
From nobody Sun Sep  3 21:47:16 2017
Return-Path: <radiaperlman@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A064B1329E3; Sun,  3 Sep 2017 21:47:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ElAHHkZyB5tf; Sun,  3 Sep 2017 21:47:08 -0700 (PDT)
Received: from mail-it0-x229.google.com (mail-it0-x229.google.com [IPv6:2607:f8b0:4001:c0b::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93847132E23; Sun,  3 Sep 2017 21:33:12 -0700 (PDT)
Received: by mail-it0-x229.google.com with SMTP id k189so12621449itk.0; Sun, 03 Sep 2017 21:33:12 -0700 (PDT)
X-Received: by 10.36.160.73 with SMTP id o70mr5241595ite.160.1504499591656; Sun, 03 Sep 2017 21:33:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.2.48.212 with HTTP; Sun, 3 Sep 2017 21:33:11 -0700 (PDT)
From: Radia Perlman <radiaperlman@gmail.com>
Date: Sun, 3 Sep 2017 21:33:11 -0700
Message-ID: <CAFOuuo5HjRn7SfT=q2muJ3LFner3AjpOnHTSnEObrqUpgVDWyg@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>,  draft-ietf-taps-transports-usage-udp.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="94eb2c04a072b9b96a0558559b25"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RS4KAf-bqKsRo_v4QG-BIugsjmc>
Subject: [secdir] Secdir review of draft-ietf-taps-transports-usage-udp-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Sep 2017 04:47:10 -0000

--94eb2c04a072b9b96a0558559b25
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.



This informational document contains tutorial information on the use of the
sockets API to send and receive data over the UDP and UDP-lite protocols.
It is apparently part of an effort to write tutorial descriptions of APIs
to all IETF-standardized transport protocols.



This document refers the reader to the standards for all security
considerations. That is probably appropriate. It’s always difficult to
decide what information to include and what to exclude in a tutorial.  I
would have liked an explanation of how the sender knows whether to request
UDP or UDP-lite, since it doesn't look like UDP-lite would be compatible
with something that only speaks UDP.



Nits:



The abstract refers to a current I-D intended to advance with this one as
RFCxxxx, which I believe is non-standard, but the RFC editor can probably
sort it out.



In the pdf version, one of the references to [I-D.ietf-taps-transports-usage]
is not preceded with a space and did not get turned into a clickable link.
There is a similar problem with [RFC8200] on page 4.



Page 4: “Operations should be provided that allows” -> “Operations should
be provided that allow”

Page 4: “[RFC6935] and [RFC6936] defines” -> “[RFC6935] and [RFC6936]
define”


Radia

--94eb2c04a072b9b96a0558559b25--


From nobody Wed Sep  6 10:51:53 2017
Return-Path: <mdb@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEED0132705; Wed,  6 Sep 2017 10:51:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level: 
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fwj7kCRB1eGX; Wed,  6 Sep 2017 10:51:50 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0131.outbound.protection.outlook.com [104.47.41.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA69A132494; Wed,  6 Sep 2017 10:51:48 -0700 (PDT)
Received: from SN4PR0501CA0025.namprd05.prod.outlook.com (10.167.112.38) by CY1PR0501MB1225.namprd05.prod.outlook.com (10.160.145.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.35.3; Wed, 6 Sep 2017 17:51:47 +0000
Received: from BY2NAM05FT057.eop-nam05.prod.protection.outlook.com (2a01:111:f400:7e52::204) by SN4PR0501CA0025.outlook.office365.com (2603:10b6:803:40::38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.35.3 via Frontend Transport; Wed, 6 Sep 2017 17:51:47 +0000
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.12 as permitted sender)
Received: from p-emfe01a-sac.jnpr.net (66.129.239.12) by BY2NAM05FT057.mail.protection.outlook.com (10.152.100.194) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256) id 15.1.1385.11 via Frontend Transport; Wed, 6 Sep 2017 17:51:46 +0000
Received: from p-mailhub01.juniper.net (10.160.2.17) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 6 Sep 2017 10:51:21 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id v86HpKnb000459; Wed, 6 Sep 2017 10:51:20 -0700	(envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1])	by eng-mail01.juniper.net (Postfix) with ESMTP id EF4431144E;	Wed,  6 Sep 2017 10:51:19 -0700 (PDT)
To: Donald Eastlake <d3e3e3@gmail.com>
CC: "iesg@ietf.org" <iesg@ietf.org>, <draft-ietf-curdle-ssh-modp-dh-sha2@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
In-Reply-To: <CAF4+nEEmMSWzuK050Pf2ytCF0hwpHJwDfENStFaYDe+Z_4bVkQ@mail.gmail.com> 
References: <CAF4+nEEmMSWzuK050Pf2ytCF0hwpHJwDfENStFaYDe+Z_4bVkQ@mail.gmail.com>
Comments: In-reply-to: Donald Eastlake <d3e3e3@gmail.com> message dated "Thu, 24 Aug 2017 18:26:13 -0400."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Wed, 6 Sep 2017 10:51:19 -0700
Message-ID: <21748.1504720279@eng-mail01.juniper.net>
Sender: <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Sep 2017 17:51:46.7879 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.12];  Helo=[p-emfe01a-sac.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1225
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/i993G9jdu4luJAJYw0ABtVaJC88>
Subject: Re: [secdir] draft-ietf-curdle-ssh-modp-dh-sha2 SECDIR review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 17:51:52 -0000

Hi Donald,

Donald Eastlake <d3e3e3@gmail.com> writes:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> The summary of the review is Ready.
> 
> I am not an expert on MODP groups or the like but this document looks
> good to me.
> 
> I would comment that I am used to information about where comments on
> the draft should be sent being on the title page rather than on page 3
> at the end of Section 1.

My apologies for the use of a non-standard section for the note.
I will try to do better in future documents.

As it is in a 

       [TO BE REMOVED: Please send comments on this draft to curdle@ietf.org.]

paragraph, I do not plan to revise the document to address this concern.

	-- Mark


From nobody Thu Sep  7 08:31:46 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id DC4E4132F4B for <secdir@ietf.org>; Thu,  7 Sep 2017 08:31:38 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.60.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <150479829889.20799.5292306882548367210.idtracker@ietfa.amsl.com>
Date: Thu, 07 Sep 2017 08:31:38 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JqHuYVdCdBJ4JLT140LOR_5EhTE>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 15:31:39 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-09-14

Reviewer               LC end     Draft
Daniel Franke          2017-07-30 draft-ietf-curdle-ssh-dh-group-exchange-05
Daniel Gillmor         2017-07-30 draft-ietf-curdle-des-des-des-die-die-die-04
Dan Harkins            2017-08-09 draft-ietf-bess-evpn-etree-13
Sandra Murphy          2017-09-01 draft-ietf-mpls-ldp-mrt-06
Derrell Piper          2017-09-14 draft-ietf-taps-transports-usage-08

For telechat 2017-09-28

Reviewer               LC end     Draft
Hilarie Orman          2017-09-19 draft-ietf-tsvwg-ecn-experimentation-05

Last calls:

Reviewer               LC end     Draft
Ólafur Guðmundsson     2017-08-15 draft-ietf-sidr-rpki-validation-reconsidered-08
Phillip Hallam-Baker   2017-08-11 draft-ietf-rtcweb-jsep-23
Ben Laurie             2017-08-23 draft-ietf-pce-pce-initiated-lsp-10
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-11
Yoav Nir               2017-09-27 draft-kille-ldap-xmpp-schema-01
Magnus Nystrom         2017-09-13 draft-ietf-dcrup-dkim-usage-04
Tim Polk               2017-09-11 draft-ietf-kitten-rfc5653bis-05
Vincent Roca           2017-09-11 draft-ietf-curdle-rsa-sha2-10
Joseph Salowey         2017-09-20 draft-ietf-opsawg-service-model-explained-03
Rich Salz              2017-09-15 draft-ietf-6man-maxra-03
Tom Yu                 2017-07-25 draft-ietf-lamps-rfc5280-i18n-update-03
Tom Yu                 2017-02-20 draft-ietf-slim-negotiating-human-language-13

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08

Next in the reviewer rotation:

  Yaron Sheffer
  Rifaat Shekh-Yusef
  Melinda Shore
  Robert Sparks
  Takeshi Takahashi
  Tina Tsou
  Sean Turner
  Carl Wallace
  David Waltermire
  Samuel Weiler


From nobody Thu Sep  7 09:06:14 2017
Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08993132F49; Thu,  7 Sep 2017 09:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level: 
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knhwMPO9LMo6; Thu,  7 Sep 2017 09:06:03 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EC35132ECA; Thu,  7 Sep 2017 09:06:03 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.42,359,1500940800"; d="scan'208";a="482739075"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 07 Sep 2017 16:06:02 +0000
Received: from XCH-RTP-019.cisco.com (xch-rtp-019.cisco.com [64.101.220.159]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v87G61W2015763 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 7 Sep 2017 16:06:02 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-019.cisco.com (64.101.220.159) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 7 Sep 2017 12:06:01 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1263.000; Thu, 7 Sep 2017 12:06:01 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, "IETF Discussion Mailing List" <ietf@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-sfc-nsh-18
Thread-Index: AQHTEvC/pwAKmK7nuE+363G/TDu7PaKqA5CA
Date: Thu, 7 Sep 2017 16:06:00 +0000
Message-ID: <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net>
In-Reply-To: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.116.133]
Content-Type: text/plain; charset="utf-8"
Content-ID: <665FCFB3124B2B4C802FA976B54D1E56@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rvSHPq-zJTlfZv2sXxvwUMd0iaQ>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 16:06:06 -0000


From nobody Fri Sep  8 14:25:13 2017
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A545A124E15; Fri,  8 Sep 2017 14:25:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir <ynir.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: draft-kille-ldap-xmpp-schema.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.60.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150490591260.17260.5826520927764819469@ietfa.amsl.com>
Date: Fri, 08 Sep 2017 14:25:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XxRsNAu7NSOh4m2o8L-1DBMR82I>
Subject: [secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Sep 2017 21:25:13 -0000

Reviewer: Yoav Nir
Review result: Has Nits

The document defines a couple of OIDs for associating a Jabber ID with an LDAP
object.  As such, it is very short and straightforward. I'm not too happy with
the Security Considerations section, which I'll quote here in its entirety:

"This schema enables publishing for XMPP JIDs, and care should be taken to
ensure that this information is not accessed inappropriately."

This is rather generic, and it's true for any piece of information stored
anywhere.  If that is all there is to say, the section might as well read "This
document only registers OIDs and has no special security considerations."

However, I think there is a point that may need to be mentioned. Using this
extension links a JID, which is a personal identifier that often appears on the
public Internet (much like an email address), to an LDAP object, which is
usually limited to an organization, usually the employer of that person. This
linkability only exists for people who have access to the LDAP server, so it's
just that users have to take the same care with JIDs that they do with email
addresses - if you don't want your XMPP messages linked to your employer, or
linked to you by your employer, it is better to use a private JID that is not
linked to your employer's LDAP.

This advice to users may be out of scope, but I would like to see a mention
that JIDs are generally public and pseudonymous, and this links them to a real
person within an LDAP domain.


From nobody Sat Sep  9 16:42:17 2017
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDC8813247A for <secdir@ietfa.amsl.com>; Sat,  9 Sep 2017 16:42:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5SLXeOQhN2pp for <secdir@ietfa.amsl.com>; Sat,  9 Sep 2017 16:42:14 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79ABF124F57 for <secdir@ietf.org>; Sat,  9 Sep 2017 16:42:14 -0700 (PDT)
Received: from xsmtp24.mail2web.com ([168.144.250.190] helo=xsmtp04.mail2web.com) by mx42.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1dqpO8-00061P-Il for secdir@ietf.org; Sun, 10 Sep 2017 01:42:13 +0200
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dqpO5-0001DM-JR for secdir@ietf.org; Sat, 09 Sep 2017 19:42:10 -0400
Received: (qmail 19967 invoked from network); 9 Sep 2017 23:42:07 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.88]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <secdir@ietf.org>; 9 Sep 2017 23:42:07 -0000
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Cc: "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
Date: Sat, 9 Sep 2017 16:42:02 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 168.144.250.190
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.30)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HM-Vzf5ZB7wTlFwL3Ep8vUMkmJE>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Sep 2017 23:42:16 -0000

On 9/7/2017 9:06 AM, Carlos Pignataro (cpignata) wrote:
> Christian,
>
> Thanks for taking time to review this document. The net-result of addressing them will be an improved specification.
I am looking at the changes between draft-18 and draft-20, and draft-20
is indeed improved.
>
> We took some additional time before responding, because some of your comments are very likely addressed (or partially addressed at least) in the current revision -20.
>
> You raise some very general broadly-scoped questions, such as “Why is the IETF even working on such specifications?” Those are probably beyond the scope of a SecDir review, but nonetheless, important LC comments. As those are beyond the technology specifics of draft-ietf-sfc-nsh, I can (and I do) share my perspective, but I will let others (responsible AD, sfc chairs, doc shepherd) add on more authoritatively.
> ...
>
> But, if you knew all this, I am not sure what is the question behind your question…
>
> I can offer that there’s market demand for interoperable implementations of service function chaining solutions...

I have no doubt that there are multiple products developed and sold, and
that interoperable specifications are preferable to competing
proprietary specifications. My initial reaction was largely motivated by
the lack of scoping in the document. Without that scoping, it looks like
a general architecture for adding metadata to packets on the Internet,
and that's a big red flag, big enough to state that no, the IETF should
not endorse that at all, interop be damned.

The scoping mitigates some of the concerns. I am still troubled by some
of the specification, such as the example giving a scope as "a campus
physical network". Environments like that are only partially controlled.
Adding metadata to packets in such wide locations could enable many
attacks.

>
>> What
>> does this have to do with the Internet?
> I’ll just share that, just like RFC 7665, this specification narrowscopes itself to a single provider’s operational domain.
>
> Relevant text from revision -20, that was not there on the revision -18 you reviewed, includes:
>
>    The intended scope of the NSH is for use within a single provider's
>    operational domain.  This deployment scope is deliberately
>    constrained, as explained also in [RFC7665], and limited to a single
>    network administrative domain.  In this context, a "domain" is a set
>    of network entities within a single administration.  For example, a
>    network administrative domain can include a single data center, a
>    campus physical network, or an overlay domain using virtual
>    connections and tunnels.  A corollary is that a network
>    administrative domain has a well defined perimeter.

Yes, I saw that. That's good. But I also only see minimal mechanisms in
the draft for enforcing the removal of the metadata before a packet
leaves the specified domain. Section 2 states that "the last SFF in the
service chain removes the NSH". That's fine, but that's not a fail-safe
mechanism. The draft mentions using IPv4 or IPv6 as transport. It seems
that in that case there should be some ingress/egress filtering, as in
"packets originating outside the service domain must be dropped if they
contain an NSH," and similarly must be dropped on domain exit if they
contain an NSH.

>
>> And why such disregard
>> for privacy and security? In any case, this document has significant
>> issues. It does not explain where exactly the proposed Network
>> Service Header would be inserted (MPLS or IPv6?).
> This is another good comment, we believe is already addressed in rev -20 with the additions to the Introduction and Figure 1, among others.

Figure 1 does help, thank you. I assume that the intent is to complete
the NSH draft with specifications of the actual encapsulations over
MPLS, Ethernet, IPv4 and IPv6. But it is pretty hard to review the
security of the system without a description of these encapsulations.

>
>> The security
>> provisions boil down to lip-service mentions of IPSEC, and that's way
>> insufficient given the nature of the protocol.
>> ...
>> ...
> I believe one source of confusion here is the extrapolation of carrying privacy-sensitive metadata across the Internet. That is not the case.
>
> The so-called "RFC 7665" defined the applicability scope, but we the NSH specification has failed to make that clear. This is a good point, and one that needs text changes. We took initial steps in -20 to correct that and be clear and explicit.
Yes, the new introduction is much better.
>
>> In a spirit of
>> cooperation, I choose the latter, and here is the two steps advice:
>>
>> The first step to better security and privacy there would be to present
>> the practical deployment conditions. I could only make guesses, and
>> that's silly. There should be some kind of diagram explaining how the
>> SFH is inserted in packets, and where it sits between Ethernet, MPLS and
>> IP.
>>
>> The next step is to develop a protection model. Given that the goal of
>> the architecture is to decorate the packets with sensitive metadata,
>> there need to be some thinking about who should be able to see it. How
>> would path encryption like IPSEC be deployed? Should all elements on
>> path really be able to access all metadata, or should some of it be
>> further protected?
>>
>> Please fix that before the document is published.
>>
> A lot of this conversation is déjà vu of the RFC 7665 WG, LC, and ballot discussions. Those discussions resulted in significant work with the Security ADs, security-focused SFC experts, and SFC-focused security experts; those in turn are codified in the text of RFC 7665’s security considerations.
The new security section does provide a number of recommendations, such
as the obfuscation of metadata. That's definitely an improvement. But I
believe there are still issues.

The first issue is that "Metadata privacy and security considerations
are a matter for the documents that define metadata format." That does
not give me a warm and fuzzy feeling at all. I understand that the
formats will be only registered "after IETF review", but these future
reviews would be much easier if the NSH mechanism defined at least a
baseline security posture, and maybe some generic mechanisms for
obfuscation or encryption.

The second issue is that the security section provides recommendations
about solutions, but does not analyze the threats. In particular, one of
the threats that I find worrisome is, what happens if a specific
function in a service chain gets subverted? In the current version, it
seems that subverting just one element in the chain will provide access
to all the metadata.

I may be paranoid, but there is already a history of adversaries
attacking complex systems like data centers, network control systems or
corporate networks, not to mention campus networks. These adversaries
typically proceed by lateral movement after an initial penetration until
they get closer to their actual target inside the domain. I can see an
adversary trying to penetrate one of these domains in order to access
the metadata. In our case, it would try to find a weak link in the
service function chain. It may be that one of the functions is deemed
benign, and thus was less secured than the others. But if all functions
see the metadata, then the adversaries will achieve their goal by
targeting that weak link. Some application of the "least privilege"
principle would be useful there.

-- Christian Huitema





-- 
Christian Huitema
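
Added example (not part of the message above, nor code from the NSH draft or its authors): the fail-safe perimeter rule the review asks for, as a Python classifier that drops any frame carrying an NSH at the domain edge and records the Service Path Identifier for the log. The EtherType 0x894F, the VXLAN-GPE port 4790 with next-protocol value 0x04, and the SPI/SI layout are assumptions taken from the published NSH and VXLAN-GPE specifications rather than from this thread; the frames are constructed samples.

```python
import struct

# Assumed constants (from the published NSH / VXLAN-GPE specifications, not
# from the thread, which reviews drafts -18 and -20).
ETH_NSH, ETH_IPV4 = 0x894F, 0x0800
ETH_VLAN = (0x8100, 0x88A8)
IPPROTO_UDP, IPPROTO_GRE = 17, 47
VXLAN_GPE_PORT, GPE_NEXT_NSH = 4790, 0x04


def locate_nsh(frame):
    """Return (encapsulation, NSH offset) for an Ethernet frame, or None.

    Covers NSH directly over Ethernet (with VLAN tags), over GRE/IPv4 and
    over VXLAN-GPE/IPv4. IPv6 outer headers are not handled in this example.
    """
    if len(frame) < 14:
        return None
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while etype in ETH_VLAN:                     # step over 802.1Q/802.1ad tags
        if len(frame) < off + 4:
            return None
        etype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if etype == ETH_NSH:
        return ("ethernet", off)
    if etype != ETH_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    frag_off = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
    if ihl < 20 or frag_off:                     # later fragments carry no L4 header
        return None
    proto, l4 = frame[off + 9], off + ihl
    if proto == IPPROTO_GRE and len(frame) >= l4 + 4:
        flags, gre_proto = struct.unpack_from("!HH", frame, l4)
        # Optional checksum, key and sequence fields are 4 bytes each.
        opt = 4 * sum(1 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
        return ("gre", l4 + 4 + opt) if gre_proto == ETH_NSH else None
    if proto == IPPROTO_UDP and len(frame) >= l4 + 16:
        dport = struct.unpack_from("!H", frame, l4 + 2)[0]
        gpe_flags, gpe_next = frame[l4 + 8], frame[l4 + 11]
        if dport == VXLAN_GPE_PORT and gpe_flags & 0x04 and gpe_next == GPE_NEXT_NSH:
            return ("vxlan-gpe", l4 + 16)
    return None


def boundary_verdict(frame, direction):
    """Perimeter rule: a frame carrying an NSH is dropped in either direction."""
    hit = locate_nsh(frame)
    if hit is None:
        return {"action": "forward"}
    encap, nsh = hit
    event = {"action": "drop", "direction": direction, "encap": encap}
    if len(frame) >= nsh + 8:                    # Service Path Header: SPI(24) | SI(8)
        word = struct.unpack_from("!I", frame, nsh + 4)[0]
        event["spi"], event["si"] = word >> 8, word & 0xFF
    return event


# --- Constructed sample frames (not captured traffic) ---
# NSH: TTL 63, length 2 words, MD type 2, next protocol IPv4, SPI 4242, SI 255.
NSH = struct.pack("!HBBI", 0x0FC2, 0x02, 0x01, (4242 << 8) | 255)


def _eth(etype, payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    macs = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    return macs + tag + struct.pack("!H", etype) + payload


def _ipv4(proto, payload):
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)   # checksum left at 0
    return hdr + payload


def _udp(dport, payload):
    return struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload


GPE_HDR = b"\x0c\x00\x00\x04\x00\x00\x64\x00"        # I and P flags set, next = NSH
SAMPLES = {
    "dns": _eth(ETH_IPV4, _ipv4(IPPROTO_UDP, _udp(53, b"\x00" * 12))),
    "nsh-vlan": _eth(ETH_NSH, NSH, vlan=100),
    "nsh-gre": _eth(ETH_IPV4, _ipv4(IPPROTO_GRE,
                    struct.pack("!HHI", 0x2000, ETH_NSH, 7) + NSH)),
    "nsh-gpe": _eth(ETH_IPV4, _ipv4(IPPROTO_UDP, _udp(VXLAN_GPE_PORT, GPE_HDR + NSH))),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, boundary_verdict(frame, "egress"))
```

The same rule applies on ingress and egress; only the logged direction differs, which tells an operator whether metadata leaked out of the domain or was injected from outside it.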



From nobody Mon Sep 11 00:33:41 2017
Return-Path: <steve.kille@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34B2813300C; Mon, 11 Sep 2017 00:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bric15w7xrvg; Mon, 11 Sep 2017 00:33:32 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id EA3AD132D4A; Mon, 11 Sep 2017 00:33:28 -0700 (PDT)
Received: from MonteRosa (cpc121136-nmal24-2-0-cust211.19-2.cable.virginm.net [77.98.232.212])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <WbY8QQBsZjam@waldorf.isode.com>; Mon, 11 Sep 2017 08:33:27 +0100
From: "Steve Kille" <steve.kille@isode.com>
To: "'Yoav Nir'" <ynir.ietf@gmail.com>, <secdir@ietf.org>
Cc: <draft-kille-ldap-xmpp-schema.all@ietf.org>, <ietf@ietf.org>
References: <150490591260.17260.5826520927764819469@ietfa.amsl.com>
In-Reply-To: <150490591260.17260.5826520927764819469@ietfa.amsl.com>
Date: Mon, 11 Sep 2017 08:33:20 +0100
Message-ID: <003701d32ad0$42239a30$c66ace90$@isode.com>
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQInXiG8xxTW5aRQsWv7bEQ9jDmZcaIG4VIw
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-gb
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RqxGn45DCx6dNNbwue_btBH9GhE>
Subject: Re: [secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 07:33:33 -0000

Yoav,

Thanks for this review.   I think that you are right in your comment and your suggestion is a good one.

I will update the text and submit version -03

It has been suggested to add a reference to the LDAP security considerations, which I think is sensible and I will also make this change.

Regards

Steve

> -----Original Message-----
> From: Yoav Nir [mailto:ynir.ietf@gmail.com]
> Sent: 08 September 2017 22:25
> To: secdir@ietf.org
> Cc: draft-kille-ldap-xmpp-schema.all@ietf.org; ietf@ietf.org
> Subject: Secdir last call review of draft-kille-ldap-xmpp-schema-02
>
> Reviewer: Yoav Nir
> Review result: Has Nits
>
> The document defines a couple of OIDs for associating a Jabber ID with an
> LDAP object.  As such, it is very short and straightforward. I'm not too happy
> with the Security Considerations section, which I'll quote here in its entirety:
>
> "This schema enables publishing for XMPP JIDs, and care should be taken to
> ensure that this information is not accessed inappropriately."
>
> This is rather generic, and it's true for any piece of information stored
> anywhere.  If that is all there is to say, the section might as well read "This
> document only registers OIDs and has no special security considerations."
>
> However, I think there is a point that may need to be mentioned. Using this
> extension links a JID, which is a personal identifier that often appears on the
> public Internet (much like an email address), to an LDAP object, which is
> usually limited to an organization, usually the employer of that person. This
> linkability only exists for people who have access to the LDAP server, so it's
> just that users have to take the same care with JIDs that they do with email
> addresses - if you don't want your XMPP messages linked to your employer,
> or linked to you by your employer, it is better to use a private JID that is not
> linked to your employer's LDAP.
>
> This advice to users may be out of scope, but I would like to see a mention
> that JIDs are generally public and pseudonymous, and this links them to a real
> person within an LDAP domain.



From nobody Mon Sep 11 00:46:56 2017
Return-Path: <ddp@electric-loft.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD918133010; Mon, 11 Sep 2017 00:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cicJer1cBLm; Mon, 11 Sep 2017 00:46:54 -0700 (PDT)
Received: from Mail.Yoyodyne.COM (mail.yoyodyne.com [139.60.72.138]) by ietfa.amsl.com (Postfix) with SMTP id 5CA211321A7; Mon, 11 Sep 2017 00:46:54 -0700 (PDT)
Received: from [IPv6:2602:30a:c08e:83d0:1d63:312d:e841:bfa] ([2602:30a:c08e:83d0:1d63:312d:e841:bfa]) by Mail.Yoyodyne.COM via Internet for <secdir@ietf.org> (and others); Mon, 11 Sep 2017 00:46:54 PDT
From: Derrell Piper <ddp@electric-loft.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <6A5D2673-EA27-46A7-8506-AB9253AC5F24@electric-loft.org>
Date: Mon, 11 Sep 2017 00:46:52 -0700
Cc: The IESG <iesg@ietf.org>
To: secdir@ietf.org
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7sIHjIGiWZ_AsGPP4Q1AYMsEGGs>
Subject: [secdir]  review of draft-ietf-taps-transport-usage-udp-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 07:46:56 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary of the review is Ready with Nits.

Since I'm not following TAPS, or most of this, I reviewed the ediff's between
-05, -06, -07, and this version -08.  There were no changes from -07, so -06
was the last relevant version.

Radia's comments from her review of -05 were succinct, so I'll quote them:

   This informational document contains tutorial information on the use of
   the sockets API to send and receive data over the UDP and UDP-lite
   protocols. It is apparently part of an effort to write tutorial
   descriptions of APIs to all IETF-standardized transport protocols.

   This document refers the reader to the standards for all security
   considerations. That is probably appropriate. It’s always difficult to
   decide what information to include and what to exclude in a tutorial.  I
   would have liked an explanation of how the sender knows whether to request
   UDP or UDP-lite, since it doesn't look like UDP-lite would be compatible
   with something that only speaks UDP.

Section 3.4 has been expanded upon, presumably to address her second point.
I'm still not sure it gives the reader enough information to choose between
all these things, but it was basically informative, even if it seems to raise
more questions than it answers.

Considering that this document doesn't even reference D/TLS or QUIC, I guess
it's fine for what it is, but I would have preferred more text in the Security
Considerations section and I guess more text overall about when these things
are useful.


From nobody Mon Sep 11 11:39:37 2017
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EFB71331B0; Mon, 11 Sep 2017 11:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iNDvcvxFC9Uu; Mon, 11 Sep 2017 11:39:30 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:241:204::f0f0]) by ietfa.amsl.com (Postfix) with ESMTP id 8F156132EBE; Mon, 11 Sep 2017 11:39:30 -0700 (PDT)
Received: from Gs-MacBook-Pro.local (at-zeroshell-1.erg.abdn.ac.uk [139.133.217.68]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPA id A30501B000E1; Mon, 11 Sep 2017 19:39:04 +0100 (BST)
Message-ID: <59B6D847.5040709@erg.abdn.ac.uk>
Date: Mon, 11 Sep 2017 19:39:03 +0100
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Reply-To: gorry@erg.abdn.ac.uk
Organization: University of Aberdeen
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Radia Perlman <radiaperlman@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>,  draft-ietf-taps-transports-usage-udp.all@tools.ietf.org
References: <CAFOuuo5HjRn7SfT=q2muJ3LFner3AjpOnHTSnEObrqUpgVDWyg@mail.gmail.com>
In-Reply-To: <CAFOuuo5HjRn7SfT=q2muJ3LFner3AjpOnHTSnEObrqUpgVDWyg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4Ea8uoOZZoRVo3-9oapI6lg26yU>
Subject: Re: [secdir] Secdir review of draft-ietf-taps-transports-usage-udp-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Sep 2017 18:39:36 -0000

Thanks Radia,

I have started to collect together the comments I have received, and I 
am now preparing a revision that will address these.

Your comment seems to suggest merit in the introduction explaining a 
little about when an App should choose UDP v. UDP-Lite. I can see that 
would help a reader, and I suggest adding this to the intro:

"UDP is widely implemented and deployed. It is used for a wide range of 
applications. A special class of applications can derive benefit from 
having partially damaged payloads delivered, rather than discarded, when 
using paths that include error-prone links. Applications that can 
tolerate payload corruption can choose to use UDP-Lite instead of UDP. 
Conversely, UDP applications could choose to use UDP-Lite, but this is 
currently less widely deployed and users could encounter paths that do 
not support UDP-Lite. These topics are discussed more in section 3.4 of 
the UDP Usage Guidelines [RFC8085]."

I have now addressed the editorial/format corrections requested in the 
version I edit - thanks again.

Best wishes,

Gorry

---

On 04/09/2017, 05:33, Radia Perlman wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This informational document contains tutorial information on the use 
> of the sockets API to send and receive data over the UDP and UDP-lite 
> protocols. It is apparently part of an effort to write tutorial 
> descriptions of APIs to all IETF-standardized transport protocols.
>
> This document refers the reader to the standards for all security 
> considerations. That is probably appropriate. It’s always difficult to 
> decide what information to include and what to exclude in a tutorial.  
> I would have liked an explanation of how the sender knows whether to 
> request UDP or UDP-lite, since it doesn't look like UDP-lite would be 
> compatible with something that only speaks UDP.
>
> Nits:
>
> The abstract refers to a current I-D intended to advance with this one 
> as RFCxxxx, which I believe is non-standard, but the RFC editor can 
> probably sort it out.
>
> In the pdf version, one of the references to 
> [I-D.ietf-taps-transports-usage] is not preceded with a space and did 
> not get turned into a clickable link. There is a similar problem with 
> [RFC8200] on page 4.
>
> Page 4: “Operations should be provided that allows” -> “Operations 
> should be provided that allow”
>
> Page 4: “[RFC6935] and [RFC6936] defines” -> “[RFC6935] and [RFC6936] 
> define”
>
>
> Radia
>


From nobody Mon Sep 11 23:34:01 2017
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0AA6132D40; Mon, 11 Sep 2017 23:33:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6wkSVOKERZk9; Mon, 11 Sep 2017 23:33:58 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EF901329F9; Mon, 11 Sep 2017 23:33:55 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id d16so40589527ioj.3; Mon, 11 Sep 2017 23:33:55 -0700 (PDT)
X-Received: by 10.202.87.196 with SMTP id l187mr15767611oib.103.1505198034164;  Mon, 11 Sep 2017 23:33:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.42.197 with HTTP; Mon, 11 Sep 2017 23:33:53 -0700 (PDT)
From: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
Date: Mon, 11 Sep 2017 23:33:53 -0700
Message-ID: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
Content-Type: multipart/alternative; boundary="001a113de80424a14d0558f83a49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XKkE-uOm_M7mjxGWVkSNDYiZI9c>
Subject: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2017 06:34:00 -0000

--001a113de80424a14d0558f83a49
Content-Type: text/plain; charset="UTF-8"

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document intends to update the DKIM specification with a new mandatory
hash algorithm (SHA-256) and new RSA key size requirements.

While I definitely agree with the stated direction, I do wonder about the
RSA 1024 bit key size recommendation. Conventionally, this corresponds to
about 80-bit security and to reach the equivalent of 128-bit security
(which is what SHA-256 gives), a 3072-bit RSA key size should be
recommended. In this day and age, mandating only 1024 bits seems a little
weak. I recognize there may be limitations in the DNS records storing these
keys, but it should be possible to store at least 2048-bit keys (256 bits)
(corresponding roughly to 112-bit security) or at least close to it and
thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as
is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and
shouldn't be used for new signatures at this point.

>
-- Magnus

--001a113de80424a14d0558f83a49--


From nobody Tue Sep 12 20:11:27 2017
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1533113352B for <secdir@ietfa.amsl.com>; Tue, 12 Sep 2017 20:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBI1v5Gu3s_C for <secdir@ietfa.amsl.com>; Tue, 12 Sep 2017 20:11:24 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F91313292F for <secdir@ietf.org>; Tue, 12 Sep 2017 20:11:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id C7C9D3005A8 for <secdir@ietf.org>; Tue, 12 Sep 2017 23:11:23 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id pV9JAwS3UeLB for <secdir@ietf.org>; Tue, 12 Sep 2017 23:11:20 -0400 (EDT)
Received: from [172.26.37.150] (unknown [104.129.192.111]) by mail.smeinc.net (Postfix) with ESMTPSA id 6384D300277; Tue, 12 Sep 2017 23:11:19 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_65E67875-CB5F-4FAE-B739-0CDCE1AB61B1"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 12 Sep 2017 23:11:22 -0400
In-Reply-To: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com>
Cc: IETF SecDir <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
To: Magnus Nystrom <magnusn@gmail.com>
References: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3hFGuqLsjx8A8wahdWi5Rrj5gCg>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 03:11:26 -0000

--Apple-Mail=_65E67875-CB5F-4FAE-B739-0CDCE1AB61B1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Magnus:

I agree with your recommendation, but I would like to make sure I
understand your suggestion.  The document says:

   ...  Since short RSA keys more easily succumb to
   off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
   all keys.  Signers SHOULD use RSA keys of at least 2048 bits. ...

You want to change "1024" to "2048", and then drop the following
sentence, right?

Russ


> On Sep 12, 2017, at 2:33 AM, Magnus Nyström <magnusn@gmail.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This document intends to update the DKIM specification with a new
> mandatory hash algorithm (SHA-256) and new RSA key size requirements.
>
> While I definitely agree with the stated direction, I do wonder about the
> RSA 1024 bit key size recommendation. Conventionally, this corresponds to
> about 80-bit security and to reach the equivalent of 128-bit security
> (which is what SHA-256 gives), a 3072-bit RSA key size should be
> recommended. In this day and age, mandating only 1024 bits seems a little
> weak. I recognize there may be limitations in the DNS records storing these
> keys, but it should be possible to store at least 2048-bit keys (256 bits)
> (corresponding roughly to 112-bit security) or at least close to it and
> thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as
> is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and
> shouldn't be used for new signatures at this point.
>
> -- Magnus


--Apple-Mail=_65E67875-CB5F-4FAE-B739-0CDCE1AB61B1--


From nobody Tue Sep 12 20:43:09 2017
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7312B1321DE; Tue, 12 Sep 2017 20:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bN9nmaZpVcC8; Tue, 12 Sep 2017 20:43:06 -0700 (PDT)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A59A61320B5; Tue, 12 Sep 2017 20:43:06 -0700 (PDT)
Received: by mail-oi0-x234.google.com with SMTP id r20so39157696oie.0; Tue, 12 Sep 2017 20:43:06 -0700 (PDT)
X-Received: by 10.202.196.195 with SMTP id u186mr5733056oif.315.1505274185814;  Tue, 12 Sep 2017 20:43:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.53.148 with HTTP; Tue, 12 Sep 2017 20:43:05 -0700 (PDT)
In-Reply-To: <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com>
References: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com> <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com>
From: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
Date: Tue, 12 Sep 2017 20:43:05 -0700
Message-ID: <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF SecDir <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
Content-Type: multipart/alternative; boundary="001a11353034229a3c055909f54e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/t3ENl53_bWkh3D3TrnEfDCtQkek>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 03:43:08 -0000

--001a11353034229a3c055909f54e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Yes, Russ. Perhaps "When using RSA, signers MUST use keys at least 2048
bits long." (I could imagine that at some point DKIM would support ECC)
Thanks,

On Tue, Sep 12, 2017 at 8:11 PM, Russ Housley <housley@vigilsec.com> wrote:

> Magnus:
>
> I agree with your recommendation, but I would like to make sure I
> understand your suggestion.  The document says:
>
>    ...  Since short RSA keys more easily succumb to
>    off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
>    all keys.  Signers SHOULD use RSA keys of at least 2048 bits. ...
>
> You want to change "1024" to "2048", and then drop the following sentence,
> right?
>
> Russ
>
>
> On Sep 12, 2017, at 2:33 AM, Magnus Nyström <magnusn@gmail.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This document intends to update the DKIM specification with a new
> mandatory hash algorithm (SHA-256) and new RSA key size requirements.
>
> While I definitely agree with the stated direction, I do wonder about the
> RSA 1024 bit key size recommendation. Conventionally, this corresponds to
> about 80-bit security and to reach the equivalent of 128-bit security
> (which is what SHA-256 gives), a 3072-bit RSA key size should be
> recommended. In this day and age, mandating only 1024 bits seems a little
> weak. I recognize there may be limitations in the DNS records storing these
> keys, but it should be possible to store at least 2048-bit keys (256 bits)
> (corresponding roughly to 112-bit security) or at least close to it and
> thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as
> is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and
> shouldn't be used for new signatures at this point.
>
>>
> -- Magnus
>
>
>


-- 
-- Magnus

--001a11353034229a3c055909f54e--


From nobody Tue Sep 12 21:23:05 2017
Return-Path: <scott@kitterman.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 372DF133529; Tue, 12 Sep 2017 21:23:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level: 
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YO83c6aAlAO1; Tue, 12 Sep 2017 21:23:01 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C744E132964; Tue, 12 Sep 2017 21:23:01 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id B6025C4026D; Tue, 12 Sep 2017 23:23:00 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2001409; t=1505276580; bh=/Q3ZcBZ4tJ5guRIflAZw2OW4KbWxbVllRJsbGrRlcdQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YF2BpDKhYe/g2XxNn+yEv9mOav7RcnZpaMhwQRKei8jrKbTWp0Za2Gwd2rExSmk3M MSGw6kBxXavwLHoiik1SqUCVNloV37n/5f9NqVUFdWaOW2NsMsKvEWnOXv2fLpX2kW 7MhQZhzeH6zHCA66IOwEZHn6P1SAUgfC5cChW7CI=
From: Scott Kitterman <scott@kitterman.com>
To: Magnus =?ISO-8859-1?Q?Nystr=F6m?= <magnusn@gmail.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF SecDir <secdir@ietf.org>, draft-ietf-dcrup-dkim-usage@ietf.org
Date: Wed, 13 Sep 2017 00:23 -0400
Message-ID: <2566282.xocsd9b6fN@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-125-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
References: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com> <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com> <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OJavZIJtLyjh_P47TdOegnX6h3w>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 04:23:03 -0000

We did consider a larger minimum in the working group.  The conclusion we
reached was that, given the other text that is in a key record, the longest key
that would reliably fit in a single DNS TXT string is 1156 bits.

There are a surprisingly large number of DNS providers that do not allow
multi-string DNS TXT records, so any requirement for larger than 1156 bits
would create a large, new barrier to deployment.

The WG perspective was that the added security changing from 1024 bits (which
is very commonly used today) to 1156 bits was not worth the friction it would
cause.

There is another document coming that will add Ed25519 to DKIM.  Ed25519 keys
do not have the same length issues that RSA keys do. The long-term path for
DKIM to improve security in the face of the common shortfalls of DNS
provisioning systems is Ed25519, but that will take time to deploy.

Is there enough value in 1156 bits over 1024 bits that we should change it to
an unusual key size?

Scott K

P.S.  I am not subscribed to the secdir list, so please keep me in cc on
replies.

On Tuesday, September 12, 2017 08:43:05 PM Magnus Nyström wrote:
> Yes, Russ. Perhaps "When using RSA, signers MUST use keys at least 2048
> bits long." (I could imagine that at some point DKIM would support ECC)
> Thanks,
>
> On Tue, Sep 12, 2017 at 8:11 PM, Russ Housley <housley@vigilsec.com> wrote:
> > Magnus:
> >
> > I agree with your recommendation, but I would like to make sure I
> > understand your suggestion.  The document says:
> >
> >    ...  Since short RSA keys more easily succumb to
> >    off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
> >    all keys.  Signers SHOULD use RSA keys of at least 2048 bits. ...
> >
> > You want to change "1024" to "2048", and then drop the following sentence,
> > right?
> >
> > Russ
> >
> >
> > On Sep 12, 2017, at 2:33 AM, Magnus Nyström <magnusn@gmail.com> wrote:
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security area
> > directors. Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > This document intends to update the DKIM specification with a new
> > mandatory hash algorithm (SHA-256) and new RSA key size requirements.
> >
> > While I definitely agree with the stated direction, I do wonder about the
> > RSA 1024 bit key size recommendation. Conventionally, this corresponds to
> > about 80-bit security and to reach the equivalent of 128-bit security
> > (which is what SHA-256 gives), a 3072-bit RSA key size should be
> > recommended. In this day and age, mandating only 1024 bits seems a little
> > weak. I recognize there may be limitations in the DNS records storing these
> > keys, but it should be possible to store at least 2048-bit keys (256 bits)
> > (corresponding roughly to 112-bit security) or at least close to it and
> > thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as
> > is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and
> > shouldn't be used for new signatures at this point.
> >
> >
> > -- Magnus
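
Added example, not part of the message above or of the draft: a sizing check for the single-TXT-string constraint the thread discusses, showing why a 2048-bit RSA key forces a multi-string TXT record while a 1024-bit key does not. It assumes a minimal key record of the form `v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>`, public exponent 65537, and a constructed placeholder modulus; the helper names are this example's own, and the exact ceiling it computes depends on the assumed record text and need not equal the 1156-bit figure quoted in the thread.

```python
import base64

# A single DNS TXT character-string carries at most 255 bytes.
TXT_STRING_MAX = 255

# Assumed record text in front of the key (other tags would shrink the budget).
DEFAULT_PREFIX = "v=DKIM1; k=rsa; p="

# DER AlgorithmIdentifier: rsaEncryption (1.2.840.113549.1.1.1) with NULL params.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def der_uint(value):
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def rsa_spki(bits, exponent=65537):
    """SubjectPublicKeyInfo bytes for a modulus of exactly `bits` bits.

    The modulus is a constructed placeholder, not a usable key: only its
    encoded length matters for the DNS sizing question.
    """
    modulus = (1 << (bits - 1)) | 1
    rsa_public_key = der_tlv(0x30, der_uint(modulus) + der_uint(exponent))
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)
    return der_tlv(0x30, RSA_ALG_ID + bit_string)


def key_record(bits, prefix=DEFAULT_PREFIX):
    """Text of the assumed DKIM key record for an RSA key of `bits` bits."""
    return prefix + base64.b64encode(rsa_spki(bits)).decode("ascii")


def txt_strings(record):
    """Split record text into the <=255-byte strings a TXT RR would carry."""
    data = record.encode("ascii")
    return [data[i:i + TXT_STRING_MAX] for i in range(0, len(data), TXT_STRING_MAX)]


def fits_single_string(bits, prefix=DEFAULT_PREFIX):
    """True when the whole record fits in one TXT character-string."""
    return len(key_record(bits, prefix)) <= TXT_STRING_MAX


def largest_single_string_modulus(prefix=DEFAULT_PREFIX, lo=512, hi=4096):
    """Largest modulus size (bits) whose record still fits in one string."""
    best = None
    for bits in range(lo, hi + 1):
        if fits_single_string(bits, prefix):
            best = bits
    return best


if __name__ == "__main__":
    for bits in (1024, 2048, 3072):
        record = key_record(bits)
        print(f"RSA-{bits}: SPKI {len(rsa_spki(bits))} bytes, "
              f"record {len(record)} bytes, "
              f"{len(txt_strings(record))} TXT string(s)")
    print("largest modulus fitting one string under the assumed prefix:",
          largest_single_string_modulus(), "bits")
```
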


From nobody Wed Sep 13 06:05:32 2017
Return-Path: <rsalz@akamai.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B9A3132A1A; Wed, 13 Sep 2017 06:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8OOn35pZV4D; Wed, 13 Sep 2017 06:05:28 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AB4213291C; Wed, 13 Sep 2017 06:05:28 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v8DD5Puc003404; Wed, 13 Sep 2017 14:05:25 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=6UHh5Lgpq5dpfXihOzu+m6dd99W4xv7Xx+UPqv3Lj9A=; b=khX+UFxHXKwRQ6vu6HDexQDGCQ0vHVDahClbQjJNSh2/SkC9+fHDydGtK+ST0WPAQHQW tPb+goApe2/v4iXRBz3mKTDSZKzfvNwLhFNxtO6aq8BTNqTyblE1GzYo05PoKYaEaa6Q bXMBncUm5luVh0aVW3ls1k+j0+Tb0NHCodYNbOKcABXzPfsyuKicgMnEwMT8q2f02HYw CCWFZuBuM/9gJuiudffs4plHx/CBb/uE/ClDYjVJkMiDmu4DdWFSohqb4iDvUwOcHvKw Pa9/bsdDuO0xwmpNSc6I4IOo0m3FliJ4e45P//ACtFxMST8p21mq1EM01Ypa3w/RFQOM uA== 
Received: from prod-mail-ppoint3 ([96.6.114.86]) by m0050102.ppops.net-00190b01. with ESMTP id 2cx9syfmx2-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Sep 2017 14:05:25 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v8DD1dv1002305; Wed, 13 Sep 2017 09:05:24 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.34]) by prod-mail-ppoint3.akamai.com with ESMTP id 2cwwtxdp29-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 13 Sep 2017 09:05:23 -0400
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.27.101) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 13 Sep 2017 08:05:13 -0500
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.6.131]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.6.131]) with mapi id 15.00.1263.000; Wed, 13 Sep 2017 08:05:13 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: =?utf-8?B?TWFnbnVzIE55c3Ryw7Zt?= <magnusn@gmail.com>, Russ Housley <housley@vigilsec.com>
CC: "draft-ietf-dcrup-dkim-usage@ietf.org" <draft-ietf-dcrup-dkim-usage@ietf.org>, IETF SecDir <secdir@ietf.org>
Thread-Topic: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
Thread-Index: AQHTK5ErVbgeVvdF1024CzuDI7ABUqKyeKMAgAAI3ICAAFoBgA==
Date: Wed, 13 Sep 2017 13:05:12 +0000
Message-ID: <1B4FD5B0-AB8F-4BD4-B564-46251BAB92E6@akamai.com>
References: <CADajj4aj4ndB-ohsvSRF_DjjpKkS0EMJbSV9kZFDe28e9e7HXg@mail.gmail.com> <9B7000BF-A3DA-4344-B12E-A0D678D76993@vigilsec.com> <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
In-Reply-To: <CADajj4Z6Bo0pW-1ixjK+Eseq46wZB3rL4MbYv1nfj__32nPNBQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/f.1b.0.161010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.41.157]
Content-Type: multipart/alternative; boundary="_000_1B4FD5B0AB8F4BD4B56446251BAB92E6akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-09-13_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1709130205
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-09-13_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1709130205
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yfcJtvRA46BKtG3vlrDSbP85iMk>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 13:05:30 -0000

--_000_1B4FD5B0AB8F4BD4B56446251BAB92E6akamaicom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Because of limitations in the DNS system, RSA 1K is really all that’s practical.  For stronger security we are moving to ECC, which is covered in a separate I-D.  This document is really about getting rid of RSA-512.


From: Magnus Nyström <magnusn@gmail.com>
Date: Tuesday, September 12, 2017 at 11:43 PM
To: Russ Housley <housley@vigilsec.com>
Cc: "draft-ietf-dcrup-dkim-usage@ietf.org" <draft-ietf-dcrup-dkim-usage@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-dcrup-dkim-usage-04

Yes, Russ. Perhaps "When using RSA, signers MUST use keys at least 2048 bits long." (I could imagine that at some point DKIM would support ECC)
Thanks,

On Tue, Sep 12, 2017 at 8:11 PM, Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>> wrote:
Magnus:

I agree with your recommendation, but I would like to make sure I understand your suggestion.  The document says:

   ...  Since short RSA keys more easily succumb to
   off-line attacks, Signers MUST use RSA keys of at least 1024 bits for
   all keys.  Signers SHOULD use RSA keys of at least 2048 bits. ...

You want to change "1024" to "2048", and then drop the following sentence, right?

Russ


On Sep 12, 2017, at 2:33 AM, Magnus Nyström <magnusn@gmail.com<mailto:magnusn@gmail.com>> wrote:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document intends to update the DKIM specification with a new mandatory hash algorithm (SHA-256) and new RSA key size requirements.
While I definitely agree with the stated direction, I do wonder about the RSA 1024 bit key size recommendation. Conventionally, this corresponds to about 80-bit security and to reach the equivalent of 128-bit security (which is what SHA-256 gives), a 3072-bit RSA key size should be recommended. In this day and age, mandating only 1024 bits seems a little weak. I recognize there may be limitations in the DNS records storing these keys, but it should be possible to store at least 2048-bit keys (256 bits) (corresponding roughly to 112-bit security) or at least close to it and thus why not require 2048 bit RSA keys as a minimum? 1024 bit keys are, as is also commonly known, considered "legacy" by NIST SP 800-57 part 1 and shouldn't be used for new signatures at this point.

-- Magnus




--
-- Magnus

--_000_1B4FD5B0AB8F4BD4B56446251BAB92E6akamaicom_--
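
The key-size thresholds debated in this thread (the draft's 1024-bit MUST and 2048-bit SHOULD for signers) and the DNS concern raised against larger keys can be checked mechanically. The Python below is an added example, not part of any message in this archive or of the draft: it reads the modulus size out of a DKIM key record's p= value and counts how many 255-octet TXT character-strings the record needs. The records are constructed (their moduli are not real RSA moduli), and the function names and verdict labels are this example's own.

```python
import base64

TXT_STRING_MAX = 255  # RFC 1035: one TXT character-string holds at most 255 octets
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def _der_int(value):
    """Encode a positive INTEGER (a leading 0x00 appears when the top bit is set)."""
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def make_constructed_record(bits):
    """Build a constructed DKIM key record whose modulus is exactly `bits` long.
    The modulus is NOT a usable RSA modulus; only its size matters here."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def _read_tlv(buf, pos, expected_tag):
    """Return (content, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def parse_tags(record):
    """Split a DKIM key record into tag=value pairs; whitespace in values is dropped."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def rsa_modulus_bits(p_value):
    """Modulus size of the key in a p= value.
    Accepts SubjectPublicKeyInfo or a bare RSAPublicKey SEQUENCE."""
    body, _ = _read_tlv(base64.b64decode(p_value, validate=True), 0, 0x30)
    if body[:1] == b"\x30":  # SubjectPublicKeyInfo wrapper
        alg_id, pos = _read_tlv(body, 0, 0x30)
        if not alg_id.startswith(RSA_OID):
            raise ValueError("key is not rsaEncryption")
        bit_string, _ = _read_tlv(body, pos, 0x03)
        body, _ = _read_tlv(bit_string[1:], 0, 0x30)  # skip the unused-bits octet
    modulus, _ = _read_tlv(body, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def assess(record):
    """Compare a key record with the signer thresholds quoted in the thread."""
    tags = parse_tags(record)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("this example only handles k=rsa")
    if not tags.get("p"):  # an empty p= marks a revoked key (RFC 6376)
        return {"bits": 0, "p_chars": 0, "txt_strings": 1, "verdict": "revoked"}
    bits = rsa_modulus_bits(tags["p"])
    if bits < 1024:
        verdict = "below-must"      # under the 1024-bit MUST
    elif bits < 2048:
        verdict = "below-should"    # meets the MUST, under the 2048-bit SHOULD
    else:
        verdict = "meets-should"
    octets = len(record.encode("utf-8"))
    return {"bits": bits, "p_chars": len(tags["p"]),
            "txt_strings": -(-octets // TXT_STRING_MAX), "verdict": verdict}


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, assess(make_constructed_record(size)))
```

On the constructed records, the 1024-bit key record is 234 octets and fits in one TXT character-string, while the 2048-bit record is 410 octets and has to be split across two.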


From nobody Wed Sep 13 10:47:29 2017
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714C41323B4; Wed, 13 Sep 2017 10:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.801
X-Spam-Level: 
X-Spam-Status: No, score=-0.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_SUBJECT=1.799, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8isLXNKWogX; Wed, 13 Sep 2017 10:47:22 -0700 (PDT)
Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1D9B1320D9; Wed, 13 Sep 2017 10:47:22 -0700 (PDT)
Received: from in02.mta.xmission.com ([166.70.13.52]) by out03.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsBkv-00034i-F4; Wed, 13 Sep 2017 11:47:21 -0600
Received: from [72.250.219.84] (helo=rumpleteazer.rhmr.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsBku-0004nB-H2; Wed, 13 Sep 2017 11:47:21 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id v8DHk3ic010835; Wed, 13 Sep 2017 11:46:03 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id v8DHk2xY010834; Wed, 13 Sep 2017 11:46:02 -0600
Date: Wed, 13 Sep 2017 11:46:02 -0600
Message-Id: <201709131746.v8DHk2xY010834@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-tsvwg-ecn-experimentation.all@tools.ietf.org
X-XM-SPF: eid=1dsBku-0004nB-H2; ; ; mid=<201709131746.v8DHk2xY010834@rumpleteazer.rhmr.com>; ; ; hst=in02.mta.xmission.com; ; ; ip=72.250.219.84; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX19Yzafye8kchzfbfP6Q90qo
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa03 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ******;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country: 
X-Spam-Timing: total 582 ms - load_scoreonly_sql: 0.10 (0.0%), signal_user_changed: 5 (0.9%), b_tie_ro: 3.8 (0.6%), parse: 1.23 (0.2%), extract_message_metadata: 6 (1.1%), get_uri_detail_list: 1.83 (0.3%), tests_pri_-1000: 5.0 (0.9%), tests_pri_-950: 2.4 (0.4%), tests_pri_-900: 2.0 (0.3%), tests_pri_-400: 28 (4.8%), check_bayes: 25 (4.4%), b_tokenize: 8 (1.4%), b_tok_get_all: 6 (1.1%), b_comp_prob: 4.3 (0.7%), b_tok_touch_all: 2.8 (0.5%), b_finish: 0.94 (0.2%), tests_pri_0: 517 (88.9%), check_dkim_signature: 1.01 (0.2%), check_dkim_adsp: 6 (1.1%), tests_pri_500: 10 (1.7%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/O99wIM2NP7YjbvdRS14alTBIzUw>
Subject: [secdir] (no subject)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 17:47:23 -0000

                     Security review of
         Explicit Congestion Notification (ECN) Experimentation
                draft-ietf-tsvwg-ecn-experimentation-05

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This document liberalizes the ways in which experiments can be
conducted on explicit congestion notification with TCP, RTP, and DCCP.
RFC 3168 imposes limits on what can be marked and what cannot, how the
endpoints should respond, and reserves codepoints for particular
experiments.  There are three areas of experimentation that this
document intends to enable by removing standards track limitations:
congestion response differences, congestion marking differences, TCP
control packets and retransmissions.

Other than the alarming statement:

   "... this memo places the
   responsibility for not breaking Internet congestion control on the
   experiments and the experimenters who propose them, as specified in
   Section 4.4."

there are no security considerations that occur to me.

I realize that people experiment with TCP modifications all the time,
and the ECN experiments can provide valuable engineering information.
Nonetheless, it seems that some higher standard of safety could be
in order for today's Internet.  But that is outside the scope of this
document.


Hilarie






From nobody Wed Sep 13 11:05:53 2017
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE1ED132403; Wed, 13 Sep 2017 11:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GXhzo1SPH2j8; Wed, 13 Sep 2017 11:05:44 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7FBE1320D9; Wed, 13 Sep 2017 11:05:44 -0700 (PDT)
Received: from in02.mta.xmission.com ([166.70.13.52]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsC2i-00021T-2U; Wed, 13 Sep 2017 12:05:44 -0600
Received: from [72.250.219.84] (helo=rumpleteazer.rhmr.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsC2h-00019J-BE; Wed, 13 Sep 2017 12:05:43 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id v8DI4Qup014124; Wed, 13 Sep 2017 12:04:26 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id v8DI4QUh014123; Wed, 13 Sep 2017 12:04:26 -0600
Date: Wed, 13 Sep 2017 12:04:26 -0600
Message-Id: <201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-tsvwg-ecn-experimentation.all@ietf.org
X-XM-SPF: eid=1dsC2h-00019J-BE; ; ; mid=<201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com>; ; ; hst=in02.mta.xmission.com; ; ; ip=72.250.219.84; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX1+zvTGDAI+OST3RVikW/DFi
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ***;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country: 
X-Spam-Timing: total 325 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.4 (0.7%), b_tie_ro: 1.63 (0.5%), parse: 0.72 (0.2%), extract_message_metadata: 2.8 (0.9%), get_uri_detail_list: 0.72 (0.2%), tests_pri_-1000: 2.8 (0.9%), tests_pri_-950: 1.18 (0.4%), tests_pri_-900: 0.99 (0.3%), tests_pri_-400: 15 (4.6%), check_bayes: 14 (4.2%), b_tokenize: 4.2 (1.3%), b_tok_get_all: 4.0 (1.2%), b_comp_prob: 1.74 (0.5%), b_tok_touch_all: 2.3 (0.7%), b_finish: 0.52 (0.2%), tests_pri_0: 292 (89.8%),  check_dkim_signature: 0.45 (0.1%), check_dkim_adsp: 28 (8.6%), tests_pri_500: 6 (1.7%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rRr3KGCcrCd_KwZfuf3XrKuU95k>
Subject: [secdir] Review of draft-ietf-tsvwg-ecn-experimentation-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 18:05:46 -0000

                     Security review of
         Explicit Congestion Notification (ECN) Experimentation
                draft-ietf-tsvwg-ecn-experimentation-05

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This document liberalizes the ways in which experiments can be
conducted on explicit congestion notification with TCP, RTP, and DCCP.

Other than the alarming statement:

   "... this memo places the
   responsibility for not breaking Internet congestion control on the
   experiments and the experimenters who propose them, as specified in
   Section 4.4."

there are no security considerations that occur to me.

I realize that people experiment with TCP modifications all the time,
and the ECN experiments can provide valuable engineering information.
Nonetheless, it seems that some higher standard of safety could be
in order for today's Internet.  But that is outside the scope of this
document.


Hilarie






From nobody Wed Sep 13 11:28:24 2017
Return-Path: <David.Black@dell.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84F4A132D4C; Wed, 13 Sep 2017 11:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.22
X-Spam-Level: 
X-Spam-Status: No, score=-2.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=dZk42+vZ; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=M+d7qFJA
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCART7mRBTxl; Wed, 13 Sep 2017 11:28:22 -0700 (PDT)
Received: from esa3.dell-outbound.iphmx.com (esa3.dell-outbound.iphmx.com [68.232.153.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FFE71200F3; Wed, 13 Sep 2017 11:28:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1505327220; x=1536863220; h=from:cc:to:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=KU+9vD3WSQIZmyvUfD3jcMVl47d/KgOHiy+0rfR4u9Q=; b=dZk42+vZYEUMqwOAJYMpG0yRTU/4dcN23v/TqS6shOU4qLSUJUduC6oK n1sI9ZMfy+1RBURbIPNs70xB0YWdcb6DDcOOcYVXIBFh8RUWglxG9AoZ5 f9s+1YEkIKyggBkNN3yXHIl3wpsJg6AGmYbJJ1LrBAE348B3CfMrtQtZj A=;
Received: from esa2.dell-outbound2.iphmx.com ([68.232.153.202]) by esa3.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Sep 2017 13:26:59 -0500
From: "Black, David" <David.Black@dell.com>
Cc: "draft-ietf-tsvwg-ecn-experimentation.all@ietf.org" <draft-ietf-tsvwg-ecn-experimentation.all@ietf.org>, "Black, David" <David.Black@dell.com>
Received: from mailuogwhop.emc.com ([168.159.213.141]) by esa2.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Sep 2017 00:27:03 +0600
Received: from maildlpprd04.lss.emc.com (maildlpprd04.lss.emc.com [10.253.24.36]) by mailuogwprd02.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v8DISHTS009622 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 13 Sep 2017 14:28:20 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com v8DISHTS009622
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1505327300; bh=ilgdaCk4QzYHLgybmXpIyOSkK3M=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=M+d7qFJAKBJbiIR1rbOLba1zubrN/Zv0wE/h0lFQQ8kBrHPUvKWSC3+6yeIOZVPlW bLu5AlS3YV8tX9aS1jfsWAy2mpw+sw6lsyxxgLb2M42HGcCmLHwgCxRRUNmemWsttw XAf/m7NWZQ8Qh6gP73X4dlhiQfBChCN5xwFD/Txs=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd02.lss.emc.com v8DISHTS009622
Received: from mailusrhubprd52.lss.emc.com (mailusrhubprd52.lss.emc.com [10.106.48.25]) by maildlpprd04.lss.emc.com (RSA Interceptor); Wed, 13 Sep 2017 14:26:38 -0400
Received: from MXHUB316.corp.emc.com (MXHUB316.corp.emc.com [10.146.3.94]) by mailusrhubprd52.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v8DIRupO023800 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=FAIL); Wed, 13 Sep 2017 14:27:56 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB316.corp.emc.com ([10.146.3.94]) with mapi id 14.03.0352.000; Wed, 13 Sep 2017 14:27:56 -0400
To: Hilarie Orman <hilarie@purplestreak.com>, "iesg@ietf.org" <iesg@ietf.org>,  "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Review of draft-ietf-tsvwg-ecn-experimentation-05
Thread-Index: AQHTLLr4WQvk51ntSUOPm3l8GZJ72KKzINLQ
Date: Wed, 13 Sep 2017 18:27:55 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FC4F7BC@MX307CL04.corp.emc.com>
References: <201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com>
In-Reply-To: <201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.238.44.138]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd52.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ysbcVp5mp1WID4ETbso7xiXWEwI>
Subject: Re: [secdir] Review of draft-ietf-tsvwg-ecn-experimentation-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 18:28:23 -0000

Hilarie,

Thank you for the review.

> I realize that people experiment with TCP modifications all the time,
> and the ECN experiments can provide valuable engineering information.
> Nonetheless, it seems that some higher standard of safety could be
> in order for today's Internet.  But that is outside the scope of this
> document.

Well, there is a higher standard of safety and it is outside the scope of this document.

Experiments that take advantage of the liberation (I like that word!) in this document are required to first be documented in an Experimental RFC.   That requirement should provide both the Transport Area and the IESG with the ability to ensure that such experiments do not pose unacceptable risks to the continued operation of the Internet - a statement to that effect could be added if you or the Security ADs think it would be helpful.

Thanks, --David


> -----Original Message-----
> From: Hilarie Orman [mailto:hilarie@purplestreak.com]
> Sent: Wednesday, September 13, 2017 2:04 PM
> To: iesg@ietf.org; secdir@ietf.org
> Cc: draft-ietf-tsvwg-ecn-experimentation.all@ietf.org
> Subject: Review of draft-ietf-tsvwg-ecn-experimentation-05
>
>                      Security review of
>          Explicit Congestion Notification (ECN) Experimentation
>                 draft-ietf-tsvwg-ecn-experimentation-05
>
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG.  These comments were written primarily
> for the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
>
> This document liberalizes the ways in which experiments can be
> conducted on explicit congestion notification with TCP, RTP, and DCCP.
>
> Other than the alarming statement:
>
>    "... this memo places the
>    responsibility for not breaking Internet congestion control on the
>    experiments and the experimenters who propose them, as specified in
>    Section 4.4."
>
> there are no security considerations that occur to me.
>
> I realize that people experiment with TCP modifications all the time,
> and the ECN experiments can provide valuable engineering information.
> Nonetheless, it seems that some higher standard of safety could be
> in order for today's Internet.  But that is outside the scope of this
> document.
>
>
> Hilarie
>
>
>
>


From nobody Wed Sep 13 16:12:01 2017
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56E53132D8C; Wed, 13 Sep 2017 16:11:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CNIf_qq3tUNR; Wed, 13 Sep 2017 16:11:51 -0700 (PDT)
Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDEDC12421A; Wed, 13 Sep 2017 16:11:51 -0700 (PDT)
Received: from in01.mta.xmission.com ([166.70.13.51]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsGox-0001wi-7O; Wed, 13 Sep 2017 17:11:51 -0600
Received: from mta2.zcs.xmission.com ([166.70.13.66]) by in01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dsGos-0001Hh-3M; Wed, 13 Sep 2017 17:11:50 -0600
Received: from localhost (localhost [127.0.0.1]) by mta2.zcs.xmission.com (Postfix) with ESMTP id 0C326600209; Wed, 13 Sep 2017 17:11:46 -0600 (MDT)
Received: from mta2.zcs.xmission.com ([127.0.0.1]) by localhost (mta2.zcs.xmission.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JPA_uX5cn8IY; Wed, 13 Sep 2017 17:11:45 -0600 (MDT)
Received: from zms04.zcs.xmission.com (zms04.zcs.xmission.com [166.70.13.74]) by mta2.zcs.xmission.com (Postfix) with ESMTP id EB1C3600208; Wed, 13 Sep 2017 17:11:45 -0600 (MDT)
Date: Wed, 13 Sep 2017 17:11:45 -0600 (MDT)
From: Hilarie Orman <hilarie@purplestreak.com>
To: "Black, David" <David.Black@dell.com>
Cc: The IESG <iesg@ietf.org>, secdir <secdir@ietf.org>,  draft-ietf-tsvwg-ecn-experimentation all <draft-ietf-tsvwg-ecn-experimentation.all@ietf.org>
Message-ID: <1607661178.655872.1505344305163.JavaMail.zimbra@purplestreak.com>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362FC4F7BC@MX307CL04.corp.emc.com>
References: <201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com> <CE03DB3D7B45C245BCA0D243277949362FC4F7BC@MX307CL04.corp.emc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [72.250.219.84]
X-Mailer: Zimbra 8.7.4_GA_1730 (ZimbraWebClient - FF53 (Linux)/8.7.4_GA_1730)
Thread-Topic: Review of draft-ietf-tsvwg-ecn-experimentation-05
Thread-Index: AQHTLLr4WQvk51ntSUOPm3l8GZJ72KKzINLQ5YpUX6I=
X-XM-SPF: eid=1dsGos-0001Hh-3M; ; ; mid=<1607661178.655872.1505344305163.JavaMail.zimbra@purplestreak.com>; ; ; hst=in01.mta.xmission.com; ; ; ip=166.70.13.66; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-SA-Exim-Connect-IP: 166.70.13.66
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ****;"Black, David" <David.Black@dell.com>
X-Spam-Relay-Country: US
X-Spam-Timing: total 4742 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.8 (0.1%), b_tie_ro: 1.92 (0.0%), parse: 1.34 (0.0%), extract_message_metadata: 20 (0.4%), get_uri_detail_list: 2.9 (0.1%), tests_pri_-1000: 5 (0.1%), tests_pri_-950: 0.90 (0.0%), tests_pri_-900: 0.95 (0.0%), tests_pri_-400: 24 (0.5%), check_bayes: 23 (0.5%), b_tokenize: 8 (0.2%), b_tok_get_all: 7 (0.2%), b_comp_prob: 3.0 (0.1%), b_tok_touch_all: 3.0 (0.1%), b_finish: 0.64 (0.0%), tests_pri_0: 518 (10.9%), check_dkim_signature: 0.56 (0.0%), check_dkim_adsp: 160 (3.4%), tests_pri_500: 4161 (87.8%), poll_dns_idle: 4156 (87.6%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_AEXhB_q2WVef5hV0KELsbLIrEk>
Subject: Re: [secdir] Review of draft-ietf-tsvwg-ecn-experimentation-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 23:11:53 -0000

Yes, I think it would be suitable to include such a statement.
People read these things, they wonder, does anyone try to prevent
the Internet from turning into ice-9?

Hilarie

----- Original Message -----
From: "Black, David" <David.Black@dell.com>
To: "Hilarie Orman" <hilarie@purplestreak.com>, "The IESG" <iesg@ietf.org>, "secdir" <secdir@ietf.org>
Cc: "draft-ietf-tsvwg-ecn-experimentation all" <draft-ietf-tsvwg-ecn-experimentation.all@ietf.org>, "Black, David" <David.Black@dell.com>
Sent: Wednesday, September 13, 2017 12:27:55 PM
Subject: RE: Review of draft-ietf-tsvwg-ecn-experimentation-05

Hilarie,

Thank you for the review. 

> I realize that people experiment with TCP modifications all the time,
> and the ECN experiments can provide valuable engineering information.
> Nonetheless, it seems that some higher standard of safety could be
> in order for today's Internet.  But that is outside the scope of this
> document.

Well, there is a higher standard of safety and it is outside the scope of this document.

Experiments that take advantage of the liberation (I like that word!) in this document are required to first be documented in an Experimental RFC.   That requirement should provide both the Transport Area and the IESG with the ability to ensure that such experiments do not pose unacceptable risks to the continued operation of the Internet - a statement to that effect could be added if you or the Security ADs think it would be helpful.

Thanks, --David


> -----Original Message-----
> From: Hilarie Orman [mailto:hilarie@purplestreak.com]
> Sent: Wednesday, September 13, 2017 2:04 PM
> To: iesg@ietf.org; secdir@ietf.org
> Cc: draft-ietf-tsvwg-ecn-experimentation.all@ietf.org
> Subject: Review of draft-ietf-tsvwg-ecn-experimentation-05
> 
>                      Security review of
>          Explicit Congestion Notification (ECN) Experimentation
>                 draft-ietf-tsvwg-ecn-experimentation-05
> 
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG.  These comments were written primarily
> for the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
> 
> This document liberalizes the ways in which experiments can be
> conducted on explicit congestion notification with TCP, RTP, and DCCP.
> 
> Other than the alarming statement:
> 
>    "... this memo places the
>    responsibility for not breaking Internet congestion control on the
>    experiments and the experimenters who propose them, as specified in
>    Section 4.4."
> 
> there are no security considerations that occur to me.
> 
> I realize that people experiment with TCP modifications all the time,
> and the ECN experiments can provide valuable engineering information.
> Nonetheless, it seems that some higher standard of safety could be
> in order for today's Internet.  But that is outside the scope of this
> document.
> 
> 
> Hilarie
> 
> 
> 
>


From nobody Thu Sep 14 04:22:34 2017
Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0725C132F81; Thu, 14 Sep 2017 04:22:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level: 
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pjwsORfxvfuw; Thu, 14 Sep 2017 04:22:23 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D0741321A7; Thu, 14 Sep 2017 04:22:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12689; q=dns/txt; s=iport; t=1505388142; x=1506597742; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=PCRHFFwYnG80EmuVlGfpezzV+0buNwLsz+Z7gIVCtrE=; b=F9CSzDBiLKcbCJ8txL/K9BOaWE6D2gu/Q9qnG1I2Z3InR/F1DIEfLVnO h/78Z8uPI2QZSfPw8qeM52vVMIzdl7YA+GAjFSpld+qu87yEv25llEnlX Q/L2LOys/DD0PS2FK68CCCHUgD7RI7T7XWlnMwVsGX6GV8piWWeLV4JdZ M=;
X-Files: PGPMIME Versions Identification, encrypted.asc : 13, 8440
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0COAQBWZbpZ/4oNJK1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBg1qBUi6gCZhKEgcDhTwChB9XAQIBAgEBAmsohRkGGWAQAgEIRgI?= =?us-ascii?q?wJQIEDhOJP2WuUIRGhm4BAQEBAQEBAQEBAQEBAQEBAQEBAQEOD4MrgQ11gVCCD?= =?us-ascii?q?guCcog6gjEFkX2PBQKENoIhjXmBewGQepUEAhEZAYE4AVeBDXcVXAGHCYhUgQ8?= =?us-ascii?q?BAQE?=
X-IronPort-AV: E=Sophos; i="5.42,392,1500940800"; d="asc'?scan'208"; a="2839417"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Sep 2017 11:22:21 +0000
Received: from XCH-RTP-018.cisco.com (xch-rtp-018.cisco.com [64.101.220.158]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id v8EBMLtD000914 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Sep 2017 11:22:21 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-018.cisco.com (64.101.220.158) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 14 Sep 2017 07:22:20 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1263.000; Thu, 14 Sep 2017 07:22:20 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, "IETF Discussion Mailing List" <ietf@ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-sfc-nsh-18
Thread-Index: AQHTEvC/pwAKmK7nuE+363G/TDu7PaKqA5CAgAOkFQCABwz8AA==
Date: Thu, 14 Sep 2017 11:22:20 +0000
Message-ID: <287077A8-7F63-4C21-9900-29352914F39E@cisco.com>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
In-Reply-To: <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.70.233.115]
Content-Type: multipart/mixed; boundary="_003_287077A87F634C21990029352914F39Eciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0ReM-tkhx8q0u3JHJNQC5iGj8cI>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 11:22:24 -0000

--_003_287077A87F634C21990029352914F39Eciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


--_003_287077A87F634C21990029352914F39Eciscocom_
Content-Type: application/pgp-encrypted;
	name="PGPMIME Versions Identification"
Content-Description: PGP/MIME Versions Identification
Content-Disposition: attachment; filename="PGPMIME Versions Identification";
	size=13; creation-date="Thu, 14 Sep 2017 11:22:20 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:20 GMT"
Content-ID: <3E80FEBC0335154AAFB6F4CC400CE6BA@emea.cisco.com>
Content-Transfer-Encoding: base64

VmVyc2lvbjogMQ0NCg==

--_003_287077A87F634C21990029352914F39Eciscocom_
Content-Type: application/octet-stream; name="encrypted.asc"
Content-Description: OpenPGP encrypted message.asc
Content-Disposition: attachment; filename="encrypted.asc"; size=8440;
	creation-date="Thu, 14 Sep 2017 11:22:20 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:20 GMT"
Content-ID: <7BB44A7F9A93DF4D83734D011B25FCDD@emea.cisco.com>
Content-Transfer-Encoding: base64

--_003_287077A87F634C21990029352914F39Eciscocom_--


From nobody Thu Sep 14 04:22:58 2017
Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7578132F81; Thu, 14 Sep 2017 04:22:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level: 
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 84bKKQkTkJtn; Thu, 14 Sep 2017 04:22:23 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29AD4132944; Thu, 14 Sep 2017 04:22:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15868; q=dns/txt; s=iport; t=1505388143; x=1506597743; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=pobSHZOaMSvbBI2fwezKGwhW3BJCUUh1ENP8FQRxfqg=; b=Rps2DwZucdKFqCqXueCChPRTsoBmzPnlIvl+GpGejTCw+GDFOyS2teS6 aRXsMZOf8akDSCQV8KAqBp7erfL7CVFV15bjSZAeL2dbww6xhRn7ZDSKs OwmLmAXNLp9Fu3YL8os50MeCZ5MVzrDAnJ2K8/jPoenBliWF+JXxuD9pl o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CRAQBWZbpZ/5BdJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgy0tgVInB4NwnDt5l0EKhTwCGoQFVwECAQEBAQECayiFGAEBAQE?= =?us-ascii?q?CAQwXETcOBQsCAQgSBgICJgICAjAVAg4CBA4FG4oPCKwpgieLNAEBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAQEfgQ6CHYELd4FQgWMrgXBYNYRRJ4MTL4IxBYoCiRSNbAKLMok?= =?us-ascii?q?eghOFaIN+hn2VBAIRGQGBOAFXgQ13FVwBhQYcgWd2hiyBMoEPAQEB?=
X-IronPort-AV: E=Sophos;i="5.42,392,1500940800";  d="scan'208";a="2839420"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Sep 2017 11:22:22 +0000
Received: from XCH-RTP-017.cisco.com (xch-rtp-017.cisco.com [64.101.220.157]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id v8EBMMkW002155 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Sep 2017 11:22:22 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-017.cisco.com (64.101.220.157) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 14 Sep 2017 07:22:21 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1263.000; Thu, 14 Sep 2017 07:22:21 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, "IETF Discussion Mailing List" <ietf@ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-sfc-nsh-18
Thread-Index: AQHTEvC/pwAKmK7nuE+363G/TDu7PaKqA5CAgAOkFQCABwz8AA==
Date: Thu, 14 Sep 2017 11:22:21 +0000
Message-ID: <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
In-Reply-To: <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.70.233.115]
Content-Type: text/plain; charset="utf-8"
Content-ID: <07D49673DC025A4EB7C2E06F0ED5D9E9@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/aNCT-YezUofd4a8ALXIiYki4pJA>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 11:22:26 -0000

From nobody Thu Sep 14 04:23:12 2017
Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1A13133021; Thu, 14 Sep 2017 04:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yMDMuIfLdrgP; Thu, 14 Sep 2017 04:22:26 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDAB5132944; Thu, 14 Sep 2017 04:22:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=223026; q=dns/txt; s=iport; t=1505388146; x=1506597746; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=YXpGABtLn7ymurUwRpn9B0u+mf1DynLB0ai1L/CFqZ0=; b=Ux+WEC1TZpsDxUjEk3DZJ4tdgg8vAtQ2A2dkssbrr/vuc5FNnz6IKm3F 9EkkaL01nv+rFFbIqX3dZNGSkqQ+fBvHyJf3eRNC0CBcnTpGYQ9bmRMdv no9Vwfz3koC6AgbShiVBuiXF9InnlFWc1JywaW+GEqr3p2CJtE1be/hcu c=;
X-Files: draft-ietf-sfc-nsh-21-from-0.diff.html, ATT00001.htm, draft-ietf-sfc-nsh-21-from-0.wdiff.html, ATT00002.htm : 69741, 683, 87279, 1700
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CTAQC7ZbpZ/51dJa1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgy0tZG4nB4NwnTSPb4VOggQKI4E5AYNfAhqEBVcBAgEBAQEBAms?= =?us-ascii?q?ohRkGGgEIBEAEBwcQAgEIBA4bFQICAjAXDgIEDgUOiiQQrA6BbTqLNAEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAQEBAQEBAQ4PgycEgWEBIIFQgWMrgXBYNYQzCggBCwcBBwItGA8?= =?us-ascii?q?BglSCYAWJew6HJYlWLoVQAoQ2giGBAYNag1iFRoITG0CFDYN+hTSBSYl/JIdsg?= =?us-ascii?q?nUCERkBgTgBV4ECC3cVShIBhQECAxyBZgF2hiwPF4EMgQ8BAQE?=
X-IronPort-AV: E=Sophos;i="5.42,392,1500940800";  d="htm'217?html'217,217?scan'217,217,208,217";a="3367799"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Sep 2017 11:22:21 +0000
Received: from XCH-RTP-020.cisco.com (xch-rtp-020.cisco.com [64.101.220.160]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id v8EBML0A015029 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Sep 2017 11:22:21 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-020.cisco.com (64.101.220.160) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 14 Sep 2017 07:22:20 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1263.000; Thu, 14 Sep 2017 07:22:20 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-sfc-nsh-18
Thread-Index: AQHTEvC/pwAKmK7nuE+363G/TDu7PaKqA5CAgAOkFQCABwz5gA==
Date: Thu, 14 Sep 2017 11:22:20 +0000
Message-ID: <D59135F4-CEEC-4A0B-BA61-0126203710AC@cisco.com>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
In-Reply-To: <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.70.233.115]
Content-Type: multipart/mixed; boundary="_007_D59135F4CEEC4A0BBA610126203710ACciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Au42dr77B77kcbHt8Q5KMosowxQ>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 11:22:38 -0000

--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: multipart/alternative;
	boundary="_000_D59135F4CEEC4A0BBA610126203710ACciscocom_"

--_000_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/html; charset="utf-8"
Content-ID: <9B598D29C129714588E3D22CDEF5087E@emea.cisco.com>
Content-Transfer-Encoding: base64

--_000_D59135F4CEEC4A0BBA610126203710ACciscocom_--

--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/html; name="draft-ietf-sfc-nsh-21-from-0.diff.html"
Content-Description: draft-ietf-sfc-nsh-21-from-0.diff.html
Content-Disposition: attachment;
	filename="draft-ietf-sfc-nsh-21-from-0.diff.html"; size=69741;
	creation-date="Thu, 14 Sep 2017 11:22:19 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:19 GMT"
Content-ID: <DDCBCA12E8EA8945B0130840F57709FE@emea.cisco.com>
Content-Transfer-Encoding: base64

Ij5Db3B5cmlnaHQgTm90aWNlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIENvcHly
aWdodCAoYykgMjAxNyBJRVRGIFRydXN0IGFuZCB0aGUgcGVyc29ucyBpZGVudGlmaWVkIGFzIHRo
ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIENvcHlyaWdodCAoYykgMjAxNyBJ
RVRGIFRydXN0IGFuZCB0aGUgcGVyc29ucyBpZGVudGlmaWVkIGFzIHRoZTwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZG9jdW1lbnQgYXV0
aG9ycy4gIEFsbCByaWdodHMgcmVzZXJ2ZWQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+ICAgZG9jdW1lbnQgYXV0aG9ycy4gIEFsbCByaWdodHMgcmVzZXJ2ZWQuPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRoaXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzgg
YW5kIHRoZSBJRVRGIFRydXN0J3MgTGVnYWw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICBUaGlzIGRvY3VtZW50IGlzIHN1YmplY3QgdG8gQkNQIDc4IGFuZCB0aGUgSUVURiBUcnVz
dCdzIExlZ2FsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4N
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBQcm92aXNpb25zIFJlbGF0aW5nIHRvIElFVEYgRG9jdW1lbnRzPC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERv
Y3VtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQog
ICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA2IiAvPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAg
IChodHRwOi8vdHJ1c3RlZS5pZXRmLm9yZy9saWNlbnNlLWluZm8pIGluIGVmZmVjdCBvbiB0aGUg
ZGF0ZSBvZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAoaHR0cDxzcGFuIGNs
YXNzPSJpbnNlcnQiPnM8L3NwYW4+Oi8vdHJ1c3RlZS5pZXRmLm9yZy9saWNlbnNlLWluZm8pIGlu
IGVmZmVjdCBvbiB0aGUgZGF0ZSBvZjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBs
ZWFzZSByZXZpZXcgdGhlc2UgZG9jdW1lbnRzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+ICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcgdGhlc2Ug
ZG9jdW1lbnRzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4N
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBjYXJlZnVsbHksIGFzIHRoZXkgZGVzY3JpYmUgeW91ciByaWdodHMgYW5kIHJl
c3RyaWN0aW9ucyB3aXRoIHJlc3BlY3Q8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g
ICBjYXJlZnVsbHksIGFzIHRoZXkgZGVzY3JpYmUgeW91ciByaWdodHMgYW5kIHJlc3RyaWN0aW9u
cyB3aXRoIHJlc3BlY3Q8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPiAgIHRvIHRoaXMgZG9jdW1lbnQuICBDb2RlIENvbXBvbmVudHMgZXh0cmFj
dGVkIGZyb20gdGhpcyBkb2N1bWVudCBtdXN0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+ICAgdG8gdGhpcyBkb2N1bWVudC4gIENvZGUgQ29tcG9uZW50cyBleHRyYWN0ZWQgZnJvbSB0
aGlzIGRvY3VtZW50IG11c3Q8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgIGluY2x1ZGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0IGFz
IGRlc2NyaWJlZCBpbiBTZWN0aW9uIDQuZSBvZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgIGluY2x1ZGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0IGFzIGRlc2NyaWJlZCBp
biBTZWN0aW9uIDQuZSBvZjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIFRydXN0IExlZ2FsIFByb3Zpc2lvbnMgYW5kIGFyZSBwcm92
aWRlZCB3aXRob3V0IHdhcnJhbnR5IGFzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+
ICAgdGhlIFRydXN0IExlZ2FsIFByb3Zpc2lvbnMgYW5kIGFyZSBwcm92aWRlZCB3aXRob3V0IHdh
cnJhbnR5IGFzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4N
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBkZXNjcmliZWQgaW4gdGhlIFNpbXBsaWZpZWQgQlNEIExpY2Vuc2UuPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZGVzY3JpYmVkIGluIHRoZSBTaW1wbGlmaWVk
IEJTRCBMaWNlbnNlLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij5UYWJsZSBvZiBDb250
ZW50czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPlRhYmxlIG9mIENvbnRlbnRzPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgMzwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgMzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+DQogICAgICA8dHIgYmdjb2xvcj0iZ3JheSIg
Pjx0ZD48L3RkPjx0aD48YSBuYW1lPSJwYXJ0LWwyIiAvPjxzbWFsbD5za2lwcGluZyB0byBjaGFu
Z2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAyLCBsaW5lIDM5PC9lbT48L3RoPjx0aD4gPC90aD48dGg+
PGEgbmFtZT0icGFydC1yMiIgLz48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48
ZW0+IHBhZ2UgMiwgbGluZSAzOTwvZW0+PC90aD48dGQ+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAg
Ni4zLiAgU2VydmljZSBQbGFuZSBWaXNpYmlsaXR5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuICAyMTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgNi4zLiAgU2Vy
dmljZSBQbGFuZSBWaXNpYmlsaXR5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAy
MTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgICA2LjQuICBTZXJ2aWNlIEdyYXBocyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gIDIxPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICA2LjQu
ICBTZXJ2aWNlIEdyYXBocyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gIDIxPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICA3LiAgUG9saWN5IEVuZm9yY2VtZW50IHdpdGggTlNIIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAgMjE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICA3
LiAgUG9saWN5IEVuZm9yY2VtZW50IHdpdGggTlNIIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAgMjE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
Pg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxlZnQiPiAgICAgNy4xLiAgTlNIIE1ldGFkYXRhIGFuZCBQb2xpY3kgRW5mb3JjZW1lbnQg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyMTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgICAgNy4xLiAgTlNIIE1ldGFkYXRhIGFuZCBQb2xpY3kgRW5mb3JjZW1lbnQgLiAuIC4gLiAu
IC4gLiAuIC4gLiAuICAyMTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgICA3LjIuICBVcGRhdGluZy9BdWdtZW50aW5nIE1ldGFkYXRhICAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDIzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgICA3LjIuICBVcGRhdGluZy9BdWdtZW50aW5nIE1ldGFkYXRhICAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gIDIzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDcuMy4gIFNlcnZpY2UgUGF0aCBJZGVudGlmaWVyIGFu
ZCBNZXRhZGF0YSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAgMjU8L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJpZ2h0Ij4gICAgIDcuMy4gIFNlcnZpY2UgUGF0aCBJZGVudGlmaWVyIGFuZCBNZXRhZGF0
YSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAgMjU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDguICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyNTwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIDguICBTZWN1cml0eSBDb25zaWRlcmF0aW9ucyAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyNTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgOS4gIENvbnRyaWJ1dG9ycyAgLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDI3PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgOS4gIENvbnRyaWJ1dG9ycyAgLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDI3PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAxMC4gQWNrbm93bGVkZ21lbnRz
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMjg8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAxMC4gQWNrbm93bGVkZ21lbnRzIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMjg8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDExLiBJQU5BIENvbnNp
ZGVyYXRpb25zIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyODwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDExLiBJQU5BIENvbnNpZGVyYXRpb25z
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyODwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkPjxhIG5h
bWU9ImRpZmYwMDA3IiAvPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgMTEuMS4gIE5TSCBFdGhl
clR5cGUgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBj
bGFzcz0iZGVsZXRlIj4yODwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+
ICAgICAxMS4xLiAgTlNIIEV0aGVyVHlwZSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjI5PC9zcGFuPjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDExLjIuICBO
ZXR3b3JrIFNlcnZpY2UgSGVhZGVyIChOU0gpIFBhcmFtZXRlcnMgIC4gLiAuIC4gLiAuIC4gLiAg
PHNwYW4gY2xhc3M9ImRlbGV0ZSI+Mjg8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
YmxvY2siPiAgICAgMTEuMi4gIE5ldHdvcmsgU2VydmljZSBIZWFkZXIgKE5TSCkgUGFyYW1ldGVy
cyAgLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4yOTwvc3Bhbj48L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAx
MS4yLjEuICBOU0ggQmFzZSBIZWFkZXIgQml0cyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuICAyOTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAxMS4yLjEuICBO
U0ggQmFzZSBIZWFkZXIgQml0cyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAyOTwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
ICAgIDExLjIuMi4gIE5TSCBWZXJzaW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gIDI5PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgIDExLjIu
Mi4gIE5TSCBWZXJzaW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
IDI5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij4gICAgICAgMTEuMi4zLiAgTUQgVHlwZSBSZWdpc3RyeSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgMjk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAg
MTEuMi4zLiAgTUQgVHlwZSBSZWdpc3RyeSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAgMjk8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0K
ICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAwOCIgLz48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g
ICAgICAgMTEuMi40LiAgTUQgQ2xhc3MgUmVnaXN0cnkgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Mjk8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAxMS4yLjQuICBNRCBDbGFzcyBSZWdpc3RyeSAgLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4zMDwv
c3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+ICAgICAgIDExLjIuNS4gIE5TSCBCYXNlIEhlYWRlciBOZXh0IFByb3RvY29sICAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjMwPC9zcGFuPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgMTEuMi41LiAgTlNIIEJhc2UgSGVhZGVy
IE5leHQgUHJvdG9jb2wgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2Vy
dCI+MzE8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICAgICAgMTEuMi42LiAgTmV3IElFVEYgQXNzaWduZWQgT3B0aW9uYWwgVmFy
aWFibGUgTGVuZ3RoIE1ldGFkYXRhPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
ICAgIDExLjIuNi4gIE5ldyBJRVRGIEFzc2lnbmVkIE9wdGlvbmFsIFZhcmlhYmxlIExlbmd0aCBN
ZXRhZGF0YTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgICAgICAgICAgICAgIFR5cGUgUmVnaXN0cnkgIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gIDMxPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
ICAgICAgICAgICAgIFR5cGUgUmVnaXN0cnkgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gIDMxPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICAxMi4gUmVmZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMzE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICAxMi4gUmVmZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgMzE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPg0KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAwOSIgLz48L3RkPjwvdHI+DQog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGJsb2NrIj4gICAgIDEyLjEuICBOb3JtYXRpdmUgUmVmZXJlbmNlcyAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAgMzxzcGFuIGNsYXNzPSJkZWxldGUiPjE8L3NwYW4+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgMTIuMS4gIE5vcm1hdGl2ZSBSZWZlcmVu
Y2VzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAzPHNwYW4gY2xhc3M9Imlu
c2VydCI+Mjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPiAgICAgMTIuMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMgLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAzMjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgICAgMTIuMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMgLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuICAzMjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+DQogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDEwIiAvPjwvdGQ+PC90cj4N
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsYmxvY2siPiAgIEF1dGhvcnMnIEFkZHJlc3NlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAzPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Mzwvc3Bhbj48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgQXV0aG9ycycgQWRkcmVzc2VzICAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDM8c3BhbiBjbGFzcz0i
aW5zZXJ0Ij40PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4xLiAgSW50cm9k
dWN0aW9uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+MS4gIEludHJvZHVjdGlvbjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBTZXJ2aWNlIGZ1bmN0aW9ucyBhcmUgd2lk
ZWx5IGRlcGxveWVkIGFuZCBlc3NlbnRpYWwgaW4gbWFueSBuZXR3b3Jrcy48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBTZXJ2aWNlIGZ1bmN0aW9ucyBhcmUgd2lkZWx5IGRlcGxv
eWVkIGFuZCBlc3NlbnRpYWwgaW4gbWFueSBuZXR3b3Jrcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRoZXNlIHNlcnZpY2UgZnVuY3Rp
b25zIHByb3ZpZGUgYSByYW5nZSBvZiBmZWF0dXJlcyBzdWNoIGFzIHNlY3VyaXR5LDwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZXNlIHNlcnZpY2UgZnVuY3Rpb25zIHByb3Zp
ZGUgYSByYW5nZSBvZiBmZWF0dXJlcyBzdWNoIGFzIHNlY3VyaXR5LDwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgV0FOIGFjY2VsZXJhdGlv
biwgYW5kIHNlcnZlciBsb2FkIGJhbGFuY2luZy4gIFNlcnZpY2UgZnVuY3Rpb25zIG1heTwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFdBTiBhY2NlbGVyYXRpb24sIGFuZCBzZXJ2
ZXIgbG9hZCBiYWxhbmNpbmcuICBTZXJ2aWNlIGZ1bmN0aW9ucyBtYXk8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGJlIGluc3RhbnRpYXRl
ZCBhdCBkaWZmZXJlbnQgcG9pbnRzIGluIHRoZSBuZXR3b3JrIGluZnJhc3RydWN0dXJlPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYmUgaW5zdGFudGlhdGVkIGF0IGRpZmZlcmVu
dCBwb2ludHMgaW4gdGhlIG5ldHdvcmsgaW5mcmFzdHJ1Y3R1cmU8L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHN1Y2ggYXMgdGhlIHdpZGUg
YXJlYSBuZXR3b3JrLCBkYXRhIGNlbnRlciwgY2FtcHVzLCBhbmQgc28gZm9ydGguPC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgc3VjaCBhcyB0aGUgd2lkZSBhcmVhIG5ldHdvcmss
IGRhdGEgY2VudGVyLCBjYW1wdXMsIGFuZCBzbyBmb3J0aC48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgUHJpb3IgdG8gZGV2ZWxvcG1lbnQgb2YgdGhlIFNGQyBhcmNoaXRlY3R1cmUg
W1JGQzc2NjVdIGFuZCB0aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBQcmlv
ciB0byBkZXZlbG9wbWVudCBvZiB0aGUgU0ZDIGFyY2hpdGVjdHVyZSBbUkZDNzY2NV0gYW5kIHRo
ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+DQog
ICAgICA8dHIgYmdjb2xvcj0iZ3JheSIgPjx0ZD48L3RkPjx0aD48YSBuYW1lPSJwYXJ0LWwzIiAv
PjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSA0LCBsaW5lIDIw
PC9lbT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0icGFydC1yMyIgLz48c21hbGw+c2tpcHBp
bmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgNCwgbGluZSAyMDwvZW0+PC90aD48dGQ+
PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhl
IE5TSCBpcyBkZXNpZ25lZCB0byBiZSBlYXN5IHRvIGltcGxlbWVudCBhY3Jvc3MgYSByYW5nZSBv
ZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBOU0ggaXMgZGVzaWduZWQg
dG8gYmUgZWFzeSB0byBpbXBsZW1lbnQgYWNyb3NzIGEgcmFuZ2Ugb2Y8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRldmljZXMsIGJvdGgg
cGh5c2ljYWwgYW5kIHZpcnR1YWwsIGluY2x1ZGluZyBoYXJkd2FyZSBwbGF0Zm9ybXMuPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZGV2aWNlcywgYm90aCBwaHlzaWNhbCBhbmQg
dmlydHVhbCwgaW5jbHVkaW5nIGhhcmR3YXJlIHBsYXRmb3Jtcy48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+ICAgVGhlIGludGVuZGVkIHNjb3BlIG9mIHRoZSBOU0ggaXMgZm9yIHVzZSB3
aXRoaW4gYSBzaW5nbGUgcHJvdmlkZXInczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgIFRoZSBpbnRlbmRlZCBzY29wZSBvZiB0aGUgTlNIIGlzIGZvciB1c2Ugd2l0aGluIGEgc2lu
Z2xlIHByb3ZpZGVyJ3M8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPiAgIG9wZXJhdGlvbmFsIGRvbWFpbi4gIFRoaXMgZGVwbG95bWVudCBzY29w
ZSBpcyBkZWxpYmVyYXRlbHk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvcGVy
YXRpb25hbCBkb21haW4uICBUaGlzIGRlcGxveW1lbnQgc2NvcGUgaXMgZGVsaWJlcmF0ZWx5PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBj
b25zdHJhaW5lZCwgYXMgZXhwbGFpbmVkIGFsc28gaW4gW1JGQzc2NjVdLCBhbmQgbGltaXRlZCB0
byBhIHNpbmdsZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGNvbnN0cmFpbmVk
LCBhcyBleHBsYWluZWQgYWxzbyBpbiBbUkZDNzY2NV0sIGFuZCBsaW1pdGVkIHRvIGEgc2luZ2xl
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBuZXR3b3JrIGFkbWluaXN0cmF0aXZlIGRvbWFpbi4gIEluIHRoaXMgY29udGV4dCwgYSAiZG9t
YWluIiBpcyBhIHNldDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG5ldHdvcmsg
YWRtaW5pc3RyYXRpdmUgZG9tYWluLiAgSW4gdGhpcyBjb250ZXh0LCBhICJkb21haW4iIGlzIGEg
c2V0PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij4gICBvZiBuZXR3b3JrIGVudGl0aWVzIHdpdGhpbiBhIHNpbmdsZSBhZG1pbmlzdHJhdGlvbi4g
IEZvciBleGFtcGxlLCBhPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgb2YgbmV0
d29yayBlbnRpdGllcyB3aXRoaW4gYSBzaW5nbGUgYWRtaW5pc3RyYXRpb24uICBGb3IgZXhhbXBs
ZSwgYTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+ICAgbmV0d29yayBhZG1pbmlzdHJhdGl2ZSBkb21haW4gY2FuIGluY2x1ZGUgYSBzaW5nbGUg
ZGF0YSBjZW50ZXIsIGE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBuZXR3b3Jr
IGFkbWluaXN0cmF0aXZlIGRvbWFpbiBjYW4gaW5jbHVkZSBhIHNpbmdsZSBkYXRhIGNlbnRlciwg
YTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8
dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDExIiAvPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIGNhbXB1
cyBwaHlzaWNhbCBuZXR3b3JrLCBvciBhbiBvdmVybGF5IGRvbWFpbiB1c2luZyB2aXJ0dWFsPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmNv
bnRyb2xsZWQ8L3NwYW4+IGNhbXB1cyBwaHlzaWNhbCBuZXR3b3JrLCBvciBhbiBvdmVybGF5IGRv
bWFpbiB1c2luZzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj4gICBjb25uZWN0aW9ucyBhbmQgdHVubmVscy4gIEEgY29yb2xsYXJ5IGlzIHRo
YXQgYSBuZXR3b3JrPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIHZpcnR1YWwg
Y29ubmVjdGlvbnMgYW5kIHR1bm5lbHMuICBBIGNvcm9sbGFyeSBpcyB0aGF0IGEgbmV0d29yazwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
YWRtaW5pc3RyYXRpdmUgZG9tYWluIGhhcyBhIHdlbGwgZGVmaW5lZCBwZXJpbWV0ZXIuPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWRtaW5pc3RyYXRpdmUgZG9tYWluIGhhcyBh
IHdlbGwgZGVmaW5lZCBwZXJpbWV0ZXIuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg
IEFuIE5TSC1hd2FyZSBjb250cm9sIHBsYW5lIGlzIG91dHNpZGUgdGhlIHNjb3BlIG9mIHRoaXMg
ZG9jdW1lbnQuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQW4gTlNILWF3YXJl
IGNvbnRyb2wgcGxhbmUgaXMgb3V0c2lkZSB0aGUgc2NvcGUgb2YgdGhpcyBkb2N1bWVudC48L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzc2NjVdIHByb3ZpZGVzIGFuIG92ZXJ2
aWV3IG9mIGEgc2VydmljZSBjaGFpbmluZyBhcmNoaXRlY3R1cmU8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBbUkZDNzY2NV0gcHJvdmlkZXMgYW4gb3ZlcnZpZXcgb2YgYSBzZXJ2
aWNlIGNoYWluaW5nIGFyY2hpdGVjdHVyZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhhdCBjbGVhcmx5IGRlZmluZXMgdGhlIHJvbGVz
IG9mIHRoZSB2YXJpb3VzIGVsZW1lbnRzIGFuZCB0aGUgc2NvcGU8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICB0aGF0IGNsZWFybHkgZGVmaW5lcyB0aGUgcm9sZXMgb2YgdGhlIHZh
cmlvdXMgZWxlbWVudHMgYW5kIHRoZSBzY29wZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgb2YgYSBzZXJ2aWNlIGZ1bmN0aW9uIGNoYWlu
aW5nIGVuY2Fwc3VsYXRpb24uICBUaGUgTlNIIGlzIHRoZSBTRkM8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBvZiBhIHNlcnZpY2UgZnVuY3Rpb24gY2hhaW5pbmcgZW5jYXBzdWxh
dGlvbi4gIFRoZSBOU0ggaXMgdGhlIFNGQzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZW5jYXBzdWxhdGlvbiByZWZlcmVuY2VkIGluIFtS
RkM3NjY1XS48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBlbmNhcHN1bGF0aW9u
IHJlZmVyZW5jZWQgaW4gW1JGQzc2NjVdLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4x
LjEuICBSZXF1aXJlbWVudHMgTGFuZ3VhZ2U8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4xLjEuICBSZXF1aXJlbWVudHMgTGFuZ3VhZ2U8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQg
Y2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPg0KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiID48dGQ+
PC90ZD48dGg+PGEgbmFtZT0icGFydC1sNCIgLz48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0
PC9zbWFsbD48ZW0+IHBhZ2UgMjYsIGxpbmUgNzwvZW0+PC90aD48dGg+IDwvdGg+PHRoPjxhIG5h
bWU9InBhcnQtcjQiIC8+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBw
YWdlIDI2LCBsaW5lIDc8L2VtPjwvdGg+PHRkPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48dGQgY2xhc3M9ImxlZnQiPjguICBTZWN1cml0eSBDb25zaWRlcmF0aW9uczwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjguICBTZWN1cml0eSBDb25zaWRlcmF0aW9uczwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBBcyB3aXRoIG1hbnkgb3RoZXIgcHJvdG9jb2xz
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAgICAgICAgRE9JIDEwLjE3NDg3
L1JGQzI3ODQsIE1hcmNoIDIwMDAsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAgICAgICAgICAg
ZWRpdG9yLm9yZy9pbmZvL3JmYzI3ODQmZ3Q7Ljwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJibG9jayI+ICAgICAgICAgICAgICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4mbHQ7aHR0cHM6
Ly93d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmMyNzg0Jmd0Oy48L3NwYW4+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtSRkMzNjkyXSAgTmFydGVuLCBULiwgIkFzc2lnbmluZyBF
eHBlcmltZW50YWwgYW5kIFRlc3RpbmcgTnVtYmVyczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmlnaHQiPiAgIFtSRkMzNjkyXSAgTmFydGVuLCBULiwgIkFzc2lnbmluZyBFeHBlcmltZW50YWwg
YW5kIFRlc3RpbmcgTnVtYmVyczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBDb25zaWRlcmVkIFVzZWZ1bCIsIEJDUCA4
MiwgUkZDIDM2OTIsPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAg
ICBDb25zaWRlcmVkIFVzZWZ1bCIsIEJDUCA4MiwgUkZDIDM2OTIsPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlm
ZjAwMTgiIC8+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgICAgICAgICBET0kgMTAuMTc0ODcv
UkZDMzY5MiwgSmFudWFyeSAyMDA0LCA8c3BhbiBjbGFzcz0iZGVsZXRlIj4mbHQ7aHR0cHM6Ly93
d3cucmZjLTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgICAg
ICAgICBET0kgMTAuMTc0ODcvUkZDMzY5MiwgSmFudWFyeSAyMDA0LDwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVs
ZXRlIj4gICAgICAgICAgICAgIGVkaXRvci5vcmcvaW5mby9yZmMzNjkyJmd0Oy48L3NwYW4+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAgICAgICAgPHNwYW4gY2xhc3M9
Imluc2VydCI+Jmx0O2h0dHBzOi8vd3d3LnJmYy1lZGl0b3Iub3JnL2luZm8vcmZjMzY5MiZndDsu
PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBbUkZDNjA3MV0gIEZyYW5r
ZWwsIFMuIGFuZCBTLiBLcmlzaG5hbiwgIklQIFNlY3VyaXR5IChJUHNlYykgYW5kPC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1JGQzYwNzFdICBGcmFua2VsLCBTLiBhbmQgUy4g
S3Jpc2huYW4sICJJUCBTZWN1cml0eSAoSVBzZWMpIGFuZDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBJbnRlcm5ldCBL
ZXkgRXhjaGFuZ2UgKElLRSkgRG9jdW1lbnQgUm9hZG1hcCIsIFJGQyA2MDcxLDwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgSW50ZXJuZXQgS2V5IEV4Y2hhbmdl
IChJS0UpIERvY3VtZW50IFJvYWRtYXAiLCBSRkMgNjA3MSw8L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAx
OSIgLz48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgICAgICAgICAgIERPSSAxMC4xNzQ4Ny9SRkM2
MDcxLCBGZWJydWFyeSAyMDExLCA8c3BhbiBjbGFzcz0iZGVsZXRlIj4mbHQ7aHR0cHM6Ly93d3cu
cmZjLTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgICAgICAg
ICBET0kgMTAuMTc0ODcvUkZDNjA3MSwgRmVicnVhcnkgMjAxMSw8L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0
ZSI+ICAgICAgICAgICAgICBlZGl0b3Iub3JnL2luZm8vcmZjNjA3MSZndDsuPC9zcGFuPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJp
bnNlcnQiPiZsdDtodHRwczovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzYwNzEmZ3Q7Ljwv
c3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzczMjVdICBWaWxsYW1p
emFyLCBDLiwgRWQuLCBLb21wZWxsYSwgSy4sIEFtYW50ZSwgUy4sIE1hbGlzLCBBLiw8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNzMyNV0gIFZpbGxhbWl6YXIsIEMuLCBF
ZC4sIEtvbXBlbGxhLCBLLiwgQW1hbnRlLCBTLiwgTWFsaXMsIEEuLDwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBhbmQg
Qy4gUGlnbmF0YXJvLCAiTVBMUyBGb3J3YXJkaW5nIENvbXBsaWFuY2UgYW5kPC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICBhbmQgQy4gUGlnbmF0YXJvLCAiTVBM
UyBGb3J3YXJkaW5nIENvbXBsaWFuY2UgYW5kPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgIFBlcmZvcm1hbmNlIFJlcXVp
cmVtZW50cyIsIFJGQyA3MzI1LCBET0kgMTAuMTc0ODcvUkZDNzMyNSw8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIFBlcmZvcm1hbmNlIFJlcXVpcmVtZW50cyIs
IFJGQyA3MzI1LCBET0kgMTAuMTc0ODcvUkZDNzMyNSw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgQXVndXN0IDIwMTQs
ICZsdDtodHRwczovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzczMjUmZ3Q7LjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgQXVndXN0IDIwMTQsICZsdDto
dHRwczovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzczMjUmZ3Q7LjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsZWZ0Ij4gICBbUkZDNzQ5OF0gIFF1aW5uLCBQLiwgRWQuIGFuZCBULiBOYWRl
YXUsIEVkLiwgIlByb2JsZW0gU3RhdGVtZW50IGZvcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmlnaHQiPiAgIFtSRkM3NDk4XSAgUXVpbm4sIFAuLCBFZC4gYW5kIFQuIE5hZGVhdSwgRWQuLCAi
UHJvYmxlbSBTdGF0ZW1lbnQgZm9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgIFNlcnZpY2UgRnVuY3Rpb24gQ2hhaW5p
bmciLCBSRkMgNzQ5OCw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAg
ICAgIFNlcnZpY2UgRnVuY3Rpb24gQ2hhaW5pbmciLCBSRkMgNzQ5OCw8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJk
aWZmMDAyMCIgLz48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgICAgICAgICAgIERPSSAxMC4xNzQ4
Ny9SRkM3NDk4LCBBcHJpbCAyMDE1LCA8c3BhbiBjbGFzcz0iZGVsZXRlIj4mbHQ7aHR0cHM6Ly93
d3cucmZjLTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgICAg
ICAgICBET0kgMTAuMTc0ODcvUkZDNzQ5OCwgQXByaWwgMjAxNSw8L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0
ZSI+ICAgICAgICAgICAgICBlZGl0b3Iub3JnL2luZm8vcmZjNzQ5OCZndDsuPC9zcGFuPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJp
bnNlcnQiPiZsdDtodHRwczovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzc0OTgmZ3Q7Ljwv
c3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzc2NzZdICBQaWduYXRh
cm8sIEMuLCBCb25pY2EsIFIuLCBhbmQgUy4gS3Jpc2huYW4sICJJUHY2IFN1cHBvcnQ8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNzY3Nