pY2V4bWw9aHR0cDovL2FwcHNlcnZlci5leGFtcGxlLmNvbS9wcm9t cHRjb2xsZWN0LnZ4bWw7IFwKICAgICAgICAgIG1heGFnZT0zNjAwO21heHN0YWxlPTAKCjIuMi4g IEluaXRpYXRpbmcgYSBWb2ljZVhNTCBTZXNzaW9uCgogICBBIFZvaWNlWE1MIFNlc3Npb24gaXMg aW5pdGlhdGVkIHZpYSB0aGUgQXBwbGljYXRpb24gU2VydmVyIHVzaW5nIGEKICAgU0lQIElOVklU RS4gIFR5cGljYWxseSwgdGhlIEFwcGxpY2F0aW9uIFNlcnZlciB3aWxsIGJlIHNwZWNpYWxpemVk IGluCiAgIHByb3ZpZGluZyBWb2ljZVhNTCBzZXJ2aWNlcy4gIEF0IGEgbWluaW11bSwgdGhlIEFw cGxpY2F0aW9uIFNlcnZlcgogICBtYXkgYmVoYXZlIGFzIGEgc2ltcGxlIHByb3h5IGJ5IHJld3Jp dGluZyB0aGUgUmVxdWVzdC1VUkkgcmVjZWl2ZWQKICAgZnJvbSB0aGUgVXNlciBBZ2VudCB0byBh IFJlcXVlc3QtVVJJIHN1aXRhYmxlIGZvciBjb25zdW1wdGlvbiBieSB0aGUKICAgVm9pY2VYTUwg TWVkaWEgU2VydmVyIChhcyBzcGVjaWZpZWQgaW4gc2VjdGlvbiAyLjEpLiAgRm9yIGV4YW1wbGUs IGEKICAgVXNlciBBZ2VudCBtaWdodCBwcmVzZW50IGEgZGlhbGVkIG51bWJlcjoKCiAgICAgICB0 ZWw6KzEtMjAxLTU1NS0wMTIzCgogICB3aGljaCB0aGUgQXBwbGljYXRpb24gU2VydmVyIG1hcHMg dG8gYSBkaXJlY3RvcnkgYXNzaXN0YW5jZQogICBhcHBsaWNhdGlvbiBvbiB0aGUgVm9pY2VYTUwg TWVkaWEgU2VydmVyIHdpdGggYSBSZXF1ZXN0LVVSSSBvZjoKCiAgICAgICBzaXA6ZGlhbG9nQG1z MS5leGFtcGxlLmNvbTsgXAogICAgICAgICAgdm9pY2V4bWw9aHR0cDovL2FzMS5leGFtcGxlLmNv bS9kYS52eG1sCgogICBDZXJ0YWluIGhlYWRlciB2YWx1ZXMgaW4gdGhlIElOVklURSBtZXNzYWdl IHRvIHRoZSBWb2ljZVhNTCBNZWRpYQogICBTZXJ2ZXIgYXJlIG1hcHBlZCBpbnRvIFZvaWNlWE1M IHNlc3Npb24gdmFyaWFibGVzIGFuZCBhcmUgc3BlY2lmaWVkCiAgIGluIHNlY3Rpb24gMi40LgoK ICAgT24gcmVjZWlwdCBvZiB0aGUgSU5WSVRFLCB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGlz c3VlcyBhCiAgIHByb3Zpc2lvbmFsIHJlc3BvbnNlLCAxMDAgVHJ5aW5nLCBhbmQgY29tbWVuY2Vz IHRoZSBmZXRjaCBvZiB0aGUKICAgaW5pdGlhbCBWb2ljZVhNTCBkb2N1bWVudC4gIFRoZSAyMDAg T0sgcmVzcG9uc2UgaW5kaWNhdGVzIHRoYXQgdGhlCiAgIFZvaWNlWE1MIGRvY3VtZW50IGhhcyBi ZWVuIGZldGNoZWQgYW5kIHBhcnNlZCBjb3JyZWN0bHkgYW5kIGlzIHJlYWR5CiAgIGZvciBleGVj dXRpb24uICBBcHBsaWNhdGlvbiBleGVjdXRpb24gY29tbWVuY2VzIG9uIHJlY2VpcHQgb2YgdGhl IEFDSwogICAoZXhjZXB0IGlmIHRoZSBkaWFsb2cgaXMgYmVpbmcgcHJlcGFyZWQgYXMgc3BlY2lm aWVkIGluIHNlY3Rpb24gMi4zKS4KICAgTm90ZSB0aGF0IHRoZSAxMDAgVHJ5aW5nIHJlc3BvbnNl IHdpbGwgdXN1YWxseSBiZSBzZW50IG9uIHJlY2VpcHQgb2YKICAgdGhlIElOVklURSBpbiBhY2Nv cmRhbmNlIHdpdGggW1JGQzMyNjFdLCBzaW5jZSB0aGUgVm9pY2VYTUwgTWVkaWEKICAgU2VydmVy IGNhbm5vdCBpbiBnZW5lcmFsIGd1YXJhbnRlZSB0aGF0IHRoZSBpbml0aWFsIGZldGNoIHdpbGwK ICAgY29tcGxldGUgaW4gbGVzcyB0aGFuIDIwMCBtcy4gIEhvd2V2ZXIsIGNlcnRhaW4gaW1wbGVt ZW50YXRpb25zIG1heQogICBiZSBhYmxlIHRvIGd1YXJhbnRlZSByZXNwb25zZSB0aW1lcyB0byB0 aGUgaW5pdGlhbCBJTlZJVEUsIGFuZCB0aHVzCiAgIG1heSBub3QgbmVlZCB0byBzZW5kIGEgMTAw IFRyeWluZyByZXNwb25zZS4KCiAgIEFzIGFuIG9wdGltaXphdGlvbiwgcHJpb3IgdG8gc2VuZGlu ZyB0aGUgMjAwIE9LIHJlc3BvbnNlLCB0aGUKICAgVm9pY2VYTUwgTWVkaWEgU2VydmVyIE1BWSBl eGVjdXRlIHRoZSBhcHBsaWNhdGlvbiB1cCB0byB0aGUgcG9pbnQgb2YKICAgdGhlIGZpcnN0IFZv aWNlWE1MIHdhaXRpbmcgc3RhdGUgb3IgcHJvbXB0IGZsdXNoLgoKCgoKQnVya2UgJiBTY290dCAg ICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgW1BhZ2UgMTNd CgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2Vydmlj ZXMgICAgICAgIEZlYiAyMDA5CgoKICAgQSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIsIGxpa2UgYW55 IFNJUCBVc2VyIEFnZW50LCBtYXkgYmUgdW5hYmxlIHRvCiAgIGFjY2VwdCB0aGUgSU5WSVRFIHJl cXVlc3QgZm9yIGEgdmFyaWV0eSBvZiByZWFzb25zLiAgRm9yIGluc3RhbmNlLCBhbgogICBTRFAg b2ZmZXIgY29udGFpbmVkIGluIHRoZSBJTlZJVEUgbWlnaHQgcmVxdWlyZSB0aGUgdXNlIG9mIGNv ZGVjcwogICB0aGF0IGFyZSBub3Qgc3VwcG9ydGVkIGJ5IHRoZSBNZWRpYSBTZXJ2ZXIuICBJbiBz dWNoIGNhc2VzLCB0aGUgTWVkaWEKICAgU2VydmVyIHNob3VsZCByZXNwb25kIGFzIGRlZmluZWQg YnkgW1JGQzMyNjFdLiAgSG93ZXZlciwgdGhlcmUgYXJlCiAgIGVycm9yIGNvbmRpdGlvbnMgc3Bl Y2lmaWMgdG8gVm9pY2VYTUwsIGFzIGZvbGxvd3M6CgogICAxLiAgSWYgdGhlIFJlcXVlc3QtVVJJ IGRvZXMgbm90IGNvbmZvcm0gdG8gdGhpcyBzcGVjaWZpY2F0aW9uLCBhIDQwMAogICAgICAgQmFk IFJlcXVlc3QgTVVTVCBiZSByZXR1cm5lZCAodW5sZXNzIGl0IGlzIHVzZWQgdG8gc2VsZWN0IG90 aGVyCiAgICAgICBzZXJ2aWNlcyBub3QgZGVmaW5lZCBieSB0aGlzIHNwZWNpZmljYXRpb24pLgoK ICAgMi4gIElmIGFuIGluaXQtcGFyYW0gaXMgcmVwZWF0ZWQsIHRoZW4gdGhlIHJlcXVlc3QgTVVT VCBiZSByZWplY3RlZAogICAgICAgd2l0aCBhIDQwMCBCYWQgUmVxdWVzdCByZXNwb25zZS4KCiAg IDMuICBJZiB0aGUgUmVxdWVzdC1VUkkgZG9lcyBub3QgaW5jbHVkZSBhICJ2b2ljZXhtbCIgcGFy YW1ldGVyLCBhbmQKICAgICAgIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgZG9lcyBub3QgZWxl Y3QgdG8gdXNlIGEgZGVmYXVsdCBwYWdlLAogICAgICAgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZl ciBNVVNUIHJldHVybiBhIGZpbmFsIHJlc3BvbnNlIG9mIDQwMCBCYWQKICAgICAgIFJlcXVlc3Qs IGFuZCBTSE9VTEQgaW5jbHVkZSBhIFdhcm5pbmcgaGVhZGVyIHdpdGggYSAzLWRpZ2l0IGNvZGUK ICAgICAgIG9mIDM5OSBhbmQgYSBodW1hbiByZWFkYWJsZSBlcnJvciBtZXNzYWdlLgoKICAgNC4g IElmIHRoZSBWb2ljZVhNTCBkb2N1bWVudCBjYW5ub3QgYmUgZmV0Y2hlZCBvciBwYXJzZWQsIHRo ZQogICAgICAgVm9pY2VYTUwgTWVkaWEgU2VydmVyIE1VU1QgcmV0dXJuIGEgZmluYWwgcmVzcG9u c2Ugb2YgNTAwIFNlcnZlcgogICAgICAgSW50ZXJuYWwgRXJyb3IgYW5kIFNIT1VMRCBpbmNsdWRl IGEgV2FybmluZyBoZWFkZXIgd2l0aCBhIDMtZGlnaXQKICAgICAgIGNvZGUgb2YgMzk5IGFuZCBh IGh1bWFuIHJlYWRhYmxlIGVycm9yIG1lc3NhZ2UuCgogICBJbmZvcm1hdGlvbmFsIG5vdGU6IENl cnRhaW4gYXBwbGljYXRpb25zIG1heSBwYXNzIGEgc2lnbmlmaWNhbnQKICAgYW1vdW50IG9mIGRh dGEgdG8gdGhlIFZvaWNlWE1MIGRpYWxvZyBpbiB0aGUgZm9ybSBvZiBSZXF1ZXN0LVVSSQogICBw YXJhbWV0ZXJzLiAgVGhpcyBtYXkgY2F1c2UgdGhlIHRvdGFsIHNpemUgb2YgdGhlIElOVklURSBy ZXF1ZXN0IHRvCiAgIGV4Y2VlZCB0aGUgTVRVIG9mIHRoZSB1bmRlcmx5aW5nIG5ldHdvcmsuICBJ biBzdWNoIGNhc2VzLAogICBhcHBsaWNhdGlvbnMvaW1wbGVtZW50YXRpb25zIG11c3QgdGFrZSBj YXJlIGVpdGhlciB0byB1c2UgYSB0cmFuc3BvcnQKICAgYXBwcm9wcmlhdGUgdG8gdGhlc2UgbGFy Z2VyIG1lc3NhZ2VzIChzdWNoIGFzIFRDUCksIG9yIHRvIHVzZQogICBhbHRlcm5hdGl2ZSBtZWFu cyBvZiBwYXNzaW5nIHRoZSByZXF1aXJlZCBpbmZvcm1hdGlvbiB0byB0aGUgVm9pY2VYTUwKICAg ZGlhbG9nIChzdWNoIGFzIHN1cHBseWluZyBhIHVuaXF1ZSBzZXNzaW9uIGlkZW50aWZpZXIgaW4g dGhlIGluaXRpYWwKICAgVm9pY2VYTUwgVVJJIGFuZCBsYXRlciB1c2luZyB0aGF0IGlkZW50aWZp ZXIgYXMgYSBrZXkgdG8gcmV0cmlldmUKICAgZGF0YSBmcm9tIHRoZSBIVFRQIHNlcnZlcikuCgoy LjMuICBQcmVwYXJpbmcgYSBWb2ljZVhNTCBTZXNzaW9uCgogICBJbiBjZXJ0YWluIHNjZW5hcmlv cywgaXQgaXMgYmVuZWZpY2lhbCB0byBwcmVwYXJlIGEgVm9pY2VYTUwgU2Vzc2lvbgogICBmb3Ig ZXhlY3V0aW9uIHByaW9yIHRvIHJ1bm5pbmcgaXQuICBBIHByZXZpb3VzbHkgcHJlcGFyZWQgVm9p Y2VYTUwKICAgU2Vzc2lvbiBpcyBleHBlY3RlZCB0byBleGVjdXRlIHdpdGggbWluaW1hbCBkZWxh eSB3aGVuIGluc3RydWN0ZWQgdG8KICAgZG8gc28uCgogICBJZiBhIG1lZGlhLWxlc3MgU0lQIGRp YWxvZyBpcyBlc3RhYmxpc2hlZCB3aXRoIHRoZSBpbml0aWFsIElOVklURSB0bwogICB0aGUgVm9p Y2VYTUwgTWVkaWEgU2VydmVyLCB0aGUgVm9pY2VYTUwgQXBwbGljYXRpb24gd2lsbCBub3QgZXhl Y3V0ZQogICBhZnRlciByZWNlaXB0IG9mIHRoZSBBQ0suICBUbyBydW4gdGhlIFZvaWNlWE1MIEFw cGxpY2F0aW9uLCB0aGUgQVMKICAgbXVzdCBpc3N1ZSBhIHJlLUlOVklURSB0byBlc3RhYmxpc2gg YSBtZWRpYSBzZXNzaW9uLgoKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVn dXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgW1BhZ2UgMTRdCgwKSW50ZXJuZXQtRHJhZnQgIFNJ UCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoK ICAgQSBtZWRpYS1sZXNzIFNJUCBkaWFsb2cgY2FuIGJlIGVzdGFibGlzaGVkIGJ5IHNlbmRpbmcg U0RQIGNvbnRhaW5pbmcKICAgbm8gbWVkaWEgbGluZXMgaW4gdGhlIGluaXRpYWwgSU5WSVRFLiAg QWx0ZXJuYXRpdmVseSwgaWYgbm8gU0RQIGlzCiAgIHNlbnQgaW4gdGhlIGluaXRpYWwgSU5WSVRF LCB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIHdpbGwgaW5jbHVkZSBhbgogICBvZmZlciBpbiB0 aGUgMjAwIE9LIG1lc3NhZ2UsIHdoaWNoIGNhbiBiZSByZXNwb25kZWQgdG8gd2l0aCBhbiBhbnN3 ZXIKICAgaW4gdGhlIEFDSyB3aXRoIHRoZSBtZWRpYSBwb3J0KHMpIHNldCB0byAwLgoKICAgT25j ZSBhIFZvaWNlWE1MIEFwcGxpY2F0aW9uIGlzIHJ1bm5pbmcsIGEgcmUtSU5WSVRFIHdoaWNoIGRp c2FibGVzCiAgIHRoZSBtZWRpYSBzdHJlYW1zIChpLmUuIHNldHMgdGhlIHBvcnRzIHRvIDApIHdp bGwgbm90IG90aGVyd2lzZQogICBhZmZlY3QgdGhlIGV4ZWN1dGluZyBhcHBsaWNhdGlvbiAoZXhj ZXB0IHRoYXQgcmVjb2duaXRpb24gYWN0aW9ucwogICBpbml0aWF0ZWQgd2hpbGUgdGhlIG1lZGlh IHN0cmVhbXMgYXJlIGRpc2FibGVkIHdpbGwgcmVzdWx0IGluIG5vaW5wdXQKICAgdGltZW91dHMp LgoKMi40LiAgU2Vzc2lvbiBWYXJpYWJsZSBNYXBwaW5ncwoKICAgVGhlIHN0YW5kYXJkIFZvaWNl WE1MIHNlc3Npb24gdmFyaWFibGVzIGFyZSBhc3NpZ25lZCB2YWx1ZXMgYWNjb3JkaW5nCiAgIHRv OgoKICAgc2Vzc2lvbi5jb25uZWN0aW9uLmxvY2FsLnVyaTogIEV2YWx1YXRlcyB0byB0aGUgU0lQ IFVSSSBzcGVjaWZpZWQgaW4KICAgICAgdGhlIFRvOiBoZWFkZXIgb2YgdGhlIGluaXRpYWwgSU5W SVRFLgoKICAgc2Vzc2lvbi5jb25uZWN0aW9uLnJlbW90ZS51cmk6ICBFdmFsdWF0ZXMgdG8gdGhl IFNJUCBVUkkgc3BlY2lmaWVkIGluCiAgICAgIHRoZSBGcm9tOiBoZWFkZXIgb2YgdGhlIGluaXRp YWwgSU5WSVRFLgoKICAgc2Vzc2lvbi5jb25uZWN0aW9uLnJlZGlyZWN0OiAgVGhpcyBhcnJheSBp cyBwb3B1bGF0ZWQgYnkgaW5mb3JtYXRpb24KICAgICAgY29udGFpbmVkIGluIHRoZSBIaXN0b3J5 LUluZm8gW1JGQzQyNDRdIGhlYWRlciBpbiB0aGUgaW5pdGlhbAogICAgICBJTlZJVEUgb3IgaXMg b3RoZXJ3aXNlIHVuZGVmaW5lZC4gIEVhY2ggZW50cnkgKGhpLWVudHJ5KSBpbiB0aGUKICAgICAg SGlzdG9yeS1JbmZvIGhlYWRlciBpcyBtYXBwZWQsIGluIHJldmVyc2Ugb3JkZXIsIGludG8gYW4g ZWxlbWVudAogICAgICBvZiB0aGUgc2Vzc2lvbi5jb25uZWN0aW9uLnJlZGlyZWN0IGFycmF5LiAg UHJvcGVydGllcyBvZiBlYWNoCiAgICAgIGVsZW1lbnQgb2YgdGhlIGFycmF5IGFyZSBkZXRlcm1p bmVkIGFzIGZvbGxvd3M6CgogICAgICAqICB1cmkgLSBTZXQgdG8gdGhlIGhpLXRhcmdldGVkLXRv LXVyaSB2YWx1ZSBvZiB0aGUgSGlzdG9yeS1JbmZvCiAgICAgICAgIGVudHJ5CgogICAgICAqICBw aSAtIFNldCB0byAndHJ1ZScgaWYgaGktdGFyZ2V0ZWQtdG8tdXJpIGNvbnRhaW5zIGEKICAgICAg ICAgJ1ByaXZhY3k9aGlzdG9yeScgcGFyYW1ldGVyLCBvciBpZiB0aGUgSU5WSVRFIFByaXZhY3kg aGVhZGVyCiAgICAgICAgIGluY2x1ZGVzICdoaXN0b3J5JzsgJ2ZhbHNlJyBvdGhlcndpc2UKCiAg ICAgICogIHNpIC0gU2V0IHRvIHRoZSB2YWx1ZSBvZiB0aGUgJ3NpJyBwYXJhbWV0ZXIgaWYgaXQg ZXhpc3RzLAogICAgICAgICB1bmRlZmluZWQgb3RoZXJ3aXNlCgogICAgICAqICByZWFzb24gLSBT ZXQgdmVyYmF0aW0gdG8gdGhlIHZhbHVlIG9mIHRoZSAnUmVhc29uJyBwYXJhbWV0ZXIgb2YKICAg ICAgICAgaGktdGFyZ2V0ZWQtdG8tdXJpCgogICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wu bmFtZTogIEV2YWx1YXRlcyB0byAic2lwIi4gIE5vdGUgdGhhdAogICAgICB0aGlzIGlzIGludGVu ZGVkIHRvIHJlZmxlY3QgdGhlIHVzZSBvZiBTSVAgaW4gZ2VuZXJhbCwgYW5kIGRvZXMKICAgICAg bm90IGRpc3Rpbmd1aXNoIGJldHdlZW4gd2hldGhlciB0aGUgbWVkaWEgc2VydmVyIHdhcyBhY2Nl c3NlZCB2aWEKICAgICAgU0lQIG9yIFNJUFMgcHJvY2VkdXJlcy4KCgoKCkJ1cmtlICYgU2NvdHQg ICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDE1 XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZp Y2VzICAgICAgICBGZWIgMjAwOQoKCiAgIHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC52ZXJz aW9uOiAgRXZhbHVhdGVzIHRvICIyLjAiLgoKICAgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29s LnNpcC5oZWFkZXJzOiAgVGhpcyBpcyBhbiBhc3NvY2lhdGl2ZQogICAgICBhcnJheSB3aGVyZSBl YWNoIGtleSBpbiB0aGUgYXJyYXkgaXMgdGhlIG5vbi1jb21wYWN0IG5hbWUgb2YgYSBTSVAKICAg ICAgaGVhZGVyIGluIHRoZSBpbml0aWFsIElOVklURSBjb252ZXJ0ZWQgdG8gbG93ZXItY2FzZSAo bm90ZSB0aGUKICAgICAgY2FzZSBjb252ZXJzaW9uIGRvZXMgbm90IGFwcGx5IHRvIHRoZSBoZWFk ZXIgdmFsdWUpLiAgSWYgbXVsdGlwbGUKICAgICAgaGVhZGVyIGZpZWxkcyBvZiB0aGUgc2FtZSBm aWVsZCBuYW1lIGFyZSBwcmVzZW50LCB0aGUgdmFsdWVzIGFyZQogICAgICBjb21iaW5lZCBpbnRv IGEgc2luZ2xlIGNvbW1hLXNlcGFyYXRlZCB2YWx1ZS4gIEltcGxlbWVudGF0aW9ucwogICAgICBN VVNUIGF0IGEgbWluaW11bSBpbmNsdWRlIHRoZSBDYWxsLUlEIGhlYWRlciBhbmQgTUFZIGluY2x1 ZGUgb3RoZXIKICAgICAgaGVhZGVycy4gIEZvciBleGFtcGxlLAogICAgICBzZXNzaW9uLmNvbm5l Y3Rpb24ucHJvdG9jb2wuc2lwLmhlYWRlcnNbImNhbGwtaWQiXSBldmFsdWF0ZXMgdG8KICAgICAg dGhlIENhbGwtSUQgb2YgdGhlIFNJUCBkaWFsb2cuCgogICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJv dG9jb2wuc2lwLnJlcXVlc3R1cmk6ICBUaGlzIGlzIGFuIGFzc29jaWF0aXZlCiAgICAgIGFycmF5 IHdoZXJlIHRoZSBhcnJheSBrZXlzIGFuZCB2YWx1ZXMgYXJlIGZvcm1lZCBmcm9tIHRoZSBVUkkK ICAgICAgcGFyYW1ldGVycyBvbiB0aGUgU0lQIFJlcXVlc3QtVVJJIG9mIHRoZSBpbml0aWFsIElO VklURS4gIFRoZQogICAgICBhcnJheSBrZXkgaXMgdGhlIFVSSSBwYXJhbWV0ZXIgbmFtZSBjb252 ZXJ0ZWQgdG8gbG93ZXItY2FzZSAobm90ZQogICAgICB0aGUgY2FzZSBjb252ZXJzaW9uIGRvZXMg bm90IGFwcGx5IHRvIHRoZSBwYXJhbWV0ZXIgdmFsdWUpLiAgVGhlCiAgICAgIGNvcnJlc3BvbmRp bmcgYXJyYXkgdmFsdWUgaXMgb2J0YWluZWQgYnkgZXZhbHVhdGluZyB0aGUgVVJJCiAgICAgIHBh cmFtZXRlciB2YWx1ZSBhcyBhICJKU09OIHZhbHVlIiBbUkZDNDYyN10gaW4gdGhlIGNhc2Ugb2Yg dGhlCiAgICAgIGNjeG1sLXBhcmFtIGFuZCBhYWktcGFyYW0gdmFsdWVzIGFuZCBvdGhlcndpc2Ug YXMgYSBzdHJpbmcuICBJbgogICAgICBhZGRpdGlvbiwgdGhlIGFycmF5J3MgdG9TdHJpbmcoKSBm dW5jdGlvbiByZXR1cm5zIHRoZSBmdWxsIFNJUAogICAgICBSZXF1ZXN0LVVSSS4gIEZvciBleGFt cGxlLCBhc3N1bWluZyBhIFJlcXVlc3QtVVJJIG9mIHNpcDpkaWFsb2dACiAgICAgIGV4YW1wbGUu Y29tO3ZvaWNleG1sPWh0dHA6Ly9leGFtcGxlLmNvbTthYWk9JTdiIngiOjElMmMieSI6dHJ1ZSU3 ZAogICAgICB0aGVuIHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC5zaXAucmVxdWVzdHVyaVsi dm9pY2V4bWwiXQogICAgICBldmFsdWF0ZXMgdG8gImh0dHA6Ly9leGFtcGxlLmNvbSIsCiAgICAg IHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC5zaXAucmVxdWVzdHVyaVsiYWFpIl0ueCBldmFs dWF0ZXMgdG8gMQogICAgICAodHlwZSBOdW1iZXIpLCBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9j b2wuc2lwLnJlcXVlc3R1cmlbImFhaSJdLnkKICAgICAgZXZhbHVhdGVzIHRvIHRydWUgKHR5cGUg Qm9vbGVhbiksIGFuZAogICAgICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLnJlcXVl c3R1cmkgZXZhbHVhdGVzIHRvIHRoZQogICAgICBjb21wbGV0ZSBSZXF1ZXN0LVVSSSAodHlwZSBT dHJpbmcpICdzaXA6ZGlhbG9nQAogICAgICBleGFtcGxlLmNvbTt2b2ljZXhtbD1odHRwOi8vZXhh bXBsZS5jb207YWFpPXsieCI6MSwieSI6dHJ1ZX0nLgoKICAgc2Vzc2lvbi5jb25uZWN0aW9uLmFh aTogIEV2YWx1YXRlcyB0bwogICAgICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLnJl cXVlc3R1cmlbImFhaSJdCgogICBzZXNzaW9uLmNvbm5lY3Rpb24uY2N4bWw6ICBFdmFsdWF0ZXMg dG8KICAgICAgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29sLnNpcC5yZXF1ZXN0dXJpWyJjY3ht bCJdCgogICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLm1lZGlhOiAgVGhpcyBpcyBh biBhcnJheSB3aGVyZSBlYWNoCiAgICAgIGFycmF5IGVsZW1lbnQgaXMgYW4gb2JqZWN0IHdpdGgg dGhlIGZvbGxvd2luZyBwcm9wZXJ0aWVzOgoKICAgICAgKiAgdHlwZTogLSBUaGlzIHJlcXVpcmVk IHByb3BlcnR5IGluZGljYXRlcyB0aGUgdHlwZSBvZiB0aGUgbWVkaWEKICAgICAgICAgYXNzb2Np YXRlZCB3aXRoIHRoZSBzdHJlYW0uICBUaGUgdmFsdWUgaXMgYSBzdHJpbmcuICBJdCBpcwogICAg ICAgICBzdHJvbmdseSByZWNvbW1lbmRlZCB0aGF0IHRoZSBmb2xsb3dpbmcgdmFsdWVzIGFyZSB1 c2VkIGZvcgogICAgICAgICBjb21tb24gdHlwZXMgb2YgbWVkaWE6ICJhdWRpbyIgZm9yIGF1ZGlv IG1lZGlhLCBhbmQgInZpZGVvIiBmb3IKICAgICAgICAgdmlkZW8gbWVkaWEuCgoKCgpCdXJrZSAm IFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBb UGFnZSAxNl0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRp YSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgogICAgICAqICBkaXJlY3Rpb246IC0gVGhpcyBy ZXF1aXJlZCBwcm9wZXJ0eSBpbmRpY2F0ZXMgdGhlCiAgICAgICAgIGRpcmVjdGlvbmFsaXR5IG9m IHRoZSBtZWRpYSByZWxhdGl2ZSB0bwogICAgICAgICBzZXNzaW9uLmNvbm5lY3Rpb24ub3JpZ2lu YXRvci4gIERlZmluZWQgdmFsdWVzIGFyZSBzZW5kcmVjdiwKICAgICAgICAgc2VuZG9ubHksIHJl Y3Zvbmx5LCBhbmQgaW5hY3RpdmUuCgogICAgICAqICBmb3JtYXQ6IC0gVGhpcyBwcm9wZXJ0eSBp cyBvcHRpb25hbC4gIElmIGRlZmluZWQsIHRoZSB2YWx1ZSBvZgogICAgICAgICB0aGUgcHJvcGVy dHkgaXMgYW4gYXJyYXkuICBFYWNoIGFycmF5IGVsZW1lbnQgaXMgYW4gb2JqZWN0CiAgICAgICAg IHdoaWNoIHNwZWNpZmllcyBpbmZvcm1hdGlvbiBhYm91dCBvbmUgZm9ybWF0IG9mIHRoZSBtZWRp YQogICAgICAgICAodGhlcmUgaXMgYW4gYXJyYXkgZWxlbWVudCBmb3IgZWFjaCBwYXlsb2FkIHR5 cGUgb24gdGhlCiAgICAgICAgIG0tbGluZSkuICBUaGUgb2JqZWN0IGNvbnRhaW5zIGF0IGxlYXN0 IG9uZSBwcm9wZXJ0eSBjYWxsZWQgbmFtZQogICAgICAgICB3aG9zZSB2YWx1ZSBpcyB0aGUgTUlN RSBzdWJ0eXBlIG9mIHRoZSBtZWRpYSBmb3JtYXQgKE1JTUUKICAgICAgICAgc3VidHlwZXMgYXJl IHJlZ2lzdGVyZWQgaW4gW1JGQzQ4NTVdKS4gIE90aGVyIHByb3BlcnRpZXMgbWF5IGJlCiAgICAg ICAgIGRlZmluZWQgd2l0aCBzdHJpbmcgdmFsdWVzOyB0aGVzZSBjb3JyZXNwb25kIHRvIHJlcXVp cmVkIGFuZCwKICAgICAgICAgaWYgZGVmaW5lZCwgb3B0aW9uYWwgcGFyYW1ldGVycyBvZiB0aGUg Zm9ybWF0LgoKICAgICAgQXMgYSBjb25zZXF1ZW5jZSBvZiB0aGlzIGRlZmluaXRpb24sIHRoZXJl IGlzIGFuIGFycmF5IGVudHJ5IGluCiAgICAgIHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC5z aXAubWVkaWEgZm9yIGVhY2ggbm9uLWRpc2FibGVkIG0tbGluZQogICAgICBmb3IgdGhlIG5lZ290 aWF0ZWQgbWVkaWEgc2Vzc2lvbi4gIE5vdGUgdGhhdCB0aGlzIHNlc3Npb24gdmFyaWFibGUKICAg ICAgaXMgdXBkYXRlZCBpZiB0aGUgbWVkaWEgc2Vzc2lvbiBjaGFyYWN0ZXJpc3RpY3MgZm9yIHRo ZSBWb2ljZVhNTAogICAgICBTZXNzaW9uIGNoYW5nZSAoaS5lLiBkdWUgdG8gYSByZS1JTlZJVEUp LiAgRm9yIGFuIGV4YW1wbGUsCiAgICAgIGNvbnNpZGVyIGEgY29ubmVjdGlvbiB3aXRoIGJpLWRp cmVjdGlvbmFsIEcuNzExIG11LWxhdyBhdWRpbwogICAgICBzYW1wbGVkIGF0IDhrSHouICBJbiB0 aGlzIGNhc2UsCiAgICAgIHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC5zaXAubWVkaWFbMF0u dHlwZSBldmFsdWF0ZXMgdG8KICAgICAgImF1ZGlvIiwgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3Rv Y29sLnNpcC5tZWRpYVswXS5kaXJlY3Rpb24gdG8KICAgICAgInNlbmRyZWN2IiwgYW5kCiAgICAg IHNlc3Npb24uY29ubmVjdGlvbi5wcm90b2NvbC5zaXAubWVkaWFbMF0uZm9ybWF0WzBdLm5hbWUg ZXZhbHVhdGVzCiAgICAgIHRvICJhdWRpby9QQ01VIiBhbmQKICAgICAgc2Vzc2lvbi5jb25uZWN0 aW9uLnByb3RvY29sLnNpcC5tZWRpYVswXS5mb3JtYXRbMF0ucmF0ZSBldmFsdWF0ZXMKICAgICAg dG8gIjgwMDAiLgoKICAgTm90ZSB0aGF0IHdoZW4gYWNjZXNzaW5nIFNJUCBoZWFkZXJzIGFuZCBS ZXF1ZXN0LVVSSSBwYXJhbWV0ZXJzIHZpYQogICB0aGUgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3Rv Y29sLnNpcC5oZWFkZXJzIGFuZAogICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLnJl cXVlc3R1cmkgYXNzb2NpYXRpdmUgYXJyYXlzIGRlZmluZWQKICAgYWJvdmUsIGFwcGxpY2F0aW9u cyBjYW4gY2hvb3NlIGJldHdlZW4gdHdvIHNlbWFudGljYWxseSBlcXVpdmFsZW50CiAgIHdheXMg b2YgcmVmZXJyaW5nIHRvIHRoZSBhcnJheS4gIEZvciBleGFtcGxlLCBlaXRoZXIgb2YgdGhlIGZv bGxvd2luZwogICBjYW4gYmUgdXNlZCB0byBhY2Nlc3MgYSBSZXF1ZXN0LVVSSSBwYXJhbWV0ZXIg bmFtZWQgJ2Zvbyc6CgogICAgICAgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29sLnNpcC5yZXF1 ZXN0dXJpWyJmb28iXQogICAgICAgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29sLnNpcC5yZXF1 ZXN0dXJpLmZvbwoKICAgSG93ZXZlciwgaXQgaXMgaW1wb3J0YW50IHRvIG5vdGUgdGhhdCBub3Qg YWxsIFNJUCBoZWFkZXIgbmFtZXMgb3IKICAgUmVxdWVzdC1VUkkgcGFyYW1ldGVyIG5hbWVzIGFy ZSB2YWxpZCBFQ01BU2NyaXB0IGlkZW50aWZpZXJzLCBhbmQgYXMKICAgc3VjaCwgY2FuIG9ubHkg YmUgYWNjZXNzZWQgdXNpbmcgdGhlIGZpcnN0IGZvcm0gKGFycmF5IG5vdGF0aW9uKS4KICAgRm9y IGV4YW1wbGUsIHRoZSBDYWxsLUlEIGhlYWRlciBjYW4gb25seSBiZSBhY2Nlc3NlZCBhcwogICBz ZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLmhlYWRlcnNbImNhbGwtaWQiXTsgYXR0ZW1w dGluZyB0bwogICBhY2Nlc3MgdGhlIHNhbWUgdmFsdWUgYXMKICAgc2Vzc2lvbi5jb25uZWN0aW9u LnByb3RvY29sLnNpcC5oZWFkZXJzLmNhbGwtaWQgd291bGQgcmVzdWx0IGluIGFuCiAgIGVycm9y LgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAg ICAgICAgICAgICBbUGFnZSAxN10KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBW b2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgoyLjUuICBUZXJtaW5hdGlu ZyBhIFZvaWNlWE1MIFNlc3Npb24KCiAgIFRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgY2FuIHRlcm1p bmF0ZSBhIFZvaWNlWE1MIFNlc3Npb24gYnkgaXNzdWluZyBhCiAgIEJZRSB0byB0aGUgVm9pY2VY TUwgTWVkaWEgU2VydmVyLiAgVXBvbiByZWNlaXB0IG9mIGEgQllFIGluIHRoZQogICBjb250ZXh0 IG9mIGFuIGV4aXN0aW5nIFZvaWNlWE1MIFNlc3Npb24sIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2 ZXIKICAgTVVTVCBzZW5kIGEgMjAwIE9LIHJlc3BvbnNlLCBhbmQgTVVTVCB0aHJvdyBhCiAgICdj b25uZWN0aW9uLmRpc2Nvbm5lY3QuaGFuZ3VwJyBldmVudCB0byB0aGUgVm9pY2VYTUwgYXBwbGlj YXRpb24uICBJZgogICB0aGUgUmVhc29uIGhlYWRlciBbUkZDMzMyNl0gaXMgcHJlc2VudCBvbiB0 aGUgQllFIFJlcXVlc3QsIHRoZW4gdGhlCiAgIHZhbHVlIG9mIHRoZSBSZWFzb24gaGVhZGVyIGlz IHByb3ZpZGVkIHZlcmJhdGltIHZpYSB0aGUgJ19tZXNzYWdlJwogICB2YXJpYWJsZSB3aXRoaW4g dGhlIGNhdGNoIGVsZW1lbnQncyBhbm9ueW1vdXMgdmFyaWFibGUgc2NvcGUuCgogICBUaGUgVm9p Y2VYTUwgTWVkaWEgU2VydmVyIG1heSBhbHNvIGluaXRpYXRlIHRlcm1pbmF0aW9uIG9mIHRoZQog ICBzZXNzaW9uIGJ5IGlzc3VpbmcgYSBCWUUgcmVxdWVzdC4gIFRoaXMgd2lsbCB0eXBpY2FsbHkg b2NjdXIgYXMgYQogICByZXN1bHQgb2YgZW5jb3VudGVyaW5nIGEgPGRpc2Nvbm5lY3Q+IG9yIDxl eGl0PiBpbiB0aGUgVm9pY2VYTUwKICAgYXBwbGljYXRpb24sIGR1ZSB0byB0aGUgVm9pY2VYTUwg YXBwbGljYXRpb24gcnVubmluZyB0byBjb21wbGV0aW9uLAogICBvciBkdWUgdG8gdW5oYW5kbGVk IGVycm9ycyB3aXRoaW4gdGhlIFZvaWNlWE1MIGFwcGxpY2F0aW9uLgoKICAgU2VlIFNlY3Rpb24g NCBmb3IgbWVjaGFuaXNtcyB0byByZXR1cm4gZGF0YSB0byB0aGUgQXBwbGljYXRpb24KICAgU2Vy dmVyLgoKMi42LiAgRXhhbXBsZXMKCjIuNi4xLiAgQmFzaWMgU2Vzc2lvbiBFc3RhYmxpc2htZW50 CgogICBUaGlzIGV4YW1wbGUgaWxsdXN0cmF0ZXMgYW4gQXBwbGljYXRpb24gU2VydmVyIHNldHRp bmcgdXAgYSBWb2ljZVhNTAogICBTZXNzaW9uIG9uIGJlaGFsZiBvZiBhIFVzZXIgQWdlbnQuCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBB dWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSAxOF0KDApJbnRlcm5ldC1EcmFmdCAg U0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkK CgogICAgICAgICAgICAgICAgICAgICAgICAgU0lQICAgICAgICAgICAgICAgVm9pY2VYTUwgICAg ICAgICAgICAgIEhUVFAKICAgVXNlciAgICAgICAgICAgICAgQXBwbGljYXRpb24gICAgICAgICAg ICBNZWRpYSAgICAgICAgICAgIEFwcGxpY2F0aW9uCiAgIEFnZW50ICAgICAgICAgICAgICAgU2Vy dmVyICAgICAgICAgICAgICAgU2VydmVyICAgICAgICAgICAgICBTZXJ2ZXIKICAgIHwgICAgICAg ICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwK ICAgIHwoMSkgSU5WSVRFIFtvZmZlcl0gIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAg ICAgICAgICAgIHwKICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0tPnwoMikgSU5WSVRFIFtvZmZlcl0g IHwgICAgICAgICAgICAgICAgICAgIHwKICAgIHwoMykgMTAwIFRyeWluZyAgICAgIHwtLS0tLS0t LS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgICAgIHwKICAgIHw8LS0tLS0tLS0tLS0tLS0t LS0tLXwoNCkgMTAwIFRyeWluZyAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwKICAgIHwgICAg ICAgICAgICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICAg IHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAg ICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAg ICAgIHwoNSkgR0VUICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAg ICAgICAgICAgICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0tPnwKICAgIHwgICAgICAgICAgICAg ICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwoNikgMjAwIE9LIFtWWE1MXSAgIHwKICAgIHwg ICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0t LS0tLXwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAg ICAgICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwoNykgMjAwIE9LIFth bnN3ZXJdIHwgICAgICAgICAgICAgICAgICAgIHwKICAgIHwoOCkgMjAwIE9LIFthbnN3ZXJdIHw8 LS0tLS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICAgIHwKICAgIHw8LS0tLS0tLS0t LS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwKICAg IHwoOSkgQUNLICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg ICAgICAgIHwKICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0tPnwoMTApIEFDSyAgICAgICAgICAgIHwg ICAgICAgICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwtLS0tLS0tLS0t LS0tLS0tLS0tPnwgKGV4ZWN1dGUgICAgICAgICAgIHwKICAgIHwoMTEpIFJUUC9TUlRQICAgICAg IHwgICAgICAgICAgICAgICAgICAgIHwgIFZvaWNlWE1MICAgICAgICAgIHwKICAgIHwuLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLnwgIGFwcGxpY2F0aW9uKSAgICAgIHwK ICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAg ICAgICAgICAgIHwKCgoyLjYuMi4gIFZvaWNlWE1MIFNlc3Npb24gUHJlcGFyYXRpb24KCiAgIFRo aXMgZXhhbXBsZSBkZW1vbnN0cmF0ZXMgdGhlIHByZXBhcmF0aW9uIG9mIGEgVm9pY2VYTUwgU2Vz c2lvbi4gIEluCiAgIHRoaXMgZXhhbXBsZSwgdGhlIFZvaWNlWE1MIHNlc3Npb24gaXMgcHJlcGFy ZWQgcHJpb3IgdG8gcGxhY2luZyBhbgogICBvdXRib3VuZCBjYWxsIHRvIGEgVXNlciBBZ2VudCwg YW5kIGlzIHN0YXJ0ZWQgYXMgc29vbiBhcyB0aGUgVXNlcgogICBBZ2VudCBhbnN3ZXJzLgoKICAg VGhlIFthbnN3ZXIxOjBdIG5vdGF0aW9uIGlzIHVzZWQgdG8gaW5kaWNhdGUgYW4gU0RQIGFuc3dl ciB3aXRoIHRoZQogICBtZWRpYSBwb3J0cyBzZXQgdG8gMC4KCgoKCgoKCgoKCgoKCgoKCkJ1cmtl ICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAg IFtQYWdlIDE5XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1l ZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCiAgICAgICAgICAgICAgICAgICAgICAgICBT SVAgICAgICAgICAgICAgICBWb2ljZVhNTCAgICAgICAgICAgICAgSFRUUAogICBVc2VyICAgICAg ICAgICAgICBBcHBsaWNhdGlvbiAgICAgICAgICAgIE1lZGlhICAgICAgICAgICAgQXBwbGljYXRp b24KICAgQWdlbnQgICAgICAgICAgICAgICBTZXJ2ZXIgICAgICAgICAgICAgICBTZXJ2ZXIgICAg ICAgICAgICAgIFNlcnZlcgogICAgfCAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAg ICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwo MSkgSU5WSVRFICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAg ICAgICAgICAgICB8LS0tLS0tLS0tLS0tLS0tLS0tLS0+fCAgICAgICAgICAgICAgICAgICAgfAog ICAgfCAgICAgICAgICAgICAgICAgICAgfCgyKSAxMDAgVHJ5aW5nICAgICAgIHwgICAgICAgICAg ICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0t LS18ICAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAg ICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgfAogICAgfCAgICAgICAgICAgICAg ICAgICAgfCAgICAgICAgICAgICAgICAgICAgIHwoMykgR0VUICAgICAgICAgICAgIHwKICAgIHwg ICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgICB8LS0tLS0tLS0tLS0tLS0t LS0tLT58CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgfCg0 KSAyMDAgT0sgW1ZYTUxdICAgfAogICAgfCAgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAg ICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0tLXwKICAgIHwgICAgICAgICAgICAgICAgICAg IHwgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAg ICAgICAgICAgICAgICB8KDUpIDIwMCBPSyBbb2ZmZXIxXSAgfCAgICAgICAgICAgICAgICAgICAg fAogICAgfCAgICAgICAgICAgICAgICAgICAgfDwtLS0tLS0tLS0tLS0tLS0tLS0tLXwgICAgICAg ICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAgICAgIHwoNikgQUNLIFthbnN3ZXIx OjBdICB8ICAgICAgICAgICAgICAgICAgICB8CiAgICB8KDcpIElOVklURSAgICAgICAgICB8LS0t LS0tLS0tLS0tLS0tLS0tLS0+fCAgICAgICAgICAgICAgICAgICAgfAogICAgfDwtLS0tLS0tLS0t LS0tLS0tLS0tfCAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwKICAg IHwoOCkgMjAwIE9LIFtvZmZlcjJdIHwgICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAg ICAgICAgICB8CiAgICB8LS0tLS0tLS0tLS0tLS0tLS0tLT58KDkpIElOVklURSBbb2ZmZXIyJ10g fCAgICAgICAgICAgICAgICAgICAgfAogICAgfCAgICAgICAgICAgICAgICAgICAgfC0tLS0tLS0t LS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgICAgIHwKICAgIHwgICAgICAgICAgICAgICAg ICAgIHwoMTApIDEwMCBUcnlpbmcgICAgICB8ICAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAg ICAgICAgICAgICAgICAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS0tfCAgICAgICAgICAgICAgICAg ICAgfAogICAgfCAgICAgICAgICAgICAgICAgICAgfCgxMSkgMjAwIE9LIFthbnN3ZXIyXXwgICAg ICAgICAgICAgICAgICAgIHwKICAgIHwoMTIpIEFDSyBbYW5zd2VyMl0gIHw8LS0tLS0tLS0tLS0t LS0tLS0tLS18ICAgICAgICAgICAgICAgICAgICB8CiAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS18 KDEzKSBBQ0sgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICAgfAogICAgfCAgICAgICAg ICAgICAgICAgICAgfC0tLS0tLS0tLS0tLS0tLS0tLS0tPnwgKGV4ZWN1dGUgICAgICAgICAgIHwK ICAgIHwoMTQpIFJUUC9TUlRQICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICBWb2ljZVhN TCAgICAgICAgICB8CiAgICB8Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4ufCAgYXBwbGljYXRpb24pICAgICAgfAogICAgfCAgICAgICAgICAgICAgICAgICAgfCAgICAg ICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgIHwKCgogICBJbXBsZW1lbnRhdGlv biBkZXRhaWw6IG9mZmVyMicgaXMgZGVyaXZlZCBmcm9tIG9mZmVyMiAtIGl0IGR1cGxpY2F0ZXMK ICAgdGhlIG0tbGluZXMgYW5kIGEtbGluZXMgZnJvbSBvZmZlcjIuICBIb3dldmVyLCBvZmZlcjIn IGRpZmZlcnMgZnJvbQogICBvZmZlcjIgc2luY2UgaXQgbXVzdCBjb250YWluIHRoZSBzYW1lIG8t bGluZSBhcyB1c2VkIGluIGFuc3dlcjE6MCBidXQKICAgd2l0aCB0aGUgdmVyc2lvbiBudW1iZXIg aW5jcmVtZW50ZWQuICBBbHNvLCBpZiBvZmZlcjEgaGFzIG1vcmUKICAgbS1saW5lcyB0aGFuIG9m ZmVyMiwgdGhlbiBvZmZlcjInIG11c3QgYmUgcGFkZGVkIHdpdGggZXh0cmEKICAgKHJlamVjdGVk KSBtLWxpbmVzLgoKMi42LjMuICBNUkNQIEVzdGFibGlzaG1lbnQKCiAgIE1SQ1AgW01SQ1B2Ml0g aXMgYSBwcm90b2NvbCB0aGF0IGVuYWJsZXMgY2xpZW50cyBzdWNoIGFzIGEgVm9pY2VYTUwKICAg TWVkaWEgU2VydmVyIHRvIGNvbnRyb2wgbWVkaWEgc2VydmljZSByZXNvdXJjZXMgc3VjaCBhcyBz cGVlY2gKICAgc3ludGhlc2l6ZXJzLCByZWNvZ25pemVycywgdmVyaWZpZXJzIGFuZCBpZGVudGlm aWVycyByZXNpZGluZyBpbgogICBzZXJ2ZXJzIG9uIHRoZSBuZXR3b3JrLgoKICAgVGhlIGV4YW1w bGUgYmVsb3cgaWxsdXN0cmF0ZXMgaG93IGEgVm9pY2VYTUwgTWVkaWEgU2VydmVyIG1heQoKCgpC dXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAg ICAgICBbUGFnZSAyMF0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhN TCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgogICBlc3RhYmxpc2ggYW4gTVJDUCBz ZXNzaW9uIGluIHJlc3BvbnNlIHRvIGFuIGluaXRpYWwgSU5WSVRFLgoKICAgICAgICAgICAgICAg ICAgICAgICBWb2ljZVhNTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIVFRQCiAg IFVzZXIgICAgICAgICAgICAgICAgTWVkaWEgICAgICAgICAgICAgICAgIE1SQ1B2MiAgICAgICAg ICBBcHBsaWNhdGlvbgogICBBZ2VudCAgICAgICAgICAgICAgIFNlcnZlciAgICAgICAgICAgICAg ICBTZXJ2ZXIgICAgICAgICAgICAgU2VydmVyCiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAg ICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8KDEpIElOVklURSBb b2ZmZXIxXSB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8 LS0tLS0tLS0tLS0tLS0tLS0tLT58ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg ICAgICB8CiAgICB8KDIpIDEwMCBUcnlpbmcgICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwg ICAgICAgICAgICAgICAgICB8CiAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS18KDMpIEdFVCAgICAg ICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8 LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLT58CiAgICB8ICAgICAgICAg ICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAg ICB8ICAgICAgICAgICAgICAgICAgICB8KDQpIDIwMCBPSyBbVlhNTF0gICAgIHwgICAgICAgICAg ICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS18CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAg ICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAg ICB8KDUpIElOVklURSBbb2ZmZXIyXSAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAg ICAgICAgICAgICAgICB8LS0tLS0tLS0tLS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgICB8 CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAg ICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8KDYpIDIwMCBPSyBbYW5zd2Vy Ml0gIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8PC0tLS0t LS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAg ICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAg ICAgICAgICAgICAgICAgICB8KDcpIEFDSyAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAg ICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8LS0tLS0tLS0tLS0tLS0tLS0tLS0tPnwgICAg ICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAg ICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8KDgp IE1SQ1AgY29ubmVjdGlvbiAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAg ICAgICAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgICB8CiAgICB8 KDkpIDIwMCBPSyBbYW5zd2VyMV18ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg ICAgICB8CiAgICB8PC0tLS0tLS0tLS0tLS0tLS0tLS18ICAgICAgICAgICAgICAgICAgICAgIHwg ICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAg ICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8KDEwKSBBQ0sgICAgICAgICAgICB8 ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAgICB8LS0tLS0tLS0t LS0tLS0tLS0tLT58ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CiAg ICB8ICAgICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAg ICAgICAgICB8CiAgICB8KDExKSBSVFAvU1JUUCAgICAgICB8ICAgICAgICAgICAgICAgICAgICAg IHwgICAgICAgICAgICAgICAgICB8CiAgIC4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLnwgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAg ICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICB8CgoKICAgSW4gdGhp cyBleGFtcGxlLCB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGlzIHJlc3BvbnNpYmxlIGZvcgog ICBlc3RhYmxpc2hpbmcgYSBzZXNzaW9uIHdpdGggdGhlIE1SQ1B2MiBNZWRpYSBSZXNvdXJjZSBT ZXJ2ZXIgcHJpb3IgdG8KICAgc2VuZGluZyB0aGUgMjAwIE9LIHJlc3BvbnNlIHRvIHRoZSBpbml0 aWFsIElOVklURS4gIFRoZSBWb2ljZVhNTAogICBNZWRpYSBTZXJ2ZXIgd2lsbCBwZXJmb3JtIHRo ZSBhcHByb3ByaWF0ZSBvZmZlci9hbnN3ZXIgd2l0aCB0aGUKICAgTVJDUHYyIE1lZGlhIFJlc291 cmNlIFNlcnZlciBiYXNlZCBvbiB0aGUgU0RQIGNhcGFiaWxpdGllcyBvZiB0aGUKICAgQXBwbGlj YXRpb24gU2VydmVyIGFuZCB0aGUgTVJDUHYyIE1lZGlhIFJlc291cmNlIFNlcnZlci4gIFRoZQog ICBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgd2lsbCBjaGFuZ2UgdGhlIG9mZmVyIHJlY2VpdmVkIGZy b20gc3RlcCAxIHRvCiAgIGVzdGFibGlzaCBhIE1SQ1B2MiBzZXNzaW9uIGluIHN0ZXAgKDUpIGFu ZCB3aWxsIHJlLXdyaXRlIHRoZSBTRFAgdG8KICAgaW5jbHVkZSBhbiBtLWxpbmUgZm9yIGVhY2gg TVJDUHYyIHJlc291cmNlIHRvIGJlIHVzZWQgYW5kIG90aGVyCiAgIHJlcXVpcmVkIFNEUCBtb2Rp ZmljYXRpb25zIGFzIHNwZWNpZmllZCBieSBNUkNQdjIuICBPbmNlIHRoZSBWb2ljZVhNTAogICBN ZWRpYSBTZXJ2ZXIgcGVyZm9ybXMgdGhlIG9mZmVyL2Fuc3dlciB3aXRoIHRoZSBNUkNQdjIgTWVk aWEgUmVzb3VyY2UKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEy LCAyMDA5ICAgICAgICAgICAgICAgW1BhZ2UgMjFdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRl cmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgU2Vy dmVyLCBpdCB3aWxsIGVzdGFibGlzaCBhIE1SQ1B2MiBjb250cm9sIGNoYW5uZWwgaW4gc3RlcCAo OCkuICBUaGUKICAgTVJDUHYyIHJlc291cmNlIGlzIGRlYWxsb2NhdGVkIHdoZW4gdGhlIFZvaWNl WE1MIE1lZGlhIFNlcnZlcgogICByZWNlaXZlcyBvciBzZW5kcyBhIEJZRSAobm90IHNob3duKS4K CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKQnVya2UgJiBT Y290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgW1Bh Z2UgMjJdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEg U2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKMy4gIE1lZGlhIFN1cHBvcnQKCiAgIFRoaXMgc2Vj dGlvbiBkZXNjcmliZXMgdGhlIG1hbmRhdG9yeSBhbmQgb3B0aW9uYWwgbWVkaWEgc3VwcG9ydAog ICByZXF1aXJlZCBieSB0aGlzIGludGVyZmFjZS4KCjMuMS4gIE9mZmVyL0Fuc3dlcgoKICAgVGhl IFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNVVNUIHN1cHBvcnQgdGhlIHN0YW5kYXJkIG9mZmVyL2Fu c3dlcgogICBtZWNoYW5pc20gb2YgW1JGQzMyNjRdLiAgSW4gcGFydGljdWxhciwgaWYgYW4gU0RQ IG9mZmVyIGlzIG5vdAogICBwcmVzZW50IGluIHRoZSBJTlZJVEUsIHRoZSBWb2ljZVhNTCBNZWRp YSBTZXJ2ZXIgd2lsbCBtYWtlIGFuIG9mZmVyCiAgIGluIHRoZSAyMDAgT0sgcmVzcG9uc2UgbGlz dGluZyBpdHMgc3VwcG9ydGVkIGNvZGVjcy4KCjMuMi4gIEVhcmx5IE1lZGlhCgogICBUaGUgVm9p Y2VYTUwgTWVkaWEgU2VydmVyIE1BWSBzdXBwb3J0IGVhcmx5IGVzdGFibGlzaG1lbnQgb2YgbWVk aWEKICAgc3RyZWFtcyBhcyBkZXNjcmliZWQgaW4gW1JGQzM5NjBdLiAgVGhpcyBhbGxvd3MgdGhl IEFwcGxpY2F0aW9uCiAgIFNlcnZlciB0byBlc3RhYmxpc2ggbWVkaWEgc3RyZWFtcyBiZXR3ZWVu IGEgdXNlciBhZ2VudCBhbmQgdGhlCiAgIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBpbiBwYXJhbGxl bCB3aXRoIHRoZSBpbml0aWFsIFZvaWNlWE1MIGRvY3VtZW50CiAgIGJlaW5nIHByb2Nlc3NlZCAo d2hpY2ggbWF5IGludm9sdmUgZHluYW1pYyBWb2ljZVhNTCBwYWdlIGdlbmVyYXRpb24KICAgYW5k IGludGVyYWN0aW9uIHdpdGggZGF0YWJhc2VzIG9yIG90aGVyIHN5c3RlbXMpLiAgVGhpcyBpcyB1 c2VmdWwKICAgcHJpbWFyaWx5IGZvciBtaW5pbWl6aW5nIHRoZSBkZWxheSBpbiBzdGFydGluZyBh IFZvaWNlWE1MIFNlc3Npb24sCiAgIHBhcnRpY3VsYXJseSBpbiBjYXNlcyB3aGVyZSBhIHNlc3Np b24gd2l0aCB0aGUgdXNlciBhZ2VudCBhbHJlYWR5CiAgIGV4aXN0cyBidXQgdGhlIG1lZGlhIHN0 cmVhbSBhc3NvY2lhdGVkIHdpdGggdGhhdCBzZXNzaW9uIG5lZWRzIHRvIGJlCiAgIHJlZGlyZWN0 ZWQgdG8gYSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIuCgogICBUaGUgZm9sbG93aW5nIGZsb3cgZGVt b25zdHJhdGVzIHRoZSB1c2Ugb2YgZWFybHkgbWVkaWEgKHVzaW5nIHRoZQogICBHYXRld2F5IG1v ZGVsIGRlZmluZWQgaW4gW1JGQzM5NjBdKToKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKQnVya2Ug JiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAg W1BhZ2UgMjNdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVk aWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgICAgICAgICAgICAgICAgICAgICAgIFNJ UCAgICAgICAgICAgICAgIFZvaWNlWE1MICAgICAgICAgICAgICBIVFRQCiAgIFVzZXIgICAgICAg ICAgICAgIEFwcGxpY2F0aW9uICAgICAgICAgICAgTWVkaWEgICAgICAgICAgICBBcHBsaWNhdGlv bgogICBBZ2VudCAgICAgICAgICAgICAgIFNlcnZlciAgICAgICAgICAgICAgIFNlcnZlciAgICAg ICAgICAgICAgU2VydmVyCiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg ICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8Li4oZXhpc3Rpbmcgc2Vzc2lvbikuLnwg ICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAg ICAgICAgICAgIHwoMSkgSU5WSVRFICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8 ICAgICAgICAgICAgICAgICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0+fCAgICAgICAgICAgICAg ICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCgy KSBIVFRQIEdFVCAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAg ICAgICAgICAgfC0tLS0tLS0tLS0tLS0tLS0tLT58CiAgICB8ICAgICAgICAgICAgICAgICAgICAg IHwoMykgMTgzICAgIFtvZmZlcl0gfCAgICAgICAgICAgICAgICAgICB8CiAgICB8KDQpIHJlLUlO VklURSBbb2ZmZXJdIHw8LS0tLS0tLS0tLS0tLS0tLS0tfCAgICAgICAgICAgICAgICAgICB8CiAg ICB8PC0tLS0tLS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAg ICAgICAgICB8CiAgICB8KDUpIDIwMCBPSyBbYW5zd2VyXSAgIHwgICAgICAgICAgICAgICAgICAg fCAgICAgICAgICAgICAgICAgICB8CiAgICB8LS0tLS0tLS0tLS0tLS0tLS0tLS0tPnwgICAgICAg ICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8KDYpIEFDSyAgICAgICAgICAg ICAgIHwgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8PC0tLS0t LS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8 CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgKDcpIFBSQUNLIFthbnN3ZXJdfCAgICAgICAg ICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwtLS0tLS0tLS0tLS0tLS0t LS0+fCAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgKDgp IFBSQUNLIDIwMCBPSyAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAg ICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0tfCAgICAgICAgICAgICAgICAgICB8CiAgICB8KDkp IFJUUC9TUlRQICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAg ICB8CiAgICB8Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4ufCAgICAg ICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAg ICAgICAgfCgxMCkgMjAwIE9LIFtWWE1MXSB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwg ICAgICAgICAgICAgICAgICAgfDwtLS0tLS0tLS0tLS0tLS0tLS18CiAgICB8ICAgICAgICAgICAg ICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8 ICAgICAgICAgICAgICAgICAgICAgIHwoMTEpIDIwMCBPSyAgICAgICAgfCAgICAgICAgICAgICAg ICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0tfCAg ICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwoMTIpIEFDSyAg ICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAg IHwtLS0tLS0tLS0tLS0tLS0tLS0+fCAoZXhlY3V0ZSAgICAgICAgICB8CiAgICB8ICAgICAgICAg ICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCAgVm9pY2VYTUwgICAgICAgICB8CiAg ICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCAgYXBwbGljYXRp b24pICAgICB8CiAgICB8ICAgICAgICAgICAgICAgICAgICAgIHwgICAgICAgICAgICAgICAgICAg fCAgICAgICAgICAgICAgICAgICB8CgoKICAgQWx0aG91Z2ggW1JGQzM5NjBdIHByZWZlcnMgdGhl IHVzZSBvZiB0aGUgQXBwbGljYXRpb24gU2VydmVyIG1vZGVsCiAgIGZvciBlYXJseSBtZWRpYSBv dmVyIHRoZSBHYXRld2F5IG1vZGVsLCB0aGUgcHJpbWFyeSBpc3N1ZSB3aXRoIHRoZQogICBHYXRl d2F5IG1vZGVsIC0gZm9ya2luZyAtIGlzIHNpZ25pZmljYW50bHkgbGVzcyBjb21tb24gd2hlbiBp c3N1aW5nCiAgIHJlcXVlc3RzIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZlcnMuICBUaGlzIGlzIGJl Y2F1c2UgVm9pY2VYTUwgTWVkaWEKICAgU2VydmVycyByZXNwb25kIHRvIGFsbCByZXF1ZXN0cyB3 aXRoIDIwMCBPSyByZXNwb25zZXMgaW4gdGhlIGFic2VuY2UKICAgb2YgdW51c3VhbCBlcnJvcnMs IGFuZCB0eXBpY2FsbHkgZG8gc28gd2l0aGluIHNldmVyYWwgaHVuZHJlZAogICBtaWxsaXNlY29u ZHMuICBUaGlzIG1ha2VzIHRoZW0gdW5saWtlbHkgdGFyZ2V0cyBpbiBmb3JraW5nIHNjZW5hcmlv cywKICAgc2luY2UgYWx0ZXJuYXRpdmUgdGFyZ2V0cyBvZiB0aGUgZm9ya2luZyBwcm9jZXNzIHdv dWxkIHZpcnR1YWxseQogICBuZXZlciBiZSBhYmxlIHRvIHJlc3BvbmQgbW9yZSBxdWlja2x5IHRo YW4gYW4gYXV0b21hdGVkIHN5c3RlbSwKICAgdW5sZXNzIHRoZXkgYXJlIHRoZW1zZWx2ZXMgYXV0 b21hdGVkIHN5c3RlbXMgLSBpbiB3aGljaCBjYXNlIHRoZXJlIGlzCiAgIGxpdHRsZSBwb2ludCBp biBzZXR0aW5nIHVwIGEgcmVzcG9uc2UgdGltZSByYWNlIGJldHdlZW4gdHdvIGF1dG9tYXRlZAog ICBzeXN0ZW1zLiAgSXNzdWVzIHdpdGggcmluZ2luZyB0b25lIGdlbmVyYXRpb24gaW4gdGhlIEdh dGV3YXkgbW9kZWwKICAgYXJlIGFsc28gbWl0aWdhdGVkLCBib3RoIGJ5IHRoZSB0eXBpY2FsbHkg cXVpY2sgMjAwIE9LIHJlc3BvbnNlIHRpbWUsCiAgIGFuZCBiZWNhdXNlIHRoaXMgc3BlY2lmaWNh dGlvbiBtYW5kYXRlcyB0aGF0IG5vIG1lZGlhIHBhY2tldHMgYXJlCgoKCkJ1cmtlICYgU2NvdHQg ICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDI0 XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZp Y2VzICAgICAgICBGZWIgMjAwOQoKCiAgIGdlbmVyYXRlZCB1bnRpbCB0aGUgcmVjZWlwdCBvZiBh biBBQ0sgKHRodXMgZWxpbWluYXRpbmcgdGhlIG5lZWQgZm9yCiAgIHRoZSB1c2VyIGFnZW50IHRv IHBlcmZvcm0gbWVkaWEgcGFja2V0IGFuYWx5c2lzKS4KCiAgIE5vdGUgdGhhdCB0aGUgb2ZmZXIg b2YgZWFybHkgbWVkaWEgYnkgYSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgZG9lcwogICBub3QgaW1w bHkgdGhhdCB0aGUgcmVmZXJlbmNlZCBWb2ljZVhNTCBhcHBsaWNhdGlvbiBjYW4gYWx3YXlzIGJl CiAgIGZldGNoZWQgYW5kIGV4ZWN1dGVkIHN1Y2Nlc3NmdWxseS4gIEZvciBpbnN0YW5jZSwgaWYg dGhlIEhUVFAKICAgQXBwbGljYXRpb24gU2VydmVyIHdlcmUgdG8gcmV0dXJuIGEgNHh4IHJlc3Bv bnNlIGluIHN0ZXAgMTAgYWJvdmUsIG9yCiAgIGlmIHRoZSBwcm92aWRlZCBWb2ljZVhNTCBjb250 ZW50IHdhcyBub3QgdmFsaWQsIHRoZSBWb2ljZVhNTCBNZWRpYQogICBTZXJ2ZXIgd291bGQgc3Rp bGwgcmV0dXJuIGEgNTAwIHJlc3BvbnNlIChhcyBwZXIgc2VjdGlvbiAyLjIpLiAgQXQKICAgdGhp cyBwb2ludCwgaXQgd291bGQgYmUgdGhlIHJlc3BvbnNpYmlsaXR5IG9mIHRoZSBhcHBsaWNhdGlv biBzZXJ2ZXIKICAgdG8gdGVhciBkb3duIGFueSBtZWRpYSBzdHJlYW1zIGVzdGFibGlzaGVkIHdp dGggdGhlIG1lZGlhIHNlcnZlci4KCjMuMy4gIE1vZGlmeWluZyB0aGUgTWVkaWEgU2Vzc2lvbgoK ICAgVGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNVVNUIGFsbG93IHRoZSBtZWRpYSBzZXNzaW9u IHRvIGJlIG1vZGlmaWVkCiAgIHZpYSBhIHJlLUlOVklURSBhbmQgU0hPVUxEIHN1cHBvcnQgdGhl IFVQREFURSBtZXRob2QgW1JGQzMzMTFdIGZvcgogICB0aGUgc2FtZSBwdXJwb3NlLiAgSW4gcGFy dGljdWxhciwgaXQgTVVTVCBiZSBwb3NzaWJsZSB0byBjaGFuZ2UKICAgc3RyZWFtcyBiZXR3ZWVu IHNlbmRyZWN2LCBzZW5kb25seSwgYW5kIHJlY3Zvbmx5IGFzIHNwZWNpZmllZCBpbgogICBbUkZD MzI2NF0uCgogICBVbmlkaXJlY3Rpb25hbCBzdHJlYW1zIGFyZSB1c2VmdWwgZm9yIGFubm91bmNl bWVudC0gb3IgbGlzdGVuaW5nLW9ubHkKICAgKGhvdHdvcmQpLiAgVGhlIHByZWZlcnJlZCBtZWNo YW5pc20gZm9yIHB1dHRpbmcgdGhlIG1lZGlhIHNlc3Npb24gb24KICAgaG9sZCBpcyBzcGVjaWZp ZWQgaW4gW1JGQzMyNjRdLCBpLmUuIHRoZSBVQSBtb2RpZmllcyB0aGUgc3RyZWFtIHRvIGJlCiAg IHNlbmRvbmx5IGFuZCBtdXRlcyBpdHMgb3duIHN0cmVhbS4gIE1vZGlmaWNhdGlvbiBvZiB0aGUg bWVkaWEgc2Vzc2lvbgogICBkb2VzIG5vdCBhZmZlY3QgVm9pY2VYTUwgYXBwbGljYXRpb24gZXhl Y3V0aW9uIChleGNlcHQgdGhhdAogICByZWNvZ25pdGlvbiBhY3Rpb25zIGluaXRpYXRlZCB3aGls ZSBvbiBob2xkIHdpbGwgcmVzdWx0IGluIG5vaW5wdXQKICAgdGltZW91dHMpLgoKMy40LiAgQXVk aW8gYW5kIFZpZGVvIENvZGVjcwoKICAgRm9yIHRoZSBwdXJwb3NlcyBvZiBhY2hpZXZpbmcgYSBi YXNpYyBsZXZlbCBvZiBpbnRlcm9wZXJhYmlsaXR5LCB0aGlzCiAgIHNlY3Rpb24gc3BlY2lmaWVz IGEgbWluaW1hbCBzdWJzZXQgb2YgY29kZWNzIGFuZCBSVFAgW1JGQzM1NTBdCiAgIHBheWxvYWQg Zm9ybWF0cyB0aGF0IE1VU1QgYmUgc3VwcG9ydGVkIGJ5IHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2 ZXIuCgogICBGb3IgYXVkaW8tb25seSBhcHBsaWNhdGlvbnMsIEcuNzExIG11LWxhdyBhbmQgQS1s YXcgTVVTVCBiZSBzdXBwb3J0ZWQKICAgdXNpbmcgdGhlIFJUUCBwYXlsb2FkIHR5cGUgMCBhbmQg OCBbUkZDMzU1MV0uICBPdGhlciBjb2RlY3MgYW5kCiAgIHBheWxvYWQgZm9ybWF0cyBNQVkgYmUg c3VwcG9ydGVkLgoKICAgVmlkZW8gdGVsZXBob255IGFwcGxpY2F0aW9ucywgd2hpY2ggZW1wbG95 IGEgdmlkZW8gc3RyZWFtIGluIGFkZGl0aW9uCiAgIHRvIHRoZSBhdWRpbyBzdHJlYW0sIGFyZSBw b3NzaWJsZSBpbiBWb2ljZVhNTCAyLjAvMi4xIHRocm91Z2ggdGhlIHVzZQogICBvZiBtdWx0aW1l ZGlhIGZpbGUgY29udGFpbmVyIGZvcm1hdHMgc3VjaCBhcyB0aGUgLjNncCBbVFMyNjI0NF0gYW5k CiAgIC5tcDQgZm9ybWF0cyBbSUVDMTQ0OTYtMTRdLiAgVmlkZW8gc3VwcG9ydCBpcyBvcHRpb25h bCBmb3IgdGhpcwogICBzcGVjaWZpY2F0aW9uLiAgSWYgdmlkZW8gaXMgc3VwcG9ydGVkIHRoZW46 CgogICAxLiAgSC4yNjMgQmFzZWxpbmUgW1JGQzQ2MjldIE1VU1QgYmUgc3VwcG9ydGVkLiAgRm9y IGxlZ2FjeSByZWFzb25zLAogICAgICAgdGhlIDE5OTYgdmVyc2lvbiBvZiBILjI2MyBNQVkgYmUg c3VwcG9ydGVkIHVzaW5nIHRoZSBSVFAgcGF5bG9hZAogICAgICAgZm9ybWF0IGRlZmluZWQgaW4g W1JGQzIxOTBdIChwYXlsb2FkIHR5cGUgMzQgW1JGQzM1NTFdKS4KCgoKCkJ1cmtlICYgU2NvdHQg ICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDI1 XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZp Y2VzICAgICAgICBGZWIgMjAwOQoKCiAgIDIuICBBTVItTkIgYXVkaW8gW1JGQzQ4NjddIFNIT1VM RCBiZSBzdXBwb3J0ZWQuCgogICAzLiAgTVBFRy00IHZpZGVvIFtSRkMzMDE2XSBTSE9VTEQgYmUg c3VwcG9ydGVkLgoKICAgNC4gIE1QRUctNCBBQUMgYXVkaW8gW1JGQzMwMTZdIFNIT1VMRCBiZSBz dXBwb3J0ZWQuCgogICA1LiAgT3RoZXIgY29kZWNzIGFuZCBwYXlsb2FkIGZvcm1hdHMgTUFZIGJl IHN1cHBvcnRlZC4KCiAgIFZpZGVvIHJlY29yZCBvcGVyYXRpb25zIGNhcnJpZWQgb3V0IGJ5IHRo ZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIKICAgdHlwaWNhbGx5IHJlcXVpcmUgcmVjZWlwdCBvZiBh biBpbnRyYS1mcmFtZSBiZWZvcmUgdGhlIHJlY29yZGluZyBjYW4KICAgY29tbWVuY2UuICBUaGUg Vm9pY2VYTUwgTWVkaWEgU2VydmVyIFNIT1VMRCB1c2UgdGhlIG1lY2hhbmlzbQogICBkZXNjcmli ZWQgaW4gW1JGQzQ1ODVdIHRvIHJlcXVlc3QgdGhhdCBhIG5ldyBpbnRyYS1mcmFtZSBiZSBzZW50 LgoKICAgU2luY2Ugc29tZSBhcHBsaWNhdGlvbnMgbWF5IGNob29zZSB0byB0cmFuc2ZlciBjb25m aWRlbnRpYWwKICAgaW5mb3JtYXRpb24sIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBz dXBwb3J0IFNlY3VyZSBSVFAgKFNSVFApCiAgIFtSRkMzNzExXSBhcyBkaXNjdXNzZWQgaW4gU2Vj dGlvbiA5LgoKMy41LiAgRFRNRgoKICAgRFRNRiBldmVudHMgW1JGQzQ3MzNdIE1VU1QgYmUgc3Vw cG9ydGVkLiAgV2hlbiB0aGUgdXNlciBhZ2VudCBkb2VzCiAgIG5vdCBpbmRpY2F0ZSBzdXBwb3J0 IGZvciBbUkZDNDczM10gdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNQVkKICAgcGVyZm9ybSBE VE1GIGRldGVjdGlvbiB1c2luZyBvdGhlciBtZWFucyBzdWNoIGFzIGRldGVjdGluZyBEVE1GIHRv bmVzCiAgIGluIHRoZSBhdWRpbyBzdHJlYW0uICBJbXBsZW1lbnRhdGlvbiBub3RlOiB0aGUgcmVh c29uIHdoeSBvbmx5CiAgIFtSRkM0NzMzXSB0ZWxlcGhvbmUtZXZlbnRzIG11c3QgYmUgdXNlZCB3 aGVuIHRoZSB1c2VyIGFnZW50IGluZGljYXRlcwogICBzdXBwb3J0IG9mIGl0IGlzIHRvIGF2b2lk IHRoZSByaXNrIG9mIGRvdWJsZSBkZXRlY3Rpb24gb2YgRFRNRiBpZgogICBkZXRlY3Rpb24gb24g dGhlIGF1ZGlvIHN0cmVhbSB3YXMgc2ltdWx0YW5lb3VzbHkgYXBwbGllZC4KCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwg MjAwOSAgICAgICAgICAgICAgIFtQYWdlIDI2XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJm YWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjQuICBSZXR1 cm5pbmcgRGF0YSB0byB0aGUgQXBwbGljYXRpb24gU2VydmVyCgogICBUaGlzIHNlY3Rpb24gZGlz Y3Vzc2VzIHRoZSBtZWNoYW5pc21zIGZvciByZXR1cm5pbmcgZGF0YSAoZS5nLgogICBjb2xsZWN0 ZWQgdXR0ZXJhbmNlIG9yIGRpZ2l0IGluZm9ybWF0aW9uKSBmcm9tIHRoZSBWb2ljZVhNTCBNZWRp YQogICBTZXJ2ZXIgdG8gdGhlIEFwcGxpY2F0aW9uIFNlcnZlci4KCjQuMS4gIEhUVFAgTWVjaGFu aXNtCgogICBBdCBhbnkgdGltZSBkdXJpbmcgdGhlIGV4ZWN1dGlvbiBvZiB0aGUgVm9pY2VYTUwg YXBwbGljYXRpb24sIGRhdGEKICAgY2FuIGJlIHJldHVybmVkIHRvIHRoZSBBcHBsaWNhdGlvbiBT ZXJ2ZXIgdmlhIGEgSFRUUCBQT1NUIHVzaW5nCiAgIHN0YW5kYXJkIFZvaWNlWE1MIGVsZW1lbnRz IHN1Y2ggYXMgPHN1Ym1pdD4gb3IgPHN1YmRpYWxvZz4uICBOb3RhYmx5LAogICB0aGUgPGRhdGE+ IGVsZW1lbnQgaW4gVm9pY2VYTUwgMi4xIFtWWE1MMjFdIGFsbG93cyBkYXRhIHRvIGJlIHNlbnQg dG8KICAgdGhlIEFwcGxpY2F0aW9uIFNlcnZlciBlZmZpY2llbnRseSB3aXRob3V0IHJlcXVpcmlu ZyBhIFZvaWNlWE1MIHBhZ2UKICAgdHJhbnNpdGlvbiBhbmQgaXMgaWRlYWwgZm9yIHNob3J0IFZv aWNlWE1MIGFwcGxpY2F0aW9ucyBzdWNoIGFzCiAgICJwcm9tcHQgYW5kIGNvbGxlY3QiLgoKICAg Rm9yIG1vc3QgYXBwbGljYXRpb25zLCBpdCBpcyBuZWNlc3NhcnkgdG8gY29ycmVsYXRlIHRoZSBp bmZvcm1hdGlvbgogICBiZWluZyBwYXNzZWQgb3ZlciBIVFRQIHdpdGggYSBwYXJ0aWN1bGFyIFZv aWNlWE1MIFNlc3Npb24uICBPbmUgd2F5CiAgIHRoaXMgY2FuIGJlIGFjaGlldmVkIGlzIHRvIGlu Y2x1ZGUgdGhlIFNJUCBDYWxsLUlEIChhY2Nlc3NpYmxlIGluCiAgIFZvaWNlWE1MIHZpYSB0aGUg c2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29sLnNpcC5oZWFkZXJzIGFycmF5KQogICB3aXRoaW4g dGhlIEhUVFAgUE9TVCBmaWVsZHMuICBBbHRlcm5hdGl2ZWx5LCBhIHVuaXF1ZSAiUE9TVC1iYWNr IFVSSSIKICAgY2FuIGJlIHNwZWNpZmllZCBhcyBhbiBhcHBsaWNhdGlvbi1zcGVjaWZpYyBVUkkg cGFyYW1ldGVyIGluIHRoZQogICBSZXF1ZXN0LVVSSSBvZiB0aGUgaW5pdGlhbCBJTlZJVEUgKGFj Y2Vzc2libGUgaW4gVm9pY2VYTUwgdmlhIHRoZQogICBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9j b2wuc2lwLnJlcXVlc3R1cmkgYXJyYXkpLgoKICAgU2luY2Ugc29tZSBhcHBsaWNhdGlvbnMgbWF5 IGNob29zZSB0byB0cmFuc2ZlciBjb25maWRlbnRpYWwKICAgaW5mb3JtYXRpb24sIHRoZSBWb2lj ZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBzdXBwb3J0IHRoZSBodHRwczogc2NoZW1lCiAgIGFzIGRp c2N1c3NlZCBpbiBTZWN0aW9uIDkuCgo0LjIuICBTSVAgTWVjaGFuaXNtCgogICBEYXRhIGNhbiBi ZSByZXR1cm5lZCB0byB0aGUgQXBwbGljYXRpb24gU2VydmVyIHZpYSB0aGUgZXhwciBvcgogICBu YW1lbGlzdCBhdHRyaWJ1dGUgb24gPGV4aXQ+IG9yIHRoZSBuYW1lbGlzdCBhdHRyaWJ1dGUgb24K ICAgPGRpc2Nvbm5lY3Q+LiAgQSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBzdXBwb3J0IGVu Y29kaW5nIG9mIHRoZQogICBleHByIC8gbmFtZWxpc3QgZGF0YSBpbiB0aGUgbWVzc2FnZSBib2R5 IG9mIGEgQllFIHJlcXVlc3Qgc2VudCBmcm9tCiAgIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIg YXMgYSByZXN1bHQgb2YgZW5jb3VudGVyaW5nIHRoZSA8ZXhpdD4gb3IKICAgPGRpc2Nvbm5lY3Q+ IGVsZW1lbnQuICBBIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNQVkgc3VwcG9ydCBpbmNsdXNpb24K ICAgb2YgdGhlIGV4cHIgLyBuYW1lbGlzdCBkYXRhIGluIHRoZSBtZXNzYWdlIGJvZHkgb2YgdGhl IDIwMCBPSyBtZXNzYWdlCiAgIGluIHJlc3BvbnNlIHRvIGEgcmVjZWl2ZWQgQllFIHJlcXVlc3Qg KGkuZS4gd2hlbiB0aGUgVm9pY2VYTUwKICAgQXBwbGljYXRpb24gcmVzcG9uZHMgdG8gdGhlIGNv bm5lY3Rpb24uZGlzY29ubmVjdC5oYW5ndXAgZXZlbnQgYW5kCiAgIHN1YnNlcXVlbnRseSBleGVj dXRlcyBhbiA8ZXhpdD4gZWxlbWVudCB3aXRoIHRoZSBleHByIG9yIG5hbWVsaXN0CiAgIGF0dHJp YnV0ZSBzcGVjaWZpZWQpLgoKICAgTm90ZSB0aGF0IHNlbmRpbmcgZXhwci9uYW1lbGlzdCBkYXRh IGluIHRoZSAyMDAgT0sgcmVzcG9uc2UgcmVxdWlyZXMKICAgdGhhdCB0aGUgVm9pY2VYTUwgTWVk aWEgU2VydmVyIGRlbGF5IHRoZSBmaW5hbCByZXNwb25zZSB0byB0aGUKICAgcmVjZWl2ZWQgQllF IHJlcXVlc3QgdW50aWwgdGhlIFZvaWNlWE1MIEFwcGxpY2F0aW9uJ3MgcG9zdC1kaXNjb25uZWN0 CiAgIGZpbmFsIHByb2Nlc3Npbmcgc3RhdGUgdGVybWluYXRlcy4gIFRoaXMgbWVjaGFuaXNtIGlz IHN1YmplY3QgdG8gdGhlCiAgIGNvbnN0cmFpbnQgdGhhdCB0aGUgVm9pY2VYTUwgTWVkaWEgU2Vy dmVyIG11c3QgcmVzcG9uZCBiZWZvcmUgdGhlCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBF eHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDI3XQoMCkludGVybmV0 LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBG ZWIgMjAwOQoKCiAgIFVBQydzIHRpbWVyIEYgZXhwaXJlcyAoZGVmYXVsdHMgdG8gMzIgc2Vjb25k cykuICBNb3Jlb3ZlciwgZm9yCiAgIHVucmVsaWFibGUgdHJhbnNwb3J0cywgdGhlIFVBQyB3aWxs IHJldHJhbnNtaXQgdGhlIEJZRSByZXF1ZXN0CiAgIGFjY29yZGluZyB0byB0aGUgcnVsZXMgb2Yg W1JGQzMyNjFdLiAgVGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlcgogICBTSE9VTEQgaW1wbGVtZW50 IHRoZSByZWNvbW1lbmRhdGlvbnMgb2YgW1JGQzQzMjBdIHJlZ2FyZGluZyB3aGVuIHRvCiAgIHNl bmQgdGhlIDEwMCBUcnlpbmcgcHJvdmlzaW9uYWwgcmVzcG9uc2UgdG8gdGhlIEJZRSByZXF1ZXN0 LgoKICAgSWYgYSBWb2ljZVhNTCBBcHBsaWNhdGlvbiBleGVjdXRlcyBhIDxkaXNjb25uZWN0PiBb VlhNTDIxXSBhbmQgdGhlbgogICBzdWJzZXF1ZW50bHkgZXhlY3V0ZXMgYW4gPGV4aXQ+IHdpdGgg bmFtZWxpc3QgaW5mb3JtYXRpb24sIHRoZQogICBuYW1lbGlzdCBpbmZvcm1hdGlvbiBmcm9tIHRo ZSA8ZXhpdD4gZWxlbWVudCBpcyBkaXNjYXJkZWQuCgogICBOYW1lbGlzdCB2YXJpYWJsZXMgYXJl IGZpcnN0IGNvbnZlcnRlZCB0byB0aGVpciBKU09OIHZhbHVlIGVxdWl2YWxlbnQKICAgW1JGQzQ2 MjddIGFuZCBlbmNvZGVkIGluIHRoZSBtZXNzYWdlIGJvZHkgdXNpbmcgdGhlIGFwcGxpY2F0aW9u LwogICB4LXd3dy1mb3JtLXVybGVuY29kZWQgZm9ybWF0IGNvbnRlbnQgdHlwZSBbSFRNTDRdLiAg VGhlIGJlaGF2aW9yCiAgIHJlc3VsdGluZyBmcm9tIHNwZWNpZnlpbmcgYSByZWNvcmRpbmcgdmFy aWFibGUgaW4gdGhlIG5hbWVsaXN0IG9yIGFuCiAgIEVDTUFTY3JpcHQgb2JqZWN0IHdpdGggY2ly Y3VsYXIgcmVmZXJlbmNlcyBpcyBub3QgZGVmaW5lZC4gIElmIHRoZQogICBleHByIGF0dHJpYnV0 ZSBpcyBzcGVjaWZpZWQgb24gdGhlIDxleGl0PiBlbGVtZW50IGluc3RlYWQgb2YgdGhlCiAgIG5h bWVsaXN0IGF0dHJpYnV0ZSwgdGhlIHJlc2VydmVkIG5hbWUgX19leGl0IGlzIHVzZWQuCgogICBU byBhbGxvdyB0aGUgYXBwbGljYXRpb24gc2VydmVyIHRvIGRpZmZlcmVudGlhdGUgYmV0d2VlbiBh IEJZRQogICByZXN1bHRpbmcgZnJvbSBhIDxkaXNjb25uZWN0PiBmcm9tIG9uZSByZXN1bHRpbmcg ZnJvbSBhbiA8ZXhpdD4sIHRoZQogICByZXNlcnZlZCBuYW1lIF9fcmVhc29uIGlzIHVzZWQsIHdp dGggYSB2YWx1ZSBvZiAiZGlzY29ubmVjdCIgKHdpdGhvdXQKICAgYnJhY2tldHMpIHRvIHJlZmxl Y3QgdGhlIHVzZSBvZiBWb2ljZVhNTCdzIDxkaXNjb25uZWN0PiBlbGVtZW50LCBhbmQKICAgYSB2 YWx1ZSBvZiAiZXhpdCIgKHdpdGhvdXQgYnJhY2tldHMpIHRvIGFuIGV4cGxpY2l0IDxleGl0PiBp biB0aGUKICAgVm9pY2VYTUwgZG9jdW1lbnQuICBJZiB0aGUgc2Vzc2lvbiB0ZXJtaW5hdGVzIGZv ciBvdGhlciByZWFzb25zIChzdWNoCiAgIGFzIHRoZSBtZWRpYSBzZXJ2ZXIgZW5jb3VudGVyaW5n IGFuIGVycm9yKSwgdGhpcyBwYXJhbWV0ZXIgbWF5IGJlCiAgIG9taXR0ZWQsIG9yIG1heSB0YWtl IG9uIHBsYXRmb3JtLXNwZWNpZmljIHZhbHVlcyBwcmVmaXhlZCB3aXRoIGFuCiAgIHVuZGVyc2Nv cmUuCgogICBUaGlzIHNwZWNpZmljYXRpb24gZXh0ZW5kcyB0aGUgYXBwbGljYXRpb24veC13d3ct Zm9ybS11cmxlbmNvZGVkIGJ5CiAgIHJlcGxhY2luZyBub24tQVNDSUkgY2hhcmFjdGVycyB3aXRo IG9uZSBvciBtb3JlIG9jdGV0cyBvZiB0aGUgVVRGLTgKICAgcmVwcmVzZW50YXRpb24gb2YgdGhl IGNoYXJhY3Rlciwgd2l0aCBlYWNoIG9jdGV0IGluIHR1cm4gcmVwbGFjZWQgYnkKICAgJUhILCB3 aGVyZSBISCByZXByZXNlbnRzIHRoZSB1cHBlcmNhc2UgaGV4YWRlY2ltYWwgbm90YXRpb24gZm9y IHRoZQogICBvY3RldCB2YWx1ZSBhbmQgJSBpcyBhIGxpdGVyYWwgY2hhcmFjdGVyLiAgQXMgYSBj b25zZXF1ZW5jZSwgdGhlCiAgIENvbnRlbnQtVHlwZSBoZWFkZXIgZmllbGQgaW4gYSBCWUUgbWVz c2FnZSBjb250YWluaW5nIGV4cHIvbmFtZWxpc3QKICAgZGF0YSBNVVNUIGJlIHNldCB0byBhcHBs aWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ7Y2hhcnNldD11dGYtOC4KCiAgIFRoZSBmb2xs b3dpbmcgdGFibGUgcHJvdmlkZXMgc29tZSBleGFtcGxlcyBvZiA8ZXhpdD4gdXNhZ2UgYW5kIHRo ZQogICBjb3JyZXNwb25kaW5nIHJlc3VsdCBjb250ZW50LgoKCgoKCgoKCgoKCgoKQnVya2UgJiBT Y290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgW1Bh Z2UgMjhdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEg U2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKwogICAgfDxleGl0PiBVc2Fn ZSAgICAgICAgICAgICAgICAgIHwgUmVzdWx0IENvbnRlbnQgICAgICAgICAgICAgICAgICB8CiAg ICB8LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tfC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLXwKICAgIHw8ZXhpdC8+ICAgICAgICAgICAgICAgICAgICAgICB8IF9fcmVhc29u PWV4aXQgICAgICAgICAgICAgICAgICAgfAogICAgfDxleGl0IGV4cHI9IjUiLz4gICAgICAgICAg ICAgIHwgX19leGl0PTUmX19yZWFzb249ZXhpdCAgICAgICAgICB8CiAgICB8PGV4aXQgZXhwcj0i J2RvbmUnIi8+ICAgICAgICAgfCBfX2V4aXQ9ImRvbmUiJl9fcmVhc29uPWV4aXQgICAgIHwKICAg IHw8ZXhpdCBleHByPSJ1c2VyQXV0aG9yaXplZCIvPiB8IF9fZXhpdD10cnVlJl9fcmVhc29uPWV4 aXQgICAgICAgfAogICAgfDxleGl0IG5hbWVsaXN0PSJwaW4gZXJyb3JzIi8+IHwgcGluPTEyMzQm ZXJyb3JzPTAmX19yZWFzb249ZXhpdCB8CiAgICArLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKICAgIGFzc3VtaW5nIHRoZSBm b2xsb3dpbmcgVm9pY2VYTUwgdmFyaWFibGVzIGFuZCB2YWx1ZXM6CiAgICAgICAgdXNlckF1dGhv cml6ZWQgPSB0cnVlCiAgICAgICAgcGluID0gMTIzNAogICAgICAgIGVycm9ycyA9IDAKCiAgIEZv ciBleGFtcGxlLCBjb25zaWRlciB0aGUgVm9pY2VYTUwgc25pcHBldDoKCiAgICAgICAuLi4KICAg ICAgIDxleGl0IG5hbWVsaXN0PSJpZCBwaW4iLz4KICAgICAgIC4uLgoKICAgSWYgaWQgZXF1YWxz IDEyMzQgYW5kIHBpbiBlcXVhbHMgOTk5OSwgc2F5LCB0aGUgQllFIG1lc3NhZ2Ugd291bGQKICAg bG9vayBzaW1pbGFyIHRvOgoKICAgICAgQllFIHNpcDp1c2VyQHBjMzMuZXhhbXBsZS5jb20gU0lQ LzIuMAogICAgICBWaWE6IFNJUC8yLjAvVURQIDE5Mi4wLjIuNDticmFuY2g9ejloRzRiS25hc2hk czEwCiAgICAgIE1heC1Gb3J3YXJkczogNzAKICAgICAgRnJvbTogc2lwOmRpYWxvZ0BleGFtcGxl LmNvbTt0YWc9YTZjODVjZgogICAgICBUbzogc2lwOnVzZXJAZXhhbXBsZS5jb207dGFnPTE5Mjgz MDE3NzQKICAgICAgQ2FsbC1JRDogYTg0YjRjNzZlNjY3MTAKICAgICAgQ1NlcTogMjMxIEJZRQog ICAgICBDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDtjaGFy c2V0PXV0Zi04CiAgICAgIENvbnRlbnQtTGVuZ3RoOiAzMAoKICAgICAgaWQ9MTIzNCZwaW49OTk5 OSZfX3JlYXNvbj1leGl0CgogICBTaW5jZSBzb21lIGFwcGxpY2F0aW9ucyBtYXkgY2hvb3NlIHRv IHRyYW5zZmVyIGNvbmZpZGVudGlhbAogICBpbmZvcm1hdGlvbiwgdGhlIFZvaWNlWE1MIE1lZGlh IFNlcnZlciBNVVNUIHN1cHBvcnQgdGhlIFMvTUlNRQogICBlbmNvZGluZyBvZiBTSVAgbWVzc2Fn ZSBib2RpZXMgYXMgZGlzY3Vzc2VkIGluIFNlY3Rpb24gOS4KCgoKCgoKCgoKCgoKCkJ1cmtlICYg U2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQ YWdlIDI5XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlh IFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjUuICBPdXRib3VuZCBDYWxsaW5nCgogICBPdXRi b3VuZCBjYWxscyBjYW4gYmUgdHJpZ2dlcmVkIHZpYSB0aGUgQXBwbGljYXRpb24gU2VydmVyIHVz aW5nCiAgIHRoaXJkIHBhcnR5IGNhbGwgY29udHJvbCBbUkZDMzcyNV0uCgogICBGbG93IElWIGZy b20gW1JGQzM3MjVdIGlzIHJlY29tbWVuZGVkIGluIGNvbmp1bmN0aW9uIHdpdGggdGhlCiAgIFZv aWNlWE1MIFNlc3Npb24gcHJlcGFyYXRpb24gbWVjaGFuaXNtLiAgVGhpcyBmbG93IGhhcyBzZXZl cmFsCiAgIGFkdmFudGFnZXMgb3ZlciBvdGhlcnMsIG5hbWVseToKCiAgIDEuICBTZWxlY3Rpb24g b2YgYSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgYW5kIHByZXBhcmF0aW9uIG9mIHRoZQogICAgICAg Vm9pY2VYTUwgQXBwbGljYXRpb24gY2FuIG9jY3VyIGJlZm9yZSB0aGUgY2FsbCBpcyBwbGFjZWQg dG8gYXZvaWQKICAgICAgIHRoZSBjYWxsZWUgZXhwZXJpZW5jaW5nIGRlbGF5cy4KCiAgIDIuICBB dm9pZHMgdGltaW5nIGRpZmZpY3VsdGllcyB0aGF0IGNvdWxkIG9jY3VyIHdpdGggb3RoZXIgZmxv d3MgZHVlCiAgICAgICB0byB0aGUgdGltZSB0YWtlbiB0byBmZXRjaCBhbmQgcGFyc2UgdGhlIGlu aXRpYWwgVm9pY2VYTUwKICAgICAgIGRvY3VtZW50LgoKICAgMy4gIFRoZSBmbG93IGlzIElQdjYg Y29tcGF0aWJsZS4KCiAgIEFuIGV4YW1wbGUgZmxvdyBmb3IgYW4gQXBwbGljYXRpb24gU2VydmVy IGluaXRpYXRlZCBvdXRib3VuZCBjYWxsIGlzCiAgIHByb3ZpZGVkIGluIHNlY3Rpb24gMi42LjIu CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBF eHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDMwXQoMCkludGVybmV0 LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBG ZWIgMjAwOQoKCjYuICBDYWxsIFRyYW5zZmVyCgogICBXaGlsZSBWb2ljZVhNTCBpcyBhdCBpdHMg Y29yZSBhIGRpYWxvZyBsYW5ndWFnZSwgaXQgYWxzbyBwcm92aWRlcwogICBvcHRpb25hbCBjYWxs IHRyYW5zZmVyIGNhcGFiaWxpdHkuICBWb2ljZVhNTCdzIHRyYW5zZmVyIGNhcGFiaWxpdHkgaXMK ICAgcGFydGljdWxhcmx5IHN1aXRlZCB0byB0aGUgUFNUTiBJVlIgU2VydmljZSBOb2RlIHVzZS1j YXNlIGRlc2NyaWJlZAogICBpbiBzZWN0aW9uIDEuMS4yLiAgSXQgaXMgTk9UIFJFQ09NTUVOREVE IHRvIHVzZSBWb2ljZVhNTCdzIGNhbGwKICAgdHJhbnNmZXIgY2FwYWJpbGl0eSBpbiBuZXR3b3Jr cyBpbnZvbHZpbmcgQXBwbGljYXRpb24gU2VydmVycy4KICAgUmF0aGVyLCB0aGUgQXBwbGljYXRp b24gU2VydmVyIGl0c2VsZiBjYW4gcHJvdmlkZSBjYWxsIHJvdXRpbmcKICAgZnVuY3Rpb25hbGl0 eSBieSB0YWtpbmcgc2lnbmFsaW5nIGFjdGlvbnMgYmFzZWQgb24gdGhlIGRhdGEgcmV0dXJuZWQK ICAgdG8gaXQgZnJvbSB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIHZpYSBIVFRQIG9yIGluIHRo ZSBTSVAgQllFCiAgIG1lc3NhZ2UuCgogICBJZiBWb2ljZVhNTCB0cmFuc2ZlciBpcyBzdXBwb3J0 ZWQsIHRoZSBtZWNoYW5pc20gZGVzY3JpYmVkIGluIHRoaXMKICAgc2VjdGlvbiBNVVNUIGJlIGVt cGxveWVkLiAgVGhlIHRyYW5zZmVyIGZsb3dzIHNwZWNpZmllZCBoZXJlIGFyZQogICBzZWxlY3Rl ZCBvbiB0aGUgYmFzaXMgdGhhdCB0aGV5IHByb3ZpZGUgdGhlIGJlc3QgaW50ZXJ3b3JraW5nIGFj cm9zcwogICBhIHdpZGUgcmFuZ2Ugb2YgU0lQIGRldmljZXMuICBDQ1hNTDwtPlZvaWNlWE1MIGlt cGxlbWVudGF0aW9ucywgd2hpY2gKICAgcmVxdWlyZSB0aWdodC1jb3VwbGluZyBpbiB0aGUgZm9y bSBvZiBiaS1kaXJlY3Rpb25hbCBldmVudGluZyB0bwogICBzdXBwb3J0IGFsbCB0cmFuc2ZlciB0 eXBlcyBkZWZpbmVkIGluIFZvaWNlWE1MLCBtYXkgYmVuZWZpdCBmcm9tCiAgIG90aGVyIGFwcHJv YWNoZXMsIHN1Y2ggYXMgdGhlIHVzZSBvZiBTSVAgZXZlbnQgcGFja2FnZXMgW1JGQzMyNjVdLgoK ICAgSW4gd2hhdCBmb2xsb3dzLCB0aGUgcHJvdmlzaW9uYWwgcmVzcG9uc2VzIGhhdmUgYmVlbiBv bWl0dGVkIGZvcgogICBjbGFyaXR5LgoKNi4xLiAgQmxpbmQKCiAgIFRoZSBibGluZCB0cmFuc2Zl ciBzZXF1ZW5jZSBpcyBpbml0aWF0ZWQgYnkgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlcgogICB2 aWEgYSBSRUZFUiBtZXNzYWdlIFtSRkMzNTE1XSBvbiB0aGUgb3JpZ2luYWwgU0lQIGRpYWxvZy4g IFRoZQogICBSZWZlci1UbyBoZWFkZXIgY29udGFpbnMgdGhlIFVSSSBmb3IgdGhlIGNhbGxlZCBw YXJ0eSwgYXMgc3BlY2lmaWVkCiAgIHZpYSB0aGUgJ2Rlc3QnIG9yICdkZXN0ZXhwcicgYXR0cmli dXRlcyBvbiB0aGUgVm9pY2VYTUwgPHRyYW5zZmVyPgogICB0YWcuCgogICBJZiB0aGUgUkVGRVIg cmVxdWVzdCBpcyBhY2NlcHRlZCwgaW4gd2hpY2ggY2FzZSB0aGUgVm9pY2VYTUwgTWVkaWEKICAg U2VydmVyIHdpbGwgcmVjZWl2ZSBhIDJ4eCByZXNwb25zZSwgdGhlIFZvaWNlWE1MIE1lZGlhIFNl cnZlciB0aHJvd3MKICAgdGhlIGNvbm5lY3Rpb24uZGlzY29ubmVjdC50cmFuc2ZlciBldmVudCBh bmQgd2lsbCB0ZXJtaW5hdGUgdGhlCiAgIFZvaWNlWE1MIFNlc3Npb24gd2l0aCBhIEJZRSBtZXNz YWdlLiAgRm9yIGJsaW5kIHRyYW5zZmVycywKICAgaW1wbGVtZW50YXRpb25zIE1BWSB1c2UgW1JG QzQ0ODhdIHRvIHN1cHByZXNzIHRoZSBpbXBsaWNpdAogICBzdWJzY3JpcHRpb24gYXNzb2NpYXRl ZCB3aXRoIHRoZSBSRUZFUiBtZXNzYWdlLgoKICAgSWYgdGhlIFJFRkVSIHJlcXVlc3QgcmVzdWx0 cyBpbiBhIG5vbi0yeHggcmVzcG9uc2UsIHRoZSA8dHJhbnNmZXI+J3MKICAgZm9ybSBpdGVtIHZh cmlhYmxlIChvciBldmVudCByYWlzZWQpIGRlcGVuZHMgb24gdGhlIFNJUCByZXNwb25zZSBhbmQK ICAgaXMgc3BlY2lmaWVkIGluIHRoZSBmb2xsb3dpbmcgdGFibGUuICBOb3RlIHRoYXQgdGhpcyBp bmRpY2F0ZXMgdGhhdAogICB0aGUgdHJhbnNmZXIgcmVxdWVzdCB3YXMgcmVqZWN0ZWQuCgoKCgoK CgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAg ICAgICAgICAgIFtQYWdlIDMxXQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZv aWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCiAgICArLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKICAgIHwg U0lQIFJlc3BvbnNlICAgICAgICAgICAgfCA8dHJhbnNmZXI+IHZhcmlhYmxlIC8gZXZlbnQgICAg ICAgfAogICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0rCiAgICB8IDQwNCBOb3QgRm91bmQgICAgICAgICAgIHwgZXJyb3IuY29u bmVjdGlvbi5iYWRkZXN0aW5hdGlvbiAgIHwKICAgIHwgNDA1IE1ldGhvZCBOb3QgQWxsb3dlZCAg fCBlcnJvci51bnN1cHBvcnRlZC50cmFuc2Zlci5ibGluZCAgfAogICAgfCA1MDMgU2VydmljZSBV bmF2YWlsYWJsZSB8IGVycm9yLmNvbm5lY3Rpb24ubm9yZXNvdXJjZSAgICAgICB8CiAgICB8IChO byByZXNwb25zZSkgICAgICAgICAgIHwgbmV0d29ya19idXN5ICAgICAgICAgICAgICAgICAgICAg IHwKICAgIHwgKE90aGVyIDN4eC80eHgvNXh4LzZ4eCkgfCB1bmtub3duICAgICAgICAgICAgICAg ICAgICAgICAgICAgfAogICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCgoKICAgQW4gZXhhbXBsZSBpcyBpbGx1c3RyYXRlZCBi ZWxvdyAocHJvdmlzaW9uYWwgcmVzcG9uc2VzIGFuZCBOT1RJRlkKICAgbWVzc2FnZXMgY29ycmVz cG9uZGluZyB0byBwcm92aXNpb25hbCByZXNwb25zZXMgaGF2ZSBiZWVuIG9taXR0ZWQgZm9yCiAg IGNsYXJpdHkpLgoKICAgVXNlciBBZ2VudCAxICAgICAgICBWb2ljZVhNTCAgICAgICAgVXNlciBB Z2VudCAyCiAgICAgKENhbGxlcikgICAgICAgIE1lZGlhIFNlcnZlciAgICAgICAgKENhbGxlZSkK ICAgICAgICB8ICAgICAgICAgICAgICAgICB8ICAgICAgICAgICAgICAgICB8CiAgICAgICAgfCgw KSBSVFAvU1JUUCAgICAgfCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwuLi4uLi4uLi4uLi4u Li4uLnwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8ICAgICAgICAgICAgICAgICB8ICAgICAg ICAgICAgICAgICB8CiAgICAgICAgfCgxKSBSRUZFUiAgICAgICAgfCA8dHJhbnNmZXI+ICAgICAg fAogICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLXwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8 KDIpIDIwMiBBY2NlcHRlZCB8ICAgICAgICAgICAgICAgICB8CiAgICAgICAgfC0tLS0tLS0tLS0t LS0tLS0+fCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwoMykgQllFICAgICAgICAgIHwgICAg ICAgICAgICAgICAgIHwKICAgICAgICB8PC0tLS0tLS0tLS0tLS0tLS18ICAgICAgICAgICAgICAg ICB8CiAgICAgICAgfCg0KSAyMDAgT0sgICAgICAgfCAgICAgICAgICAgICAgICAgfAogICAgICAg IHwtLS0tLS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8ICAgICAgICAg ICAgICAgICB8IFN0b3AgUlRQICgwKSAgICB8CiAgICAgICAgfCg1KSBJTlZJVEUgICAgICAgICAg ICAgICAgICAgICAgICAgfAogICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tPnwKICAgICAgICB8KDYpIDIwMCBPSyAgICAgICAgICAgICAgICAgICAgICAgICB8CiAgICAg ICAgfDwtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tfAogICAgICAgIHwoNykgTk9U SUZZICAgICAgIHwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8LS0tLS0tLS0tLS0tLS0tLT58 ICAgICAgICAgICAgICAgICB8CiAgICAgICAgfCg4KSAyMDAgT0sgICAgICAgfCAgICAgICAgICAg ICAgICAgfAogICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tIHwgICAgICAgICAgICAgICAgIHwKICAg ICAgICB8KDkpIEFDSyAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CiAgICAgICAgfC0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0+fAogICAgICAgIHwoMTApIFJUUC9TUlRQICAg ICAgICAgICAgICAgICAgICAgIHwKICAgICAgICB8Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi58CiAgICAgICAgfCAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgfAoK CiAgIElmIHRoZSAiYWFpIiBvciAiYWFpZXhwciIgYXR0cmlidXRlIGlzIHByZXNlbnQgb24gPHRy YW5zZmVyPiwgaXQgaXMKICAgYXBwZW5kZWQgdG8gdGhlIFJlZmVyLVRvIFVSSSBhcyBhIHBhcmFt ZXRlciBuYW1lZCAiYWFpIiBpbiB0aGUgUkVGRVIKICAgbWV0aG9kLiAgUmVzZXJ2ZWQgY2hhcmFj dGVycyBhcmUgVVJMLWVuY29kZWQgYXMgcmVxdWlyZWQgZm9yIFNJUC9TSVBTCgoKCkJ1cmtlICYg U2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQ YWdlIDMyXQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlh IFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCiAgIFVSSXMgW1JGQzMyNjFdLiAgVGhlIG1hcHBp bmcgb2YgdmFsdWVzIG91dHNpZGUgb2YgdGhlIEFTQ0lJIHJhbmdlIGlzCiAgIHBsYXRmb3JtIHNw ZWNpZmljLgoKNi4yLiAgQnJpZGdlCgogICBUaGUgYnJpZGdlIHRyYW5zZmVyIGZ1bmN0aW9uIHJl c3VsdHMgaW4gdGhlIGNyZWF0aW9uIG9mIGEgc21hbGwKICAgbXVsdGktcGFydHkgc2Vzc2lvbiBp bnZvbHZpbmcgdGhlIENhbGxlciwgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciwKICAgYW5kIHRo ZSBDYWxsZWUuICBUaGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGludml0ZXMgdGhlIENhbGxlZSB0 byB0aGUKICAgc2Vzc2lvbiBhbmQgd2lsbCBlamVjdCB0aGUgQ2FsbGVlIGlmIHRoZSB0cmFuc2Zl ciBpcyB0ZXJtaW5hdGVkLgoKICAgSWYgdGhlICJhYWkiIG9yICJhYWlleHByIiBhdHRyaWJ1dGUg aXMgcHJlc2VudCBvbiA8dHJhbnNmZXI+LCBpdCBpcwogICBhcHBlbmRlZCB0byB0aGUgUmVxdWVz dC1VUkkgaW4gdGhlIElOVklURSBhcyBhIFVSSSBwYXJhbWV0ZXIgbmFtZWQKICAgImFhaSIuICBS ZXNlcnZlZCBjaGFyYWN0ZXJzIGFyZSBVUkwtZW5jb2RlZCBhcyByZXF1aXJlZCBmb3IgU0lQL1NJ UFMKICAgVVJJcyBbUkZDMzI2MV0uICBUaGUgbWFwcGluZyBvZiB2YWx1ZXMgb3V0c2lkZSBvZiB0 aGUgQVNDSUkgcmFuZ2UgaXMKICAgcGxhdGZvcm0gc3BlY2lmaWMuCgogICBEdXJpbmcgdGhlIHRy YW5zZmVyIGF0dGVtcHQsIGF1ZGlvIHNwZWNpZmllZCBpbiB0aGUgdHJhbnNmZXJhdWRpbwogICBh dHRyaWJ1dGUgb2YgPHRyYW5zZmVyPiBpcyBzdHJlYW1lZCB0byBVc2VyIEFnZW50IDEuICBBIFZv aWNlWE1MCiAgIE1lZGlhIFNlcnZlciBNQVkgcGxheSBlYXJseSBtZWRpYSByZWNlaXZlZCBmcm9t IHRoZSBDYWxsZWUgdG8gdGhlCiAgIENhbGxlciBpZiB0aGUgdHJhbnNmZXJhdWRpbyBhdHRyaWJ1 dGUgaXMgb21pdHRlZC4KCiAgIFRoZSBicmlkZ2UgdHJhbnNmZXIgc2VxdWVuY2UgaXMgaWxsdXN0 cmF0ZWQgYmVsb3cuICBUaGUgVm9pY2VYTUwKICAgTWVkaWEgU2VydmVyIChhY3RpbmcgYXMgYSBV QUMpIG1ha2VzIGEgY2FsbCB0byBVc2VyIEFnZW50IDIgd2l0aCB0aGUKICAgc2FtZSBjb2RlY3Mg dXNlZCBieSBVc2VyIEFnZW50IDEuICBXaGVuIHRoZSBjYWxsIHNldHVwIGlzIGNvbXBsZXRlLAog ICBSVFAgZmxvd3MgYmV0d2VlbiBVc2VyIEFnZW50IDIgYW5kIHRoZSBWb2ljZVhNTCBNZWRpYSBT ZXJ2ZXIuICBUaGlzCiAgIHN0cmVhbSBpcyBtaXhlZCB3aXRoIFVzZXIgQWdlbnQgMSdzLgoKICAg VXNlciBBZ2VudCAxICAgICAgICAgVm9pY2VYTUwgICAgICAgICAgVXNlciBBZ2VudCAyCiAgICAg KENhbGxlcikgICAgICAgICBNZWRpYSBTZXJ2ZXIgICAgICAgICAgKENhbGxlZSkKICAgICAgIHwg ICAgICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgICB8CiAgICAgICB8KDApUlRQL1NS VFAgICAgICAgIHwgICAgICAgICAgICAgICAgICAgfAogICAgICAgfC4uLi4uLi4uLi4uLi4uLi4u Li58ICAgICAgICAgICAgICAgICAgIHwKICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCAgICAg ICAgICAgICAgICAgICB8CiAgICAgICB8ICAgICAgICAgPHRyYW5zZmVyPnwoMSlJTlZJVEUgW29m ZmVyXSAgfAogICAgICAgfCAgICAgICAgICAgICAgICAgICB8LS0tLS0tLS0tLS0tLS0tLS0tPnwK ICAgICAgIHwgICAgICAgICAgICAgICAgICAgfCgyKSAyMDAgT0sgW2Fuc3dlcl18CiAgICAgICB8 ICAgICAgICAgICAgICAgICAgIHw8LS0tLS0tLS0tLS0tLS0tLS0tfAogICAgICAgfCAgICAgICAg ICAgICAgICAgICB8KDMpIEFDSyAgICAgICAgICAgIHwKICAgICAgIHwgICAgICAgICAgICAgICAg ICAgfC0tLS0tLS0tLS0tLS0tLS0tLT58CiAgICAgICB8ICAgICAgICAgICAgICAgICAgIHwoNCkg UlRQL1NSVFAgICAgICAgfAogICAgICAgfCAgICAgICAgICAgICAgbWl4ICB8Li4uLi4uLi4uLi4u Li4uLi4uLnwKICAgICAgIHwgICAgICAgICAgICAoMCkrKDQpfCAgICAgICAgICAgICAgICAgICB8 CgoKICAgSWYgYSBmaW5hbCByZXNwb25zZSBpcyBub3QgcmVjZWl2ZWQgZnJvbSBVc2VyIEFnZW50 IDIgZnJvbSB0aGUgSU5WSVRFCiAgIGFuZCB0aGUgY29ubmVjdHRpbWVvdXQgZXhwaXJlcyAoc3Bl Y2lmaWVkIGFzIGFuIGF0dHJpYnV0ZSBvZgogICA8dHJhbnNmZXI+KSwgdGhlIFZvaWNlWE1MIE1l ZGlhIFNlcnZlciB3aWxsIGlzc3VlIGEgQ0FOQ0VMIHRvCiAgIHRlcm1pbmF0ZSB0aGUgdHJhbnNh Y3Rpb24gYW5kIHRoZSA8dHJhbnNmZXI+J3MgZm9ybSBpdGVtIHZhcmlhYmxlIGlzCgoKCkJ1cmtl ICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAg IFtQYWdlIDMzXQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1l ZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCiAgIHNldCB0byBub2Fuc3dlci4KCiAgIElm IElOVklURSByZXN1bHRzIGluIGEgbm9uLTJ4eCByZXNwb25zZSwgdGhlIDx0cmFuc2Zlcj4ncyBm b3JtIGl0ZW0KICAgdmFyaWFibGUgKG9yIGV2ZW50IHJhaXNlZCkgZGVwZW5kcyBvbiB0aGUgU0lQ IHJlc3BvbnNlIGFuZCBpcwogICBzcGVjaWZpZWQgaW4gdGhlIGZvbGxvd2luZyB0YWJsZS4KCgog ICAgKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rCiAgICB8IFNJUCBSZXNwb25zZSAgICAgICAgICAgIHwgPHRyYW5zZmVyPiB2YXJp YWJsZSAvIGV2ZW50ICAgICAgIHwKICAgICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKwogICAgfCA0MDQgTm90IEZvdW5kICAgICAg ICAgICB8IGVycm9yLmNvbm5lY3Rpb24uYmFkZGVzdGluYXRpb24gICB8CiAgICB8IDQwNSBNZXRo b2QgTm90IEFsbG93ZWQgIHwgZXJyb3IudW5zdXBwb3J0ZWQudHJhbnNmZXIuYnJpZGdlIHwKICAg IHwgNDA4IFJlcXVlc3QgVGltZW91dCAgICAgfCBub2Fuc3dlciAgICAgICAgICAgICAgICAgICAg ICAgICAgfAogICAgfCA0ODYgQnVzeSBIZXJlICAgICAgICAgICB8IGJ1c3kgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICB8CiAgICB8IDUwMyBTZXJ2aWNlIFVuYXZhaWxhYmxlIHwgZXJyb3Iu Y29ubmVjdGlvbi5ub3Jlc291cmNlICAgICAgIHwKICAgIHwgKE5vIHJlc3BvbnNlKSAgICAgICAg ICAgfCBuZXR3b3JrX2J1c3kgICAgICAgICAgICAgICAgICAgICAgfAogICAgfCAoT3RoZXIgM3h4 LzR4eC81eHgvNnh4KSB8IHVua25vd24gICAgICAgICAgICAgICAgICAgICAgICAgICB8CiAgICAr LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLSsKCgogICBPbmNlIHRoZSB0cmFuc2ZlciBpcyBlc3RhYmxpc2hlZCwgdGhlIFZvaWNlWE1M IE1lZGlhIFNlcnZlciBjYW4KICAgImxpc3RlbiIgdG8gdGhlIG1lZGlhIHN0cmVhbSBmcm9tIFVz ZXIgQWdlbnQgMSB0byBwZXJmb3JtIHNwZWVjaCBvcgogICBEVE1GIGhvdHdvcmQsIHdoaWNoIHdo ZW4gbWF0Y2hlZCByZXN1bHRzIGluIGEgbmVhci1lbmQgZGlzY29ubmVjdCwKICAgaS5lLiB0aGUg Vm9pY2VYTUwgTWVkaWEgU2VydmVyIGlzc3VlcyBhIEJZRSB0byBVc2VyIEFnZW50IDIgYW5kIHRo ZQogICBWb2ljZVhNTCBBcHBsaWNhdGlvbiBjb250aW51ZXMgd2l0aCBVc2VyIEFnZW50IDEuICBB IEJZRSB3aWxsIGFsc28gYmUKICAgaXNzdWVkIHRvIFVzZXIgQWdlbnQgMiBpZiB0aGUgY2FsbCBk dXJhdGlvbiBleGNlZWRzIHRoZSBtYXhpbXVtCiAgIGR1cmF0aW9uIHNwZWNpZmllZCBpbiB0aGUg bWF4dGltZSBhdHRyaWJ1dGUgb24gPHRyYW5zZmVyPi4KCiAgIElmIFVzZXIgQWdlbnQgMiBpc3N1 ZXMgYSBCWUUgZHVyaW5nIHRoZSB0cmFuc2ZlciwgdGhlIHRyYW5zZmVyCiAgIHRlcm1pbmF0ZXMg YW5kIHRoZSBWb2ljZVhNTCA8dHJhbnNmZXI+J3MgZm9ybSBpdGVtIHZhcmlhYmxlIHJlY2VpdmVz CiAgIHRoZSB2YWx1ZSBmYXJfZW5kX2Rpc2Nvbm5lY3QuICBJZiBVc2VyIEFnZW50IDEgaXNzdWVz IGEgQllFIGR1cmluZwogICB0aGUgdHJhbnNmZXIsIHRoZSB0cmFuc2ZlciB0ZXJtaW5hdGVzIGFu ZCB0aGUgVm9pY2VYTUwgZXZlbnQKICAgY29ubmVjdGlvbi5kaXNjb25uZWN0LnRyYW5zZmVyIGlz IHRocm93bi4KCjYuMy4gIENvbnN1bHRhdGlvbgoKICAgVGhlIGNvbnN1bHRhdGlvbiB0cmFuc2Zl ciAoYWxzbyBjYWxsZWQgYXR0ZW5kZWQgdHJhbnNmZXIgW1NJUEVYXSkgaXMKICAgc2ltaWxhciB0 byBhIGJsaW5kIHRyYW5zZmVyIGV4Y2VwdCB0aGF0IHRoZSBvdXRjb21lIG9mIHRoZSB0cmFuc2Zl cgogICBjYWxsIHNldHVwIGlzIGtub3duIGFuZCB0aGUgQ2FsbGVyIGlzIG5vdCBkcm9wcGVkIGFz IGEgcmVzdWx0IG9mIGFuCiAgIHVuc3VjY2Vzc2Z1bCB0cmFuc2ZlciBhdHRlbXB0LgoKICAgQ29u c3VsdGF0aW9uIHRyYW5zZmVyIGNvbW1lbmNlcyB3aXRoIHRoZSBzYW1lIGZsb3cgYXMgZm9yIGJy aWRnZQogICB0cmFuc2ZlciBleGNlcHQgdGhhdCB0aGUgUlRQIHN0cmVhbXMgYXJlIG5vdCBtaXhl ZCBhdCBzdGVwICg0KSBhbmQKICAgZXJyb3IudW5zdXBwb3J0ZWQudHJhbnNmZXIuY29uc3VsdGF0 aW9uIHN1cHBsYW50cwogICBlcnJvci51bnN1cHBvcnRlZC50cmFuc2Zlci5icmlkZ2UuICBBc3N1 bWluZyBhIG5ldyBTSVAgZGlhbG9nIHdpdGgKICAgVXNlciBBZ2VudCAyIGlzIGNyZWF0ZWQsIHRo ZSByZW1haW5kZXIgb2YgdGhlIHNlcXVlbmNlIGZvbGxvd3MgYXMKICAgaWxsdXN0cmF0ZWQgYmVs b3cgKHByb3Zpc2lvbmFsIHJlc3BvbnNlcyBhbmQgTk9USUZZIG1lc3NhZ2VzCiAgIGNvcnJlc3Bv bmRpbmcgdG8gcHJvdmlzaW9uYWwgcmVzcG9uc2VzIGhhdmUgYmVlbiBvbWl0dGVkIGZvcgoKCgpC dXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAg ICAgICBbUGFnZSAzNF0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhN TCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgogICBjbGFyaXR5KS4gIENvbnN1bHRh dGlvbiB0cmFuc2ZlciBtYWtlcyB1c2Ugb2YgdGhlIFJlcGxhY2VzOiBoZWFkZXIKICAgW1JGQzM4 OTFdIHN1Y2ggdGhhdCBVc2VyIEFnZW50IDEgY2FsbHMgVXNlciBBZ2VudCAyIGFuZCByZXBsYWNl cyB0aGUKICAgbGF0dGVyJ3MgU0lQIGRpYWxvZyB3aXRoIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2 ZXIgd2l0aCBhIG5ldyBTSVAKICAgZGlhbG9nIGJldHdlZW4gdGhlIENhbGxlciBhbmQgQ2FsbGVl LgoKICAgVXNlciBBZ2VudCAxICAgICAgICBWb2ljZVhNTCAgICAgICBVc2VyIEFnZW50IDIKICAg ICAoQ2FsbGVyKSAgICAgICAgTWVkaWEgU2VydmVyICAgICAgIChDYWxsZWUpCiAgICAgICAgfCAg ICAgICAgICAgICAgICAgfCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwoMCkgUlRQL1NSVFAg ICAgIHwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8Li4uLi4uLi4uLi4uLi4uLi58KDQpIFJU UC9TUlRQICAgICB8CiAgICAgICAgfCAgICAgICAgICAgICAgICAgfC4uLi4uLi4uLi4uLi4uLi4u fAogICAgICAgIHwoNSkgUkVGRVIgICAgICAgIHwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8 PC0tLS0tLS0tLS0tLS0tLS18ICAgICAgICAgICAgICAgICB8CiAgICAgICAgfCg2KSAyMDIgQWNj ZXB0ZWQgfCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tPnwgICAg ICAgICAgICAgICAgIHwKICAgICAgICB8KDcpIElOVklURSBSZXBsYWNlczptczEuZXhhbXBsZS5j b218CiAgICAgICAgfC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0+fAogICAgICAg IHwoOCkgMjAwIE9LICAgICAgICAgICAgICAgICAgICAgICAgIHwKICAgICAgICB8PC0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS18CiAgICAgICAgfCg5KSBBQ0sgICAgICAgICAgICAg ICAgICAgICAgICAgICAgfAogICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tPnwKICAgICAgICB8KDEwKSBSVFAvU1JUUCAgICAgICAgICAgICAgICAgICAgICB8CiAgICAg ICAgfC4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4ufAogICAgICAgIHwgICAgICAg ICAgICAgICAgIHwoMTEpIEJZRSAgICAgICAgIHwKICAgICAgICB8ICAgICAgICAgICAgICAgICB8 PC0tLS0tLS0tLS0tLS0tLS18CiAgICAgICAgfCAgICAgICAgICAgICAgICAgfCgxMikgMjAwIE9L ICAgICAgfAogICAgICAgIHwgICAgICAgICAgICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tPnwgU3Rv cAogICAgICAgIHwoMTMpIE5PVElGWSAgICAgIHwgICAgICAgICAgICAgICAgIHwgUlRQICg0KQog ICAgICAgIHwtLS0tLS0tLS0tLS0tLS0tPnwgICAgICAgICAgICAgICAgIHwKICAgICAgICB8KDE0 KSAyMDAgT0sgICAgICB8ICAgICAgICAgICAgICAgICB8CiAgICAgICAgfDwtLS0tLS0tLS0tLS0t LS0tfCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwoMTUpIEJZRSAgICAgICAgIHwgICAgICAg ICAgICAgICAgIHwKICAgICAgICB8PC0tLS0tLS0tLS0tLS0tLS18ICAgICAgICAgICAgICAgICB8 CiAgICAgICAgfCgxNikgMjAwIE9LICAgICAgfCAgICAgICAgICAgICAgICAgfAogICAgICAgIHwt LS0tLS0tLS0tLS0tLS0tPnwgU3RvcCAgICAgICAgICAgIHwKICAgICAgICB8ICAgICAgICAgICAg ICAgICB8IFJUUCAoMCkgICAgICAgICB8CgogICBJZiBhIHJlc3BvbnNlIG90aGVyIHRoYW4gMjAy IEFjY2VwdGVkIGlzIHJlY2V2aWVkIGluIHJlc3BvbnNlIHRvIHRoZQogICBSRUZFUiByZXF1ZXN0 IHNlbnQgdG8gVXNlciBBZ2VudCAxLCB0aGUgdHJhbnNmZXIgdGVybWluYXRlcywgYW5kIGFuCiAg IGVycm9yLnVuc3VwcG9ydGVkLnRyYW5zZmVyLmNvbnN1bHRhdGlvbiBldmVudCBpcyByYWlzZWQu ICBJbgogICBhZGRpdGlvbiwgYSBCWUUgaXMgc2VudCB0byBVc2VyIEFnZW50IDIgdG8gdGVybWlu YXRlIHRoZSBlc3RhYmxpc2hlZAogICBvdXRib3VuZCBsZWcuCgogICBUaGUgVm9pY2VYTUwgTWVk aWEgU2VydmVyIHVzZXMgcmVjZWlwdCBvZiBhIE5PVElGWSBtZXNzYWdlIHdpdGggYQogICBzaXBm cmFnIG1lc3NhZ2Ugb2YgMjAwIE9LIHRvIGRldGVybWluZSB0aGF0IHRoZSBjb25zdWx0YXRpb24g dHJhbnNmZXIKICAgaGFzIHN1Y2NlZWRlZC4gIFdoZW4gdGhpcyBvY2N1cnMsIHRoZSBjb25uZWN0 aW9uLmRpc2Nvbm5lY3QudHJhbnNmZXIKICAgZXZlbnQgd2lsbCBiZSB0aHJvd24gdG8gdGhlIFZv aWNlWE1MIGFwcGxpY2F0aW9uLCBhbmQgYSBCWUUgaXMgc2VudAogICB0byBVc2VyIEFnZW50IDEg dG8gdGVybWluYXRlIHRoZSBzZXNzaW9uLiAgQSBOT1RJRlkgbWVzc2FnZSB3aXRoIGEKCgoKQnVy a2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAg ICAgW1BhZ2UgMzVdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwg TWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgbm9uLTJ4eCBmaW5hbCByZXNwb25z ZSBzaXBmcmFnIG1lc3NhZ2UgYm9keSB3aWxsIHJlc3VsdCBpbiB0aGUKICAgdHJhbnNmZXIgdGVy bWluYXRpbmcgYW5kIHRoZSBhc3NvY2lhdGVkIFZvaWNlWE1MIGlucHV0IGl0ZW0gdmFyaWFibGUK ICAgYmVpbmcgc2V0IHRvICd1bmtub3duJy4gIE5vdGUgdGhhdCBhcyBhIGNvbnNlcXVlbmNlIG9m IHRoaXMKICAgbWVjaGFuaXNtLCBpbXBsZW1lbnRhdGlvbnMgTVVTVCBOT1QgdXNlIFtSRkM0NDg4 XSB0byBzdXBwcmVzcyB0aGUKICAgaW1wbGljaXQgc3Vic2NyaXB0aW9uIGFzc29jaWF0ZWQgd2l0 aCB0aGUgUkVGRVIgbWVzc2FnZSBmb3IKICAgY29uc3VsdGF0aW9uIHRyYW5zZmVycy4KCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKQnVya2UgJiBTY290dCAgICAg ICAgICAgIEV4cGlyZXMgQXVndXN0IDEyLCAyMDA5ICAgICAgICAgICAgICAgW1BhZ2UgMzZdCgwK SW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMg ICAgICAgIEZlYiAyMDA5CgoKNy4gIENvbnRyaWJ1dG9ycwoKICAgVGhlIGJ1bGsgb2YgdGhlIGVh cmx5IHdvcmsgZm9yIHRoaXMgZWZmb3J0IHdhcyBjYXJyaWVkIG91dCBvbiB3ZWVrbHkKICAgdGVs ZWNvbmZlcmVuY2VzIGFuZCBvdmVyIGUtbWFpbC4gIFRoZSBhdXRob3JzIHdvdWxkIHBhcnRpY3Vs YXJseSBsaWtlCiAgIHRvIHJlY29nbml6ZSB0aGUgY29udHJpYnV0aW9ucyBvZiBSLiBKLiBBdWJ1 cm4gKFZveGVvKSwgSmVmZiBIYXluaWUKICAgKEhha2FubyksIGFuZCBTY290dCBNY0dsYXNoYW4g KEhld2xldHQtUGFja2FyZCkuCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAg ICAgICAgICAgICAgIFtQYWdlIDM3XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRv IFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjguICBBY2tub3dsZWRn ZW1lbnRzCgogICBUaGlzIGRvY3VtZW50IG93ZXMgaXRzIGdlbmVzaXMgdG8gdGhlIGV4cGlyZWQg SW50ZXJuZXQtRHJhZnQsICJBIFNJUAogICBJbnRlcmZhY2UgdG8gVm9pY2VYTUwgRGlhbG9nIFNl cnZlcnMiLCBhdXRob3JlZCBieSBKLiBSb3NlbmJlcmcsIFAuCiAgIE1hdGFnYSwgYW5kIEQuIExh ZGQuICBUaGUgZm9sbG93aW5nIHBlb3BsZSBoYWQgaW5wdXQgdG8gdGhlIGN1cnJlbnQKICAgZG9j dW1lbnQ6CgogICAgICBSLiBKLiBBdWJ1cm4gKFZveGVvKQoKICAgICAgSGFucyBCanVyc3Ryb20g KEhld2xldHQtUGFja2FyZCkKCiAgICAgIEVtaWx5IENhbmRlbGwgKENvbXZlcnNlKQoKICAgICAg UGV0ZXIgRGFuaWVsc2VuIChMdWNlbnQpCgogICAgICBCcmlhbiBGcmFzY2EgKFRlbGxtZSkKCiAg ICAgIEplZmYgSGF5bmllIChIYWthbm8pCgogICAgICBTY290dCBNY0dsYXNoYW4gKEhld2xldHQt UGFja2FyZCkKCiAgICAgIE1hdHQgT3NocnkgKFRlbGxtZSkKCiAgICAgIFJhbyBTdXJhcGFuZW5p IChUZWxsbWUpCgogICBUaGUgYXV0aG9ycyB3b3VsZCBsaWtlIHRvIGFja25vd2xlZGdlIHRoZSBz dXBwb3J0IG9mIEN1bGxlbiBKZW5uaW5ncwogICBhbmQgdGhlIE1lZGlhY3RybCBjaGFpcnMsIEVy aWMgQnVyZ2VyIGFuZCBTcGVuY2VyIERhd2tpbnMuCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCkJ1 cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAg ICAgIFtQYWdlIDM4XQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1M IE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjkuICBTZWN1cml0eSBDb25zaWRlcmF0 aW9ucwoKICAgRXhwb3NpbmcgYSBWb2ljZVhNTCBtZWRpYSBzZXJ2aWNlIHdpdGggYSB3ZWxsLWtu b3duIGFkZHJlc3MgbWF5CiAgIGVuaGFuY2UgdGhlIHBvc3NpYmlsaXR5IG9mIGV4cGxvaXRhdGlv biAoZm9yIGV4YW1wbGUgYW4gaW52b2tlZAogICBuZXR3b3JrIHNlcnZpY2UgbWF5IHRyaWdnZXIg YSBiaWxsaW5nIGV2ZW50KS4gIFRoZSBWb2ljZVhNTCBNZWRpYQogICBTZXJ2ZXIgaXMgUkVDT01N RU5ERUQgdG8gdXNlIHN0YW5kYXJkIFNJUCBtZWNoYW5pc21zIFtSRkMzMjYxXSB0bwogICBhdXRo ZW50aWNhdGUgcmVxdWVzdGluZyBlbmRwb2ludHMgYW5kIGF1dGhvcml6ZSBwZXIgbG9jYWwgcG9s aWN5LgoKICAgU29tZSBhcHBsaWNhdGlvbnMgbWF5IGNob29zZSB0byB0cmFuc2ZlciBjb25maWRl bnRpYWwgaW5mb3JtYXRpb24gdG8KICAgb3IgZnJvbSB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVy LiAgVG8gcHJvdmlkZSBkYXRhIGNvbmZpZGVudGlhbGl0eSwKICAgdGhlIFZvaWNlWE1MIE1lZGlh IFNlcnZlciBNVVNUIGltcGxlbWVudCB0aGUgc2lwczogYW5kIGh0dHBzOiBzY2hlbWVzCiAgIGlu IGFkZGl0aW9uIHRvIFMvTUlNRSBtZXNzYWdlIGJvZHkgZW5jb2RpbmcgYXMgZGVzY3JpYmVkIGlu CiAgIFtSRkMzMjYxXS4KCiAgIFRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBzdXBwb3J0 IFNlY3VyZSBSVFAgKFNSVFApIFtSRkMzNzExXSB0bwogICBwcm92aWRlIGNvbmZpZGVudGlhbGl0 eSwgYXV0aGVudGljYXRpb24sIGFuZCByZXBsYXkgcHJvdGVjdGlvbiBmb3IKICAgUlRQIG1lZGlh IHN0cmVhbXMgKGluY2x1ZGluZyBSVENQIGNvbnRyb2wgdHJhZmZpYykuCgogICBUbyBtaXRpZ2F0 ZSBhZ2FpbnN0IHRoZSBwb3NzaWJpbGl0eSBmb3IgZGVuaWFsIG9mIHNlcnZpY2UgYXR0YWNrcywK ICAgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBpcyBSRUNPTU1FTkRFRCAoaW4gYWRkaXRpb24g dG8KICAgYXV0aGVudGljYXRpbmcgYW5kIGF1dGhvcml6aW5nIGVuZHBvaW50cyBkZXNjcmliZWQg YWJvdmUpIHRvIHByb3ZpZGUKICAgbWVjaGFuaXNtcyBmb3IgaW1wbGVtZW50aW5nIGxvY2FsIHBv bGljaWVzIHN1Y2ggYXMgdGltZS1saW1pdGluZyBvZgogICBWb2ljZVhNTCBhcHBsaWNhdGlvbiBl eGVjdXRpb24uCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJrZSAmIFNjb3R0ICAgICAg ICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSAzOV0KDApJ bnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAg ICAgICAgRmViIDIwMDkKCgoxMC4gIElBTkEgQ29uc2lkZXJhdGlvbnMKCiAgIElBTkEgU0hBTEwg cmVnaXN0ZXIgdGhlIGZvbGxvd2luZyBwYXJhbWV0ZXJzIGluIHRoZSBTSVAvU0lQUyBVUkkKICAg UGFyYW1ldGVycyByZWdpc3RyeSwgZm9sbG93aW5nIHRoZSBzcGVjaWZpY2F0aW9uIHJlcXVpcmVk IHBvbGljeSBvZgogICBSRkMgMzk2OToKCiAgIFBhcmFtZXRlciBOYW1lICAgIFByZWRlZmluZWQg VmFsdWVzICAgIFJlZmVyZW5jZQogICAtLS0tLS0tLS0tLS0tLSAgICAtLS0tLS0tLS0tLS0tLS0t LSAgICAtLS0tLS0tLS0KICAgbWF4YWdlICAgICAgICAgICAgICAgICAgIG5vICAgICAgICAgICAg ICAgVEJECiAgIG1heHN0YWxlICAgICAgICAgICAgICAgICBubyAgICAgICAgICAgICAgIFRCRAog ICBtZXRob2QgICAgICAgICAgICAgICJnZXQiIC8gInBvc3QiICAgICAgICBUQkQKICAgcG9zdGJv ZHkgICAgICAgICAgICAgICAgIG5vICAgICAgICAgICAgICAgVEJECiAgIGNjeG1sICAgICAgICAg ICAgICAgICAgICBubyAgICAgICAgICAgICAgIFRCRAogICBhYWkgICAgICAgICAgICAgICAgICAg ICAgbm8gICAgICAgICAgICAgICBUQkQKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAg ICAgICAgICAgIFtQYWdlIDQwXQoMCkludGVybmV0LURyYWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZv aWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIgMjAwOQoKCjExLiAgQ2hhbmdlcyBzaW5j ZSBsYXN0IHZlcnNpb246CgogICBvICBUaWdodGVuZWQgdXAgU2VjdXJpdHkgQ29uc2lkZXJhdGlv bnMgcGVyIGNvbW1lbnRzIGZyb20gSUVTRyByZXZpZXcKCiAgIG8gIEFkZGVkIG1pc3NpbmcgY2N4 bWwgYW5kIGFhaSBJQU5BIHJlZ2lzdHJhdGlvbnMKCiAgIG8gIE1pc2NlbGxhbmVvdXMgdHlwb3MK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJrZSAmIFNjb3R0 ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSA0 MV0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2 aWNlcyAgICAgICAgRmViIDIwMDkKCgoxMi4gIFJlZmVyZW5jZXMKCjEyLjEuICBOb3JtYXRpdmUg UmVmZXJlbmNlcwoKICAgW0hUTUw0XSAgICBSYWdnZXR0LCBELiwgTGUgSG9ycywgQS4sIGFuZCBJ LiBKYWNvYnMsICJIVE1MIDQuMDEKICAgICAgICAgICAgICBTcGVjaWZpY2F0aW9uIiwgVzNDIFJl Y29tbWVuZGF0aW9uLCBEZWMgMTk5OS4KCiAgIFtSRkMyMTE5XSAgQnJhZG5lciwgUy4sICJLZXkg d29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlCiAgICAgICAgICAgICAgUmVxdWlyZW1l bnQgTGV2ZWxzIiwgQkNQIDE0LCBSRkMgMjExOSwgTWFyY2ggMTk5Ny4KCiAgIFtSRkMyNjE2XSAg RmllbGRpbmcsIFIuLCBHZXR0eXMsIEouLCBNb2d1bCwgSi4sIEZyeXN0eWssIEguLAogICAgICAg ICAgICAgIE1hc2ludGVyLCBMLiwgTGVhY2gsIFAuLCBhbmQgVC4gQmVybmVycy1MZWUsICJIeXBl cnRleHQKICAgICAgICAgICAgICBUcmFuc2ZlciBQcm90b2NvbCAtLSBIVFRQLzEuMSIsIFJGQyAy NjE2LCBKdW5lIDE5OTkuCgogICBbUkZDMzAxNl0gIEtpa3VjaGksIFkuLCBOb211cmEsIFQuLCBG dWt1bmFnYSwgUy4sIE1hdHN1aSwgWS4sIGFuZCBILgogICAgICAgICAgICAgIEtpbWF0YSwgIlJU UCBQYXlsb2FkIEZvcm1hdCBmb3IgTVBFRy00IEF1ZGlvL1Zpc3VhbAogICAgICAgICAgICAgIFN0 cmVhbXMiLCBSRkMgMzAxNiwgTm92ZW1iZXIgMjAwMC4KCiAgIFtSRkMzMjYxXSAgUm9zZW5iZXJn LCBKLiwgU2NodWx6cmlubmUsIEguLCBDYW1hcmlsbG8sIEcuLCBKb2huc3RvbiwKICAgICAgICAg ICAgICBBLiwgUGV0ZXJzb24sIEouLCBTcGFya3MsIFIuLCBIYW5kbGV5LCBNLiwgYW5kIEUuCiAg ICAgICAgICAgICAgU2Nob29sZXIsICJTSVA6IFNlc3Npb24gSW5pdGlhdGlvbiBQcm90b2NvbCIs IFJGQyAzMjYxLAogICAgICAgICAgICAgIEp1bmUgMjAwMi4KCiAgIFtSRkMzMjY0XSAgUm9zZW5i ZXJnLCBKLiBhbmQgSC4gU2NodWx6cmlubmUsICJBbiBPZmZlci9BbnN3ZXIgTW9kZWwKICAgICAg ICAgICAgICB3aXRoIFNlc3Npb24gRGVzY3JpcHRpb24gUHJvdG9jb2wgKFNEUCkiLCBSRkMgMzI2 NCwKICAgICAgICAgICAgICBKdW5lIDIwMDIuCgogICBbUkZDMzI2NV0gIFJvYWNoLCBBLiwgIlNl c3Npb24gSW5pdGlhdGlvbiBQcm90b2NvbCAoU0lQKS1TcGVjaWZpYwogICAgICAgICAgICAgIEV2 ZW50IE5vdGlmaWNhdGlvbiIsIFJGQyAzMjY1LCBKdW5lIDIwMDIuCgogICBbUkZDMzMxMV0gIFJv c2VuYmVyZywgSi4sICJUaGUgU2Vzc2lvbiBJbml0aWF0aW9uIFByb3RvY29sIChTSVApCiAgICAg ICAgICAgICAgVVBEQVRFIE1ldGhvZCIsIFJGQyAzMzExLCBPY3RvYmVyIDIwMDIuCgogICBbUkZD MzMyNl0gIFNjaHVsenJpbm5lLCBILiwgT3JhbiwgRC4sIGFuZCBHLiBDYW1hcmlsbG8sICJUaGUg UmVhc29uCiAgICAgICAgICAgICAgSGVhZGVyIEZpZWxkIGZvciB0aGUgU2Vzc2lvbiBJbml0aWF0 aW9uIFByb3RvY29sIChTSVApIiwKICAgICAgICAgICAgICBSRkMgMzMyNiwgRGVjZW1iZXIgMjAw Mi4KCiAgIFtSRkMzNTE1XSAgU3BhcmtzLCBSLiwgIlRoZSBTZXNzaW9uIEluaXRpYXRpb24gUHJv dG9jb2wgKFNJUCkgUmVmZXIKICAgICAgICAgICAgICBNZXRob2QiLCBSRkMgMzUxNSwgQXByaWwg MjAwMy4KCiAgIFtSRkMzNTUwXSAgU2NodWx6cmlubmUsIEguLCBDYXNuZXIsIFMuLCBGcmVkZXJp Y2ssIFIuLCBhbmQgVi4KICAgICAgICAgICAgICBKYWNvYnNvbiwgIlJUUDogQSBUcmFuc3BvcnQg UHJvdG9jb2wgZm9yIFJlYWwtVGltZQogICAgICAgICAgICAgIEFwcGxpY2F0aW9ucyIsIFNURCA2 NCwgUkZDIDM1NTAsIEp1bHkgMjAwMy4KCiAgIFtSRkMzNTUxXSAgU2NodWx6cmlubmUsIEguIGFu ZCBTLiBDYXNuZXIsICJSVFAgUHJvZmlsZSBmb3IgQXVkaW8gYW5kCiAgICAgICAgICAgICAgVmlk ZW8gQ29uZmVyZW5jZXMgd2l0aCBNaW5pbWFsIENvbnRyb2wiLCBTVEQgNjUsIFJGQyAzNTUxLAog ICAgICAgICAgICAgIEp1bHkgMjAwMy4KCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBFeHBp cmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDQyXQoMCkludGVybmV0LURy YWZ0ICBTSVAgSW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzICAgICAgICBGZWIg MjAwOQoKCiAgIFtSRkMzNzExXSAgQmF1Z2hlciwgTS4sIE1jR3JldywgRC4sIE5hc2x1bmQsIE0u LCBDYXJyYXJhLCBFLiwgYW5kIEsuCiAgICAgICAgICAgICAgTm9ycm1hbiwgIlRoZSBTZWN1cmUg UmVhbC10aW1lIFRyYW5zcG9ydCBQcm90b2NvbCAoU1JUUCkiLAogICAgICAgICAgICAgIFJGQyAz NzExLCBNYXJjaCAyMDA0LgoKICAgW1JGQzM3MjVdICBSb3NlbmJlcmcsIEouLCBQZXRlcnNvbiwg Si4sIFNjaHVsenJpbm5lLCBILiwgYW5kIEcuCiAgICAgICAgICAgICAgQ2FtYXJpbGxvLCAiQmVz dCBDdXJyZW50IFByYWN0aWNlcyBmb3IgVGhpcmQgUGFydHkgQ2FsbAogICAgICAgICAgICAgIENv bnRyb2wgKDNwY2MpIGluIHRoZSBTZXNzaW9uIEluaXRpYXRpb24gUHJvdG9jb2wgKFNJUCkiLAog ICAgICAgICAgICAgIEJDUCA4NSwgUkZDIDM3MjUsIEFwcmlsIDIwMDQuCgogICBbUkZDMzg5MV0g IE1haHksIFIuLCBCaWdncywgQi4sIGFuZCBSLiBEZWFuLCAiVGhlIFNlc3Npb24gSW5pdGlhdGlv bgogICAgICAgICAgICAgIFByb3RvY29sIChTSVApICJSZXBsYWNlcyIgSGVhZGVyIiwgUkZDIDM4 OTEsCiAgICAgICAgICAgICAgU2VwdGVtYmVyIDIwMDQuCgogICBbUkZDMzk4Nl0gIEJlcm5lcnMt TGVlLCBULiwgRmllbGRpbmcsIFIuLCBhbmQgTC4gTWFzaW50ZXIsICJVbmlmb3JtCiAgICAgICAg ICAgICAgUmVzb3VyY2UgSWRlbnRpZmllciAoVVJJKTogR2VuZXJpYyBTeW50YXgiLCBTVEQgNjYs CiAgICAgICAgICAgICAgUkZDIDM5ODYsIEphbnVhcnkgMjAwNS4KCiAgIFtSRkM0MjQ0XSAgQmFy bmVzLCBNLiwgIkFuIEV4dGVuc2lvbiB0byB0aGUgU2Vzc2lvbiBJbml0aWF0aW9uCiAgICAgICAg ICAgICAgUHJvdG9jb2wgKFNJUCkgZm9yIFJlcXVlc3QgSGlzdG9yeSBJbmZvcm1hdGlvbiIsIFJG QyA0MjQ0LAogICAgICAgICAgICAgIE5vdmVtYmVyIDIwMDUuCgogICBbUkZDNDMyMF0gIFNwYXJr cywgUi4sICJBY3Rpb25zIEFkZHJlc3NpbmcgSWRlbnRpZmllZCBJc3N1ZXMgd2l0aCB0aGUKICAg ICAgICAgICAgICBTZXNzaW9uIEluaXRpYXRpb24gUHJvdG9jb2wncyAoU0lQKSBOb24tSU5WSVRF CiAgICAgICAgICAgICAgVHJhbnNhY3Rpb24iLCBSRkMgNDMyMCwgSmFudWFyeSAyMDA2LgoKICAg W1JGQzQ0ODhdICBMZXZpbiwgTy4sICJTdXBwcmVzc2lvbiBvZiBTZXNzaW9uIEluaXRpYXRpb24g UHJvdG9jb2wKICAgICAgICAgICAgICAoU0lQKSBSRUZFUiBNZXRob2QgSW1wbGljaXQgU3Vic2Ny aXB0aW9uIiwgUkZDIDQ0ODgsCiAgICAgICAgICAgICAgTWF5IDIwMDYuCgogICBbUkZDNDU4NV0g IE90dCwgSi4sIFdlbmdlciwgUy4sIFNhdG8sIE4uLCBCdXJtZWlzdGVyLCBDLiwgYW5kIEouIFJl eSwKICAgICAgICAgICAgICAiRXh0ZW5kZWQgUlRQIFByb2ZpbGUgZm9yIFJlYWwtdGltZSBUcmFu c3BvcnQgQ29udHJvbAogICAgICAgICAgICAgIFByb3RvY29sIChSVENQKS1CYXNlZCBGZWVkYmFj ayAoUlRQL0FWUEYpIiwgUkZDIDQ1ODUsCiAgICAgICAgICAgICAgSnVseSAyMDA2LgoKICAgW1JG QzQ2MjddICBDcm9ja2ZvcmQsIEQuLCAiVGhlIGFwcGxpY2F0aW9uL2pzb24gTWVkaWEgVHlwZSBm b3IKICAgICAgICAgICAgICBKYXZhU2NyaXB0IE9iamVjdCBOb3RhdGlvbiAoSlNPTikiLCBSRkMg NDYyNywgSnVseSAyMDA2LgoKICAgW1JGQzQ2MjldICBPdHQsIEguLCBCb3JtYW5uLCBDLiwgU3Vs bGl2YW4sIEcuLCBXZW5nZXIsIFMuLCBhbmQgUi4KICAgICAgICAgICAgICBFdmVuLCAiUlRQIFBh eWxvYWQgRm9ybWF0IGZvciBJVFUtVCBSZWMiLCBSRkMgNDYyOSwKICAgICAgICAgICAgICBKYW51 YXJ5IDIwMDcuCgogICBbUkZDNDczM10gIFNjaHVsenJpbm5lLCBILiBhbmQgVC4gVGF5bG9yLCAi UlRQIFBheWxvYWQgZm9yIERUTUYKICAgICAgICAgICAgICBEaWdpdHMsIFRlbGVwaG9ueSBUb25l cywgYW5kIFRlbGVwaG9ueSBTaWduYWxzIiwgUkZDIDQ3MzMsCiAgICAgICAgICAgICAgRGVjZW1i ZXIgMjAwNi4KCiAgIFtSRkM0ODU1XSAgQ2FzbmVyLCBTLiwgIk1lZGlhIFR5cGUgUmVnaXN0cmF0 aW9uIG9mIFJUUCBQYXlsb2FkCiAgICAgICAgICAgICAgRm9ybWF0cyIsIFJGQyA0ODU1LCBGZWJy dWFyeSAyMDA3LgoKCgoKQnVya2UgJiBTY290dCAgICAgICAgICAgIEV4cGlyZXMgQXVndXN0IDEy LCAyMDA5ICAgICAgICAgICAgICAgW1BhZ2UgNDNdCgwKSW50ZXJuZXQtRHJhZnQgIFNJUCBJbnRl cmZhY2UgdG8gVm9pY2VYTUwgTWVkaWEgU2VydmljZXMgICAgICAgIEZlYiAyMDA5CgoKICAgW1JG QzQ4NjddICBTam9iZXJnLCBKLiwgV2VzdGVybHVuZCwgTS4sIExha2FuaWVtaSwgQS4sIGFuZCBR LiBYaWUsCiAgICAgICAgICAgICAgIlJUUCBQYXlsb2FkIEZvcm1hdCBhbmQgRmlsZSBTdG9yYWdl IEZvcm1hdCBmb3IgdGhlCiAgICAgICAgICAgICAgQWRhcHRpdmUgTXVsdGktUmF0ZSAoQU1SKSBh bmQgQWRhcHRpdmUgTXVsdGktUmF0ZSBXaWRlYmFuZAogICAgICAgICAgICAgIChBTVItV0IpIEF1 ZGlvIENvZGVjcyIsIFJGQyA0ODY3LCBBcHJpbCAyMDA3LgoKICAgW1ZYTUwyMF0gICBNY0dsYXNo YW4sIFMuLCBCdXJuZXR0LCBELiwgQ2FydGVyLCBKLiwgRGFuaWVsc2VuLCBQLiwKICAgICAgICAg ICAgICBGZXJyYW5zLCBKLiwgSHVudCwgQS4sIEx1Y2FzLCBCLiwgUG9ydGVyLCBCLiwgUmVob3Is IEsuLAogICAgICAgICAgICAgIGFuZCBTLiBUcnlwaG9uYXMsICJWb2ljZSBFeHRlbnNpYmxlIE1h cmt1cCBMYW5ndWFnZQogICAgICAgICAgICAgIChWb2ljZVhNTCkgVmVyc2lvbiAyLjAiLCBXM0Mg UmVjb21tZW5kYXRpb24sIE1hcmNoIDIwMDQuCgogICBbVlhNTDIxXSAgIE9zaHJ5LCBNLiwgQXVi dXJuLCBSIEouLCBCYWdnaWEsIFAuLCBCb2RlbGwsIE0uLCBCdXJrZSwKICAgICAgICAgICAgICBE LiwgQnVybmV0dCwgRC4sIENhbmRlbGwsIEUuLCBLaWxpYywgSC4sIE1jR2xhc2hhbiwgUy4sCiAg ICAgICAgICAgICAgTGVlLCBBLiwgUG9ydGVyLCBCLiwgYW5kIEsuIFJlaG9yLCAiVm9pY2UgRXh0 ZW5zaWJsZQogICAgICAgICAgICAgIE1hcmt1cCBMYW5ndWFnZSAoVm9pY2VYTUwpIFZlcnNpb24g Mi4xIiwgVzNDIENhbmRpZGF0ZQogICAgICAgICAgICAgIFJlY29tbWVuZGF0aW9uLCBKdW5lIDIw MDUuCgoxMi4yLiAgSW5mb3JtYXRpdmUgUmVmZXJlbmNlcwoKICAgW0NDWE1MMTBdICBBdWJ1cm4s IFIgSi4sICJWb2ljZSBCcm93c2VyIENhbGwgQ29udHJvbDogQ0NYTUwgVmVyc2lvbgogICAgICAg ICAgICAgIDEuMCIsIFczQyBXb3JraW5nIERyYWZ0ICh3b3JrIGluIHByb2dyZXNzKSwgSnVuZSAy MDA1LgoKICAgW0lFQzE0NDk2LTE0XQogICAgICAgICAgICAgICJJbmZvcm1hdGlvbiB0ZWNobm9s b2d5LiBDb2Rpbmcgb2YgYXVkaW8tdmlzdWFsIG9iamVjdHMuCiAgICAgICAgICAgICAgTVA0IGZp bGUgZm9ybWF0IiwgSVNPL0lFQyBJU08vSUVDIDE0NDk2LTE0OjIwMDMsCiAgICAgICAgICAgICAg T2N0b2JlciAyMDAzLgoKICAgW01SQ1B2Ml0gICBTaGFubXVnaGFtLCBTLiBhbmQgRC4gQnVybmV0 dCwgIk1lZGlhIFJlc291cmNlIENvbnRyb2wKICAgICAgICAgICAgICBQcm90b2NvbCBWZXJzaW9u IDIiLCBkcmFmdC1pZXRmLXNwZWVjaHNjLW1yY3B2Mi0xMyAod29yawogICAgICAgICAgICAgIGlu IHByb2dyZXNzKSwgU2VwIDIwMDcuCgogICBbUkZDMjE5MF0gIFpodSwgQy4sICJSVFAgUGF5bG9h ZCBGb3JtYXQgZm9yIEguMjYzIFZpZGVvIFN0cmVhbXMiLAogICAgICAgICAgICAgIFJGQyAyMTkw LCBTZXB0ZW1iZXIgMTk5Ny4KCiAgIFtSRkMzOTYwXSAgQ2FtYXJpbGxvLCBHLiBhbmQgSC4gU2No dWx6cmlubmUsICJFYXJseSBNZWRpYSBhbmQgUmluZ2luZwogICAgICAgICAgICAgIFRvbmUgR2Vu ZXJhdGlvbiBpbiB0aGUgU2Vzc2lvbiBJbml0aWF0aW9uIFByb3RvY29sIChTSVApIiwKICAgICAg ICAgICAgICBSRkMgMzk2MCwgRGVjZW1iZXIgMjAwNC4KCiAgIFtSRkMzOTY5XSAgQ2FtYXJpbGxv LCBHLiwgIlRoZSBJbnRlcm5ldCBBc3NpZ25lZCBOdW1iZXIgQXV0aG9yaXR5CiAgICAgICAgICAg ICAgKElBTkEpIFVuaWZvcm0gUmVzb3VyY2UgSWRlbnRpZmllciAoVVJJKSBQYXJhbWV0ZXIKICAg ICAgICAgICAgICBSZWdpc3RyeSBmb3IgdGhlIFNlc3Npb24gSW5pdGlhdGlvbiBQcm90b2NvbCAo U0lQKSIsCiAgICAgICAgICAgICAgQkNQIDk5LCBSRkMgMzk2OSwgRGVjZW1iZXIgMjAwNC4KCiAg IFtSRkM0MjQwXSAgQnVyZ2VyLCBFLiwgVmFuIER5a2UsIEouLCBhbmQgQS4gU3BpdHplciwgIkJh c2ljIE5ldHdvcmsKICAgICAgICAgICAgICBNZWRpYSBTZXJ2aWNlcyB3aXRoIFNJUCIsIFJGQyA0 MjQwLCBEZWNlbWJlciAyMDA1LgoKICAgW1NJUEVYXSAgICBKb2huc3RvbiwgQS4sIFNwYXJrcywg Ui4sIEN1bm5pbmdoYW0sIEMuLCBEb25vdmFuLCBTLiwgYW5kCiAgICAgICAgICAgICAgSy4gU3Vt bWVycywgIlNlc3Npb24gSW5pdGlhdGlvbiBQcm90b2NvbCBFeGFtcGxlcyIsCiAgICAgICAgICAg ICAgZHJhZnQtaWV0Zi1zaXBwaW5nLXNlcnZpY2UtZXhhbXBsZXMgKHdvcmsgaW4gcHJvZ3Jlc3Mp LAoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAg ICAgICAgICAgICBbUGFnZSA0NF0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBW b2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgogICAgICAgICAgICAgIEp1 bHkgMjAwNS4KCiAgIFtUUzIzMDAyXSAgIjNyZCBHZW5lcmF0aW9uIFBhcnRuZXJzaGlwIFByb2pl Y3Q6IE5ldHdvcmsgYXJjaGl0ZWN0dXJlCiAgICAgICAgICAgICAgKFJlbGVhc2UgNikiLCAzR1BQ IFRTIDIzLjAwMiB2Ni42LjAsIERlY2VtYmVyIDIwMDQuCgogICBbVFMyNjI0NF0gICJUcmFuc3Bh cmVudCBlbmQtdG8tZW5kIHBhY2tldCBzd2l0Y2hlZCBzdHJlYW1pbmcgc2VydmljZQogICAgICAg ICAgICAgIChQU1MpOyAzR1BQIGZpbGUgZm9ybWF0ICgzR1ApIiwgM0dQUCBUUyAyNi4yNDQgdjYu NC4wLAogICAgICAgICAgICAgIERlY2VtYmVyIDIwMDQuCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1 c3QgMTIsIDIwMDkgICAgICAgICAgICAgICBbUGFnZSA0NV0KDApJbnRlcm5ldC1EcmFmdCAgU0lQ IEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgpB cHBlbmRpeCBBLiAgTm90ZXMgb24gTm9ybWF0aXZlIFJlZmVyZW5jZXMKCiAgIFdlIG1ha2UgYSAi ZG93bnJlZiIgbm9ybWF0aXZlIHJlZmVyZW5jZSB0byBbUkZDNDYyN10gLSBhbgogICBJbmZvcm1h dGlvbmFsIERyYWZ0IGRlc2NyaWJpbmcgYSBwcm9wcmlldGFyeSAoYnV0IGV4dHJlbWVseSBwb3B1 bGFyKQogICBmb3JtYXQuCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoK CgoKCgpCdXJrZSAmIFNjb3R0ICAgICAgICAgICAgRXhwaXJlcyBBdWd1c3QgMTIsIDIwMDkgICAg ICAgICAgICAgICBbUGFnZSA0Nl0KDApJbnRlcm5ldC1EcmFmdCAgU0lQIEludGVyZmFjZSB0byBW b2ljZVhNTCBNZWRpYSBTZXJ2aWNlcyAgICAgICAgRmViIDIwMDkKCgpBdXRob3JzJyBBZGRyZXNz ZXMKCiAgIERhdmUgQnVya2UKICAgR29vZ2xlCiAgIEJlbGdyYXZlIEhvdXNlLCA3NiBCdWNraW5n aGFtIFBhbGFjZSBSb2FkCiAgIExvbmRvbiAgU1cxVyA5VFEKICAgVW5pdGVkIEtpbmdkb20KCiAg IEVtYWlsOiBkYXZlYnVya2VAZ29vZ2xlLmNvbQoKCiAgIE1hcmsgU2NvdHQKICAgR2VuZXN5cwog ICAxMTIwIEZpbmNoIEF2ZW51ZSBXZXN0LCA4dGggZmxvb3IKICAgVG9yb250bywgT250YXJpbyAg TTNKIDNINwogICBDYW5hZGEKCiAgIEVtYWlsOiBNYXJrLlNjb3R0QGdlbmVzeXNsYWIuY29tCgoK CgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCkJ1cmtlICYgU2NvdHQgICAgICAgICAgICBF eHBpcmVzIEF1Z3VzdCAxMiwgMjAwOSAgICAgICAgICAgICAgIFtQYWdlIDQ3XQoMCgo= --0015174c0e8cbcca9904626f4135 Content-Type: text/html; charset=US-ASCII; name="rfcdiff.html" Content-Disposition: attachment; filename="rfcdiff.html" Content-Transfer-Encoding: base64 X-Attachment-Id: f_fqy911jh0 PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFs Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25h bC5kdGQiPgo8aHRtbD48aGVhZD4KIAo8IS0tIEdlbmVyYXRlZCBieSByZmNkaWZmIDEuMzU6IHJm Y2RpZmYgIC0tPiAKPCEtLSA8IURPQ1RZUEUgaHRtbCBQVUJMSUMgIi0vL1czQy8vRFREIEhUTUwg NC4wMSBUcmFuc2l0aW9uYWwiID4gLS0+CjwhLS0gU3lzdGVtOiBMaW51eCBjYWJlcm5ldC52ZXJr c3RhZC5uZXQgMi42LjE4LTQtNjg2ICMxIFNNUCBXZWQgTWF5IDkgMjM6MDM6MTIgVVRDIDIwMDcg aTY4NiBHTlUvTGludXggLS0+IAo8IS0tIFVzaW5nIGF3azogL3Vzci9iaW4vZ2F3azogR05VIEF3 ayAzLjEuNSAtLT4gCjwhLS0gVXNpbmcgZGlmZjogL3Vzci9iaW4vZGlmZjogZGlmZiAoR05VIGRp ZmZ1dGlscykgMi44LjEgLS0+IAo8IS0tIFVzaW5nIHdkaWZmOiAvdXNyL2Jpbi93ZGlmZjogR05V IHdkaWZmIDAuNSAtLT4gCiAKIAogIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29u dGVudD0idGV4dC9odG1sOyBjaGFyc2V0PUlTTy04ODU5LTEiPiAKICA8bWV0YSBodHRwLWVxdWl2 PSJDb250ZW50LVN0eWxlLVR5cGUiIGNvbnRlbnQ9InRleHQvY3NzIj4gCiAgPHRpdGxlPkRpZmY6 IGRyYWZ0LWlldGYtbWVkaWFjdHJsLXZ4bWwtMDMudHh0IC0gZHJhZnQtaWV0Zi1tZWRpYWN0cmwt dnhtbC0wNC50eHQ8L3RpdGxlPiAKICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPiAKICAgIGJvZHkg ICAgeyBtYXJnaW46IDAuNGV4OyBtYXJnaW4tcmlnaHQ6IGF1dG87IH0gCiAgICB0ciAgICAgIHsg fSAKICAgIHRkICAgICAgeyB3aGl0ZS1zcGFjZTogcHJlOyBmb250LWZhbWlseTogbW9ub3NwYWNl OyB2ZXJ0aWNhbC1hbGlnbjogdG9wOyBmb250LXNpemU6IDAuODZlbTt9IAogICAgdGggICAgICB7 IGZvbnQtc2l6ZTogMC44NmVtOyB9IAogICAgLnNtYWxsICB7IGZvbnQtc2l6ZTogMC42ZW07IGZv bnQtc3R5bGU6IGl0YWxpYzsgZm9udC1mYW1pbHk6IFZlcmRhbmEsIEhlbHZldGljYSwgc2Fucy1z ZXJpZjsgfSAKICAgIC5sZWZ0ICAgeyBiYWNrZ3JvdW5kLWNvbG9yOiAjRUVFOyB9IAogICAgLnJp Z2h0ICB7IGJhY2tncm91bmQtY29sb3I6ICNGRkY7IH0gCiAgICAuZGlmZiAgIHsgYmFja2dyb3Vu ZC1jb2xvcjogI0NDRjsgfSAKICAgIC5sYmxvY2sgeyBiYWNrZ3JvdW5kLWNvbG9yOiAjQkZCOyB9 IAogICAgLnJibG9jayB7IGJhY2tncm91bmQtY29sb3I6ICNGRjg7IH0gCiAgICAuaW5zZXJ0IHsg YmFja2dyb3VuZC1jb2xvcjogIzhGRjsgfSAKICAgIC5kZWxldGUgeyBiYWNrZ3JvdW5kLWNvbG9y OiAjQUNGOyB9IAogICAgLnZvaWQgICB7IGJhY2tncm91bmQtY29sb3I6ICNGRkI7IH0gCiAgICAu Y29udCAgIHsgYmFja2dyb3VuZC1jb2xvcjogI0VFRTsgfSAKICAgIC5saW5lYnIgeyBiYWNrZ3Jv dW5kLWNvbG9yOiAjQUFBOyB9IAogICAgLmxpbmVubyB7IGNvbG9yOiByZWQ7IGJhY2tncm91bmQt Y29sb3I6ICNGRkY7IGZvbnQtc2l6ZTogMC43ZW07IHRleHQtYWxpZ246IHJpZ2h0OyBwYWRkaW5n OiAwIDJweDsgfSAKICAgIC5lbGlwc2lzeyBiYWNrZ3JvdW5kLWNvbG9yOiAjQUFBOyB9IAogICAg LmxlZnQgLmNvbnQgeyBiYWNrZ3JvdW5kLWNvbG9yOiAjREREOyB9IAogICAgLnJpZ2h0IC5jb250 IHsgYmFja2dyb3VuZC1jb2xvcjogI0VFRTsgfSAKICAgIC5sYmxvY2sgLmNvbnQgeyBiYWNrZ3Jv dW5kLWNvbG9yOiAjOUQ5OyB9IAogICAgLnJibG9jayAuY29udCB7IGJhY2tncm91bmQtY29sb3I6 ICNERDY7IH0gCiAgICAuaW5zZXJ0IC5jb250IHsgYmFja2dyb3VuZC1jb2xvcjogIzBERDsgfSAK ICAgIC5kZWxldGUgLmNvbnQgeyBiYWNrZ3JvdW5kLWNvbG9yOiAjOEFEOyB9IAogICAgLnN0YXRz LCAuc3RhdHMgdGQsIC5zdGF0cyB0aCB7IGJhY2tncm91bmQtY29sb3I6ICNFRUU7IHBhZGRpbmc6 IDJweCAwOyB9IAogIDwvc3R5bGU+IAo8L2hlYWQ+PGJvZHk+IAogIDx0YWJsZSBib3JkZXI9IjAi IGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+IAogIDx0Ym9keT48dHIgYmdjb2xvcj0i b3JhbmdlIj48dGg+PC90aD48dGg+Jm5ic3A7ZHJhZnQtaWV0Zi1tZWRpYWN0cmwtdnhtbC0wMy50 eHQmbmJzcDs8L3RoPjx0aD4gPC90aD48dGg+Jm5ic3A7ZHJhZnQtaWV0Zi1tZWRpYWN0cmwtdnht bC0wNC50eHQmbmJzcDs8L3RoPjx0aD48L3RoPjwvdHI+IAogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPk1lZGlhY3RybCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICBELiBCdXJrZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPk1lZGlhY3RybCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICBELiBCdXJrZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij5JbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHb29nbGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij5JbnRlcm5ldC1EcmFmdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBHb29nbGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+SW50ZW5kZWQgc3RhdHVzOiBTdGFuZGFyZHMgVHJhY2sg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE0uIFNjb3R0PC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+SW50ZW5kZWQgc3RhdHVzOiBTdGFuZGFyZHMgVHJhY2sgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgIE0uIFNjb3R0PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAwMSI+PC9h PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+RXhwaXJlczogPHNwYW4gY2xhc3M9ImRlbGV0ZSI+SnVseSAx Myw8L3NwYW4+IDIwMDkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg R2VuZXN5czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj5FeHBpcmVzOiA8c3BhbiBj bGFzcz0iaW5zZXJ0Ij5BdWd1c3QgMTIsPC9zcGFuPiAyMDA5ICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICBHZW5lc3lzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPkphbiA5 LDwvc3Bhbj4gMjAwOTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPHNwYW4g Y2xhc3M9Imluc2VydCI+RmViIDgsPC9zcGFuPiAyMDA5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICAgICAgICAgICAgICAgU0lQIEludGVyZmFjZSB0byBWb2ljZVhNTCBNZWRpYSBTZXJ2 aWNlczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgICBTSVAg SW50ZXJmYWNlIHRvIFZvaWNlWE1MIE1lZGlhIFNlcnZpY2VzPC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAw MiI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgICAgICAgICAgICAgICBkcmFmdC1pZXRm LW1lZGlhY3RybC12eG1sLTA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zPC9zcGFuPi50eHQ8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgICAgICAgICAgICAgICBkcmFmdC1pZXRm LW1lZGlhY3RybC12eG1sLTA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij40PC9zcGFuPi50eHQ8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPlN0YXR1cyBvZiB0aGlzIE1lbW88L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij5TdGF0dXMgb2YgdGhpcyBNZW1vPC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij4gICBUaGlzIEludGVybmV0LURyYWZ0IGlzIHN1Ym1pdHRlZCB0byBJRVRGIGluIGZ1 bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBUaGlzIEludGVybmV0LURyYWZ0IGlzIHN1Ym1pdHRlZCB0byBJRVRGIGluIGZ1bGwgY29uZm9y bWFuY2Ugd2l0aCB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgcHJvdmlzaW9ucyBvZiBCQ1AgNzggYW5kIEJDUCA3OS48L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwcm92aXNpb25zIG9mIEJDUCA3OCBhbmQgQkNQIDc5 LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgSW50ZXJuZXQtRHJhZnRzIGFyZSB3b3Jr aW5nIGRvY3VtZW50cyBvZiB0aGUgSW50ZXJuZXQgRW5naW5lZXJpbmc8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICBJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRz IG9mIHRoZSBJbnRlcm5ldCBFbmdpbmVlcmluZzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUYXNrIEZvcmNlIChJRVRGKSwgaXRzIGFyZWFz LCBhbmQgaXRzIHdvcmtpbmcgZ3JvdXBzLiAgTm90ZSB0aGF0PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgVGFzayBGb3JjZSAoSUVURiksIGl0cyBhcmVhcywgYW5kIGl0cyB3b3Jr aW5nIGdyb3Vwcy4gIE5vdGUgdGhhdDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvdGhlciBncm91cHMgbWF5IGFsc28gZGlzdHJpYnV0ZSB3 b3JraW5nIGRvY3VtZW50cyBhcyBJbnRlcm5ldC08L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICBvdGhlciBncm91cHMgbWF5IGFsc28gZGlzdHJpYnV0ZSB3b3JraW5nIGRvY3VtZW50 cyBhcyBJbnRlcm5ldC08L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgRHJhZnRzLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IERyYWZ0cy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv dHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0icGFydC1s MiI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDEsIGxpbmUg MzM8L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0icGFydC1yMiI+PHNtYWxsPnNr aXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDEsIGxpbmUgMzM8L2VtPjwvYT48 L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBhbmQgbWF5IGJlIHVwZGF0ZWQsIHJlcGxhY2Vk LCBvciBvYnNvbGV0ZWQgYnkgb3RoZXIgZG9jdW1lbnRzIGF0IGFueTwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgIGFuZCBtYXkgYmUgdXBkYXRlZCwgcmVwbGFjZWQsIG9yIG9ic29s ZXRlZCBieSBvdGhlciBkb2N1bWVudHMgYXQgYW55PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRpbWUuICBJdCBpcyBpbmFwcHJvcHJpYXRl IHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMgcmVmZXJlbmNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgdGltZS4gIEl0IGlzIGluYXBwcm9wcmlhdGUgdG8gdXNlIEludGVybmV0 LURyYWZ0cyBhcyByZWZlcmVuY2U8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgbWF0ZXJpYWwgb3IgdG8gY2l0ZSB0aGVtIG90aGVyIHRoYW4g YXMgIndvcmsgaW4gcHJvZ3Jlc3MuIjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IG1hdGVyaWFsIG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGluIHByb2dyZXNz LiI8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50 ZXJuZXQtRHJhZnRzIGNhbiBiZSBhY2Nlc3NlZCBhdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQtRHJhZnRzIGNhbiBiZSBhY2Nl c3NlZCBhdDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBodHRwOi8vd3d3LmlldGYub3JnL2lldGYvMWlkLWFic3RyYWN0cy50eHQuPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaHR0cDovL3d3dy5pZXRmLm9yZy9pZXRmLzFp ZC1hYnN0cmFjdHMudHh0LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhlIGxpc3Qg b2YgSW50ZXJuZXQtRHJhZnQgU2hhZG93IERpcmVjdG9yaWVzIGNhbiBiZSBhY2Nlc3NlZCBhdDwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBsaXN0IG9mIEludGVybmV0LURy YWZ0IFNoYWRvdyBEaXJlY3RvcmllcyBjYW4gYmUgYWNjZXNzZWQgYXQ8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaHR0cDovL3d3dy5pZXRm Lm9yZy9zaGFkb3cuaHRtbC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBodHRw Oi8vd3d3LmlldGYub3JnL3NoYWRvdy5odG1sLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDAzIj48L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBUaGlz IEludGVybmV0LURyYWZ0IHdpbGwgZXhwaXJlIG9uIDxzcGFuIGNsYXNzPSJkZWxldGUiPkp1bHkg MTM8L3NwYW4+LCAyMDA5LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBUaGlz IEludGVybmV0LURyYWZ0IHdpbGwgZXhwaXJlIG9uIDxzcGFuIGNsYXNzPSJpbnNlcnQiPkF1Z3Vz dCAxMjwvc3Bhbj4sIDIwMDkuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij5Db3B5cmlnaHQg Tm90aWNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+Q29weXJpZ2h0IE5vdGljZTwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQ29weXJpZ2h0IChjKSAyMDA5IElFVEYgVHJ1 c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZpZWQgYXMgdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgQ29weXJpZ2h0IChjKSAyMDA5IElFVEYgVHJ1c3QgYW5kIHRoZSBwZXJz b25zIGlkZW50aWZpZWQgYXMgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRvY3VtZW50IGF1dGhvcnMuICBBbGwgcmlnaHRzIHJlc2Vy dmVkLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGRvY3VtZW50IGF1dGhvcnMu ICBBbGwgcmlnaHRzIHJlc2VydmVkLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhp cyBkb2N1bWVudCBpcyBzdWJqZWN0IHRvIEJDUCA3OCBhbmQgdGhlIElFVEYgVHJ1c3QncyBMZWdh bDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoaXMgZG9jdW1lbnQgaXMgc3Vi amVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRGIFRydXN0J3MgTGVnYWw8L3RkPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgUHJvdmlzaW9ucyBSZWxh dGluZyB0byBJRVRGIERvY3VtZW50czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IFByb3Zpc2lvbnMgUmVsYXRpbmcgdG8gSUVURiBEb2N1bWVudHM8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgKGh0dHA6Ly90cnVzdGVlLmll dGYub3JnL2xpY2Vuc2UtaW5mbykgaW4gZWZmZWN0IG9uIHRoZSBkYXRlIG9mPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgKGh0dHA6Ly90cnVzdGVlLmlldGYub3JnL2xpY2Vuc2Ut aW5mbykgaW4gZWZmZWN0IG9uIHRoZSBkYXRlIG9mPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1l bnQuICBQbGVhc2UgcmV2aWV3IHRoZXNlIGRvY3VtZW50czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1lbnQuICBQbGVhc2UgcmV2aWV3 IHRoZXNlIGRvY3VtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i PjwvdGQ+PC90cj4KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0ZD48L3RkPjx0aD48YSBuYW1l PSJwYXJ0LWwzIj48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2Ug NCwgbGluZSAxNzwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48YSBuYW1lPSJwYXJ0LXIzIj48 c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgNCwgbGluZSAxNzwv ZW0+PC9hPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNTwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNTwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDEuMS4gIFVzZSBDYXNl cyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDU8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDEuMS4gIFVzZSBDYXNlcyAgLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDU8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgIDEuMS4xLiAg SVZSIFNlcnZpY2VzIHdpdGggQXBwbGljYXRpb24gU2VydmVycyAgLiAuIC4gLiAuIC4gLiAuICA1 PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgIDEuMS4xLiAgSVZSIFNlcnZp Y2VzIHdpdGggQXBwbGljYXRpb24gU2VydmVycyAgLiAuIC4gLiAuIC4gLiAuICA1PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAxLjEu Mi4gIFBTVE4gSVZSIFNlcnZpY2UgTm9kZSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAgNjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAxLjEuMi4gIFBTVE4g SVZSIFNlcnZpY2UgTm9kZSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgNjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAg MS4xLjMuICAzR1BQIElNUyBNZWRpYSBSZXNvdXJjZSBGdW5jdGlvbiAoTVJGKSAuIC4gLiAuIC4g LiAuIC4gIDc8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgMS4xLjMuICAz R1BQIElNUyBNZWRpYSBSZXNvdXJjZSBGdW5jdGlvbiAoTVJGKSAuIC4gLiAuIC4gLiAuIC4gIDc8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg ICAgIDEuMS40LiAgQ0NYTUwgJmx0Oy0mZ3Q7IFZvaWNlWE1MIEludGVyYWN0aW9uIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuICA4PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAg IDEuMS40LiAgQ0NYTUwgJmx0Oy0mZ3Q7IFZvaWNlWE1MIEludGVyYWN0aW9uIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuICA4PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPiAgICAgICAxLjEuNS4gIE90aGVyIFVzZSBDYXNlcyAgLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgODwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgICAgICAxLjEuNS4gIE90aGVyIFVzZSBDYXNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAgODwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDEuMi4gIFRlcm1pbm9sb2d5ICAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDg8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICAgIDEuMi4gIFRlcm1pbm9sb2d5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gIDg8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgMi4gIFZvaWNlWE1MIFNlc3Npb24gRXN0YWJsaXNobWVu dCBhbmQgVGVybWluYXRpb24gLiAuIC4gLiAuIC4gLiAuIDEwPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgMi4gIFZvaWNlWE1MIFNlc3Npb24gRXN0YWJsaXNobWVudCBhbmQgVGVy bWluYXRpb24gLiAuIC4gLiAuIC4gLiAuIDEwPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgMi4xLiAgU2VydmljZSBJZGVudGlmaWNhdGlv biAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxMDwvdGQ+PHRkPiA8L3RkPjx0 ZCBjbGFzcz0icmlnaHQiPiAgICAgMi4xLiAgU2VydmljZSBJZGVudGlmaWNhdGlvbiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxMDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwMDQiPjwv YT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgMi4yLiAgSW5pdGlhdGluZyBhIFZvaWNlWE1MIFNl c3Npb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxPHNwYW4gY2xhc3M9ImRlbGV0ZSI+ Mjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAyLjIuICBJbml0 aWF0aW5nIGEgVm9pY2VYTUwgU2Vzc2lvbiAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDE8 c3BhbiBjbGFzcz0iaW5zZXJ0Ij4zPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDIuMy4gIFByZXBhcmluZyBhIFZvaWNlWE1M IFNlc3Npb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTQ8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDIuMy4gIFByZXBhcmluZyBhIFZvaWNlWE1MIFNlc3Npb24g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gMTQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA1Ij48 L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDIuNC4gIFNlc3Npb24gVmFyaWFibGUgTWFwcGlu Z3MgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gPHNwYW4gY2xhc3M9ImRlbGV0ZSI+ MTQ8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgMi40LiAgU2Vz c2lvbiBWYXJpYWJsZSBNYXBwaW5ncyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8 c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xNTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDIuNS4gIFRlcm1pbmF0aW5nIGEgVm9p Y2VYTUwgU2Vzc2lvbiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gPHNwYW4gY2xhc3M9ImRl bGV0ZSI+MTc8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgMi41 LiAgVGVybWluYXRpbmcgYSBWb2ljZVhNTCBTZXNzaW9uIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xODwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAyLjYuICBFeGFtcGxlcyAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDE4PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAyLjYuICBFeGFtcGxlcyAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDE4PC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAyLjYuMS4gIEJhc2lj IFNlc3Npb24gRXN0YWJsaXNobWVudCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxODwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAyLjYuMS4gIEJhc2ljIFNlc3Npb24g RXN0YWJsaXNobWVudCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAxODwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0i ZGlmZjAwMDYiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgICAyLjYuMi4gIFZvaWNlWE1M IFNlc3Npb24gUHJlcGFyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFz cz0iZGVsZXRlIj4xODwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAg ICAgIDIuNi4yLiAgVm9pY2VYTUwgU2Vzc2lvbiBQcmVwYXJhdGlvbiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjE5PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgICAyLjYuMy4gIE1S Q1AgRXN0YWJsaXNobWVudCAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3Bh biBjbGFzcz0iZGVsZXRlIj4xOTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j ayI+ICAgICAgIDIuNi4zLiAgTVJDUCBFc3RhYmxpc2htZW50IC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjIwPC9zcGFuPjwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDMuICBNZWRp YSBTdXBwb3J0ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yMjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJibG9jayI+ICAgMy4gIE1lZGlhIFN1cHBvcnQgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjIzPC9zcGFuPjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAg My4xLiAgT2ZmZXIvQW5zd2VyIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yMjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJibG9jayI+ICAgICAzLjEuICBPZmZlci9BbnN3ZXIgLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjIzPC9zcGFu PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PiAgICAgMy4yLiAgRWFybHkgTWVkaWEgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yMjwvc3Bhbj48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAzLjIuICBFYXJseSBNZWRpYSAgLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjIz PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs YmxvY2siPiAgICAgMy4zLiAgTW9kaWZ5aW5nIHRoZSBNZWRpYSBTZXNzaW9uICAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yNDwvc3Bhbj48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAzLjMuICBNb2RpZnlpbmcgdGhlIE1lZGlh IFNlc3Npb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNl cnQiPjI1PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs YXNzPSJsYmxvY2siPiAgICAgMy40LiAgQXVkaW8gYW5kIFZpZGVvIENvZGVjcyAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yNDwvc3Bhbj48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAzLjQuICBBdWRpbyBhbmQgVmlk ZW8gQ29kZWNzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNz PSJpbnNlcnQiPjI1PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgMy41LiAgRFRNRiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yNTwv c3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAzLjUuICBEVE1GIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFu IGNsYXNzPSJpbnNlcnQiPjI2PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDQuICBSZXR1cm5pbmcgRGF0YSB0byB0aGUgQXBw bGljYXRpb24gU2VydmVyIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRl Ij4yNjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgNC4gIFJldHVy bmluZyBEYXRhIHRvIHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IDxzcGFuIGNsYXNzPSJpbnNlcnQiPjI3PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgNC4xLiAgSFRUUCBNZWNoYW5pc20g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0i ZGVsZXRlIj4yNjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICA0 LjEuICBIVFRQIE1lY2hhbmlzbSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjI3PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgNC4yLiAgU0lQIE1lY2hh bmlzbSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBj bGFzcz0iZGVsZXRlIj4yNjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ ICAgICA0LjIuICBTSVAgTWVjaGFuaXNtICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjI3PC9zcGFuPjwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDUuICBPdXRib3Vu ZCBDYWxsaW5nIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8 c3BhbiBjbGFzcz0iZGVsZXRlIj4yOTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgNS4gIE91dGJvdW5kIENhbGxpbmcgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjMwPC9zcGFuPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDYuICBD YWxsIFRyYW5zZmVyICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zMDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJibG9jayI+ICAgNi4gIENhbGwgVHJhbnNmZXIgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjMxPC9zcGFuPjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAg ICAgNi4xLiAgQmxpbmQgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zMDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJibG9jayI+ICAgICA2LjEuICBCbGluZCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjMxPC9z cGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxv Y2siPiAgICAgNi4yLiAgQnJpZGdlIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zMjwvc3Bhbj48L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICA2LjIuICBCcmlkZ2UgLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQi PjMzPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsYmxvY2siPiAgICAgNi4zLiAgQ29uc3VsdGF0aW9uIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zMzwvc3Bhbj48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICA2LjMuICBDb25zdWx0YXRpb24gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJp bnNlcnQiPjM0PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsYmxvY2siPiAgIDcuICBDb250cmlidXRvcnMgLiAuIC4gLiAuIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4zNjwvc3Bh bj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgNy4gIENvbnRyaWJ1dG9ycyAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNs YXNzPSJpbnNlcnQiPjM3PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDguICBBY2tub3dsZWRnZW1lbnRzIC4gLiAuIC4gLiAu IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj4z Nzwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgOC4gIEFja25vd2xl ZGdlbWVudHMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxz cGFuIGNsYXNzPSJpbnNlcnQiPjM4PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDkuICBTZWN1cml0eSBDb25zaWRlcmF0aW9u cyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVs ZXRlIj4zODwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgOS4gIFNl Y3VyaXR5IENvbnNpZGVyYXRpb25zICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjM5PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDEwLiBJQU5BIENvbnNpZGVyYXRp b25zICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFz cz0iZGVsZXRlIj4zOTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAg MTAuIElBTkEgQ29uc2lkZXJhdGlvbnMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjQwPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDExLiBDaGFuZ2VzIHNp bmNlIGxhc3QgdmVyc2lvbjogIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3Bh biBjbGFzcz0iZGVsZXRlIj40MDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j ayI+ICAgMTEuIENoYW5nZXMgc2luY2UgbGFzdCB2ZXJzaW9uOiAgLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjQxPC9zcGFuPjwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDEyLiBSZWZl cmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiA8c3BhbiBjbGFzcz0iZGVsZXRlIj40MTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJibG9jayI+ICAgMTIuIFJlZmVyZW5jZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjQyPC9zcGFuPjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAg MTIuMS4gTm9ybWF0aXZlIFJlZmVyZW5jZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj40MTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJibG9jayI+ICAgICAxMi4xLiBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjQyPC9zcGFu PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PiAgICAgMTIuMi4gSW5mb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj40Mzwvc3Bhbj48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAxMi4yLiBJbmZvcm1hdGl2ZSBSZWZlcmVuY2VzIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjQ0 PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs YmxvY2siPiAgIEFwcGVuZGl4IEEuICBOb3RlcyBvbiBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj40NTwvc3Bhbj48L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgQXBwZW5kaXggQS4gIE5vdGVzIG9uIE5vcm1h dGl2ZSBSZWZlcmVuY2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNzPSJpbnNl cnQiPjQ2PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs YXNzPSJsYmxvY2siPiAgIEF1dGhvcnMnIEFkZHJlc3NlcyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA8c3BhbiBjbGFzcz0iZGVsZXRlIj40Njwvc3Bhbj48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgQXV0aG9ycycgQWRkcmVzc2VzIC4g LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDxzcGFuIGNsYXNz PSJpbnNlcnQiPjQ3PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+MS4gIEludHJv ZHVjdGlvbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjEuICBJbnRyb2R1Y3Rpb248 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFZvaWNlWE1MIFtWWE1MMjBdLCBbVlhNTDIx XSBpcyBhIFdvcmxkIFdpZGUgV2ViIENvbnNvcnRpdW0gKFczQyk8L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBWb2ljZVhNTCBbVlhNTDIwXSwgW1ZYTUwyMV0gaXMgYSBXb3JsZCBX aWRlIFdlYiBDb25zb3J0aXVtIChXM0MpPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHN0YW5kYXJkIGZvciBjcmVhdGluZyBhdWRpbyBhbmQg dmlkZW8gZGlhbG9ncyB0aGF0IGZlYXR1cmU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij4gICBzdGFuZGFyZCBmb3IgY3JlYXRpbmcgYXVkaW8gYW5kIHZpZGVvIGRpYWxvZ3MgdGhhdCBm ZWF0dXJlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIHN5bnRoZXNpemVkIHNwZWVjaCwgZGlnaXRpemVkIGF1ZGlvLCByZWNvZ25pdGlvbiBv ZiBzcG9rZW4gYW5kIERUTUY8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBzeW50 aGVzaXplZCBzcGVlY2gsIGRpZ2l0aXplZCBhdWRpbywgcmVjb2duaXRpb24gb2Ygc3Bva2VuIGFu ZCBEVE1GPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIGtleSBpbnB1dCwgcmVjb3JkaW5nIG9mIGF1ZGlvIGFuZCB2aWRlbywgdGVsZXBob255 LCBhbmQgbWl4ZWQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBrZXkgaW5wdXQs IHJlY29yZGluZyBvZiBhdWRpbyBhbmQgdmlkZW8sIHRlbGVwaG9ueSwgYW5kIG1peGVkPC90ZD48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGluaXRp YXRpdmUgY29udmVyc2F0aW9ucy4gIFZvaWNlWE1MIGFsbG93cyBXZWItYmFzZWQgZGV2ZWxvcG1l bnQgYW5kPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaW5pdGlhdGl2ZSBjb252 ZXJzYXRpb25zLiAgVm9pY2VYTUwgYWxsb3dzIFdlYi1iYXNlZCBkZXZlbG9wbWVudCBhbmQ8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29u dGVudCBkZWxpdmVyeSBwYXJhZGlnbXMgdG8gYmUgdXNlZCB3aXRoIGludGVyYWN0aXZlIHZpZGVv IGFuZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGNvbnRlbnQgZGVsaXZlcnkg cGFyYWRpZ21zIHRvIGJlIHVzZWQgd2l0aCBpbnRlcmFjdGl2ZSB2aWRlbyBhbmQ8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdm9pY2UgcmVz cG9uc2UgYXBwbGljYXRpb25zLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHZv aWNlIHJlc3BvbnNlIGFwcGxpY2F0aW9ucy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48 dGg+PGEgbmFtZT0icGFydC1sNCI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+ PGVtPiBwYWdlIDEwLCBsaW5lIDMyPC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9 InBhcnQtcjQiPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAx MCwgbGluZSAzMjwvZW0+PC9hPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGltcHJvdmVz IGludGVyb3BlcmFiaWxpdHkgYmV0d2VlbiBhcHBsaWNhdGlvbiBzZXJ2ZXJzIGFuZCBtZWRpYTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGltcHJvdmVzIGludGVyb3BlcmFiaWxp dHkgYmV0d2VlbiBhcHBsaWNhdGlvbiBzZXJ2ZXJzIGFuZCBtZWRpYTwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBzZXJ2ZXJzLCBhbmQgcmVk dWNlcyB0aGUgcHJvdmlzaW9uaW5nIG92ZXJoZWFkIHRoYXQgd291bGQgYmUgcmVxdWlyZWQ8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBzZXJ2ZXJzLCBhbmQgcmVkdWNlcyB0aGUg cHJvdmlzaW9uaW5nIG92ZXJoZWFkIHRoYXQgd291bGQgYmUgcmVxdWlyZWQ8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaWYgdXNlIG9mIGEg bWVkaWEgc2VydmVyIGJ5IGFuIGFwcGxpY2F0aW9uIHNlcnZlciByZXF1aXJlZCBhbjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGlmIHVzZSBvZiBhIG1lZGlhIHNlcnZlciBieSBh biBhcHBsaWNhdGlvbiBzZXJ2ZXIgcmVxdWlyZWQgYW48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW5kaXZpZHVhbGx5IHByb3Zpc2lvbmVk IFVSSS4gIEluIHRoaXMgcmVzcGVjdCwgdGhpcyBkb2N1bWVudCAoYW5kPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgaW5kaXZpZHVhbGx5IHByb3Zpc2lvbmVkIFVSSS4gIEluIHRo aXMgcmVzcGVjdCwgdGhpcyBkb2N1bWVudCAoYW5kPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtSRkM0MjQwXSkgZG8gbm90IGFkZCBzZW1h bnRpY3MgdG8gdGhlIHVzZXIgcGFydCwgYnV0IHJhdGhlcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIFtSRkM0MjQwXSkgZG8gbm90IGFkZCBzZW1hbnRpY3MgdG8gdGhlIHVzZXIg cGFydCwgYnV0IHJhdGhlcjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICBzdGFuZGFyZGl6ZSB0aGUgd2F5IHRoYXQgdGFyZ2V0cyBvbiBtZWRp YSBzZXJ2ZXJzIGFyZSBwcm92aXNpb25lZC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0 Ij4gICBzdGFuZGFyZGl6ZSB0aGUgd2F5IHRoYXQgdGFyZ2V0cyBvbiBtZWRpYSBzZXJ2ZXJzIGFy ZSBwcm92aXNpb25lZC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgRnVydGhlciwgc2luY2UgYXBwbGljYXRpb24gc2VydmVycyAtIGFuZCBu b3QgaHVtYW4gYmVpbmdzIC0gYXJlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg RnVydGhlciwgc2luY2UgYXBwbGljYXRpb24gc2VydmVycyAtIGFuZCBub3QgaHVtYW4gYmVpbmdz IC0gYXJlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPiAgIGdlbmVyYWxseSB0aGUgY2xpZW50cyBvZiBtZWRpYSBzZXJ2ZXJzLCBpc3N1ZXMgc3Vj aCBhcyBpbnRlcnByZXRhdGlvbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGdl bmVyYWxseSB0aGUgY2xpZW50cyBvZiBtZWRpYSBzZXJ2ZXJzLCBpc3N1ZXMgc3VjaCBhcyBpbnRl cnByZXRhdGlvbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij4gICBhbmQgaW50ZXJuYXRpb25hbGl6YXRpb24gZG8gbm90IGFwcGx5LjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGFuZCBpbnRlcm5hdGlvbmFsaXphdGlvbiBkbyBu b3QgYXBwbHkuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlm ZjAwMDciPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5FeHBvc2luZyBhIFZvaWNlWE1MIG1lZGlh IHNlcnZpY2Ugd2l0aCBhIHdlbGwta25vd24gYWRkcmVzcyBtYXk8L3NwYW4+PC90ZD48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGVuaGFuY2UgdGhl IHBvc3NpYmlsaXR5IG9mIGV4cGxvaXRhdGlvbjogdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBp czwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i bGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imlu c2VydCI+ICAgUkVDT01NRU5ERUQgdG8gdXNlIHN0YW5kYXJkIFNJUCBtZWNoYW5pc21zIHRvIGF1 dGhlbnRpY2F0ZSBlbmRwb2ludHM8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv Y2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGFzIGRpc2N1c3NlZCBpbiBTZWN0aW9uIDkuPC9z cGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxv Y2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90 ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRo ZSBpbml0aWFsIFZvaWNlWE1MIGRvY3VtZW50IGlzIHNwZWNpZmllZCB3aXRoIHRoZSAidm9pY2V4 bWwiPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVGhlIGluaXRpYWwgVm9pY2VY TUwgZG9jdW1lbnQgaXMgc3BlY2lmaWVkIHdpdGggdGhlICJ2b2ljZXhtbCI8L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcGFyYW1ldGVyLiAg SW4gYWRkaXRpb24sIHBhcmFtZXRlcnMgYXJlIGRlZmluZWQgdGhhdCBjb250cm9sIGhvdyB0aGU8 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwYXJhbWV0ZXIuICBJbiBhZGRpdGlv biwgcGFyYW1ldGVycyBhcmUgZGVmaW5lZCB0aGF0IGNvbnRyb2wgaG93IHRoZTwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBWb2ljZVhNTCBN ZWRpYSBTZXJ2ZXIgZmV0Y2hlcyB0aGUgc3BlY2lmaWVkIFZvaWNlWE1MIGRvY3VtZW50LiAgVGhl PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVm9pY2VYTUwgTWVkaWEgU2VydmVy IGZldGNoZXMgdGhlIHNwZWNpZmllZCBWb2ljZVhNTCBkb2N1bWVudC4gIFRoZTwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBsaXN0IG9mIHBh cmFtZXRlcnMgZGVmaW5lZCBieSB0aGlzIHNwZWNpZmljYXRpb24gaXMgYXMgZm9sbG93cyAobm90 ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGxpc3Qgb2YgcGFyYW1ldGVycyBk ZWZpbmVkIGJ5IHRoaXMgc3BlY2lmaWNhdGlvbiBpcyBhcyBmb2xsb3dzIChub3RlPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRoZSBwYXJh bWV0ZXIgbmFtZXMgYXJlIGNhc2UtaW5zZW5zaXRpdmUpOjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIHRoZSBwYXJhbWV0ZXIgbmFtZXMgYXJlIGNhc2UtaW5zZW5zaXRpdmUpOjwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdm9pY2V4bWw6ICBVUkkgb2YgdGhlIGluaXRp YWwgVm9pY2VYTUwgZG9jdW1lbnQgdG8gZmV0Y2guICBUaGlzIHdpbGw8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICB2b2ljZXhtbDogIFVSSSBvZiB0aGUgaW5pdGlhbCBWb2ljZVhN TCBkb2N1bWVudCB0byBmZXRjaC4gIFRoaXMgd2lsbDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICB0eXBpY2FsbHkgY29udGFpbiBhbiBI VFRQIFVSSSwgYnV0IG1heSB1c2Ugb3RoZXIgVVJJIHNjaGVtZXMsIGZvcjwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIHR5cGljYWxseSBjb250YWluIGFuIEhUVFAgVVJJLCBi dXQgbWF5IHVzZSBvdGhlciBVUkkgc2NoZW1lcywgZm9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIGV4YW1wbGUgdG8gcmVmZXIgdG8g bG9jYWwsIHN0YXRpYyBWb2ljZVhNTCBkb2N1bWVudHMuICBJZiB0aGU8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBleGFtcGxlIHRvIHJlZmVyIHRvIGxvY2FsLCBzdGF0aWMg Vm9pY2VYTUwgZG9jdW1lbnRzLiAgSWYgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICJ2b2ljZXhtbCIgcGFyYW1ldGVyIGlzIG9t aXR0ZWQsIHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgbWF5PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgICAgInZvaWNleG1sIiBwYXJhbWV0ZXIgaXMgb21pdHRlZCwgdGhlIFZv aWNlWE1MIE1lZGlhIFNlcnZlciBtYXk8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+ PGEgbmFtZT0icGFydC1sNSI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVt PiBwYWdlIDEyLCBsaW5lIDIwPC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9InBh cnQtcjUiPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxMiwg bGluZSA0MTwvZW0+PC9hPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBTcGVjaWFsIGNoYXJhY3RlcnMgY29udGFpbmVkIGluIHRoZSBk aWFsb2ctcGFyYW0sIHBvc3Rib2R5LXBhcmFtLDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIFNwZWNpYWwgY2hhcmFjdGVycyBjb250YWluZWQgaW4gdGhlIGRpYWxvZy1wYXJhbSwg cG9zdGJvZHktcGFyYW0sPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg Y2xhc3M9ImxlZnQiPiAgIGNjeG1sLXBhcmFtLCBhbmQgYWFpLXBhcmFtIHZhbHVlcyBtdXN0IGJl IFVSTC1lbmNvZGVkICgiZXNjYXBlZCIpIGFzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo dCI+ICAgY2N4bWwtcGFyYW0sIGFuZCBhYWktcGFyYW0gdmFsdWVzIG11c3QgYmUgVVJMLWVuY29k ZWQgKCJlc2NhcGVkIikgYXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+ICAgcmVxdWlyZWQgYnkgdGhlIFNJUCBVUkkgc3ludGF4LCBmb3IgZXhh bXBsZSAnPycgKCUzZiksICc9JyAoJTNkKSwgYW5kPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgcmVxdWlyZWQgYnkgdGhlIFNJUCBVUkkgc3ludGF4LCBmb3IgZXhhbXBsZSAnPycg KCUzZiksICc9JyAoJTNkKSwgYW5kPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgICc7JyAoJTNiKS4gIFRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2 ZXIgTVVTVCB0aGVyZWZvcmUgdW5lc2NhcGUgdGhlc2U8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICAnOycgKCUzYikuICBUaGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIE1VU1QgdGhl cmVmb3JlIHVuZXNjYXBlIHRoZXNlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHBhcmFtZXRlciB2YWx1ZXMgYmVmb3JlIG1ha2luZyB1c2Ug b2YgdGhlbSBvciBleHBvc2luZyB0aGVtIHRvPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo dCI+ICAgcGFyYW1ldGVyIHZhbHVlcyBiZWZvcmUgbWFraW5nIHVzZSBvZiB0aGVtIG9yIGV4cG9z aW5nIHRoZW0gdG88L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgcnVubmluZyBWb2ljZVhNTCBhcHBsaWNhdGlvbnMuICBJdCBpcyBpbXBvcnRh bnQgdGhhdCB0aGUgVm9pY2VYTUw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBy dW5uaW5nIFZvaWNlWE1MIGFwcGxpY2F0aW9ucy4gIEl0IGlzIGltcG9ydGFudCB0aGF0IHRoZSBW b2ljZVhNTDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBNZWRpYSBTZXJ2ZXIgb25seSB1bmVzY2FwZSB0aGUgcGFyYW1ldGVyIHZhbHVlcyBv bmNlIHNpbmNlIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIE1lZGlhIFNl cnZlciBvbmx5IHVuZXNjYXBlIHRoZSBwYXJhbWV0ZXIgdmFsdWVzIG9uY2Ugc2luY2UgdGhlPC90 ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRl c2lyZWQgVm9pY2VYTUwgVVJJIHZhbHVlIGNvdWxkIGl0c2VsZiBiZSBVUkwgZW5jb2RlZCwgZm9y IGV4YW1wbGUuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZGVzaXJlZCBWb2lj ZVhNTCBVUkkgdmFsdWUgY291bGQgaXRzZWxmIGJlIFVSTCBlbmNvZGVkLCBmb3IgZXhhbXBsZS48 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAwOCI+PC9h PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAg IDxzcGFuIGNsYXNzPSJpbnNlcnQiPlNpbmNlIHNvbWUgYXBwbGljYXRpb25zIG1heSBjaG9vc2Ug dG8gdHJhbnNmZXIgY29uZmlkZW50aWFsPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBpbmZvcm1hdGlvbiwgdGhlIFZvaWNlWE1M IE1lZGlhIFNlcnZlciBNVVNUIHN1cHBvcnQgdGhlIHNpcDogc2NoZW1lPC9zcGFuPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBhcyBkaXNj dXNzZWQgaW4gU2VjdGlvbiA5Ljwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j ayI+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgIDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBJbmZvcm1hdGl2ZSBub3RlOiBXaXRoIHJlc3BlY3QgdG8gdGhl IHBvc3Rib2R5LXBhcmFtIHZhbHVlLCBzaW5jZSB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICBJbmZvcm1hdGl2ZSBub3RlOiBXaXRoIHJlc3BlY3QgdG8gdGhlIHBvc3Rib2R5 LXBhcmFtIHZhbHVlLCBzaW5jZSB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVk IGNvbnRlbnQgaXRzZWxmIGVzY2FwZXMgbm9uLTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCBjb250ZW50IGl0c2VsZiBl c2NhcGVzIG5vbi08L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgYWxwaGFudW1lcmljIGNoYXJhY3RlcnMgYnkgaW5zZXJ0aW5nICVISCByZXBs YWNlbWVudHMsIHRoZSBlc2NhcGluZzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IGFscGhhbnVtZXJpYyBjaGFyYWN0ZXJzIGJ5IGluc2VydGluZyAlSEggcmVwbGFjZW1lbnRzLCB0 aGUgZXNjYXBpbmc8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgcnVsZXMgYWJvdmUgd2lsbCByZXN1bHQgaW4gdGhlICclJyBjaGFyYWN0ZXJz IGJlaW5nIGZ1cnRoZXIgZXNjYXBlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg IHJ1bGVzIGFib3ZlIHdpbGwgcmVzdWx0IGluIHRoZSAnJScgY2hhcmFjdGVycyBiZWluZyBmdXJ0 aGVyIGVzY2FwZWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgaW4gYWRkaXRpb24gdG8gdGhlICcmYW1wOycgYW5kICc9JyBuYW1lL3ZhbHVl IHNlcGFyYXRvcnMuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaW4gYWRkaXRp b24gdG8gdGhlICcmYW1wOycgYW5kICc9JyBuYW1lL3ZhbHVlIHNlcGFyYXRvcnMuPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBBcyBhbiBleGFtcGxlLCB0aGUgZm9sbG93aW5nIFNJUCBS ZXF1ZXN0LVVSSSBpZGVudGlmaWVzIHRoZSB1c2Ugb2Y8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9 InJpZ2h0Ij4gICBBcyBhbiBleGFtcGxlLCB0aGUgZm9sbG93aW5nIFNJUCBSZXF1ZXN0LVVSSSBp ZGVudGlmaWVzIHRoZSB1c2Ugb2Y8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgVm9pY2VYTUwgbWVkaWEgc2VydmljZXMsIHdpdGg8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBWb2ljZVhNTCBtZWRpYSBzZXJ2aWNlcywgd2l0 aDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g ICAnaHR0cDovL2FwcHNlcnZlci5leGFtcGxlLmNvbS9wcm9tcHRjb2xsZWN0LnZ4bWwnIGFzIHRo ZSBpbml0aWFsPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgJ2h0dHA6Ly9hcHBz ZXJ2ZXIuZXhhbXBsZS5jb20vcHJvbXB0Y29sbGVjdC52eG1sJyBhcyB0aGUgaW5pdGlhbDwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBWb2lj ZVhNTCBkb2N1bWVudCwgdG8gYmUgZmV0Y2hlZCB3aXRoIG1heC1hZ2UvbWF4LXN0YWxlIHZhbHVl cyBvZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFZvaWNlWE1MIGRvY3VtZW50 LCB0byBiZSBmZXRjaGVkIHdpdGggbWF4LWFnZS9tYXgtc3RhbGUgdmFsdWVzIG9mPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgYmdj b2xvcj0iZ3JheSI+PHRkPjwvdGQ+PHRoPjxhIG5hbWU9InBhcnQtbDYiPjxzbWFsbD5za2lwcGlu ZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxNywgbGluZSA0MzwvZW0+PC9hPjwvdGg+ PHRoPiA8L3RoPjx0aD48YSBuYW1lPSJwYXJ0LXI2Ij48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdl IGF0PC9zbWFsbD48ZW0+IHBhZ2UgMTgsIGxpbmUgMTg8L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij4gICBCWUUgdG8gdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlci4gIFVwb24gcmVj ZWlwdCBvZiBhIEJZRSBpbiB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBC WUUgdG8gdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlci4gIFVwb24gcmVjZWlwdCBvZiBhIEJZRSBp biB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgY29udGV4dCBvZiBhbiBleGlzdGluZyBWb2ljZVhNTCBTZXNzaW9uLCB0aGUgVm9pY2VY TUwgTWVkaWEgU2VydmVyPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgY29udGV4 dCBvZiBhbiBleGlzdGluZyBWb2ljZVhNTCBTZXNzaW9uLCB0aGUgVm9pY2VYTUwgTWVkaWEgU2Vy dmVyPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIE1VU1Qgc2VuZCBhIDIwMCBPSyByZXNwb25zZSwgYW5kIE1VU1QgdGhyb3cgYTwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIE1VU1Qgc2VuZCBhIDIwMCBPSyByZXNwb25zZSwg YW5kIE1VU1QgdGhyb3cgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICAnY29ubmVjdGlvbi5kaXNjb25uZWN0Lmhhbmd1cCcgZXZlbnQgdG8g dGhlIFZvaWNlWE1MIGFwcGxpY2F0aW9uLiAgSWY8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICAnY29ubmVjdGlvbi5kaXNjb25uZWN0Lmhhbmd1cCcgZXZlbnQgdG8gdGhlIFZvaWNl WE1MIGFwcGxpY2F0aW9uLiAgSWY8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIFJlYXNvbiBoZWFkZXIgW1JGQzMzMjZdIGlzIHByZXNl bnQgb24gdGhlIEJZRSBSZXF1ZXN0LCB0aGVuIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPiAgIHRoZSBSZWFzb24gaGVhZGVyIFtSRkMzMzI2XSBpcyBwcmVzZW50IG9uIHRoZSBC WUUgUmVxdWVzdCwgdGhlbiB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgdmFsdWUgb2YgdGhlIFJlYXNvbiBoZWFkZXIgaXMgcHJvdmlk ZWQgdmVyYmF0aW0gdmlhIHRoZSAnX21lc3NhZ2UnPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgdmFsdWUgb2YgdGhlIFJlYXNvbiBoZWFkZXIgaXMgcHJvdmlkZWQgdmVyYmF0aW0g dmlhIHRoZSAnX21lc3NhZ2UnPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgIHZhcmlhYmxlIHdpdGhpbiB0aGUgY2F0Y2ggZWxlbWVudCdzIGFu b255bW91cyB2YXJpYWJsZSBzY29wZS48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICB2YXJpYWJsZSB3aXRoaW4gdGhlIGNhdGNoIGVsZW1lbnQncyBhbm9ueW1vdXMgdmFyaWFibGUg c2NvcGUuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGUgVm9pY2VYTUwgTWVkaWEg U2VydmVyIG1heSBhbHNvIGluaXRpYXRlIHRlcm1pbmF0aW9uIG9mIHRoZTwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgbWF5IGFsc28g aW5pdGlhdGUgdGVybWluYXRpb24gb2YgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHNlc3Npb24gYnkgaXNzdWluZyBhIEJZRSByZXF1 ZXN0LiAgVGhpcyB3aWxsIHR5cGljYWxseSBvY2N1ciBhcyBhPC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+ICAgc2Vzc2lvbiBieSBpc3N1aW5nIGEgQllFIHJlcXVlc3QuICBUaGlzIHdp bGwgdHlwaWNhbGx5IG9jY3VyIGFzIGE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA5Ij48L2E+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj bGFzcz0ibGJsb2NrIj4gICByZXN1bHQgb2YgZW5jb3V0ZXJpbmcgYSAmbHQ7ZGlzY29ubmVjdCZn dDsgb3IgJmx0O2V4aXQmZ3Q7IGluIHRoZSBWb2ljZVhNTDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmJsb2NrIj4gICByZXN1bHQgb2YgZW5jb3U8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5uPC9zcGFu PnRlcmluZyBhICZsdDtkaXNjb25uZWN0Jmd0OyBvciAmbHQ7ZXhpdCZndDsgaW4gdGhlIFZvaWNl WE1MPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIGFwcGxpY2F0aW9uLCBkdWUgdG8gdGhlIFZvaWNlWE1MIGFwcGxpY2F0aW9uIHJ1bm5pbmcg dG8gY29tcGxldGlvbiw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBhcHBsaWNh dGlvbiwgZHVlIHRvIHRoZSBWb2ljZVhNTCBhcHBsaWNhdGlvbiBydW5uaW5nIHRvIGNvbXBsZXRp b24sPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIG9yIGR1ZSB0byB1bmhhbmRsZWQgZXJyb3JzIHdpdGhpbiB0aGUgVm9pY2VYTUwgYXBwbGlj YXRpb24uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgb3IgZHVlIHRvIHVuaGFu ZGxlZCBlcnJvcnMgd2l0aGluIHRoZSBWb2ljZVhNTCBhcHBsaWNhdGlvbi48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPiAgIFNlZSBTZWN0aW9uIDQgZm9yIG1lY2hhbmlzbXMgdG8gcmV0dXJu IGRhdGEgdG8gdGhlIEFwcGxpY2F0aW9uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgU2VlIFNlY3Rpb24gNCBmb3IgbWVjaGFuaXNtcyB0byByZXR1cm4gZGF0YSB0byB0aGUgQXBw bGljYXRpb248L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgU2VydmVyLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFNlcnZl ci48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjIuNi4gIEV4YW1wbGVzPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+Mi42LiAgRXhhbXBsZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjIuNi4xLiAgQmFzaWMgU2Vzc2lvbiBFc3RhYmxpc2htZW50PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+Mi42LjEuICBCYXNpYyBTZXNzaW9uIEVzdGFibGlzaG1lbnQ8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xh c3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIgYmdjb2xvcj0iZ3JheSI+PHRkPjwvdGQ+ PHRoPjxhIG5hbWU9InBhcnQtbDciPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxs PjxlbT4gcGFnZSAyNSwgbGluZSAxODwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48YSBuYW1l PSJwYXJ0LXI3Ij48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2Ug MjYsIGxpbmUgMTg8L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgNC4gIE1QRUctNCBBQUMgYXVkaW8gW1JGQzMwMTZdIFNI T1VMRCBiZSBzdXBwb3J0ZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgNC4g IE1QRUctNCBBQUMgYXVkaW8gW1JGQzMwMTZdIFNIT1VMRCBiZSBzdXBwb3J0ZWQuPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICA1LiAgT3RoZXIgY29kZWNzIGFuZCBwYXlsb2FkIGZvcm1h dHMgTUFZIGJlIHN1cHBvcnRlZC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICA1 LiAgT3RoZXIgY29kZWNzIGFuZCBwYXlsb2FkIGZvcm1hdHMgTUFZIGJlIHN1cHBvcnRlZC48L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFZpZGVvIHJlY29yZCBvcGVyYXRpb25zIGNhcnJp ZWQgb3V0IGJ5IHRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXI8L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJpZ2h0Ij4gICBWaWRlbyByZWNvcmQgb3BlcmF0aW9ucyBjYXJyaWVkIG91dCBieSB0aGUg Vm9pY2VYTUwgTWVkaWEgU2VydmVyPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHR5cGljYWxseSByZXF1aXJlIHJlY2VpcHQgb2YgYW4gaW50 cmEtZnJhbWUgYmVmb3JlIHRoZSByZWNvcmRpbmcgY2FuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+ICAgdHlwaWNhbGx5IHJlcXVpcmUgcmVjZWlwdCBvZiBhbiBpbnRyYS1mcmFtZSBi ZWZvcmUgdGhlIHJlY29yZGluZyBjYW48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29tbWVuY2UuICBUaGUgVm9pY2VYTUwgTWVkaWEgU2Vy dmVyIFNIT1VMRCB1c2UgdGhlIG1lY2hhbmlzbTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPiAgIGNvbW1lbmNlLiAgVGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBTSE9VTEQgdXNlIHRo ZSBtZWNoYW5pc208L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+ICAgZGVzY3JpYmVkIGluIFtSRkM0NTg1XSB0byByZXF1ZXN0IHRoYXQgYSBuZXcg aW50cmEtZnJhbWUgYmUgc2VudC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBk ZXNjcmliZWQgaW4gW1JGQzQ1ODVdIHRvIHJlcXVlc3QgdGhhdCBhIG5ldyBpbnRyYS1mcmFtZSBi ZSBzZW50LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYw MDEwIj48L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgPHNwYW4gY2xhc3M9Imluc2VydCI+U2luY2Ugc29tZSBhcHBsaWNhdGlvbnMgbWF5 IGNob29zZSB0byB0cmFuc2ZlciBjb25maWRlbnRpYWw8L3NwYW4+PC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGluZm9ybWF0aW9uLCB0aGUg Vm9pY2VYTUwgTWVkaWEgU2VydmVyIE1VU1Qgc3VwcG9ydCBTZWN1cmUgUlRQIChTUlRQKTwvc3Bh bj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ ICAgW1JGQzM3MTFdIGFzIGRpc2N1c3NlZCBpbiBTZWN0aW9uIDkuPC9zcGFuPjwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjMuNS4gIERUTUY8L3RkPjx0ZD4g PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4zLjUuICBEVE1GPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBEVE1GIGV2ZW50cyBbUkZDNDczM10gTVVTVCBiZSBzdXBwb3J0ZWQuICBXaGVuIHRo ZSB1c2VyIGFnZW50IGRvZXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBEVE1G IGV2ZW50cyBbUkZDNDczM10gTVVTVCBiZSBzdXBwb3J0ZWQuICBXaGVuIHRoZSB1c2VyIGFnZW50 IGRvZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgbm90IGluZGljYXRlIHN1cHBvcnQgZm9yIFtSRkM0NzMzXSB0aGUgVm9pY2VYTUwgTWVk aWEgU2VydmVyIE1BWTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG5vdCBpbmRp Y2F0ZSBzdXBwb3J0IGZvciBbUkZDNDczM10gdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNQVk8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg cGVyZm9ybSBEVE1GIGRldGVjdGlvbiB1c2luZyBvdGhlciBtZWFucyBzdWNoIGFzIGRldGVjdGlu ZyBEVE1GIHRvbmVzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcGVyZm9ybSBE VE1GIGRldGVjdGlvbiB1c2luZyBvdGhlciBtZWFucyBzdWNoIGFzIGRldGVjdGluZyBEVE1GIHRv bmVzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIGluIHRoZSBhdWRpbyBzdHJlYW0uICBJbXBsZW1lbnRhdGlvbiBub3RlOiB0aGUgcmVhc29u IHdoeSBvbmx5PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaW4gdGhlIGF1ZGlv IHN0cmVhbS4gIEltcGxlbWVudGF0aW9uIG5vdGU6IHRoZSByZWFzb24gd2h5IG9ubHk8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzQ3 MzNdIHRlbGVwaG9uZS1ldmVudHMgbXVzdCBiZSB1c2VkIHdoZW4gdGhlIHVzZXIgYWdlbnQgaW5k aWNhdGVzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1JGQzQ3MzNdIHRlbGVw aG9uZS1ldmVudHMgbXVzdCBiZSB1c2VkIHdoZW4gdGhlIHVzZXIgYWdlbnQgaW5kaWNhdGVzPC90 ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHN1 cHBvcnQgb2YgaXQgaXMgdG8gYXZvaWQgdGhlIHJpc2sgb2YgZG91YmxlIGRldGVjdGlvbiBvZiBE VE1GIGlmPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgc3VwcG9ydCBvZiBpdCBp cyB0byBhdm9pZCB0aGUgcmlzayBvZiBkb3VibGUgZGV0ZWN0aW9uIG9mIERUTUYgaWY8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZGV0ZWN0 aW9uIG9uIHRoZSBhdWRpbyBzdHJlYW0gd2FzIHNpbXVsdGFuZW91c2x5IGFwcGxpZWQuPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZGV0ZWN0aW9uIG9uIHRoZSBhdWRpbyBzdHJl YW0gd2FzIHNpbXVsdGFuZW91c2x5IGFwcGxpZWQuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln aHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4K ICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0ZD48L3RkPjx0aD48YSBuYW1lPSJwYXJ0LWw4Ij48 c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgMjYsIGxpbmUgMzA8 L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0icGFydC1yOCI+PHNtYWxsPnNraXBw aW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDI3LCBsaW5lIDMwPC9lbT48L2E+PC90 aD48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg IEZvciBtb3N0IGFwcGxpY2F0aW9ucywgaXQgaXMgbmVjZXNzYXJ5IHRvIGNvcnJlbGF0ZSB0aGUg aW5mb3JtYXRpb248L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBGb3IgbW9zdCBh cHBsaWNhdGlvbnMsIGl0IGlzIG5lY2Vzc2FyeSB0byBjb3JyZWxhdGUgdGhlIGluZm9ybWF0aW9u PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg IGJlaW5nIHBhc3NlZCBvdmVyIEhUVFAgd2l0aCBhIHBhcnRpY3VsYXIgVm9pY2VYTUwgU2Vzc2lv bi4gIE9uZSB3YXk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBiZWluZyBwYXNz ZWQgb3ZlciBIVFRQIHdpdGggYSBwYXJ0aWN1bGFyIFZvaWNlWE1MIFNlc3Npb24uICBPbmUgd2F5 PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg IHRoaXMgY2FuIGJlIGFjaGlldmVkIGlzIHRvIGluY2x1ZGUgdGhlIFNJUCBDYWxsLUlEIChhY2Nl c3NpYmxlIGluPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhpcyBjYW4gYmUg YWNoaWV2ZWQgaXMgdG8gaW5jbHVkZSB0aGUgU0lQIENhbGwtSUQgKGFjY2Vzc2libGUgaW48L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVm9p Y2VYTUwgdmlhIHRoZSBzZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLmhlYWRlcnMgYXJy YXkpPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVm9pY2VYTUwgdmlhIHRoZSBz ZXNzaW9uLmNvbm5lY3Rpb24ucHJvdG9jb2wuc2lwLmhlYWRlcnMgYXJyYXkpPC90ZD48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHdpdGhpbiB0aGUg SFRUUCBQT1NUIGZpZWxkcy4gIEFsdGVybmF0aXZlbHksIGEgdW5pcXVlICJQT1NULWJhY2sgVVJJ IjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHdpdGhpbiB0aGUgSFRUUCBQT1NU IGZpZWxkcy4gIEFsdGVybmF0aXZlbHksIGEgdW5pcXVlICJQT1NULWJhY2sgVVJJIjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBjYW4gYmUg c3BlY2lmaWVkIGFzIGFuIGFwcGxpY2F0aW9uLXNwZWNpZmljIFVSSSBwYXJhbWV0ZXIgaW4gdGhl PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgY2FuIGJlIHNwZWNpZmllZCBhcyBh biBhcHBsaWNhdGlvbi1zcGVjaWZpYyBVUkkgcGFyYW1ldGVyIGluIHRoZTwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBSZXF1ZXN0LVVSSSBv ZiB0aGUgaW5pdGlhbCBJTlZJVEUgKGFjY2Vzc2libGUgaW4gVm9pY2VYTUwgdmlhIHRoZTwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFJlcXVlc3QtVVJJIG9mIHRoZSBpbml0aWFs IElOVklURSAoYWNjZXNzaWJsZSBpbiBWb2ljZVhNTCB2aWEgdGhlPC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHNlc3Npb24uY29ubmVjdGlv bi5wcm90b2NvbC5zaXAucmVxdWVzdHVyaSBhcnJheSkuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+ICAgc2Vzc2lvbi5jb25uZWN0aW9uLnByb3RvY29sLnNpcC5yZXF1ZXN0dXJpIGFy cmF5KS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAx MSI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv Y2siPiAgIDxzcGFuIGNsYXNzPSJpbnNlcnQiPlNpbmNlIHNvbWUgYXBwbGljYXRpb25zIG1heSBj aG9vc2UgdG8gdHJhbnNmZXIgY29uZmlkZW50aWFsPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBpbmZvcm1hdGlvbiwgdGhlIFZv aWNlWE1MIE1lZGlhIFNlcnZlciBNVVNUIHN1cHBvcnQgdGhlIGh0dHBzOiBzY2hlbWU8L3NwYW4+ PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAg IGFzIGRpc2N1c3NlZCBpbiBTZWN0aW9uIDkuPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmJsb2NrIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjQuMi4gIFNJUCBNZWNoYW5pc208L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJpZ2h0Ij40LjIuICBTSVAgTWVjaGFuaXNtPC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs YXNzPSJsZWZ0Ij4gICBEYXRhIGNhbiBiZSByZXR1cm5lZCB0byB0aGUgQXBwbGljYXRpb24gU2Vy dmVyIHZpYSB0aGUgZXhwciBvcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIERh dGEgY2FuIGJlIHJldHVybmVkIHRvIHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgdmlhIHRoZSBleHBy IG9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PiAgIG5hbWVsaXN0IGF0dHJpYnV0ZSBvbiAmbHQ7ZXhpdCZndDsgb3IgdGhlIG5hbWVsaXN0IGF0 dHJpYnV0ZSBvbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG5hbWVsaXN0IGF0 dHJpYnV0ZSBvbiAmbHQ7ZXhpdCZndDsgb3IgdGhlIG5hbWVsaXN0IGF0dHJpYnV0ZSBvbjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAmbHQ7 ZGlzY29ubmVjdCZndDsuICBBIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBNVVNUIHN1cHBvcnQgZW5j b2Rpbmcgb2YgdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgJmx0O2Rpc2Nv bm5lY3QmZ3Q7LiAgQSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBzdXBwb3J0IGVuY29kaW5n IG9mIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICBleHByIC8gbmFtZWxpc3QgZGF0YSBpbiB0aGUgbWVzc2FnZSBib2R5IG9mIGEgQllF IHJlcXVlc3Qgc2VudCBmcm9tPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZXhw ciAvIG5hbWVsaXN0IGRhdGEgaW4gdGhlIG1lc3NhZ2UgYm9keSBvZiBhIEJZRSByZXF1ZXN0IHNl bnQgZnJvbTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICB0aGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGFzIGEgcmVzdWx0IG9mIGVuY291bnRl cmluZyB0aGUgJmx0O2V4aXQmZ3Q7IG9yPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlciBhcyBhIHJlc3VsdCBvZiBlbmNvdW50ZXJpbmcg dGhlICZsdDtleGl0Jmd0OyBvcjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICAmbHQ7ZGlzY29ubmVjdCZndDsgZWxlbWVudC4gIEEgVm9pY2VY TUwgTWVkaWEgU2VydmVyIE1BWSBzdXBwb3J0IGluY2x1c2lvbjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgICZsdDtkaXNjb25uZWN0Jmd0OyBlbGVtZW50LiAgQSBWb2ljZVhNTCBN ZWRpYSBTZXJ2ZXIgTUFZIHN1cHBvcnQgaW5jbHVzaW9uPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG9mIHRoZSBleHByIC8gbmFtZWxpc3Qg ZGF0YSBpbiB0aGUgbWVzc2FnZSBib2R5IG9mIHRoZSAyMDAgT0sgbWVzc2FnZTwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG9mIHRoZSBleHByIC8gbmFtZWxpc3QgZGF0YSBpbiB0 aGUgbWVzc2FnZSBib2R5IG9mIHRoZSAyMDAgT0sgbWVzc2FnZTwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpbiByZXNwb25zZSB0byBhIHJl Y2VpdmVkIEJZRSByZXF1ZXN0IChpLmUuIHdoZW4gdGhlIFZvaWNlWE1MPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgaW4gcmVzcG9uc2UgdG8gYSByZWNlaXZlZCBCWUUgcmVxdWVz dCAoaS5lLiB3aGVuIHRoZSBWb2ljZVhNTDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz PSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0ZD48L3RkPjx0 aD48YSBuYW1lPSJwYXJ0LWw5Ij48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48 ZW0+IHBhZ2UgMjcsIGxpbmUgMTA8L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0i cGFydC1yOSI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDI4 LCBsaW5lIDE0PC9lbT48L2E+PC90aD48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVUFDJ3MgdGlt ZXIgRiBleHBpcmVzIChkZWZhdWx0cyB0byAzMiBzZWNvbmRzKS4gIE1vcmVvdmVyLCBmb3I8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBVQUMncyB0aW1lciBGIGV4cGlyZXMgKGRl ZmF1bHRzIHRvIDMyIHNlY29uZHMpLiAgTW9yZW92ZXIsIGZvcjwvdGQ+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB1bnJlbGlhYmxlIHRyYW5zcG9y dHMsIHRoZSBVQUMgd2lsbCByZXRyYW5zbWl0IHRoZSBCWUUgcmVxdWVzdDwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIHVucmVsaWFibGUgdHJhbnNwb3J0cywgdGhlIFVBQyB3aWxs IHJldHJhbnNtaXQgdGhlIEJZRSByZXF1ZXN0PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFjY29yZGluZyB0byB0aGUgcnVsZXMgb2YgW1JG QzMyNjFdLiAgVGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZlcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz cz0icmlnaHQiPiAgIGFjY29yZGluZyB0byB0aGUgcnVsZXMgb2YgW1JGQzMyNjFdLiAgVGhlIFZv aWNlWE1MIE1lZGlhIFNlcnZlcjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBTSE9VTEQgaW1wbGVtZW50IHRoZSByZWNvbW1lbmRhdGlvbnMg b2YgW1JGQzQzMjBdIHJlZ2FyZGluZyB3aGVuIHRvPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy aWdodCI+ICAgU0hPVUxEIGltcGxlbWVudCB0aGUgcmVjb21tZW5kYXRpb25zIG9mIFtSRkM0MzIw XSByZWdhcmRpbmcgd2hlbiB0bzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsZWZ0Ij4gICBzZW5kIHRoZSAxMDAgVHJ5aW5nIHByb3Zpc2lvbmFsIHJlc3Bv bnNlIHRvIHRoZSBCWUUgcmVxdWVzdC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBzZW5kIHRoZSAxMDAgVHJ5aW5nIHByb3Zpc2lvbmFsIHJlc3BvbnNlIHRvIHRoZSBCWUUgcmVx dWVzdC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIElmIGEgVm9pY2VYTUwgQXBwbGlj YXRpb24gZXhlY3V0ZXMgYSAmbHQ7ZGlzY29ubmVjdCZndDsgW1ZYTUwyMV0gYW5kIHRoZW48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBJZiBhIFZvaWNlWE1MIEFwcGxpY2F0aW9u IGV4ZWN1dGVzIGEgJmx0O2Rpc2Nvbm5lY3QmZ3Q7IFtWWE1MMjFdIGFuZCB0aGVuPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHN1YnNlcXVl bnRseSBleGVjdXRlcyBhbiAmbHQ7ZXhpdCZndDsgd2l0aCBuYW1lbGlzdCBpbmZvcm1hdGlvbiwg dGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgc3Vic2VxdWVudGx5IGV4ZWN1 dGVzIGFuICZsdDtleGl0Jmd0OyB3aXRoIG5hbWVsaXN0IGluZm9ybWF0aW9uLCB0aGU8L3RkPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgbmFtZWxp c3QgaW5mb3JtYXRpb24gZnJvbSB0aGUgJmx0O2V4aXQmZ3Q7IGVsZW1lbnQgaXMgZGlzY2FyZGVk LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG5hbWVsaXN0IGluZm9ybWF0aW9u IGZyb20gdGhlICZsdDtleGl0Jmd0OyBlbGVtZW50IGlzIGRpc2NhcmRlZC48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAxMiI+PC9hPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxibG9jayI+ICAgTmFtZWxpc3QgdmFyaWFibGVzIGFyZSBmaXJzdCBjb252ZXJ0ZWQgdG8gPHNw YW4gY2xhc3M9ImRlbGV0ZSI+dG88L3NwYW4+IHRoZWlyIEpTT04gdmFsdWU8L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgTmFtZWxpc3QgdmFyaWFibGVzIGFyZSBmaXJzdCBjb252 ZXJ0ZWQgdG8gdGhlaXIgSlNPTiB2YWx1ZSBlcXVpdmFsZW50PC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgZXF1aXZhbGVudCBbUkZDNDYy N10gYW5kIGVuY29kZWQgaW4gdGhlIG1lc3NhZ2UgYm9keSB1c2luZyB0aGU8L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgW1JGQzQ2MjddIGFuZCBlbmNvZGVkIGluIHRoZSBtZXNz YWdlIGJvZHkgdXNpbmcgdGhlIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmFwcGxpY2F0aW9uLzwvc3Bh bj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8 dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr Ij4gICA8c3BhbiBjbGFzcz0iZGVsZXRlIj5hcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29k ZWQ8L3NwYW4+IGZvcm1hdCBjb250ZW50IHR5cGUgW0hUTUw0XS4gIFRoZTwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICB4LXd3dy1mb3JtLXVy bGVuY29kZWQ8L3NwYW4+IGZvcm1hdCBjb250ZW50IHR5cGUgW0hUTUw0XS4gIFRoZSBiZWhhdmlv cjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si PiAgIGJlaGF2aW9yIHJlc3VsdGluZyBmcm9tIHNwZWNpZnlpbmcgYSByZWNvcmRpbmcgdmFyaWFi bGUgaW4gdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIHJlc3VsdGluZyBm cm9tIHNwZWNpZnlpbmcgYSByZWNvcmRpbmcgdmFyaWFibGUgaW4gdGhlIG5hbWVsaXN0IG9yIGFu PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ ICAgbmFtZWxpc3Qgb3IgYW4gRUNNQVNjcmlwdCBvYmplY3Qgd2l0aCBjaXJjdWxhciByZWZlcmVu Y2VzIGlzIG5vdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBFQ01BU2NyaXB0 IG9iamVjdCB3aXRoIGNpcmN1bGFyIHJlZmVyZW5jZXMgaXMgbm90IGRlZmluZWQuICBJZiB0aGU8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g ICBkZWZpbmVkLiAgSWYgdGhlIGV4cHIgYXR0cmlidXRlIGlzIHNwZWNpZmllZCBvbiB0aGUgJmx0 O2V4aXQmZ3Q7IGVsZW1lbnQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgZXhw ciBhdHRyaWJ1dGUgaXMgc3BlY2lmaWVkIG9uIHRoZSAmbHQ7ZXhpdCZndDsgZWxlbWVudCBpbnN0 ZWFkIG9mIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsYmxvY2siPiAgIGluc3RlYWQgb2YgdGhlIG5hbWVsaXN0IGF0dHJpYnV0ZSwgdGhlIHJlc2Vy dmVkIG5hbWUgX19leGl0IGlzIHVzZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si PiAgIG5hbWVsaXN0IGF0dHJpYnV0ZSwgdGhlIHJlc2VydmVkIG5hbWUgX19leGl0IGlzIHVzZWQu PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUbyBhbGxvdyB0aGUgYXBwbGljYXRpb24g c2VydmVyIHRvIGRpZmZlcmVudGlhdGUgYmV0d2VlbiBhIEJZRTwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgIFRvIGFsbG93IHRoZSBhcHBsaWNhdGlvbiBzZXJ2ZXIgdG8gZGlmZmVy ZW50aWF0ZSBiZXR3ZWVuIGEgQllFPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlc3VsdGluZyBmcm9tIGEgJmx0O2Rpc2Nvbm5lY3QmZ3Q7 IGZyb20gb25lIHJlc3VsdGluZyBmcm9tIGFuICZsdDtleGl0Jmd0OywgdGhlPC90ZD48dGQ+IDwv dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcmVzdWx0aW5nIGZyb20gYSAmbHQ7ZGlzY29ubmVjdCZn dDsgZnJvbSBvbmUgcmVzdWx0aW5nIGZyb20gYW4gJmx0O2V4aXQmZ3Q7LCB0aGU8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcmVzZXJ2ZWQg bmFtZSBfX3JlYXNvbiBpcyB1c2VkLCB3aXRoIGEgdmFsdWUgb2YgImRpc2Nvbm5lY3QiICh3aXRo b3V0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcmVzZXJ2ZWQgbmFtZSBfX3Jl YXNvbiBpcyB1c2VkLCB3aXRoIGEgdmFsdWUgb2YgImRpc2Nvbm5lY3QiICh3aXRob3V0PC90ZD48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGJyYWNr ZXRzKSB0byByZWZsZWN0IHRoZSB1c2Ugb2YgVm9pY2VYTUwncyAmbHQ7ZGlzY29ubmVjdCZndDsg ZWxlbWVudCwgYW5kPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYnJhY2tldHMp IHRvIHJlZmxlY3QgdGhlIHVzZSBvZiBWb2ljZVhNTCdzICZsdDtkaXNjb25uZWN0Jmd0OyBlbGVt ZW50LCBhbmQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i bGVmdCI+ICAgYSB2YWx1ZSBvZiAiZXhpdCIgKHdpdGhvdXQgYnJhY2tldHMpIHRvIGFuIGV4cGxp Y2l0ICZsdDtleGl0Jmd0OyBpbiB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g ICBhIHZhbHVlIG9mICJleGl0IiAod2l0aG91dCBicmFja2V0cykgdG8gYW4gZXhwbGljaXQgJmx0 O2V4aXQmZ3Q7IGluIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICBWb2ljZVhNTCBkb2N1bWVudC4gIElmIHRoZSBzZXNzaW9uIHRlcm1p bmF0ZXMgZm9yIG90aGVyIHJlYXNvbnMgKHN1Y2g8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICBWb2ljZVhNTCBkb2N1bWVudC4gIElmIHRoZSBzZXNzaW9uIHRlcm1pbmF0ZXMgZm9y IG90aGVyIHJlYXNvbnMgKHN1Y2g8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgYXMgdGhlIG1lZGlhIHNlcnZlciBlbmNvdW50ZXJpbmcgYW4g ZXJyb3IpLCB0aGlzIHBhcmFtZXRlciBtYXkgYmU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij4gICBhcyB0aGUgbWVkaWEgc2VydmVyIGVuY291bnRlcmluZyBhbiBlcnJvciksIHRoaXMg cGFyYW1ldGVyIG1heSBiZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij4gICBvbWl0dGVkLCBvciBtYXkgdGFrZSBvbiBwbGF0Zm9ybS1zcGVjaWZp YyB2YWx1ZXMgcHJlZml4ZWQgd2l0aCBhbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PiAgIG9taXR0ZWQsIG9yIG1heSB0YWtlIG9uIHBsYXRmb3JtLXNwZWNpZmljIHZhbHVlcyBwcmVm aXhlZCB3aXRoIGFuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPiAgIHVuZGVyc2NvcmUuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgdW5kZXJzY29yZS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48 L3RkPjwvdHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0i cGFydC1sMTAiPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAy OSwgbGluZSA1PC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9InBhcnQtcjEwIj48 c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgMjksIGxpbmUgNDA8 L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBNYXgtRm9yd2FyZHM6IDcw PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgTWF4LUZvcndhcmRzOiA3MDwv dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAg ICBGcm9tOiBzaXA6ZGlhbG9nQGV4YW1wbGUuY29tO3RhZz1hNmM4NWNmPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgRnJvbTogc2lwOmRpYWxvZ0BleGFtcGxlLmNvbTt0YWc9 YTZjODVjZjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs ZWZ0Ij4gICAgICBUbzogc2lwOnVzZXJAZXhhbXBsZS5jb207dGFnPTE5MjgzMDE3NzQ8L3RkPjx0 ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBUbzogc2lwOnVzZXJAZXhhbXBsZS5jb207 dGFnPTE5MjgzMDE3NzQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj bGFzcz0ibGVmdCI+ICAgICAgQ2FsbC1JRDogYTg0YjRjNzZlNjY3MTA8L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBDYWxsLUlEOiBhODRiNGM3NmU2NjcxMDwvdGQ+PHRkIGNs YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBDU2VxOiAy MzEgQllFPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgQ1NlcTogMjMxIEJZ RTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0 cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g ICAgICBDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZDtjaGFy c2V0PXV0Zi04PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgQ29udGVudC1U eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ7Y2hhcnNldD11dGYtODwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBD b250ZW50LUxlbmd0aDogMzA8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBD b250ZW50LUxlbmd0aDogMzA8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIGlkPTEy MzQmYW1wO3Bpbj05OTk5JmFtcDtfX3JlYXNvbj1leGl0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+ICAgICAgaWQ9MTIzNCZhbXA7cGluPTk5OTkmYW1wO19fcmVhc29uPWV4aXQ8L3Rk Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAxMyI+PC9hPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDxz cGFuIGNsYXNzPSJpbnNlcnQiPlNpbmNlIHNvbWUgYXBwbGljYXRpb25zIG1heSBjaG9vc2UgdG8g dHJhbnNmZXIgY29uZmlkZW50aWFsPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJs b2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBpbmZvcm1hdGlvbiwgdGhlIFZvaWNlWE1MIE1l ZGlhIFNlcnZlciBNVVNUIHN1cHBvcnQgdGhlIFMvTUlNRTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48 dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgZW5jb2Rpbmcgb2YgU0lQ IG1lc3NhZ2UgYm9kaWVzIGFzIGRpc2N1c3NlZCBpbiBTZWN0aW9uIDkuPC9zcGFuPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC90ZD48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjUuICBPdXRib3VuZCBDYWxs aW5nPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+NS4gIE91dGJvdW5kIENhbGxpbmc8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIE91dGJvdW5kIGNhbGxzIGNhbiBiZSB0cmln Z2VyZWQgdmlhIHRoZSBBcHBsaWNhdGlvbiBTZXJ2ZXIgdXNpbmc8L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBPdXRib3VuZCBjYWxscyBjYW4gYmUgdHJpZ2dlcmVkIHZpYSB0aGUg QXBwbGljYXRpb24gU2VydmVyIHVzaW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRoaXJkIHBhcnR5IGNhbGwgY29udHJvbCBbUkZDMzcy NV0uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhpcmQgcGFydHkgY2FsbCBj b250cm9sIFtSRkMzNzI1XS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEZsb3cgSVYg ZnJvbSBbUkZDMzcyNV0gaXMgcmVjb21tZW5kZWQgaW4gY29uanVuY3Rpb24gd2l0aCB0aGU8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBGbG93IElWIGZyb20gW1JGQzM3MjVdIGlz IHJlY29tbWVuZGVkIGluIGNvbmp1bmN0aW9uIHdpdGggdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFZvaWNlWE1MIFNlc3Npb24gcHJl cGFyYXRpb24gbWVjaGFuaXNtLiAgVGhpcyBmbG93IGhhcyBzZXZlcmFsPC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+ICAgVm9pY2VYTUwgU2Vzc2lvbiBwcmVwYXJhdGlvbiBtZWNoYW5p c20uICBUaGlzIGZsb3cgaGFzIHNldmVyYWw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYWR2YW50YWdlcyBvdmVyIG90aGVycywgbmFtZWx5 OjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGFkdmFudGFnZXMgb3ZlciBvdGhl cnMsIG5hbWVseTo8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz cz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDEuICBTZWxlY3Rpb24g b2YgYSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgYW5kIHByZXBhcmF0aW9uIG9mIHRoZTwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDEuICBTZWxlY3Rpb24gb2YgYSBWb2ljZVhNTCBN ZWRpYSBTZXJ2ZXIgYW5kIHByZXBhcmF0aW9uIG9mIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90 ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+ PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0 ZD48L3RkPjx0aD48YSBuYW1lPSJwYXJ0LWwxMSI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBh dDwvc21hbGw+PGVtPiBwYWdlIDM4LCBsaW5lIDc8L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+ PGEgbmFtZT0icGFydC1yMTEiPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxl bT4gcGFnZSAzOSwgbGluZSA3PC9lbT48L2E+PC90aD48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIE1hdHQgT3NocnkgKFRlbGxtZSk8L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICBNYXR0IE9zaHJ5IChUZWxsbWUpPC90 ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBSYW8gU3VyYXBhbmVuaSAoVGVsbG1lKTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIFJhbyBTdXJhcGFuZW5pIChUZWxs bWUpPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGUgYXV0aG9ycyB3b3VsZCBsaWtl IHRvIGFja25vd2xlZGdlIHRoZSBzdXBwb3J0IG9mIEN1bGxlbiBKZW5uaW5nczwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBhdXRob3JzIHdvdWxkIGxpa2UgdG8gYWNrbm93 bGVkZ2UgdGhlIHN1cHBvcnQgb2YgQ3VsbGVuIEplbm5pbmdzPC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2 YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFuZCB0aGUgTWVkaWFjdHJsIGNo YWlycywgRXJpYyBCdXJnZXIgYW5kIFNwZW5jZXIgRGF3a2lucy48L3RkPjx0ZD4gPC90ZD48dGQg Y2xhc3M9InJpZ2h0Ij4gICBhbmQgdGhlIE1lZGlhY3RybCBjaGFpcnMsIEVyaWMgQnVyZ2VyIGFu ZCBTcGVuY2VyIERhd2tpbnMuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij45LiAgU2VjdXJp dHkgQ29uc2lkZXJhdGlvbnM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij45LiAgU2Vj dXJpdHkgQ29uc2lkZXJhdGlvbnM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48 dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48 YSBuYW1lPSJkaWZmMDAxNCI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgRXhwb3NpbmcgPHNw YW4gY2xhc3M9ImRlbGV0ZSI+bmV0d29yayBzZXJ2aWNlczwvc3Bhbj4gd2l0aCB3ZWxsLWtub3du IDxzcGFuIGNsYXNzPSJkZWxldGUiPmFkZHJlc3Nlczwvc3Bhbj4gbWF5IGVuaGFuY2UgdGhlPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIEV4cG9zaW5nIDxzcGFuIGNsYXNzPSJp bnNlcnQiPmEgVm9pY2VYTUwgbWVkaWEgc2VydmljZTwvc3Bhbj4gd2l0aCA8c3BhbiBjbGFzcz0i aW5zZXJ0Ij5hPC9zcGFuPiB3ZWxsLWtub3duIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmFkZHJlc3M8 L3NwYW4+IG1heTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsYmxvY2siPiAgIHBvc3NpYmlsaXR5IG9mIDxzcGFuIGNsYXNzPSJkZWxldGUiPmV4cGxvaXRh dGlvbi4gIFRoZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIgTVVTVCBzdXBwb3J0PC9zcGFuPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBlbmhhbmNlIHRoZSBwb3NzaWJpbGl0eSBv ZiA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5leHBsb2l0YXRpb24gKGZvciBleGFtcGxlIGFuIGludm9r ZWQ8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgZGlnZXN0IGF1dGhlbnRpY2F0aW9uIG9m IHJlcXVlc3RpbmcgZW5kcG9pbnRzLjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi bG9jayI+ICAgbmV0d29yayA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5zZXJ2aWNlPC9zcGFuPiBtYXkg PHNwYW4gY2xhc3M9Imluc2VydCI+dHJpZ2dlciBhIGJpbGxpbmcgZXZlbnQpLjwvc3Bhbj4gIFRo ZSBWb2ljZVhNTCBNZWRpYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPjwvc3Bhbj48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgU2VydmVyIGlzIFJFQ09NTUVOREVEIHRvIDxzcGFuIGNs YXNzPSJpbnNlcnQiPnVzZSBzdGFuZGFyZCBTSVAgbWVjaGFuaXNtcyBbUkZDMzI2MV08L3NwYW4+ IHRvPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgVGhlIHRyYW5zZmVyIG1lY2hhbmlzbSBkZXNjcmli ZWQgaW4gc2VjdGlvbiA2IG1ha2VzIGl0IHBvc3NpYmxlIGZvcjwvc3Bhbj48L3RkPjx0ZD4gPC90 ZD48dGQgY2xhc3M9InJibG9jayI+ICAgPHNwYW4gY2xhc3M9Imluc2VydCI+YXV0aGVudGljYXRl IHJlcXVlc3RpbmcgZW5kcG9pbnRzPC9zcGFuPiBhbmQgPHNwYW4gY2xhc3M9Imluc2VydCI+YXV0 aG9yaXplIHBlciBsb2NhbCBwb2xpY3kuPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIGFw cGxpY2F0aW9uIGRldmVsb3BlcnMgdG8gaW5pdGlhdGUgb3V0Ym91bmQgY2FsbHMgdGhhdCBjb25z dW1lPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBuZXR3b3JrIDxz cGFuIGNsYXNzPSJkZWxldGUiPnJlc291cmNlcywgaGF2ZSBiaWxsaW5nIGltcGxpY2F0aW9ucywg YW5kPC9zcGFuPiBtYXkgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Y3JlYXRlPC9zcGFuPjwvdGQ+PHRk PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICB1bnRyYWNl YWJsZSBjYWxscy48L3NwYW4+ICBUaGUgVm9pY2VYTUwgTWVkaWEgU2VydmVyIGlzIFJFQ09NTUVO REVEIHRvPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDxzcGFuIGNsYXNzPSJk ZWxldGUiPnByb3ZpZGUgbG9jYWwgcG9saWNpZXMgZm9yIGF1dGhvcml6aW5nIGFuZCBsaW1pdGlu ZyBjYWxsIHBsYWNlbWVudCBpbjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j ayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgYWRkaXRpb248L3NwYW4+IHRvIDxzcGFuIGNsYXNz PSJkZWxldGUiPnByb3ZpZGluZyBjYWxsIGRldGFpbCByZWNvcmRpbmcgZm9yIHRoZSBwdXJwb3Nl cyBvZjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9 ImRlbGV0ZSI+ICAgZ2VuZXJhdGluZyBhdWRpdCB0cmFpbHM8L3NwYW4+IGFuZCA8c3BhbiBjbGFz cz0iZGVsZXRlIj5iaWxsaW5nLjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j ayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBTb21lIGFwcGxpY2F0aW9ucyBtYXkg Y2hvb3NlIHRvIHRyYW5zZmVyIGNvbmZpZGVudGlhbCBpbmZvcm1hdGlvbiB0bzwvdGQ+PHRkPiA8 L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFNvbWUgYXBwbGljYXRpb25zIG1heSBjaG9vc2UgdG8g dHJhbnNmZXIgY29uZmlkZW50aWFsIGluZm9ybWF0aW9uIHRvPC90ZD48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAx NSI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgb3IgZnJvbSB0aGUgVm9pY2VYTUwgTWVkaWEg U2VydmVyLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+VGhlPC9zcGFuPiBWb2ljZVhNTCBNZWRpYSBT ZXJ2ZXIgTVVTVDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBvciBmcm9tIHRo ZSBWb2ljZVhNTCBNZWRpYSBTZXJ2ZXIuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5UbyBwcm92aWRl IGRhdGEgY29uZmlkZW50aWFsaXR5LDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBpbXBsZW1lbnQgdGhlIHNpcHM6IGFuZCBo dHRwczogc2NoZW1lcyB0byA8c3BhbiBjbGFzcz0iZGVsZXRlIj5wcm92aWRlIGRhdGE8L3NwYW4+ PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAg IHRoZTwvc3Bhbj4gVm9pY2VYTUwgTWVkaWEgU2VydmVyIE1VU1QgaW1wbGVtZW50IHRoZSBzaXBz OiBhbmQgaHR0cHM6IHNjaGVtZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk Pjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBjb25maWRlbnRpYWxp dHkuPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICA8c3BhbiBjbGFz cz0iaW5zZXJ0Ij5pbiBhZGRpdGlvbjwvc3Bhbj4gdG8gPHNwYW4gY2xhc3M9Imluc2VydCI+Uy9N SU1FIG1lc3NhZ2UgYm9keSBlbmNvZGluZyBhcyBkZXNjcmliZWQgaW48L3NwYW4+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIFtSRkMzMjYx XS48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGUgVm9pY2VYTUwgTWVk aWEgU2VydmVyIE1VU1Qgc3VwcG9ydCBTZWN1cmUgUlRQIChTUlRQKSBbUkZDMzcxMV0gdG88L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGUgVm9pY2VYTUwgTWVkaWEgU2VydmVy IE1VU1Qgc3VwcG9ydCBTZWN1cmUgUlRQIChTUlRQKSBbUkZDMzcxMV0gdG88L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcHJvdmlkZSBjb25m aWRlbnRpYWxpdHksIGF1dGhlbnRpY2F0aW9uLCBhbmQgcmVwbGF5IHByb3RlY3Rpb24gZm9yPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcHJvdmlkZSBjb25maWRlbnRpYWxpdHks IGF1dGhlbnRpY2F0aW9uLCBhbmQgcmVwbGF5IHByb3RlY3Rpb24gZm9yPC90ZD48dGQgY2xhc3M9 ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFJUUCBtZWRpYSBzdHJl YW1zIChpbmNsdWRpbmcgUlRDUCBjb250cm9sIHRyYWZmaWMpLjwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgIFJUUCBtZWRpYSBzdHJlYW1zIChpbmNsdWRpbmcgUlRDUCBjb250cm9s IHRyYWZmaWMpLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+ CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVG8gbWl0aWdhdGUgYWdh aW5zdCB0aGUgcG9zc2liaWxpdHkgZm9yIGRlbmlhbCBvZiBzZXJ2aWNlIGF0dGFja3MsPC90ZD48 dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVG8gbWl0aWdhdGUgYWdhaW5zdCB0aGUgcG9z c2liaWxpdHkgZm9yIGRlbmlhbCBvZiBzZXJ2aWNlIGF0dGFja3MsPC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZm MDAxNiI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgdGhlIFZvaWNlWE1MIE1lZGlhIFNlcnZl ciBpcyBSRUNPTU1FTkRFRCB0byA8c3BhbiBjbGFzcz0iZGVsZXRlIj5oYXZlPC9zcGFuPiBsb2Nh bCBwb2xpY2llcyBzdWNoPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIHRoZSBW b2ljZVhNTCBNZWRpYSBTZXJ2ZXIgaXMgUkVDT01NRU5ERUQgPHNwYW4gY2xhc3M9Imluc2VydCI+ KGluIGFkZGl0aW9uPC9zcGFuPiB0bzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIGFzIHRpbWUtbGltaXRpbmcgVm9pY2VYTUwgYXBwbGlj YXRpb24gZXhlY3V0aW9uLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICA8c3Bh biBjbGFzcz0iaW5zZXJ0Ij5hdXRoZW50aWNhdGluZyBhbmQgYXV0aG9yaXppbmcgZW5kcG9pbnRz IGRlc2NyaWJlZCBhYm92ZSkgdG8gcHJvdmlkZTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh c3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgbWVjaGFuaXNtcyBmb3IgaW1wbGVt ZW50aW5nPC9zcGFuPiBsb2NhbCBwb2xpY2llcyBzdWNoIGFzIHRpbWUtbGltaXRpbmcgPHNwYW4g Y2xhc3M9Imluc2VydCI+b2Y8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+ PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si PiAgIFZvaWNlWE1MIGFwcGxpY2F0aW9uIGV4ZWN1dGlvbi48L3RkPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPjEwLiAgSUFOQSBDb25zaWRlcmF0aW9uczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i cmlnaHQiPjEwLiAgSUFOQSBDb25zaWRlcmF0aW9uczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm dCI+ICAgSUFOQSBTSEFMTCByZWdpc3RlciB0aGUgZm9sbG93aW5nIHBhcmFtZXRlcnMgaW4gdGhl IFNJUC9TSVBTIFVSSTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIElBTkEgU0hB TEwgcmVnaXN0ZXIgdGhlIGZvbGxvd2luZyBwYXJhbWV0ZXJzIGluIHRoZSBTSVAvU0lQUyBVUkk8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg UGFyYW1ldGVycyByZWdpc3RyeSwgZm9sbG93aW5nIHRoZSBzcGVjaWZpY2F0aW9uIHJlcXVpcmVk IHBvbGljeSBvZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFBhcmFtZXRlcnMg cmVnaXN0cnksIGZvbGxvd2luZyB0aGUgc3BlY2lmaWNhdGlvbiByZXF1aXJlZCBwb2xpY3kgb2Y8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg UkZDIDM5Njk6PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgUkZDIDM5Njk6PC90 ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0 ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0 b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBQYXJhbWV0ZXIgTmFtZSAgICBQcmVkZWZpbmVk IFZhbHVlcyAgICBSZWZlcmVuY2U8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBQ YXJhbWV0ZXIgTmFtZSAgICBQcmVkZWZpbmVkIFZhbHVlcyAgICBSZWZlcmVuY2U8L3RkPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgLS0tLS0tLS0t LS0tLS0gICAgLS0tLS0tLS0tLS0tLS0tLS0gICAgLS0tLS0tLS0tPC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgLS0tLS0tLS0tLS0tLS0gICAgLS0tLS0tLS0tLS0tLS0tLS0gICAg LS0tLS0tLS0tPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9 ImxlZnQiPiAgIG1heGFnZSAgICAgICAgICAgICAgICAgICBubyAgICAgICAgICAgICAgIFRCRDwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG1heGFnZSAgICAgICAgICAgICAgICAg ICBubyAgICAgICAgICAgICAgIFRCRDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBtYXhzdGFsZSAgICAgICAgICAgICAgICAgbm8gICAgICAg ICAgICAgICBUQkQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBtYXhzdGFsZSAg ICAgICAgICAgICAgICAgbm8gICAgICAgICAgICAgICBUQkQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgbWV0aG9kICAgICAgICAgICAgICAi Z2V0IiAvICJwb3N0IiAgICAgICAgVEJEPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ ICAgbWV0aG9kICAgICAgICAgICAgICAiZ2V0IiAvICJwb3N0IiAgICAgICAgVEJEPC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHBvc3Rib2R5 ICAgICAgICAgICAgICAgICBubyAgICAgICAgICAgICAgIFRCRDwvdGQ+PHRkPiA8L3RkPjx0ZCBj bGFzcz0icmlnaHQiPiAgIHBvc3Rib2R5ICAgICAgICAgICAgICAgICBubyAgICAgICAgICAgICAg IFRCRDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg IDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwMTciPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+ PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5jY3ht bCAgICAgICAgICAgICAgICAgICAgbm8gICAgICAgICAgICAgICBUQkQ8L3NwYW4+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGFhaSAgICAg ICAgICAgICAgICAgICAgICBubyAgICAgICAgICAgICAgIFRCRDwvc3Bhbj48L3RkPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+ PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPjExLiAgQ2hhbmdlcyBzaW5jZSBsYXN0IHZlcnNpb246PC90ZD48dGQ+ IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+MTEuICBDaGFuZ2VzIHNpbmNlIGxhc3QgdmVyc2lvbjo8 L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+ PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAxOCI+PC9h PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgbyAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+QWRkZWQgcmF0 aW9uYWxlIGZvciBzdGFuZGFyZGl6aW5nIHRoZSBTSVAgVVJJIHVzZXIgcGFydCB0bzwvc3Bhbj48 L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgbyAgPHNwYW4gY2xhc3M9Imluc2Vy dCI+VGlnaHRlbmVkIHVwIFNlY3VyaXR5IENvbnNpZGVyYXRpb25zIHBlciBjb21tZW50cyBmcm9t IElFU0cgcmV2aWV3PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48 L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+ PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAgICdkaWFsb2cnPC9z cGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAxOSI+PC9hPjwvdGQ+PC90cj4KICAgICAg PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j ayI+ICAgbyAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+U3BlY2lmaWVkIHRoYXQgdGhlIFJlcXVlc3Qt VVJJIHBhcmFtZXRlciBuYW1lcyBhcmUgY2FzZS08L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyYmxvY2siPiAgIG8gIDxzcGFuIGNsYXNzPSJpbnNlcnQiPkFkZGVkIG1pc3NpbmcgY2N4 bWw8L3NwYW4+IGFuZCA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5hYWkgSUFOQSByZWdpc3RyYXRpb25z PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs YmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAgIGluc2Vuc2l0aXZlPC9zcGFuPiBhbmQg PHNwYW4gY2xhc3M9ImRlbGV0ZSI+dGhlIGNvcnJlc3BvbmRpbmcgYXJyYXkga2V5cyBhcmUgY29u dmVydGVkIHRvPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBj bGFzcz0iaW5zZXJ0Ij48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgICAgbG93ZXItY2Fz ZTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imlu c2VydCI+ICAgbyAgTWlzY2VsbGFuZW91cyB0eXBvczwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90 cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh c3M9ImxlZnQiPjEyLiAgUmVmZXJlbmNlczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi PjEyLiAgUmVmZXJlbmNlczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+MTIuMS4gIE5vcm1h dGl2ZSBSZWZlcmVuY2VzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+MTIuMS4gIE5v cm1hdGl2ZSBSZWZlcmVuY2VzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48 dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBbSFRNTDRd ICAgIFJhZ2dldHQsIEQuLCBMZSBIb3JzLCBBLiwgYW5kIEkuIEphY29icywgIkhUTUwgNC4wMTwv dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtIVE1MNF0gICAgUmFnZ2V0dCwgRC4s IExlIEhvcnMsIEEuLCBhbmQgSS4gSmFjb2JzLCAiSFRNTCA0LjAxPC90ZD48dGQgY2xhc3M9Imxp bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgU3BlY2lm aWNhdGlvbiIsIFczQyBSZWNvbW1lbmRhdGlvbiwgRGVjIDE5OTkuPC90ZD48dGQ+IDwvdGQ+PHRk IGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICBTcGVjaWZpY2F0aW9uIiwgVzNDIFJlY29tbWVu ZGF0aW9uLCBEZWMgMTk5OS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90 ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0 ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtSRkMyMTE5 XSAgQnJhZG5lciwgUy4sICJLZXkgd29yZHMgZm9yIHVzZSBpbiBSRkNzIHRvIEluZGljYXRlPC90 ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1JGQzIxMTldICBCcmFkbmVyLCBTLiwg IktleSB3b3JkcyBmb3IgdXNlIGluIFJGQ3MgdG8gSW5kaWNhdGU8L3RkPjx0ZCBjbGFzcz0ibGlu ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBSZXF1aXJl bWVudCBMZXZlbHMiLCBCQ1AgMTQsIFJGQyAyMTE5LCBNYXJjaCAxOTk3LjwvdGQ+PHRkPiA8L3Rk Pjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgUmVxdWlyZW1lbnQgTGV2ZWxzIiwgQkNQ IDE0LCBSRkMgMjExOSwgTWFyY2ggMTk5Ny48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249 InRvcCI+PC90ZD48L3RyPgoKICAgICA8dHI+PHRkPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZD48L3RkPjwvdHI+CiAgICAgPHRy IGJnY29sb3I9ImdyYXkiPjx0aCBjb2xzcGFuPSI1IiBhbGlnbj0iY2VudGVyIj48YSBuYW1lPSJl bmQiPiZuYnNwO0VuZCBvZiBjaGFuZ2VzLiAxOSBjaGFuZ2UgYmxvY2tzLiZuYnNwOzwvYT48L3Ro PjwvdHI+CiAgICAgPHRyIGNsYXNzPSJzdGF0cyI+PHRkPjwvdGQ+PHRoPjxpPjYyIGxpbmVzIGNo YW5nZWQgb3IgZGVsZXRlZDwvaT48L3RoPjx0aD48aT4gPC9pPjwvdGg+PHRoPjxpPjgxIGxpbmVz IGNoYW5nZWQgb3IgYWRkZWQ8L2k+PC90aD48dGQ+PC90ZD48L3RyPgogICAgIDx0cj48dGQgY29s c3Bhbj0iNSIgY2xhc3M9InNtYWxsIiBhbGlnbj0iY2VudGVyIj48YnI+VGhpcyBodG1sIGRpZmYg d2FzIHByb2R1Y2VkIGJ5IHJmY2RpZmYgMS4zNS4gVGhlIGxhdGVzdCB2ZXJzaW9uIGlzIGF2YWls YWJsZSBmcm9tIDxhIGhyZWY9Imh0dHA6Ly93d3cudG9vbHMuaWV0Zi5vcmcvdG9vbHMvcmZjZGlm Zi8iPmh0dHA6Ly90b29scy5pZXRmLm9yZy90b29scy9yZmNkaWZmLzwvYT4gPC90ZD48L3RyPgog ICA8L3Rib2R5PjwvdGFibGU+CiAgIDwvYm9keT48L2h0bWw+ --0015174c0e8cbcca9904626f4135-- From aland@deployingradius.com Mon Feb 9 06:17:28 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7E8E3A6C17; Mon, 9 Feb 2009 06:17:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.734 X-Spam-Level: X-Spam-Status: No, score=-1.734 tagged_above=-999 required=5 tests=[AWL=0.638, BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPhkq1T8BlwS; Mon, 9 Feb 2009 06:17:28 -0800 (PST) Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by core3.amsl.com (Postfix) with ESMTP id F08513A6BB9; Mon, 9 Feb 2009 06:17:26 -0800 (PST) Received: from Thor.local (pas38-1-82-67-71-238.fbx.proxad.net [82.67.71.238]) by liberty.deployingradius.com (Postfix) with ESMTPSA id 9A4FA123444C; Mon, 9 Feb 2009 15:17:30 +0100 (CET) Message-ID: <49903AFA.8020008@deployingradius.com> Date: Mon, 09 Feb 2009 15:17:30 +0100 From: Alan DeKok User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: secdir@ietf.org, IESG IESG , abr@zen-sys.com, jbu@zen-sys.com, giorgio.porcu@guest.telecomitalia.it X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [secdir] SECDIR review of draft-ietf-roll-home-routing-reqs X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 14:17:28 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document discusses the routing requirements for low-power and lossy (e.g. "in-home") wireless networks. The document discusses the use of such networks to drive devices such as lights, window shades, ... and health care reporting and monitoring. The first sentence of the Security Considerations section says: Implementing security mechanisms in ROLL network devices may degrade energy efficiency and increase cost. This sentence is simply inadequate, and shows that the priorities are in the wrong place. If the methods outlined here are to be used in health care reporting and monitoring, then device security must be a higher priority than energy efficiency. The alternative is to design an "energy efficient" device that is susceptible to attacks that cause illness or even death. The potential for abuse with cheap but insecure devices in healthcare is so large as to be catastrophic for the people involved. The ability to forge inaccurate values for (e.g.) insulin levels can result in incorrect diagnosis and/or dosages. Different jurisdictions may also have legal restrictions on the use and dissemination of healthcare information. Broadcasting data such as insulin levels "in the clear" may be illegal. Even outside of the healthcare field, insecure protocols would allow attackers to control window blinds, lights, and alarm systems. The side effects here are possible voyeurism, robbery and/or home invasion. Attacks on lights and other devices could lead to artificially increased power bills, with side-effects ranging from increased debt to law-enforcement suspicion that the home is being used to grow illegal crops. The second sentence of the Security Considerations section says: The routing protocol chosen for ROLL MUST allow for low-power, low-cost network devices with limited security needs. Any device used for health care and/or home alarm systems CANNOT be described as having "limited security needs". The third, and final, sentence of the Security Considerations section says: Protection against unintentional inclusion in neighboring networks MUST be provided. These requirements are inadequate for the stated purpose of the document. At the minimum, the protocol must protect against: - forgery of data from known devices - alteration of data from known devices - unauthorized commands from unknown control devices - eavesdropping on private data These security requirements are difficult to meet. I recognize that they may conflict with the desire to have cheap, low-power devices. However, the potential for abuse, loss of property, and death due to insecure devices is large, and cannot be ignored. Alan DeKok. From CWallace@cygnacom.com Mon Feb 9 08:53:07 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 453B33A6813 for ; Mon, 9 Feb 2009 08:53:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.039 X-Spam-Level: X-Spam-Status: No, score=-2.039 tagged_above=-999 required=5 tests=[AWL=-0.570, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMcAtFSJcbNz for ; Mon, 9 Feb 2009 08:53:06 -0800 (PST) Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by core3.amsl.com (Postfix) with SMTP id 5C5DD3A6A41 for ; Mon, 9 Feb 2009 08:53:06 -0800 (PST) Received: (qmail 25462 invoked from network); 9 Feb 2009 15:53:16 -0000 Received: from CWallace@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 09 Feb 2009 15:53:16 -0000 Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 9 Feb 2009 15:53:16 -0000 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft Exchange V6.5 Date: Mon, 9 Feb 2009 10:52:53 -0500 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Secdir review of draft-gulbrandsen-imap-response-codes-07 Thread-Index: AcmKznb85bi0TPUqSqKFLnkZinQMRg== From: "Carl Wallace" To: , Subject: [secdir] Secdir review of draft-gulbrandsen-imap-response-codes-07 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 16:53:07 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines and documents a variety of IMAP response codes. The draft looks fine but I have one nit in the security considerations section. The first paragraph states "revealing information about a passphrase to unauthenticated IMAP clients has bad karma". I suggest this be changed to "revealing information about a passphrase to unauthenticated IMAP clients causes bad karma". It could be expanded to state that this may result in your own password being revealed as a karmic payback. From Sandy.Murphy@sparta.com Mon Feb 9 08:57:02 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8C4E3A6857; Mon, 9 Feb 2009 08:57:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.517 X-Spam-Level: X-Spam-Status: No, score=-2.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS9-HKqWk0Hf; Mon, 9 Feb 2009 08:57:02 -0800 (PST) Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id D63FD3A6813; Mon, 9 Feb 2009 08:57:01 -0800 (PST) Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id n19GLTTD015242; Mon, 9 Feb 2009 10:21:29 -0600 Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.12.11/8.13.1) with ESMTP id n19GLTHY000575; Mon, 9 Feb 2009 10:21:29 -0600 Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.81.210]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Mon, 9 Feb 2009 11:21:29 -0500 Date: Mon, 9 Feb 2009 11:21:28 -0500 (Eastern Standard Time) From: Sandra Murphy To: Eric Rosen In-Reply-To: <1374.1234194056@erosen-linux> Message-ID: References: <1374.1234194056@erosen-linux> X-X-Sender: sandy@nemo.columbia.sparta.com MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-OriginalArrivalTime: 09 Feb 2009 16:21:29.0496 (UTC) FILETIME=[76A37980:01C98AD2] Cc: draft-ietf-softwire-encaps-ipsec@tools.ietf.org, secdir@ietf.org, Tim Polk , softwire-chairs@tools.ietf.org, Lou Berger , iesg@ietf.org Subject: Re: [secdir] SECDIR review of draft-ietf-softwire-encaps-ipsec-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 16:57:02 -0000 The word I used was "ironic", not "funny". The irony is that there's a (relatively) weak mechanism being used to signal the use of a stronger mechanism. Ten cent hasp for a $100 padlock, or something like that. And that the signalling that IPsec is acceptable means that the signaller has the capability to be using IPsec, and so could use IPsec to protect the signalling channel (BGP) also. --Sandy On Mon, 9 Feb 2009, Eric Rosen wrote: > >> I found it somewhat ironic that signalling the use of public key >> cryptography in these IPsec tunnels is itself to be protected by TCP MD5: > > Could you let me in on the joke? > > From pbaker@verisign.com Mon Feb 9 12:55:37 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B65203A6BA5; Mon, 9 Feb 2009 12:55:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.417 X-Spam-Level: X-Spam-Status: No, score=-5.417 tagged_above=-999 required=5 tests=[AWL=-0.215, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UZgR1WOLNkWm; Mon, 9 Feb 2009 12:55:36 -0800 (PST) Received: from robin.verisign.com (robin.verisign.com [65.205.251.75]) by core3.amsl.com (Postfix) with ESMTP id DF2013A6B07; Mon, 9 Feb 2009 12:55:36 -0800 (PST) Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by robin.verisign.com (8.12.11/8.13.4) with ESMTP id n19KtVS5027619; Mon, 9 Feb 2009 12:55:31 -0800 Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 9 Feb 2009 12:55:30 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C98AF8.BDFDCE3A" Date: Mon, 9 Feb 2009 12:55:30 -0800 Message-ID: <2788466ED3E31C418E9ACC5C3166155768B26A@mou1wnexmb09.vcorp.ad.vrsn.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: SECDIR review of draft-atlas-icmp-unnumbered-06 Thread-Index: AcmK91KuUl4zofcQQYiVxsu1xXj+qQ== From: "Hallam-Baker, Phillip" To: , , , , , X-OriginalArrivalTime: 09 Feb 2009 20:55:30.0772 (UTC) FILETIME=[BE671940:01C98AF8] Subject: [secdir] SECDIR review of draft-atlas-icmp-unnumbered-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 20:55:37 -0000 This is a multi-part message in MIME format. ------_=_NextPart_001_01C98AF8.BDFDCE3A Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.=20 =20 The goal of the document is to provide a mechanism that allows routers = or hosts to supply additional information in responses that may be = useful for troubleshooting and debugging. =20 As such the document has the standard security recitals with respect to = the disclosure of information that may compromise the security of the = network. I believe these warnings to be adequate and the risk of the = additional information disclosure to be low since the purpose of this = particular mechanism is to provide a reliable means of obtaining = information that an attacker could otherwise guess or obtain through = heuristics. So the additional exposure of information is likely to be = marginal at best. =20 The security considerations do not address the issue of authenticating = the response data. While the intended field of use is administrative = debugging, we have in the past observed attempts to develop protocols = that employ traceroute for selection amongst available host (sonar et. = al.). One can imagine a situation in todays internet where such a = mechanism might be abused by an attacker in order to direct traffic onto = particular networks and thus make possible a DoS attack. =20 A security consideration warning not to use the protocol in such a = fashion should be sufficient. ------_=_NextPart_001_01C98AF8.BDFDCE3A Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= I have reviewed this document as part of the = security directorate's
ongoing effort to review all IETF documents = being processed by the
IESG.  These comments were written = primarily for the benefit of the
security area directors.  = Document editors and WG chairs should treat
these comments just like = any other last call comments.=0A=
 
=0A=
The goal of the document is to provide = a mechanism that allows routers or hosts to supply additional = information in responses that may be useful for troubleshooting and = debugging.
=0A=
 
=0A=
As such the document has the standard = security recitals with respect to the disclosure of information that may = compromise the security of the network. I believe these warnings to be = adequate and the risk of the additional information disclosure to be low = since the purpose of this particular mechanism is to provide a reliable = means of obtaining information that an attacker could otherwise guess or = obtain through heuristics. So the additional exposure of information is = likely to be marginal at best.
=0A=
 
=0A=
The security considerations do not = address the issue of authenticating the response data. While the = intended field of use is administrative debugging, we have in the past = observed attempts to develop protocols that employ traceroute for = selection amongst available host (sonar et. al.). One can imagine a = situation in todays internet where such a mechanism might be abused by = an attacker in order to direct traffic onto particular networks and thus = make possible a DoS attack.
=0A=
 
=0A=
A security consideration warning not to = use the protocol in such a fashion should be = sufficient.
------_=_NextPart_001_01C98AF8.BDFDCE3A-- From erosen@cisco.com Mon Feb 9 08:50:07 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F2403A6A6A; Mon, 9 Feb 2009 08:50:07 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.466 X-Spam-Level: X-Spam-Status: No, score=-6.466 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E2XamHFGD2KS; Mon, 9 Feb 2009 08:50:06 -0800 (PST) Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 288F43A69B1; Mon, 9 Feb 2009 08:50:06 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.37,406,1231113600"; d="scan'208";a="36400484" Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-2.cisco.com with ESMTP; 09 Feb 2009 15:41:09 +0000 Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n19Ff9sQ016094; Mon, 9 Feb 2009 10:41:09 -0500 Received: from erosen-linux.cisco.com (erosen-linux.cisco.com [161.44.70.34]) by rtp-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n19Ff9t2000907; Mon, 9 Feb 2009 15:41:09 GMT Received: from erosen-linux (localhost.localdomain [127.0.0.1]) by erosen-linux.cisco.com (8.13.1/8.13.1) with ESMTP id n19FeuoF001375; Mon, 9 Feb 2009 10:41:00 -0500 To: Sandra Murphy In-reply-to: Your message of Thu, 29 Jan 2009 18:28:21 -0500. Date: Mon, 09 Feb 2009 10:40:56 -0500 Message-ID: <1374.1234194056@erosen-linux> From: Eric Rosen DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=184; t=1234194069; x=1235058069; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=erosen@cisco.com; z=From:=20Eric=20Rosen=20 |Subject:=20Re=3A=20[secdir]=20SECDIR=20review=20of=20draft -ietf-softwire-encaps-ipsec-01=20 |Sender:=20 |To:=20Sandra=20Murphy=20; bh=ps8loLzlpSpDNXyDagn4N105mfgUfEH2qjj7eyRvNy0=; b=rmy4/Kd3XgHGFAfDn73DZ4MjpsWOHUnq07X9cBnncJuynrxG88Aj28fwOe 8HJLsTNr0r9VXB1hAXxFnF1iq4qsxQoE52zzKtecwvQ7tbXc9/Q7VuBvTLwD Hqmbscm+na; Authentication-Results: rtp-dkim-1; header.From=erosen@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; ); X-Mailman-Approved-At: Mon, 09 Feb 2009 13:31:17 -0800 Cc: draft-ietf-softwire-encaps-ipsec@tools.ietf.org, secdir@ietf.org, Tim Polk , softwire-chairs@tools.ietf.org, Lou Berger , iesg@ietf.org Subject: Re: [secdir] SECDIR review of draft-ietf-softwire-encaps-ipsec-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: erosen@cisco.com List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 16:50:07 -0000 > I found it somewhat ironic that signalling the use of public key > cryptography in these IPsec tunnels is itself to be protected by TCP MD5: Could you let me in on the joke? From derek@ihtfp.com Mon Feb 9 14:03:12 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5389C3A6BCE; Mon, 9 Feb 2009 14:03:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.988 X-Spam-Level: X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mpnZF0-aoyXm; Mon, 9 Feb 2009 14:03:11 -0800 (PST) Received: from mail.ihtfp.org (MAIL.IHTFP.ORG [204.107.200.6]) by core3.amsl.com (Postfix) with ESMTP id 5EB4E3A6830; Mon, 9 Feb 2009 14:03:11 -0800 (PST) Received: from pgpdev.ihtfp.org (c-76-109-66-143.hsd1.fl.comcast.net [76.109.66.143]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail.ihtfp.org (Postfix) with ESMTP id 914E4BD8549; Mon, 9 Feb 2009 17:03:12 -0500 (EST) Received: (from warlord@localhost) by pgpdev.ihtfp.org (8.14.3/8.14.2/Submit) id n19M301S027383; Mon, 9 Feb 2009 17:03:00 -0500 To: iesg@ietf.org, secdir@ietf.org From: Derek Atkins Date: Mon, 09 Feb 2009 17:02:59 -0500 Message-ID: User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: mlague@cisco.com, abegen@cisco.com, dohsu@cisco.com, avt-chairs@tools.ietf.org Subject: [secdir] sec-dir review of draft-ietf-avt-post-repair-rtcp-xr-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 22:03:12 -0000 Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines a new report block type within the framework of RTP Control Protocol (RTCP) Extended Reports. The Security Considerations section of this document pushes off all issues to RFC3611 but I believe that this document adds no additional security concerns. -derek -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant From pbaker@verisign.com Mon Feb 9 14:05:04 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D01B3A6C04; Mon, 9 Feb 2009 14:05:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.413 X-Spam-Level: X-Spam-Status: No, score=-5.413 tagged_above=-999 required=5 tests=[AWL=-0.211, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jaKYCqxsA6t3; Mon, 9 Feb 2009 14:05:03 -0800 (PST) Received: from colibri.verisign.com (colibri.verisign.com [65.205.251.74]) by core3.amsl.com (Postfix) with ESMTP id 3AAF63A6BCE; Mon, 9 Feb 2009 14:05:03 -0800 (PST) Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id n19LfJ7Y030759; Mon, 9 Feb 2009 13:41:19 -0800 Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 9 Feb 2009 14:05:00 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C98B02.7333B3FC" Date: Mon, 9 Feb 2009 14:04:59 -0800 Message-ID: <2788466ED3E31C418E9ACC5C3166155768B26D@mou1wnexmb09.vcorp.ad.vrsn.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: SECDIR Review of draft-ietf-radext-design-05 Thread-Index: AcmLAnL6gKJijmdjRPy/u9JF0sLnpA== From: "Hallam-Baker, Phillip" To: , , X-OriginalArrivalTime: 09 Feb 2009 22:05:00.0131 (UTC) FILETIME=[7388CB30:01C98B02] Cc: iesg@ietf.org, secdir@ietf.org Subject: [secdir] SECDIR Review of draft-ietf-radext-design-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Feb 2009 22:05:04 -0000 This is a multi-part message in MIME format. ------_=_NextPart_001_01C98B02.7333B3FC Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.=20 =20 The purpose of this document is to explain the workings of RADIUS = attributes for the benefit of those involved in the design of future = RADIUS attribute specifications. As such the document is very clear and = provides advice that will no doubt prove useful. =20 The Security Considerations section could do with some additional work = however. =20 The discussion of encryption of attributes is somewhat confusing. = Mention is made of encryption, followed by mention of MD5 and SHA1. = While it was common to describe the use of one way functions to = obfusticate passwords as 'encryption' in the 1980s, this is not current = terminology and this needs to be explained. =20 Also I would like to see specific mention made of whatever provisions = are made for message authentication in the protocol, if none, then this = should also be specified. This is a major concern in what is essentially = a protocol that supports the authentication/authorization process. =20 Finally, I would like to see some mention of the use of a secure tunnel = such as IPSEC and which types of attributes might need superencryption = within such a tunnel. ------_=_NextPart_001_01C98B02.7333B3FC Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable =0A= =0A= =0A= =0A=
I have reviewed this document as = part of the security directorate's
ongoing effort to review all IETF = documents being processed by the
IESG.  These comments were = written primarily for the benefit of the
security area = directors.  Document editors and WG chairs should treat
these = comments just like any other last call comments. =
=0A=
 
=0A=
The purpose of this document is to explain the workings of RADIUS = attributes for the benefit of those involved in the design of future = RADIUS attribute specifications. As such the document is very clear and = provides advice that will no doubt prove useful.
=0A=
 
=0A=
The Security Considerations section could do with some additional = work however.
=0A=
 
=0A=
The discussion of encryption of attributes is somewhat confusing. = Mention is made of encryption, followed by mention of MD5 and SHA1. = While it was common to describe the use of one way functions to = obfusticate passwords as 'encryption' in the 1980s, this is not current = terminology and this needs to be explained.
=0A=
 
=0A=
Also I would like to see specific mention made of whatever = provisions are made for message authentication in the protocol, if none, = then this should also be specified. This is a major concern in what is = essentially a protocol that supports = the authentication/authorization process.
=0A=
 
=0A=
Finally, I would like to see some mention of the use of a secure = tunnel such as IPSEC and which types of attributes might need = superencryption within such a tunnel.
------_=_NextPart_001_01C98B02.7333B3FC-- From alexey.melnikov@isode.com Tue Feb 10 15:23:19 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F059F3A6CD6; Tue, 10 Feb 2009 15:23:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.529 X-Spam-Level: X-Spam-Status: No, score=-2.529 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uogwqK-ozdD2; Tue, 10 Feb 2009 15:23:19 -0800 (PST) Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by core3.amsl.com (Postfix) with ESMTP id 454213A697F; Tue, 10 Feb 2009 15:23:18 -0800 (PST) Received: from [92.40.222.93] (92.40.222.93.sub.mbb.three.co.uk [92.40.222.93]) by rufus.isode.com (submission channel) via TCP with ESMTPA id ; Tue, 10 Feb 2009 23:23:20 +0000 Message-ID: <49920C4C.50907@isode.com> Date: Tue, 10 Feb 2009 23:22:52 +0000 From: Alexey Melnikov User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en To: secdir@ietf.org, draft-ietf-avt-rfc3047-bis@tools.ietf.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: iesg@ietf.org, avt-chairs@tools.ietf.org Subject: [secdir] secdir review of draft-ietf-avt-rfc3047-bis-08.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Feb 2009 23:23:20 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes the payload format for including G.722.1 generated bit streams (audio) within an RTP packet. The Security Considerations section is nearly the same as in RFC 3047, with some obsoleted text deleted (good). I would suggest replacing the first paragraph RTP packets using the payload format defined in this specification are subject to the security considerations discussed in the RTP specification [RFC3550], and any appropriate RTP profile. This implies that confidentiality of the media streams is achieved by encryption. with (for example) the text found in RFC 5404: RTP packets using the payload format defined in this specification are subject to the security considerations discussed in the RTP specification [RFC3550] and in any applicable RTP profile. The main security considerations for the RTP packet carrying the RTP payload format defined within this memo are confidentiality, integrity, and source authenticity. Confidentiality is achieved by encryption of the RTP payload. Integrity of the RTP packets is achieved through a suitable cryptographic integrity protection mechanism. Such a cryptographic system may also allow the authentication of the source of the payload. A suitable security mechanism for this RTP payload format should provide confidentiality, integrity protection, and at least source authentication capable of determining if an RTP packet is from a member of the RTP session. Note that the appropriate mechanism to provide security to RTP and payloads following this memo may vary. It is dependent on the application, the transport, and the signaling protocol employed. Therefore, a single mechanism is not sufficient, although if suitable, usage of the Secure Real-time Transport Protocol (SRTP) [RFC3711] is recommended. Other mechanisms that may be used are IPsec [RFC4301] and Transport Layer Security (TLS) [RFC5246] (RTP over TCP); other alternatives may exist. as it provides more background to a reader unfamiliar with RTP on possible security mechanisms that can be used. Apart from that I found the document to be well written and being quite clear on which data is valid and which is invalid. From aland@freeradius.org Wed Feb 11 06:07:32 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C056C3A69C7; Wed, 11 Feb 2009 06:07:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQe-MZVbOhlk; Wed, 11 Feb 2009 06:07:32 -0800 (PST) Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by core3.amsl.com (Postfix) with ESMTP id DB8133A690E; Wed, 11 Feb 2009 06:07:31 -0800 (PST) Received: from Thor.local (pas38-3-82-229-198-135.fbx.proxad.net [82.229.198.135]) by liberty.deployingradius.com (Postfix) with ESMTPSA id 695FE123443B; Wed, 11 Feb 2009 15:07:34 +0100 (CET) Message-ID: <4992DBA5.9010703@freeradius.org> Date: Wed, 11 Feb 2009 15:07:33 +0100 From: Alan T DeKok User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209) MIME-Version: 1.0 To: "Hallam-Baker, Phillip" References: <2788466ED3E31C418E9ACC5C3166155768B26D@mou1wnexmb09.vcorp.ad.vrsn.com> In-Reply-To: <2788466ED3E31C418E9ACC5C3166155768B26D@mou1wnexmb09.vcorp.ad.vrsn.com> X-Enigmail-Version: 0.95.7 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: secdir@ietf.org, radiusext@ops.ietf.org, gdweber@gmail.com, iesg@ietf.org Subject: Re: [secdir] SECDIR Review of draft-ietf-radext-design-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: aland@freeradius.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 14:07:32 -0000 Hallam-Baker, Phillip wrote: > The Security Considerations section could do with some additional work > however. > > The discussion of encryption of attributes is somewhat confusing. > Mention is made of encryption, followed by mention of MD5 and SHA1. > While it was common to describe the use of one way functions to > obfusticate passwords as 'encryption' in the 1980s, this is not current > terminology and this needs to be explained. OK. We will update the document to clarify this "obfuscation" != "encryption". > Also I would like to see specific mention made of whatever provisions > are made for message authentication in the protocol, if none, then this > should also be specified. This is a major concern in what is essentially > a protocol that supports the authentication/authorization process. The protocol supports a Message-Authenticator attribute, which is an HMAC-MD5 of the packet contents && secret key. We can add a note on this to the security section, though it's already discussed in the other RADIUS documents, too. > Finally, I would like to see some mention of the use of a secure tunnel > such as IPSEC and which types of attributes might need superencryption > within such a tunnel. It may be best simply to reference RFC 3579 && RFC 3580, which already have extensive discussion of these issues. Alan DeKok. From jhutz@cmu.edu Wed Feb 11 10:12:50 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0182A3A6935; Wed, 11 Feb 2009 10:12:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.773 X-Spam-Level: X-Spam-Status: No, score=-3.773 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-4, SARE_SUB_OBFU_Q1=0.227] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHpD5xw4bvMR; Wed, 11 Feb 2009 10:12:49 -0800 (PST) Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id EC8933A6904; Wed, 11 Feb 2009 10:12:48 -0800 (PST) Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n1BICUS4004703 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Feb 2009 13:12:30 -0500 (EST) Date: Wed, 11 Feb 2009 13:12:30 -0500 From: Jeffrey Hutzelman To: iesg@ietf.org, secdir@ietf.org, ccamp-chairs@tools.ietf.org, diego.caviglia@ericsson.com, dino.bramanti@ericsson.com, dan.li@huawei.com, dave.mcdysan@verizon.com Message-ID: <29CB4AF52E418956F8DAC191@minbar.fac.cs.cmu.edu> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Subject: [secdir] SECDIR review of draft-ietf-ccamp-pc-and-sc-reqs-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 18:12:50 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes requirements for a procedure to be used within a GMPLS network to convert a permanent connection, which is provisioned throughout the network, into a soft permanent connection, which is provisioned at the edges but set up by the control plane in the middle, and back, without interrupting the flow of data. As a requirements document, this document does not directly create any new security considerations, but does raise some points which must be addressed by any solution. Overall, I think this document is fine. I also asked David Harrington to take a look at a paragraph referring to SNMP, which seemed to me to make too many assumptions about which pieces would "always" be used together. David had the following to add: > OK. It is incorrect to reference to MIBs as SNMP MIBs. MIBs are > defined indepednently from SNMP. MIBs can theoretically be used by > other protocols. > > There is standard boilerplate for MIB documents. Since this document > does not contain a MIB module, most of it does not directly apply. > However, the boilerplate discusses using a secure protocol and access > control. I recommend that these authors use that section of the > boilerplate text: > > > SNMP versions prior to SNMPv3 did not include adequate security. > Even if the network itself is secure (for example by using IPsec), > even then, there is no control as to who on the secure network is > allowed to access and GET/SET (read/change/create/delete) the > objects > in this MIB module. > > It is RECOMMENDED that implementers consider the security features > as > provided by the SNMPv3 framework (see [RFC3410], section 8), > including full support for the SNMPv3 cryptographic mechanisms (for > authentication and privacy). > > Further, deployment of SNMP versions prior to SNMPv3 is NOT > RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to > enable cryptographic security. It is then a customer/operator > responsibility to ensure that the SNMP entity giving access to an > instance of this MIB module is properly configured to give access > to > the objects only to those principals (users) that have legitimate > rights to indeed GET or SET (change/create/delete) them. > > > This could be as simple as > > If SNMP is used for configuration, then it is RECOMMENDED > that implementers consider the security features as > provided by the SNMPv3 framework (see [RFC3410], section 8), > including full support for the SNMPv3 cryptographic mechanisms (for > authentication and privacy). > > As the IETF is moving toward a multi-protocol approach to network > management, I would change the paragraph to encompass a wider > approach: > > "Any protocol used to configure a device should support > authentication, encryption, integrity checking, and control of access > to the configuration parameters. It is RECOMMENDED to deploy an IETF > standard protocol for secure configuration, such as Netconf [RFC4741] > or SNMPv3 [RFC3410]. Operators SHOULD enable cryptographic security > and ensure that the entity giving access to configuration parameters > is properly configured to give access only to those principals (users) > that have legitimate rights to read/create/change/delete the > parameters." > > I have asked the OPS and Security ADs to comment on this last > paragraph as a proposed new boilerplate regarding secure management. My only other comment is regarding the abstract. A document and its abstract should each stand on their own, independently. In particular, it should not be necessary to read the abstract in order to understand the document, and the abstract should contain only a brief description of what the document is about, intended to be read by someone trying to determine whether the document is of interest. In the case of this document, text invoking RFC2119 does not belong in the abstract; rather, it belongs in the main document body. -- Jeffrey T. Hutzelman (N3NHS) Carnegie Mellon University - Pittsburgh, PA From adrian@olddog.co.uk Wed Feb 11 13:44:57 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3A3C428C0D7; Wed, 11 Feb 2009 13:44:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.883 X-Spam-Level: X-Spam-Status: No, score=-0.883 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, SARE_SUB_OBFU_Q1=0.227] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUFokRFfouFu; Wed, 11 Feb 2009 13:44:56 -0800 (PST) Received: from asmtp1.iomartmail.com (asmtp1.iomartmail.com [62.128.201.248]) by core3.amsl.com (Postfix) with ESMTP id 2887F28C0E7; Wed, 11 Feb 2009 13:44:55 -0800 (PST) Received: from asmtp1.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp1.iomartmail.com (8.12.11.20060308/8.12.8) with ESMTP id n1BLiRDn019740; Wed, 11 Feb 2009 21:44:27 GMT Received: from your029b8cecfe (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp1.iomartmail.com (8.12.11.20060308/8.12.11) with ESMTP id n1BLiP9b019731; Wed, 11 Feb 2009 21:44:26 GMT Message-ID: <23E53B36510442F1B64C24DFE059AF91@your029b8cecfe> From: "Adrian Farrel" To: "Jeffrey Hutzelman" , , , , , , , References: <29CB4AF52E418956F8DAC191@minbar.fac.cs.cmu.edu> Date: Wed, 11 Feb 2009 21:44:15 -0000 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.5512 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579 Cc: Adrian Farrel Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-pc-and-sc-reqs-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: Adrian Farrel List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 21:44:57 -0000 Hi Jeffrey, Thanks for this input. >> I would change the paragraph to encompass a wider approach: >> >> "Any protocol used to configure a device should support >> authentication, encryption, integrity checking, and control of access >> to the configuration parameters. It is RECOMMENDED to deploy an IETF >> standard protocol for secure configuration, such as Netconf [RFC4741] >> or SNMPv3 [RFC3410]. Operators SHOULD enable cryptographic security >> and ensure that the entity giving access to configuration parameters >> is properly configured to give access only to those principals (users) >> that have legitimate rights to read/create/change/delete the >> parameters." I am not happy that the Security section should recomend the use of a particular management protocol, and certainly not in 2119 language. This I-D is not an IETF policy statement for the security of management protocols. I am also not particularly happy with your "SHOULD" guidance to the operator. This I-D is a requirements spec for the development of protocol solutions. It is not a protocol spec, and certainly not a deployment guide. But it is good to pick up some words here. I propose... OLD If SNMP MIBs are used for configuration, then the Management Plane should support authentication for PC-SC configuration changes as specified in [RFC3414]. NEW The Management Plane interactions MUST be supported through protocols that can offer adequate security mechanisms to secure the configuration and protect the operation of the devices that are managed. These mechanisms MUST include at least cryptographic security and the abilty to ensure that the entity giving access to configuration parameters is properly configured to give access only to those principals (users) that have legitimate rights to read/create/change/delete the parameters. IETF standard management protocols (Netconf [RFC4741] and SNMPv3 [RFC3410]) offer these mechanisms. END > My only other comment is regarding the abstract. A document and its > abstract should each stand on their own, independently. In particular, it > should not be necessary to read the abstract in order to understand the > document, and the abstract should contain only a brief description of what > the document is about, intended to be read by someone trying to determine > whether the document is of interest. In the case of this document, text > invoking RFC2119 does not belong in the abstract; rather, it belongs in > the main document body. Sure. There is an indentation issue in the current version that makes this look worse than it is. The 2119 boilerplate often seems to be placed immediately after the Abstract in I-Ds. But anyway, the RFC Editor has a special place for this text and will sort it out. However, you have just made me note that this is an Informational requirements draft, and so the 2119 language is not completely appropriate. A hoary old chestnut, this. We want to use some strong requirements language, but 2119 is intended only for protocol specs. I guess we will morph this to... Although this requirements document is an informational document not a protocol specification, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] for clarity of requirement specification. Many thanks, Adrian From jhutz@cmu.edu Wed Feb 11 14:26:31 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ADCCF28C389; Wed, 11 Feb 2009 14:26:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.072 X-Spam-Level: X-Spam-Status: No, score=-5.072 tagged_above=-999 required=5 tests=[AWL=1.299, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_SUB_OBFU_Q1=0.227] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a8G27JSHk8fm; Wed, 11 Feb 2009 14:26:30 -0800 (PST) Received: from jackfruit.srv.cs.cmu.edu (JACKFRUIT.SRV.CS.CMU.EDU [128.2.201.16]) by core3.amsl.com (Postfix) with ESMTP id A7B9C28C387; Wed, 11 Feb 2009 14:26:30 -0800 (PST) Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by jackfruit.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id n1BMQLJD016282 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Feb 2009 17:26:21 -0500 (EST) Date: Wed, 11 Feb 2009 17:26:20 -0500 From: Jeffrey Hutzelman To: Adrian Farrel , iesg@ietf.org, secdir@ietf.org, ccamp-chairs@tools.ietf.org, diego.caviglia@ericsson.com, dino.bramanti@ericsson.com, dan.li@huawei.com, dave.mcdysan@verizon.com Message-ID: <8711BD60B6F8AC0239858382@minbar.fac.cs.cmu.edu> In-Reply-To: <23E53B36510442F1B64C24DFE059AF91@your029b8cecfe> References: <29CB4AF52E418956F8DAC191@minbar.fac.cs.cmu.edu> <23E53B36510442F1B64C24DFE059AF91@your029b8cecfe> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Scanned-By: mimedefang-cmuscs on 128.2.201.16 Subject: Re: [secdir] SECDIR review of draft-ietf-ccamp-pc-and-sc-reqs-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Feb 2009 22:26:31 -0000 --On Wednesday, February 11, 2009 09:44:15 PM +0000 Adrian Farrel wrote: > I am not happy that the Security section should recomend the use of a > particular management protocol In fact, one of David's points was that SNMP is not the only management protocol. And, the point that caused me to raise this to begin with is that the protocol defined in RFC3414 is not the only SNMP security model > and certainly not in 2119 language. This > I-D is not an IETF policy statement for the security of management > protocols. > > I am also not particularly happy with your "SHOULD" guidance to the > operator. This I-D is a requirements spec for the development of protocol > solutions. It is not a protocol spec, and certainly not a deployment > guide. That's not my text; some of it is David's, and some comes from existing boilerplate used in MIB documents. It is certainly the case that in some ways that text is not directly applicable to a requirements document. But the gist is right, I think. > OLD > If SNMP MIBs are used for configuration, then the Management Plane > should support authentication for PC-SC configuration changes as > specified in [RFC3414]. > NEW > The Management Plane interactions MUST be supported through protocols > that can offer adequate security mechanisms to secure the > configuration and protect the operation of the devices that are > managed. These mechanisms MUST include at least cryptographic > security and the abilty to ensure that the entity giving access to > configuration parameters is properly configured to give access only > to those principals (users) that have legitimate rights to > read/create/change/delete the parameters. IETF standard management > protocols (Netconf [RFC4741] and SNMPv3 [RFC3410]) offer these > mechanisms. > END I think this is a good change. > However, you have just made me note that this is an Informational > requirements draft, and so the 2119 language is not completely > appropriate. A hoary old chestnut, this. We want to use some strong > requirements language, but 2119 is intended only for protocol specs. My personal take here is that, despite its own introduction, it really is appropriate to use 2119-like language in some contexts other than protocol specs, and that this is one of them. > I guess we will morph this to... > > Although this requirements document is an informational document not > a protocol specification, the key words "MUST", "MUST NOT", > "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", > "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be > interpreted as described in RFC 2119 [RFC2119] for clarity of > requirement specification. I like that. -- Jeff From jari.arkko@piuha.net Wed Feb 11 23:27:13 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 777933A6AB6; Wed, 11 Feb 2009 23:27:13 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.299 X-Spam-Level: X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_22=0.6] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dU1V56xKAYH8; Wed, 11 Feb 2009 23:27:12 -0800 (PST) Received: from smtp.piuha.net (p130.piuha.net [IPv6:2001:14b8:400::130]) by core3.amsl.com (Postfix) with ESMTP id D4C523A699A; Wed, 11 Feb 2009 23:27:11 -0800 (PST) Received: from smtp.piuha.net (localhost [127.0.0.1]) by smtp.piuha.net (Postfix) with ESMTP id 4656319876C; Thu, 12 Feb 2009 09:27:16 +0200 (EET) Received: from [127.0.0.1] (unknown [IPv6:2001:14b8:400::130]) by smtp.piuha.net (Postfix) with ESMTP id CD8741986EF; Thu, 12 Feb 2009 09:27:15 +0200 (EET) Message-ID: <4993CF06.8030909@piuha.net> Date: Thu, 12 Feb 2009 09:25:58 +0200 From: Jari Arkko User-Agent: Thunderbird 2.0.0.19 (X11/20090105) MIME-Version: 1.0 To: Larry Zhu References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Cc: "cpignata@cisco.com" , "iesg@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] Review of draft-arkko-arp-iana-rules-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 07:27:13 -0000 Thanks for your review. Your comments have resulted in changes in the -06 version of the document. Jari Larry Zhu wrote: > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > Document: draft-arkko-arp-iana-rules-05 > Title: IANA Allocation Guidelines for the Address Resolution Protocol (ARP) > > Overall, the document is clear and easy to read. I have the following comments. > > 1) The following text in the "acknowledgements" section fits better into the "introduction" section. > > The lack of any current rules has come up as new values were > requested from IANA. <<>> When no rules exist, IANA > consults the IESG for approval of the new values. The purpose of > this specification is to establish the rules and allow IANA to > operate based on the rules, without requiring confirmation from the > IESG. > > In addition, the above text somewhat contradicts to the fact that the assignment of ar$op values does require IESG approval. Hence I would recommend to replace OLD: > > The purpose of > this specification is to establish the rules and allow IANA to > operate based on the rules, without requiring confirmation from the > IESG. > > With NEW: > > The purpose of > this specification is to establish the rules and allow IANA to > manage number assignments based on these rules, to ensure consistent > interpretations in different implementations. > > 2) This document does not seem to fit exactly with RFC5226. Given there is an existing registry at http://www.iana.org/assignments/arp-parameters/arp-parameters.xhtml, I would recommend either spell exactly how to update it or how to create a new one to replace the existing one, and populate the new registry with the existing entries as "initial" assignments. > > I find no specific security issues with this document. > > --Larry Zhu > > > > From pbaker@verisign.com Thu Feb 12 04:47:18 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B96B53A6B54; Thu, 12 Feb 2009 04:47:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -5.9 X-Spam-Level: X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[AWL=0.698, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ey3kcjr1ADKz; Thu, 12 Feb 2009 04:47:17 -0800 (PST) Received: from colibri.verisign.com (colibri.verisign.com [65.205.251.74]) by core3.amsl.com (Postfix) with ESMTP id E13BD3A6B0B; Thu, 12 Feb 2009 04:47:17 -0800 (PST) Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com [65.205.251.34]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id n1CCNR5q015726; Thu, 12 Feb 2009 04:23:27 -0800 Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 12 Feb 2009 04:47:15 -0800 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C98D10.0744E063" Date: Thu, 12 Feb 2009 04:46:41 -0800 Message-ID: <2788466ED3E31C418E9ACC5C3166155768B28D@mou1wnexmb09.vcorp.ad.vrsn.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [secdir] SECDIR Review of draft-ietf-radext-design-05 Thread-Index: AcmMUhehDdqrqRH8Tq2i4MTtuEe5tQAvdyhK References: <2788466ED3E31C418E9ACC5C3166155768B26D@mou1wnexmb09.vcorp.ad.vrsn.com> <4992DBA5.9010703@freeradius.org> From: "Hallam-Baker, Phillip" To: X-OriginalArrivalTime: 12 Feb 2009 12:47:15.0915 (UTC) FILETIME=[088BE9B0:01C98D10] Cc: secdir@ietf.org, radiusext@ops.ietf.org, gdweber@gmail.com, iesg@ietf.org Subject: Re: [secdir] SECDIR Review of draft-ietf-radext-design-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 12:47:18 -0000 This is a multi-part message in MIME format. ------_=_NextPart_001_01C98D10.0744E063 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable That should do it. -----Original Message----- From: Alan T DeKok [mailto:aland@freeradius.org] Sent: Wed 2/11/2009 9:07 AM To: Hallam-Baker, Phillip Cc: gdweber@gmail.com; radiusext@ops.ietf.org; iesg@ietf.org; = secdir@ietf.org Subject: Re: [secdir] SECDIR Review of draft-ietf-radext-design-05 =20 Hallam-Baker, Phillip wrote: > The Security Considerations section could do with some additional work > however. > =20 > The discussion of encryption of attributes is somewhat confusing. > Mention is made of encryption, followed by mention of MD5 and SHA1. > While it was common to describe the use of one way functions to > obfusticate passwords as 'encryption' in the 1980s, this is not = current > terminology and this needs to be explained. OK. We will update the document to clarify this "obfuscation" !=3D "encryption". > Also I would like to see specific mention made of whatever provisions > are made for message authentication in the protocol, if none, then = this > should also be specified. This is a major concern in what is = essentially > a protocol that supports the authentication/authorization process. The protocol supports a Message-Authenticator attribute, which is an HMAC-MD5 of the packet contents && secret key. We can add a note on this to the security section, though it's already discussed in the other RADIUS documents, too. > Finally, I would like to see some mention of the use of a secure = tunnel > such as IPSEC and which types of attributes might need superencryption > within such a tunnel. It may be best simply to reference RFC 3579 && RFC 3580, which already have extensive discussion of these issues. Alan DeKok. ------_=_NextPart_001_01C98D10.0744E063 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: [secdir] SECDIR Review of draft-ietf-radext-design-05

That should do it.

-----Original Message-----
From: Alan T DeKok [mailto:aland@freeradius.org]
= Sent: Wed 2/11/2009 9:07 AM
To: Hallam-Baker, Phillip
Cc: gdweber@gmail.com; radiusext@ops.ietf.org; iesg@ietf.org; = secdir@ietf.org
Subject: Re: [secdir] SECDIR Review of draft-ietf-radext-design-05

Hallam-Baker, Phillip wrote:
> The Security Considerations section could do with some additional = work
> however.

> The discussion of encryption of attributes is somewhat = confusing.
> Mention is made of encryption, followed by mention of MD5 and = SHA1.
> While it was common to describe the use of one way functions to
> obfusticate passwords as 'encryption' in the 1980s, this is not = current
> terminology and this needs to be explained.

  OK.  We will update the document to clarify this = "obfuscation" !=3D
"encryption".

> Also I would like to see specific mention made of whatever = provisions
> are made for message authentication in the protocol, if none, then = this
> should also be specified. This is a major concern in what is = essentially
> a protocol that supports the authentication/authorization = process.

  The protocol supports a Message-Authenticator attribute, which is = an
HMAC-MD5 of the packet contents && secret key.  We can add = a note on
this to the security section, though it's already discussed in the = other
RADIUS documents, too.

> Finally, I would like to see some mention of the use of a secure = tunnel
> such as IPSEC and which types of attributes might need = superencryption
> within such a tunnel.

  It may be best simply to reference RFC 3579 && RFC 3580, = which already
have extensive discussion of these issues.

  Alan DeKok.

------_=_NextPart_001_01C98D10.0744E063-- From scott@hyperthought.com Thu Feb 12 06:37:52 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A80853A6B04 for ; Thu, 12 Feb 2009 06:37:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Em0+5573o6fZ for ; Thu, 12 Feb 2009 06:37:52 -0800 (PST) Received: from smtp112.sat.emailsrvr.com (smtp112.sat.emailsrvr.com [66.216.121.112]) by core3.amsl.com (Postfix) with ESMTP id 867743A6826 for ; Thu, 12 Feb 2009 06:37:52 -0800 (PST) Received: from relay1.relay.sat.mlsrvr.com (localhost [127.0.0.1]) by relay1.relay.sat.mlsrvr.com (SMTP Server) with ESMTP id 9295CCD61F; Thu, 12 Feb 2009 09:37:56 -0500 (EST) Received: by relay1.relay.sat.mlsrvr.com (Authenticated sender: scott-AT-hyperthought.com) with ESMTPSA id E4FDECD58A; Thu, 12 Feb 2009 09:37:55 -0500 (EST) Message-ID: <4994346C.5050007@hyperthought.com> Date: Thu, 12 Feb 2009 06:38:36 -0800 From: "Scott G. Kelly" User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: secdir@ietf.org, tsvwg-chairs@tools.ietf.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: flefauch@cisco.com, allan.guillou@neufcegetel.fr, jmanner@cs.helsinki.fi, dwing@cisco.com, iesg@ietf.org Subject: [secdir] review of draft-ietf-tsvwg-rsvp-proxy-approaches-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 14:37:52 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This informational document describes various RSVP proxy use cases. It does not define any protocols, and is intended to support other related documents which do. The security considerations section seems well thought out and complete. I see no issues of concern for the security AD's in this document. From scott@hyperthought.com Thu Feb 12 13:43:08 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 83A2B3A6982 for ; Thu, 12 Feb 2009 13:43:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYkoQfGglWlH for ; Thu, 12 Feb 2009 13:43:07 -0800 (PST) Received: from smtp152.sat.emailsrvr.com (smtp152.sat.emailsrvr.com [66.216.121.152]) by core3.amsl.com (Postfix) with ESMTP id A36F93A6BDF for ; Thu, 12 Feb 2009 13:43:07 -0800 (PST) Received: from relay15.relay.sat.mlsrvr.com (localhost [127.0.0.1]) by relay15.relay.sat.mlsrvr.com (SMTP Server) with ESMTP id 32B9B1C3DB3; Thu, 12 Feb 2009 16:43:12 -0500 (EST) Received: by relay15.relay.sat.mlsrvr.com (Authenticated sender: scott-AT-hyperthought.com) with ESMTPSA id A6B751D0804; Thu, 12 Feb 2009 16:43:11 -0500 (EST) Message-ID: <4994981B.2000907@hyperthought.com> Date: Thu, 12 Feb 2009 13:43:55 -0800 From: "Scott G. Kelly" User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: secdir@ietf.org, iesg@ietf.org, tim.melanchuk@gmail.com, mediactrl-chairs@tools.ietf.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [secdir] review of draft-ietf-mediactrl-architecture-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Feb 2009 21:43:08 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This is an architecture document describing a framework for media server control which combines elements from several related working groups and protocols. The framework described in this document consists of 3 elements: the application server, the media server, and the user agent. The document focuses on the interactions between the application server and the media server, and declares the user agent interactions to be out of scope. The security considerations section says that media servers use the security mechanisms of SIP to authenticate requests from application servers, and to ensure the integrity of those requests, and says that this ensures that only authorized application servers may access the media server and impact its resources. I have two concerns: first, the current security considerations section focuses on the media server and how to protect against malicious application servers (or AS impersonators) -- it should also address the flip side of this, i.e. what happens if someone impersonates the media server, and what, if anything, should be done? If this is addressed in some other related document, then perhaps a pointer to that other document would be helpful. My other concern is a bit more nebulous: this work seems to cut across multiple other efforts (more than I have time to seriously review right now), and while I think it makes sense to reference the security considerations of other documents when they adequately address the problems at hand, I think the wg (and security ADs) will want to be sure that the particular threats of this framework are explicitly called out and completely addressed. This architecture document may or may not be the right place to do that. --Scott From stefans@exmsft.com Fri Feb 13 14:21:05 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 372503A6A16 for ; Fri, 13 Feb 2009 14:21:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.249 X-Spam-Level: X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sKnjiqkE+3dY for ; Fri, 13 Feb 2009 14:21:04 -0800 (PST) Received: from s87.loopia.se (s87.loopia.se [194.9.94.113]) by core3.amsl.com (Postfix) with ESMTP id 2064B3A68DF for ; Fri, 13 Feb 2009 14:21:03 -0800 (PST) Received: (qmail 96086 invoked from network); 13 Feb 2009 22:21:16 -0000 Received: from s34.loopia.se (HELO s128.loopia.se) ([194.9.94.70]) (envelope-sender ) by s87.loopia.se (qmail-ldap-1.03) with AES256-SHA encrypted SMTP for ; 13 Feb 2009 22:21:16 -0000 Received: (qmail 79907 invoked from network); 13 Feb 2009 22:21:06 -0000 Received: from 90-229-233-249-no153.tbcn.telia.com (HELO [192.168.0.17]) (stefan@fiddler.nu@[90.229.233.249]) (envelope-sender ) by s128.loopia.se (qmail-ldap-1.03) with DES-CBC3-SHA encrypted SMTP for ; 13 Feb 2009 22:21:06 -0000 User-Agent: Microsoft-Entourage/12.15.0.081119 Date: Fri, 13 Feb 2009 23:20:57 +0100 From: Stefan Santesson To: , Samuel Weiler , Message-ID: Thread-Topic: Review of draft-ietf-rserpool-mib-10 Thread-Index: AcmOKVeGzSSMX0i/dUSeHuV3EaDVAw== In-Reply-To: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Subject: [secdir] Review of draft-ietf-rserpool-mib-10 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Feb 2009 22:21:05 -0000 I will no be able to review this document before I leave for 1 week of vacation Feb 14-21. I'm happy to do the review as soon as I get home again. On 2/6/09 10:01 PM, "Samuel Weiler" wrote: > draft-ietf-rserpool-mib-10 From ekr@networkresonance.com Sun Feb 15 08:36:40 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 49D0E3A6A17; Sun, 15 Feb 2009 08:36:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.718 X-Spam-Level: X-Spam-Status: No, score=-1.718 tagged_above=-999 required=5 tests=[AWL=-0.881, BAYES_00=-2.599, MISSING_SUBJECT=1.762] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvZ8WwpuXK2L; Sun, 15 Feb 2009 08:36:39 -0800 (PST) Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id 4D9AE3A6997; Sun, 15 Feb 2009 08:36:39 -0800 (PST) Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id EEB8C50822; Sun, 15 Feb 2009 08:59:29 -0800 (PST) Date: Sun, 15 Feb 2009 08:59:29 -0800 From: Eric Rescorla To: sipping@ietf.org, secdir@ietf.org, draft-wing-sipping-srtp-key@tools.ietf.org User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Message-Id: <20090215165929.EEB8C50822@romeo.rtfm.com> Subject: [secdir] (no subject) X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Feb 2009 16:36:40 -0000 $Id: draft-wing-sipping-srtp-key-04-rev.txt,v 1.2 2009/02/15 15:41:29 ekr Exp $ End-to-end VoIP security mechanisms such as DTLS-SRTP represent a threat to mechanisms in which a network element which is not a party to the call wishes to monitor or modify the contents of the media traffic. This document describes a mechanism for one of the parties to the communication to provide a copy of the keying material to such a third party subject to some set of authorization controls. I'm concerned that this document doesn't have a very clear statement of requirements. Rather, it seems to be attempting to fulfill a number of distinct use cases which don't have much in common except that they represent violations of the end-to-end security model of the SIP call. This document describes two major use cases for this type of technology: - Monitoring (call recording) - Transcoding I don't think it's particularly useful to conflate these cases, which are really quite different. Monitoring is fundamentally a passive process: there is no need for the monitor to be able to modify the traffic. By contrast, transcoding is an active process: the transcoder is expected to modify the data. In reality, a transcoded call isn't a call between two endpoints, but rather two calls, each from one endpoint to the transcoder. I think it's a mistake to try do to these with the same mechanism. Similarly, this document fails to distinguish adequately between real-time and non-real-time use cases. Many monitoring/call recording applications are inherently non-real-time: you record the call and some time in the future, the call may or may not be replayed. This distinction has a number of implications, particularly since capture of the keying material and media can be separated. In particular, it may be desirable to deliver the keying material long after the call has finished (for privacy reasons). It's not clear to me how this is accomplished with this draft. It's possible it could be initiated by the UA, but I don't see how it could be initiated by the monitor. Even in a UA initiated fashion, I don't see that the information provided by the SDP in S 11 is sufficient to unambiguously identify the flow, in part due to network parameter reuse. While I appreciate it's convenient to reuse the SDP parameters, it's not clear to me that it's a good idea to hand over the SRTP master key. If all you need to do is verify the call for quality assurance, you don't need the integrity check, at least not initially. In fact, not having access to the integrity key protects against accusations that the recording device tampered. Similarly, it's not clear to me that it's desirable to have the same level of protection for the connection parameters as for the keys. Wouldn't it be useful for the monitoring application to know what connections it *potentially* has the keys for but not have direct access to them until some future time? Again, this seems like something that would be more clear with a requirements analysis in terms of privacy requirements. Finally, the elephant under the covers here is lawful intercept. the authors specifically disclaim it, but it's quite clear that this is usable as an LI system. Indeed, many such systems (e.g., FORTEZZA) involve cooperation from the endpoint being monitored. Accordingly, I would recommend that rather than accepting this mechanism as a WG document, the WG do a thorough requirements analysis focusing on minimizing the privacy issues inherent in mechanisms of this type. Once there is consensus on the requirements, then it's possible to have a discussion of mechanisms. DETAILED COMMENTS 4.3. If the requirement for recording is this strong, wouldn't it be better not to rely on the UA doing the right thing? Rather enforce it in a firewall or IDS. 7.2.2. The signature of the SAML assertion should be produced using the private key of the domain certificate. This certificate MUST have a SubjAltName which matches the domain of user agent's SIP proxy (that is, if the SIP proxy is sip.example.com, the SubjAltName of the domain certificate signing this SAML assertion MUST also be example.com). Here, the main focus is placed on communication of clients with the ESC, which belongs to the client's home domain. It's not clear to me why this is the correct authorizing certificate. 7.2.3. I don't really understand the need for the rcrypto thing. Why not just pretend you have two streams with distinct keys and use crypto= for both. Actually, I don't really think it makes sense to use SDP here at all: the semantics of the SDP really aren't the same, since you're not offering to receive a media stream, you're advertising what you're going to send. As noted above, I think it would be better to send the traffic keys separately. 7.2.4. This whole SAML thing seems pretty underspecified. I don't think using SIPS here is adequate, since it doesn't provide any guarantee to the endpoint of the security treatment of the keying material. In fact, as I noted earlier, I'm not clear that S/MIME is good enough. I think you may want something multilevel. 9.3. This Disclosure thing seems a bit confusing. Isn't what you really need to inject the appropriate warnings in the media plane. -Ekr From secdir-bounces@mit.edu Thu Feb 12 16:58:41 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D9A728C15C for ; Thu, 12 Feb 2009 16:58:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.602 X-Spam-Level: X-Spam-Status: No, score=-4.602 tagged_above=-999 required=5 tests=[AWL=1.997, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eyPSOKpmEFOi for ; Thu, 12 Feb 2009 16:58:40 -0800 (PST) Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 44ACA28C157 for ; Thu, 12 Feb 2009 16:58:40 -0800 (PST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1D0wjVD025984 for ; Thu, 12 Feb 2009 19:58:45 -0500 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1D0wf38025957 for ; Thu, 12 Feb 2009 19:58:41 -0500 Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id n1D0wXav028610 for ; Thu, 12 Feb 2009 19:58:34 -0500 (EST) Received: from ipmail05.adl2.internode.on.net (ipmail05.adl2.internode.on.net [203.16.214.145]) by mit.edu (Spam Firewall) with ESMTP id 6231A12A9E45 for ; Thu, 12 Feb 2009 19:57:56 -0500 (EST) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AjsBAFZSlEl5LNjE/2dsb2JhbAAIxUAJjmcBgmKBNQY X-IronPort-AV: E=Sophos;i="4.38,199,1233495000"; d="scan'208";a="317262561" Received: from ppp121-44-216-196.lns10.mel4.internode.on.net (HELO [192.168.0.4]) ([121.44.216.196]) by ipmail05.adl2.internode.on.net with ESMTP; 13 Feb 2009 11:27:48 +1030 Message-ID: <4994C57F.2090008@nteczone.com> Date: Fri, 13 Feb 2009 11:57:35 +1100 From: Christian Groves User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Catherine Meadows References: <8716AA45-149F-4E94-86DA-8953D4AA73C4@nrl.navy.mil> In-Reply-To: <8716AA45-149F-4E94-86DA-8953D4AA73C4@nrl.navy.mil> X-Scanned-By: MIMEDefang 2.42 X-BeenThere: secdir@mit.edu X-Mailman-Version: 2.1.6 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@mit.edu Errors-To: secdir-bounces@mit.edu X-Mailman-Approved-At: Sun, 15 Feb 2009 19:06:57 -0800 Cc: fluffy@cisco.com, secdir@mit.edu, linyangbo@huawei.com, iesg@ietf.org Subject: Re: [secdir] secdir review of draft-groves-megaco-pkgereg-02 X-BeenThere: secdir@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Feb 2009 00:58:41 -0000 Hello Catherine, Thankyou for the review of the draft. You are correct that the draft basically introduces a formal review step for PackageID allocations. In developing the draft I took the assumption that the use of packages (and associated PackageID allocation) has been a long established practice. Therefore I didn't delve into protocol operation. Whilst packages may define extra procedures and codepoints these are done within the framework of the core protocol specfication. It is not possible to update the core protocol through a package specification. The use of the H.248.1 core protocol is agreed between a MGC/MG. H.248 ServiceChange procedures establish a H.248 control association between the MGC/MG. To establish an association there must be a level of trust between the MGC/MG. In the context of this control association (and trust) the elements (properties/signals/events/statistics) from the Packages are conveyed between the MGC and MG. An MGC/MG will only act upon elements that it knows. If it does not understand an PackageID or package element then an error response is returned only in the context of the control association. So if someone wrote a malicious Package Specification and implemented it in a MGC or MG it would be unlikely to cause problems. As H.248 is a master slave protocol if the malicious package was implemented in the MGC and not the MG there would be no action because the MG would not understand the PackageID (and elements). If the malicious package was implemented on the MG there would be no affect because the MGC would never command the MG to use it. If the malicious package was implemented in both the MGC and MG then there's a wider non-H.248 issue that someone has managed to install software on both the MGC and the MG. It is highly unlikely for such a person to ask IANA for a PackageID when they could use any one they want. Indeed the allocation of "Private" PackageIDs with little review is allowed. Keeping this is mind I'm not sure that I understand your point with regards to ambiguity leading to spoofing. Could you elaborate? Please see some further comments below. Regards, Christian Catherine Meadows wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This draft concerns the H.248/MEGACO IANA Package Registration > procedures. It updates the procedure so that a formal review step, > since the IETF Megaco > working group, which previously did an informal review, is now > disbanded. > > Since this merely updates the package review process to include a > formal review, the ID claims > that this introduces no extra security concerns, other than to require > that the requester of a review > and registration of a package is authorized to do so. However, I > wonder if it would be appropriate > to include some language saying that the review process should address > any potential security > concerns a package may introduce. [CNG] I can add some general text to say that the reviewer should address any potential security concerns. > I am not an expert on this protocol, but packages appear to be fairly > complex structures that support terminations, which are sources and/or > sinks. Ambiguity in packages > would be a security concern (possibly allowing spoofing, if I > understand this correctly); this > is already covered in the review process recommended in this ID. [CNG] Please see my initial comments. > I would like to see more justification > in the security concerns section that this is the *only* security > concerned introduced by new packages > before I feel comfortable with this. [CNG] I can add something based on the outcome of our discussions. > > The ID says that security concerns for the H.248/MEGACO protocol > are discussed in H.248.1 section 10. Note that this itself > appears to be a draft . Also, it only discusses security in an IP > setting. That should presumably not be a problem > for the IETF, since that is what we are concerned about, but it should > still be mentioned, so that the > reader doesn't think that document covers security in general. [CNG] With regards to H.248.1 being a draft, it is an approved document. It is state "pre-published" for editorial reasons i.e. translation must be done etc. The technical content does not change. With regards to H.248.1 section 10 being IP specific yes I agree I can add some text to this effect. > > > Catherine Meadows > Naval Research Laboratory > Code 5543 > 4555 Overlook Ave., S.W. > Washington DC, 20375 > phone: 202-767-3490 > fax: 202-404-7942 > email: catherine.meadows@nrl.navy.mil > > _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir From HKaplan@acmepacket.com Sun Feb 15 10:48:52 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8B10F3A69B0; Sun, 15 Feb 2009 10:48:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.421 X-Spam-Level: X-Spam-Status: No, score=-2.421 tagged_above=-999 required=5 tests=[AWL=0.178, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y7z0RJFk0VsK; Sun, 15 Feb 2009 10:48:51 -0800 (PST) Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 27BB53A699E; Sun, 15 Feb 2009 10:48:51 -0800 (PST) Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.291.1; Sun, 15 Feb 2009 13:47:40 -0500 Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Sun, 15 Feb 2009 13:47:39 -0500 From: Hadriel Kaplan To: Eric Rescorla , "sipping@ietf.org" , "secdir@ietf.org" , "draft-wing-sipping-srtp-key@tools.ietf.org" Date: Sun, 15 Feb 2009 13:47:36 -0500 Thread-Topic: [Sipping] draft-wing-sipping-srtp-key-04 (was no subject) Thread-Index: AcmPi30LkMWMKzWIQiCliY9xlKjOsAAbW2Jw Message-ID: References: <20090215165929.EEB8C50822@romeo.rtfm.com> In-Reply-To: <20090215165929.EEB8C50822@romeo.rtfm.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 15 Feb 2009 19:06:57 -0800 Subject: Re: [secdir] [Sipping] draft-wing-sipping-srtp-key-04 (was no subject) X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Feb 2009 18:48:52 -0000 > -----Original Message----- > From: sipping-bounces@ietf.org [mailto:sipping-bounces@ietf.org] On Behal= f > Of Eric Rescorla > Sent: Sunday, February 15, 2009 11:59 AM > > This document describes two major use cases for this type of > technology: > - Monitoring (call recording) > - Transcoding > I don't think it's particularly useful to conflate these cases, which > are really quite different. I agree - it's really, really weird to think of transcoding cases doing thi= ngs this draft's way. (in fact it's hard to believe call recording apps sho= uld work this way either, but I know they want to) > Similarly, this document fails to distinguish adequately between > real-time and non-real-time use cases. Many monitoring/call recording > applications are inherently non-real-time: you record the call > and some time in the future, the call may or may not be replayed. I used to think that too, but I've come to find out that some call monitori= ng apps really do need real-time play-back; because it's not "play-back", i= t's like a 3-party conference with a silent listener. For example some sup= port call centers have managers who listen in on active calls randomly, or = listen in to newly-hired staff for the first day or so. Also, some vertical markets must successfully record all calls, for legal r= easons, and even the chance of the keys getting lost due to phone reboots o= r whatever is not acceptable to them. So I think getting the keys at the b= eginning of the call is a requirement. > Finally, the elephant under the covers here is lawful intercept. > the authors specifically disclaim it, but it's quite clear that > this is usable as an LI system. Indeed, many such systems > (e.g., FORTEZZA) involve cooperation from the endpoint being > monitored. I actually believe them that it's not applicable. Most LI systems cannot w= ork like FORTEZZA, specifically because they cannot let the user know he/sh= e is being tapped and cannot rely on cooperation. I don't think any self-r= especting LI system would rely on the endpoints to give it keys. :) Besides, pretty much any Call Monitoring application has unavoidable simila= rities with Lawful Interception. The same could be argued for Troubleshoot= ing mechanisms too. So what/who cares? We cannot and should not define a = mechanism for LI in the IETF; but that doesn't mean we can't define mechani= sms for other purposes, which may also happen to be usable as LI mechanisms= . > DETAILED COMMENTS > 4.3. > If the requirement for recording is this strong, wouldn't it > be better not to rely on the UA doing the right thing? Rather > enforce it in a firewall or IDS. Yeah, this is whacked. The whole mechanism is odd, imho. If you need to r= ecord calls in a call center, use keys in signaling the B2BUA can see, or t= erminate the SRTP at the B2BUA. It's not as secure as DTLS-SRTP end-to-end= , obviously, but it's not as secure as that anyway in this draft's mechanis= m. You're already trusting middleboxes with the keys in this draft's mecha= nism, so trust them with the keys a priori. Also, as an aside - using SIP to-from the recording server makes no sense. = You can pretend it's a 3-party conference call, but it's not true. It wil= l really get confusing when calls get REFER transferred, for example. I kn= ow some vendors want to do this, but it's a really bad idea. They're gonna= be in a world of hurt spending all their time troubleshooting and enhancin= g their SIP stacks to handle this odd model for every corner case, instead = of spending it on their business-specific application logic. Just because = SIP is a hammer doesn't mean this application is a nail. -hadriel From magnus@rsa.com Mon Feb 16 23:36:21 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2DFAA3A69A2; Mon, 16 Feb 2009 23:36:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.299 X-Spam-Level: X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuf8K-lma13B; Mon, 16 Feb 2009 23:36:20 -0800 (PST) Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by core3.amsl.com (Postfix) with ESMTP id 543373A684F; Mon, 16 Feb 2009 23:36:20 -0800 (PST) Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id n1H7aRPA011186 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Feb 2009 02:36:28 -0500 (EST) Received: from mailhub.lss.emc.com (sesha.lss.emc.com [10.254.144.12]) by hop04-l1d11-si03.isus.emc.com (Tablus Interceptor); Tue, 17 Feb 2009 02:36:19 -0500 Received: from corpussmtp1.corp.emc.com (corpussmtp1.corp.emc.com [128.221.10.43]) by mailhub.lss.emc.com (Switch-3.2.5/Switch-3.1.7) with ESMTP id n1H7aDU6027885; Tue, 17 Feb 2009 02:36:16 -0500 (EST) Received: from CORPUSMX50B.corp.emc.com ([128.221.62.39]) by corpussmtp1.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 17 Feb 2009 02:36:15 -0500 Received: from W-JNISBETTEST-1 ([10.72.72.44]) by CORPUSMX50B.corp.emc.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 17 Feb 2009 02:36:15 -0500 Date: Tue, 17 Feb 2009 08:36:44 +0100 (W. Europe Standard Time) From: =?iso-8859-1?Q?Magnus_Nystr=F6m?= To: iesg@ietf.org, secdir@ietf.org, hiwasaki.yusuke@lab.ntt.co.jp, ohmuro.hitoshi@lab.ntt.co.jp In-Reply-To: Message-ID: References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-OriginalArrivalTime: 17 Feb 2009 07:36:15.0229 (UTC) FILETIME=[69F9F2D0:01C990D2] Cc: ron.even.tlv@gmail.com, secdir-secretary@ietf.org, tom.taylor@rogers.com Subject: [secdir] SecDir review of draft-ietf-avt-rtp-uemclip-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2009 07:36:21 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Background ---------- This document describes the payload format of an enhanced speech codec of ITU-T G.711. Comments -------- The draft appears well written to me (it may benefit from an editorial review by a native English reader however). The Security Considerations section also appears adequate. One (possible) suggestion: The security consideration section notes the risk of memory attacks due to illegal layer indices etc. Maybe it could also be pointed out that decoders could be configured to reject layer indices etc. that are outside of some specified policy? Other than that I have no additional comments on this document. -- Magnus From dwing@cisco.com Mon Feb 16 14:47:49 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 47ED83A689D; Mon, 16 Feb 2009 14:47:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BuRe38mbripT; Mon, 16 Feb 2009 14:47:48 -0800 (PST) Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id B2FB23A6838; Mon, 16 Feb 2009 14:47:47 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.38,218,1233532800"; d="scan'208";a="250652739" Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 16 Feb 2009 22:47:58 +0000 Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id n1GMlwiA007006; Mon, 16 Feb 2009 14:47:58 -0800 Received: from dwingwxp01 ([10.32.240.194]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n1GMlvR4001416; Mon, 16 Feb 2009 22:47:57 GMT From: "Dan Wing" To: "'Eric Rescorla'" References: <20090215165929.EEB8C50822@romeo.rtfm.com> Date: Mon, 16 Feb 2009 14:47:57 -0800 Message-ID: <02cd01c99088$9d1d87c0$c2f0200a@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 11 In-Reply-To: <20090215165929.EEB8C50822@romeo.rtfm.com> Thread-Index: AcmPi6BWsER1VqurSGGf2lj+chKElwA/O4XA X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6387; t=1234824478; x=1235688478; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20 |Subject:=20RE=3A=20[Sipping]=20draft-wing-sipping-srtp-key |Sender:=20; bh=V9Xxe9sZ4SoKPmIAH93btvkWFwv1rACDXzR4AQJdKow=; b=czhsed5Lzbm9t9hsCHhkekVXQpAvHv4l0iSOqvwys3ZaQ3ZaQDnIgPeHcR PhVBhoLm83eGfRdKJwnx194K8KKWfUuumigsOmIWF0t/aWLYvXCbY7pyVZdW SbJcciz7/q; Authentication-Results: sj-dkim-4; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; ); X-Mailman-Approved-At: Tue, 17 Feb 2009 07:21:44 -0800 Cc: draft-wing-sipping-srtp-key@tools.ietf.org, sipping@ietf.org, secdir@ietf.org Subject: Re: [secdir] [Sipping] draft-wing-sipping-srtp-key X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Feb 2009 22:47:49 -0000 Thanks for your review. -d > -----Original Message----- > From: sipping-bounces@ietf.org > [mailto:sipping-bounces@ietf.org] On Behalf Of Eric Rescorla > Sent: Sunday, February 15, 2009 8:59 AM > To: sipping@ietf.org; secdir@ietf.org; > draft-wing-sipping-srtp-key@tools.ietf.org > Subject: [Sipping] (no subject) > > $Id: draft-wing-sipping-srtp-key-04-rev.txt,v 1.2 2009/02/15 > 15:41:29 ekr Exp $ > > > End-to-end VoIP security mechanisms such as DTLS-SRTP represent a > threat to mechanisms in which a network element which is not a party > to the call wishes to monitor or modify the contents of the media > traffic. This document describes a mechanism for one of the parties > to the communication to provide a copy of the keying material > to such a third party subject to some set of authorization > controls. > > I'm concerned that this document doesn't have a very clear > statement of requirements. Rather, it seems to be attempting > to fulfill a number of distinct use cases which don't have > much in common except that they represent violations of the > end-to-end security model of the SIP call. > > This document describes two major use cases for this type of > technology: > > - Monitoring (call recording) > - Transcoding > > I don't think it's particularly useful to conflate these cases, which > are really quite different. Monitoring is fundamentally a passive > process: there is no need for the monitor to be able to modify the > traffic. By contrast, transcoding is an active process: the transcoder > is expected to modify the data. In reality, a transcoded call isn't > a call between two endpoints, but rather two calls, each from one > endpoint to the transcoder. I think it's a mistake to try do to > these with the same mechanism. > > Similarly, this document fails to distinguish adequately between > real-time and non-real-time use cases. Many monitoring/call recording > applications are inherently non-real-time: you record the call > and some time in the future, the call may or may not be replayed. > This distinction has a number of implications, particularly since > capture of the keying material and media can be separated. In > particular, it may be desirable to deliver the keying > material long after > the call has finished (for privacy reasons). It's not clear > to me how this is accomplished with this draft. It's possible > it could be initiated by the UA, but I don't see how it could > be initiated by the monitor. Even in a UA initiated fashion, > I don't see that the information provided by the SDP in S 11 > is sufficient to unambiguously identify the flow, in part > due to network parameter reuse. > > While I appreciate it's convenient to reuse the SDP parameters, > it's not clear to me that it's a good idea to hand over the SRTP > master key. If all you need to do is verify the call for > quality assurance, you don't need the integrity check, at > least not initially. In fact, not having access to the integrity > key protects against accusations that the recording device > tampered. Similarly, it's not clear to me that it's desirable > to have the same level of protection for the connection parameters > as for the keys. Wouldn't it be useful for the monitoring application > to know what connections it *potentially* has the keys for > but not have direct access to them until some future time? > Again, this seems like something that would be more clear with > a requirements analysis in terms of privacy requirements. > > Finally, the elephant under the covers here is lawful intercept. > the authors specifically disclaim it, but it's quite clear that > this is usable as an LI system. Indeed, many such systems > (e.g., FORTEZZA) involve cooperation from the endpoint being > monitored. > > Accordingly, I would recommend that rather than accepting this > mechanism as a WG document, the WG do a thorough requirements > analysis focusing on minimizing the privacy issues inherent in > mechanisms of this type. Once there is consensus on the requirements, > then it's possible to have a discussion of mechanisms. > > > DETAILED COMMENTS > 4.3. > If the requirement for recording is this strong, wouldn't it > be better not to rely on the UA doing the right thing? Rather > enforce it in a firewall or IDS. > > 7.2.2. > The signature of the SAML assertion should be produced using the > private key of the domain certificate. This certificate > MUST have a > SubjAltName which matches the domain of user agent's SIP > proxy (that > is, if the SIP proxy is sip.example.com, the SubjAltName of the > domain certificate signing this SAML assertion MUST also be > example.com). Here, the main focus is placed on communication of > clients with the ESC, which belongs to the client's home domain. > > It's not clear to me why this is the correct authorizing certificate. > > > 7.2.3. > I don't really understand the need for the rcrypto thing. > Why not just pretend you have two streams with distinct > keys and use crypto= for both. > > Actually, I don't really think it makes sense to use SDP > here at all: the semantics of the SDP really aren't the same, > since you're not offering to receive a media stream, > you're advertising what you're going to send. > > As noted above, I think it would be better to send the > traffic keys separately. > > 7.2.4. > This whole SAML thing seems pretty underspecified. > > I don't think using SIPS here is adequate, since it doesn't > provide any guarantee to the endpoint of the security treatment > of the keying material. In fact, as I noted earlier, I'm not clear > that S/MIME is good enough. I think you may want something > multilevel. > > > 9.3. > This Disclosure thing seems a bit confusing. Isn't what you > really need to inject the appropriate warnings in the media > plane. > > -Ekr > > > > > > > > > > > > > > > > > > > _______________________________________________ > Sipping mailing list https://www.ietf.org/mailman/listinfo/sipping > This list is for NEW development of the application of SIP > Use sip-implementors@cs.columbia.edu for questions on current sip > Use sip@ietf.org for new developments of core SIP From weiler@watson.org Thu Feb 19 08:10:54 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D722D3A68A8 for ; Thu, 19 Feb 2009 08:10:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1BOTYToFjGPq for ; Thu, 19 Feb 2009 08:10:54 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id DF84D3A6820 for ; Thu, 19 Feb 2009 08:10:53 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id n1JGB64V093768 for ; Thu, 19 Feb 2009 11:11:06 -0500 (EST) (envelope-from weiler@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id n1JGB6UI093765 for ; Thu, 19 Feb 2009 11:11:06 -0500 (EST) (envelope-from weiler@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Thu, 19 Feb 2009 11:11:06 -0500 (EST) From: Samuel Weiler To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (fledge.watson.org [127.0.0.1]); Thu, 19 Feb 2009 11:11:06 -0500 (EST) Subject: [secdir] assignments for Feb 24th/26th X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Feb 2009 16:10:55 -0000 So far, a short telechat agenda for next week, which means there may be more assignments in the next 24 hours. Glen Zorn is next in the rotation. Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview -- Sam Telechat next week: Rob Austein draft-ietf-dime-qos-parameters-09 Brian Weis draft-ietf-pcn-architecture-09 Last calls, etc.: Steve Hanna draft-ietf-eai-downgrade-11 Paul Hoffman draft-ietf-behave-turn-12 Julien Laganier draft-ietf-sip-certs-07 Catherine Meadows draft-ietf-speechsc-mrcpv2-17 Sandy Murphy draft-ietf-avt-rtcp-non-compound-08 Vidya Narayanan draft-ietf-sip-saml-05 Vidya Narayanan draft-ietf-avt-rtp-speex-05 Radia Perlman draft-ietf-mmusic-decoding-dependency-05 Eric Rescorla draft-ietf-mmusic-sdp-source-attributes-02 Joe Salowey draft-ietf-geopriv-lis-discovery-07 Stefan Santesson draft-ietf-rserpool-mib-11 Susan Thomson draft-jones-dime-3gpp-eps-command-codes-01 Hannes Tschofenig draft-ietf-lemonade-profile-bis-11 Sean Turner draft-ietf-netconf-tls-06 Sam Weiler draft-chown-v6ops-rogue-ra-02 Sam Weiler draft-ietf-softwire-security-requirements-06 Brian Weis draft-ietf-pim-sm-linklocal-06 Nico Williams draft-ietf-v6ops-ra-guard-01 Nico Williams draft-ietf-netlmm-pmipv6-heartbeat-04 Tom Yu draft-ietf-btns-connection-latching-08 Kurt Zeilenga draft-ietf-ntp-ntpv4-proto-11 Larry Zhu draft-thaler-v6ops-teredo-extensions-02 Larry Zhu draft-ietf-ntp-ntpv4-mib-05 From bew@cisco.com Thu Feb 19 17:25:28 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 78DF53A6939; Thu, 19 Feb 2009 17:25:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.599 X-Spam-Level: X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJTbyUoKE-Bp; Thu, 19 Feb 2009 17:25:22 -0800 (PST) Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 94B363A692F; Thu, 19 Feb 2009 17:25:18 -0800 (PST) X-IronPort-AV: E=Sophos;i="4.38,237,1233532800"; d="scan'208";a="144936868" Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 20 Feb 2009 01:25:32 +0000 Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n1K1PWqv023042; Thu, 19 Feb 2009 17:25:32 -0800 Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n1K1PWDR019011; Fri, 20 Feb 2009 01:25:32 GMT Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 19 Feb 2009 17:25:32 -0800 Received: from dhcp-128-107-163-207.cisco.com ([128.107.163.207]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 19 Feb 2009 17:25:31 -0800 Message-Id: <0D547151-A90A-40EA-A25A-34AA023D485C@cisco.com> From: Brian Weis To: secdir@ietf.org, iesg@ietf.org Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 19 Feb 2009 17:25:30 -0800 X-Mailer: Apple Mail (2.930.3) X-OriginalArrivalTime: 20 Feb 2009 01:25:31.0802 (UTC) FILETIME=[1F1997A0:01C992FA] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=8633; t=1235093132; x=1235957132; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20 |Subject:=20Secdir=20review=20of=20draft-ietf-pim-sm-linklo cal-06 |Sender:=20; bh=93DWnEMog6k7u75ISDMB0anM1fIUQR5kb+mMVCl+iBM=; b=Jsr0cXNPNLOvfjKsNz6L8vs0brLg6ZaJRAwKUwQrok4ZhDDhFZN+UGnTpO 04FCObPHbrepkOseBMrilB0ik2l5JMXGrYinSV2XFF3lEC/72w2Uii0rW/25 B3TIGF9vKP; Authentication-Results: sj-dkim-3; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; ); Cc: draft-ietf-pim-sm-linklocal@tools.ietf.org, pim-chairs@tools.ietf.org Subject: [secdir] Secdir review of draft-ietf-pim-sm-linklocal-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Feb 2009 01:25:28 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document specifies mechanisms to authenticate the PIM-SM link local messages using ESP and AH. Since these messages are sent to a link-local multicast addresses (potentially to a group of receivers), the document describes the use of group keys shared between the PIM speakers on a particular LAN. The use of IPsec manual keying is specified as mandatory, with an option of automated group key management also discussed. For the most part, this document describes a use of IPsec that matches the IPsec Architecture (RFC 4301) and Multicast Extensions to the IPsec Architecture (RFC 5374). But I do have a few issues with choices made by the document, followed by some more routine comments. Issues ====== Section 9.3, third bullet. This bullet tacitly describes both DES and HMAC-MD5 as good to use, although neither are good choices these days. I recommend replacing the last two bullets with one that recommends the use of AES-CBC and HMAC-SHA1. Section 10.2.2. The second paragraph states that "the arrival of a PIM- SM link-local message" will trigger changes to the GSPD, and the last paragraph says that a PIM-SM message from an unknown peer would cause the router to query the group key management system in order to discover new PIM neighbors. Neither RFC 4301 or RFC 5374 advocate setting up IPsec state triggered from an unprotected interface because of the denial of service opportunity it gives attackers, and this document should not proscribe it either. I suggest removing the phrase from paragraph 2, and replacing paragraph three with wordage similar to the following: "A router SHOULD NOT dynamically detect new neighbors as the result of receiving an unauthenticated PIM-SM link- local message or an IPsec packet which fails an SAD lookup. An automated key management protocol SHOULD provide a means of notifying a router of new, legitimate neighbors." Section 11, second paragraph. The statement "various prohibitions in the IPsec RFCs concerning multisender multicast SAs" is not exactly correct. While RFC 4302 (AH) and RFC 4303 (ESP) say this situation is "not recommended" (because anti-replay cannot be used with a sequence number), RFC 4301 says "Multiple senders to a multicast group SHOULD use a single Security Association ...." (Section 4.6) due to the difficulty of authenticating a particular sender (i.e., one a single sender SA). Because this is a murky area, I suggest either removing the the prohibition verbage or removing the paragraph. Section 12. This section has too much discussion of anti-replay use with manual keys, in my opinion. As stated in the third paragraph it is not recommended to use a sequence number for anti-replay with manual keys, and this is in accordance with the IPsec RFCs. It should be left at that. Furthermore, the proposed use of counters and ESN values (list item b) does not match RFC 4303, which says "the sequence number counter at the sender MUST be correctly maintained across local reboots, etc., until the key is replaced". Starting counters over at zero after a reboot and then accepting any particular starting point in the sequence number space enables an attacker to replay any number of previously sent packets, which is unacceptable. Section 14. This section should state that when an ESN is used with a manually keyed SA that it MUST be saved over a reboot (as well as an indication of which sequence numbers have been used). Comments ======== Section 1, paragraph 4. This paragraph notes that securing unicast PIM- SM messages "can be achieved by the use of a normal unicast IPsec Security Association between the two communicants." That's correct, but the next sentence puzzles me: "Securing the user data exchanges is covered in RFC 3740." This RFC describes a multicast security architecture for large multicast groups, not unicast IPsec. Perhaps you meant RFC 4301? Section 1, paragraph 5. "This document recommends manual key management as mandatory to implement, i.e., that all implementations MUST support, ....". The use of "recommends" isn't quite right for a mandatory to implement feature. Perhaps "specifies" is better. Section 1.1, third paragraph. s/Permitted Access Database/Peer Authorization Database (PAD)/ Section 3. This section describes requirements on the use of Transport Mode and Tunnel Mode. These rules should be attributed to RFC 4301 (e.g., Begin the section "As stated in Section 4.1 of RFC 4301, ....."). Also it would be clearer in the second sentence to change "is a router/gateway" to "acting as a security gateway". Section 6. The "Encryption and authentication algorithms" requirement states that stream ciphers MUST NOT be configurable, because they "are not suitable for manual keys". However, they would be suitable if used with automated keying (which is an option in this document.) It would be better to make the restriction only in the case of manual keying. Also, the rest of this requirement (including by reference RFC 4835) is a little confusing, since RFC 4835 mandates the use of ciphers other than NULL but the PIM-SM link-local document states that support of confidentiality is optional. I suggest the following wording as a replacement for this section: "Encryption and authentication algorithm requirements described in RFC 4835 [RFC4835] apply when ESP and AH are used to protect PIM-SM. Implementations MUST support ESP-NULL, and if providing confidentiality MUST support the RFC 4838 required ESP transforms providing confidentiality. However, in any case implementations MUST NOT allow the user to choose a stream cipher or block mode cipher in counter mode for use with manuyal keys." Section 7.2. The paragraph referring to RSVP is probably intended to document a related automated group key management requirement, but is incongruous in this document. I suggest removing it. Section 8, paragraph following Figure 2. The sentence "Each node will look up the SA to be used based on the source address" is a little misleading. It should be "Each node will include the source address when searching the SAD for a match." (There may be other occurrences of this in the document too.) Section 8, last paragraph. This paragraph implies that "impersonation attacks" are not possible when automated keying is used. Actually, impersonation is possible whenever a symmetric group key is deployed regardless of the keying method (including when using the first method shown in Figure 2). I suggest deleting this sentence and leaving the topic for the Security Considerations section. Section 9. This section should say why it is important to periodically change keys, e.g. if there is a change of trusted personnel or to limit the risk of undetected key disclosure. When an implementation follows the algorithm requirements in RFC 4835 there, there should be no cryptographic reason to change keys. Section 9.1. I suggest changing the title to "Manual Rekeying Procedure". Section 9.3, last paragraph. This section considers the analysis in RFC 3562 to be relevant, but that analysis is really confined to the use of MD5 (not HMAC-MD5), which is not particularly relevant to algorithms used with IPsec since all are much stronger. I recommend removing the paragraph. Section 9.3, second bullet. This point isn't clearly stated elsewhere in the document. Perhaps Section 5 needs to make this statement. (But note that RFC 4301 already states that this combination is NOT RECOMMENDED.) Section 10.1.2. There are no IPsec traffic selectors defined to be as specific as "PIM message type". If PIM message types not mentioned here are sent to ALL_PIM_ROUTERS they will be encrypted as well. This section should be clear on this. Section 13. This section claims that RFC 4601 describes interface- specific SADs. It describes interface-specific SPDs, but not SADs. Brian -- Brian Weis Router/Switch Security Group, ARTG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com From secdir-bounces@mit.edu Sun Feb 22 10:04:32 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8127F28C10F for ; Sun, 22 Feb 2009 10:04:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -8.599 X-Spam-Level: X-Spam-Status: No, score=-8.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35uLyprUpGA5 for ; Sun, 22 Feb 2009 10:04:31 -0800 (PST) Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 7E4B628C11E for ; Sun, 22 Feb 2009 10:04:31 -0800 (PST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1MI4lOE032204 for ; Sun, 22 Feb 2009 13:04:47 -0500 Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1MI4ipK032201 for ; Sun, 22 Feb 2009 13:04:46 -0500 Received: from mit.edu (M24-004-BARRACUDA-2.MIT.EDU [18.7.7.112]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id n1MI4ZlN008150 for ; Sun, 22 Feb 2009 13:04:36 -0500 (EST) Received: from mail.ietf.org (mail.ietf.org [64.170.98.32]) by mit.edu (Spam Firewall) with ESMTP id 283A114BAD39 for ; Sun, 22 Feb 2009 13:03:55 -0500 (EST) Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 55DC528C106; Sun, 22 Feb 2009 10:03:37 -0800 (PST) X-Original-To: new-work@core3.amsl.com Delivered-To: new-work@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 840BA3A685A for ; Wed, 18 Feb 2009 14:49:52 -0800 (PST) Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22IFdkBAYM5n for ; Wed, 18 Feb 2009 14:49:51 -0800 (PST) Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id B71973A6824 for ; Wed, 18 Feb 2009 14:49:51 -0800 (PST) Received: from lists by frink.w3.org with local (Exim 4.63) (envelope-from ) id 1LZvEs-0000w2-B7 for public-new-work-dist@listhub.w3.org; Wed, 18 Feb 2009 22:49:58 +0000 Received: from maggie.w3.org ([193.51.208.68]) by frink.w3.org with esmtp (Exim 4.63) (envelope-from ) id 1LZvEr-0000vQ-D1 for public-new-work@listhub.w3.org; Wed, 18 Feb 2009 22:49:57 +0000 Received: from ssh.w3.org ([128.30.52.60] helo=homer.w3.org) by maggie.w3.org with esmtp (Exim 4.63) (envelope-from ) id 1LZvEi-0002Sr-Jp; Wed, 18 Feb 2009 22:49:56 +0000 Received: from [IPv6:::1] (homer.w3.org [128.30.52.30]) by homer.w3.org (Postfix) with ESMTP id CA8004EED9; Wed, 18 Feb 2009 17:49:47 -0500 (EST) Message-Id: <79312C53-3CC9-41F0-8660-E734263243C0@w3.org> From: Ian Jacobs To: public-new-work@w3.org Mime-Version: 1.0 (Apple Message framework v930.3) Date: Wed, 18 Feb 2009 16:49:47 -0600 X-Mailer: Apple Mail (2.930.3) X-W3C-Hub-Spam-Status: No, score=-4.4 X-W3C-Hub-Spam-Report: ALL_TRUSTED=-1.8, BAYES_00=-2.599 X-W3C-Scan-Sig: maggie.w3.org 1LZvEi-0002Sr-Jp 99b4ab7ca80865bb5c7278f3ae65773a X-Original-To: public-new-work@w3.org Archived-At: Resent-From: public-new-work@w3.org X-Mailing-List: archive/latest/39 X-Loop: public-new-work@w3.org Resent-Sender: public-new-work-request@w3.org Precedence: list Resent-Message-Id: Resent-Date: Wed, 18 Feb 2009 22:49:58 +0000 X-Mailman-Approved-At: Sun, 22 Feb 2009 10:03:36 -0800 X-BeenThere: new-work@ietf.org X-Mailman-Version: 2.1.9 X-Scanned-By: MIMEDefang 2.42 X-BeenThere: secdir@mit.edu Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@mit.edu Errors-To: secdir-bounces@mit.edu X-Mailman-Approved-At: Sun, 22 Feb 2009 19:31:25 -0800 Subject: [secdir] [New-work] Proposed W3C Charter: WebApps Working Group (until 2009-03-18) X-BeenThere: secdir@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Feb 2009 18:04:32 -0000 Hello, Today W3C Advisory Committee Representatives received a proposal to revise the Rich Web Client Activity [0] (see the W3C Process Document description of Activity Proposals [1]). This proposal includes a draft charter for the WebApps Working Group: http://www.w3.org/2008/12/webapps/charter-2009-proposed As part of ensuring that the community is aware of proposed work at W3C, this draft charter is public during the Advisory Committee review period. W3C invites public comments through 2009-03-18 on the proposed charter. Please send comments to public-new-work@w3.org, which has a public archive: http://lists.w3.org/Archives/Public/public-new-work/ Other than comments sent in formal responses by W3C Advisory Committee Representatives, W3C cannot guarantee a response to comments. If you work for a W3C Member [2], please coordinate your comments with your Advisory Committee Representative. For example, you may wish to make public comments via this list and have your Advisory Committee Representative refer to it from his or her formal review comments. If you should have any questions or need further information, please contact Doug Schepers, Team Contact . Thank you, Ian Jacobs, Head of W3C Communications [0] http://www.w3.org/2006/rwc/ [1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation [2] http://www.w3.org/Consortium/Member/List -- Ian Jacobs (ij@w3.org) http://www.w3.org/People/Jacobs/ Tel: +1 718 260 9447 _______________________________________________ New-work mailing list New-work@ietf.org https://www.ietf.org/mailman/listinfo/new-work _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir From secdir-bounces@mit.edu Sun Feb 22 10:04:37 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 355DA28C0FD for ; Sun, 22 Feb 2009 10:04:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -7.932 X-Spam-Level: X-Spam-Status: No, score=-7.932 tagged_above=-999 required=5 tests=[AWL=-1.333, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dybLAR40cUi7 for ; Sun, 22 Feb 2009 10:04:33 -0800 (PST) Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 37A5528C124 for ; Sun, 22 Feb 2009 10:04:33 -0800 (PST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1MI4oo2032212 for ; Sun, 22 Feb 2009 13:04:50 -0500 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n1MI4mSI032209 for ; Sun, 22 Feb 2009 13:04:48 -0500 Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id n1MI4dW3020540 for ; Sun, 22 Feb 2009 13:04:39 -0500 (EST) Received: from mail.ietf.org (mail.ietf.org [64.170.98.32]) by mit.edu (Spam Firewall) with ESMTP id 5774412BB550 for ; Sun, 22 Feb 2009 13:03:55 -0500 (EST) Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4232028C0E1; Sun, 22 Feb 2009 10:03:37 -0800 (PST) X-Original-To: new-work@core3.amsl.com Delivered-To: new-work@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2B58E3A6BE8 for ; Wed, 11 Feb 2009 15:16:58 -0800 (PST) Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7PU2K1QDMTi for ; Wed, 11 Feb 2009 15:16:57 -0800 (PST) Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by core3.amsl.com (Postfix) with ESMTP id 43BDD3A69CD for ; Wed, 11 Feb 2009 15:16:57 -0800 (PST) Received: from lists by frink.w3.org with local (Exim 4.63) (envelope-from ) id 1LXOKA-0007Dy-EY for public-new-work-dist@listhub.w3.org; Wed, 11 Feb 2009 23:16:58 +0000 Received: from maggie.w3.org ([193.51.208.68]) by frink.w3.org with esmtp (Exim 4.63) (envelope-from ) id 1LXOK9-0007BR-1G for public-new-work@listhub.w3.org; Wed, 11 Feb 2009 23:16:57 +0000 Received: from ssh.w3.org ([128.30.52.60] helo=homer.w3.org) by maggie.w3.org with esmtp (Exim 4.63) (envelope-from ) id 1LXOJx-0003B2-CL; Wed, 11 Feb 2009 23:16:56 +0000 Received: from [IPv6:::1] (homer.w3.org [128.30.52.30]) by homer.w3.org (Postfix) with ESMTP id 9879F4EEC1; Wed, 11 Feb 2009 18:16:44 -0500 (EST) Message-Id: From: Ian Jacobs To: public-new-work@w3.org Mime-Version: 1.0 (Apple Message framework v930.3) Date: Wed, 11 Feb 2009 17:16:44 -0600 X-Mailer: Apple Mail (2.930.3) X-W3C-Hub-Spam-Status: No, score=-4.4 X-W3C-Hub-Spam-Report: ALL_TRUSTED=-1.8, BAYES_00=-2.599 X-W3C-Scan-Sig: maggie.w3.org 1LXOJx-0003B2-CL 46c034935fd455887a26371c291242c5 X-Original-To: public-new-work@w3.org Archived-At: Resent-From: public-new-work@w3.org X-Mailing-List: archive/latest/38 X-Loop: public-new-work@w3.org Resent-Sender: public-new-work-request@w3.org Precedence: list Resent-Message-Id: Resent-Date: Wed, 11 Feb 2009 23:16:58 +0000 X-Mailman-Approved-At: Sun, 22 Feb 2009 10:03:36 -0800 X-BeenThere: new-work@ietf.org X-Mailman-Version: 2.1.9 X-Scanned-By: MIMEDefang 2.42 X-BeenThere: secdir@mit.edu Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: secdir-bounces@mit.edu Errors-To: secdir-bounces@mit.edu X-Mailman-Approved-At: Sun, 22 Feb 2009 19:31:25 -0800 Subject: [secdir] [New-work] Proposed W3C Charter: XML Activity (until 2009-03-13) X-BeenThere: secdir@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Feb 2009 18:04:37 -0000 Hello, Today W3C Advisory Committee Representatives received a Proposal to revise the XML Activity [0] (see the W3C Process Document description of Activity Proposals [1]). The proposal is available for public comment: http://www.w3.org/XML/2009/02/activity-proposal It includes links to proposed charters for these groups: - Efficient XML Interchange Working Group - Service Modeling Language Working Group - XML Processing Working Group - XML Coordination Group - XML Plenary Interest Group - XML Query Working Group - XML Schema Working Group and Interest Group - XSL Working Group (XSLT and XSL-FO) As part of ensuring that the community is aware of proposed work at W3C, this draft charters are public during the Advisory Committee review period. W3C invites public comments through 2009-03-13 on the proposed charters. Please send comments to public-new-work@w3.org, which has a public archive: http://lists.w3.org/Archives/Public/public-new-work/ Other than comments sent in formal responses by W3C Advisory Committee Representatives, W3C cannot guarantee a response to comments. If you work for a W3C Member [2], please coordinate your comments with your Advisory Committee Representative. For example, you may wish to make public comments via this list and have your Advisory Committee Representative refer to it from his or her formal review comments. If you should have any questions or need further information, please contact Liam Quin, XML Activity Lead . Thank you, Ian Jacobs, Head of W3C Communications [0] http://www.w3.org/XML/ [1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation [2] http://www.w3.org/Consortium/Member/List -- Ian Jacobs (ij@w3.org) http://www.w3.org/People/Jacobs/ Tel: +1 718 260 9447 _______________________________________________ New-work mailing list New-work@ietf.org https://www.ietf.org/mailman/listinfo/new-work _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir From gonzalo.camarillo@ericsson.com Tue Feb 24 05:47:05 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BB483A67A2; Tue, 24 Feb 2009 05:47:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.249 X-Spam-Level: X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-52fMYp+Vxd; Tue, 24 Feb 2009 05:47:04 -0800 (PST) Received: from mailgw4.ericsson.se (mailgw4.ericsson.se [193.180.251.62]) by core3.amsl.com (Postfix) with ESMTP id 855F73A68A6; Tue, 24 Feb 2009 05:47:04 -0800 (PST) Received: from mailgw4.ericsson.se (unknown [127.0.0.1]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 2761122408; Tue, 24 Feb 2009 14:47:20 +0100 (CET) X-AuditID: c1b4fb3e-ad0bdbb000001315-36-49a3fa60d34b Received: from esealmw129.eemea.ericsson.se (unknown [153.88.253.125]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 791EA22218; Tue, 24 Feb 2009 14:47:12 +0100 (CET) Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Feb 2009 14:47:10 +0100 Received: from [131.160.126.174] ([131.160.126.174]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Tue, 24 Feb 2009 14:47:10 +0100 Message-ID: <49A3FA5E.4010405@ericsson.com> Date: Tue, 24 Feb 2009 15:47:10 +0200 From: Gonzalo Camarillo User-Agent: Thunderbird 2.0.0.19 (Windows/20081209) MIME-Version: 1.0 To: Yaron Sheffer References: <7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8E@il-ex01.ad.checkpoint.com> In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC8D97E66FC8E@il-ex01.ad.checkpoint.com> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit X-OriginalArrivalTime: 24 Feb 2009 13:47:10.0466 (UTC) FILETIME=[6405DE20:01C99686] X-Brightmail-Tracker: AAAAAA== Cc: "draft-ietf-xcon-event-package@tools.ietf.org" , "alan@sipstation.com" , "adam@nostrum.com" , "iesg@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] Secdir review of draft-ietf-xcon-event-package-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Feb 2009 13:47:05 -0000 Hi Yaron, thanks for your review. With respect to your comment, it is common to specify that documents SHOULD be valid. Note that RFC 5261 (this draft is based on it) also specifies documents that SHOULD be valid. Therefore, we chose to keep the SHOULD given that this is an extension to RFC 5261. Thanks, Gonzalo Yaron Sheffer wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > > > This draft extends the existing SIP conference package by adding > additional functionality (the XCON data model) and XML document patching. > > > > The Security Considerations section references predecessor documents, > and this seems reasonable to me. > > > > One functionality comment, with security implications: Sec. 5.3 > specifies that a “patch” document MUST be well formed and SHOULD be > valid. I believe non-valid documents significantly increase the > vulnerability “attack surface”. And since the “patch” schema is > extensible by design, I see no reason to not validate the document. In > other words, please consider changing validation to a MUST. > > > > Thanks, > > Yaron > > > > Email secured by Check Point > From ron.even.tlv@gmail.com Wed Feb 25 06:21:37 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28F6628C230; Wed, 25 Feb 2009 06:21:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-EMsluwLJ6n; Wed, 25 Feb 2009 06:21:36 -0800 (PST) Received: from mail-fx0-f176.google.com (mail-fx0-f176.google.com [209.85.220.176]) by core3.amsl.com (Postfix) with ESMTP id B28D528C22F; Wed, 25 Feb 2009 06:21:35 -0800 (PST) Received: by fxm24 with SMTP id 24so790fxm.37 for ; Wed, 25 Feb 2009 06:21:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:from:to:cc:references :in-reply-to:subject:date:message-id:mime-version:content-type :content-transfer-encoding:x-mailer:thread-index:content-language; bh=AfQ9wXKry5k+rnnzbfA3rTtzgg7FUqS6bEZGJ7f9jvY=; b=eRdKbe0iHkzpq0IQ59+PR+HzNoEcZ1PMdF+iYn9bT86VKeeaji4Leti/M2/V7p1A3a 5k4e6dEdsigPvr+/cclp9pGBao+sMomAH2GDp6DUrG8hTEbZ0Ixq3Ki8KNQwHMjjJD03 TScUDvCAxyd2QO7y7i00TYaHaIquE1dq+amP4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding:x-mailer :thread-index:content-language; b=wDgqcxAvBKDti5AO1b0vdanBO73oRKVHKWp++TgU+fBqM43CgelGPE21Xms+T+3Dg3 AKEJBcB7zS99YC+697cMpr6jFw6rhZktNRAqz8leS/lIdoWUtVdhkg9cM+RHm961EGnz p9fZeQKBJl7QsCDsvB00jjtyfny3TgCwwuIFE= Received: by 10.103.245.18 with SMTP id x18mr86955mur.62.1235571715041; Wed, 25 Feb 2009 06:21:55 -0800 (PST) Received: from windows8d787f9 (bzq-79-182-130-108.red.bezeqint.net [79.182.130.108]) by mx.google.com with ESMTPS id y6sm4709315mug.57.2009.02.25.06.21.53 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 25 Feb 2009 06:21:54 -0800 (PST) From: "Roni Even" To: "'Alexey Melnikov'" , , References: <49920C4C.50907@isode.com> In-Reply-To: <49920C4C.50907@isode.com> Date: Wed, 25 Feb 2009 16:19:52 +0200 Message-ID: <49a55402.06e2660a.114b.ffffaa53@mx.google.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AcmL1pLdp903pf8vRKqWXgq7aIXhgwLfTEpQ Content-Language: en-us X-Mailman-Approved-At: Wed, 25 Feb 2009 08:07:10 -0800 Cc: iesg@ietf.org, avt-chairs@tools.ietf.org Subject: Re: [secdir] secdir review of draft-ietf-avt-rfc3047-bis-08.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2009 14:21:37 -0000 Hi, I agree with the proposed change. Regards Roni Even As editor of rfc3047-bis -----Original Message----- From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] Sent: Wednesday, February 11, 2009 1:23 AM To: secdir@ietf.org; draft-ietf-avt-rfc3047-bis@tools.ietf.org Cc: avt-chairs@tools.ietf.org; iesg@ietf.org Subject: secdir review of draft-ietf-avt-rfc3047-bis-08.txt I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes the payload format for including G.722.1 generated bit streams (audio) within an RTP packet. The Security Considerations section is nearly the same as in RFC 3047, with some obsoleted text deleted (good). I would suggest replacing the first paragraph RTP packets using the payload format defined in this specification are subject to the security considerations discussed in the RTP specification [RFC3550], and any appropriate RTP profile. This implies that confidentiality of the media streams is achieved by encryption. with (for example) the text found in RFC 5404: RTP packets using the payload format defined in this specification are subject to the security considerations discussed in the RTP specification [RFC3550] and in any applicable RTP profile. The main security considerations for the RTP packet carrying the RTP payload format defined within this memo are confidentiality, integrity, and source authenticity. Confidentiality is achieved by encryption of the RTP payload. Integrity of the RTP packets is achieved through a suitable cryptographic integrity protection mechanism. Such a cryptographic system may also allow the authentication of the source of the payload. A suitable security mechanism for this RTP payload format should provide confidentiality, integrity protection, and at least source authentication capable of determining if an RTP packet is from a member of the RTP session. Note that the appropriate mechanism to provide security to RTP and payloads following this memo may vary. It is dependent on the application, the transport, and the signaling protocol employed. Therefore, a single mechanism is not sufficient, although if suitable, usage of the Secure Real-time Transport Protocol (SRTP) [RFC3711] is recommended. Other mechanisms that may be used are IPsec [RFC4301] and Transport Layer Security (TLS) [RFC5246] (RTP over TCP); other alternatives may exist. as it provides more background to a reader unfamiliar with RTP on possible security mechanisms that can be used. Apart from that I found the document to be well written and being quite clear on which data is valid and which is invalid. From weiler@watson.org Thu Feb 26 11:03:38 2009 Return-Path: X-Original-To: secdir@core3.amsl.com Delivered-To: secdir@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D28193A6907 for ; Thu, 26 Feb 2009 11:03:38 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LrDLhXjwrF0E for ; Thu, 26 Feb 2009 11:03:38 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by core3.amsl.com (Postfix) with ESMTP id 052A23A6818 for ; Thu, 26 Feb 2009 11:03:37 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.3/8.14.3) with ESMTP id n1QJ3w3G065302 for ; Thu, 26 Feb 2009 14:03:58 -0500 (EST) (envelope-from weiler@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.3/8.14.3/Submit) with ESMTP id n1QJ3wDE065299 for ; Thu, 26 Feb 2009 14:03:58 -0500 (EST) (envelope-from weiler@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Thu, 26 Feb 2009 14:03:58 -0500 (EST) From: Samuel Weiler To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0 (fledge.watson.org [127.0.0.1]); Thu, 26 Feb 2009 14:03:58 -0500 (EST) Subject: [secdir] Assignments for March 4th X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.9 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Feb 2009 19:03:38 -0000 If you're wondering why a review previously assigned to you vanished from this list, see mail from me last night. Ran Canetti is next in the rotation. Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview -- Sam Reviewer Draft Derek Atkins draft-ietf-roll-building-routing-reqs-05 Rob Austein draft-p2pi-cooper-workshop-report-01 Richard Barnes draft-ietf-ntp-ntpv4-proto-11 Uri Blumenthal draft-ietf-lemonade-streaming-09 Pat Cain draft-crocker-email-arch-11 Steve Hanna draft-ietf-eai-downgrade-11 Paul Hoffman draft-ietf-behave-turn-13 Julien Laganier draft-ietf-sip-certs-07 Catherine Meadows draft-ietf-speechsc-mrcpv2-17 Vidya Narayanan draft-ietf-sip-saml-05 Joe Salowey draft-ietf-geopriv-lis-discovery-07 Susan Thomson draft-jones-dime-3gpp-eps-command-codes-01 Hannes Tschofenig draft-ietf-lemonade-profile-bis-12 Sean Turner draft-ietf-netconf-tls-07 Sam Weiler draft-chown-v6ops-rogue-ra-02 Sam Weiler draft-ietf-softwire-security-requirements-06 Nico Williams draft-ietf-v6ops-ra-guard-01 Nico Williams draft-ietf-netlmm-pmipv6-heartbeat-04 Larry Zhu draft-thaler-v6ops-teredo-extensions-02 Larry Zhu draft-ietf-ntp-ntpv4-mib-05 Glen Zorn draft-ietf-roll-indus-routing-reqs-04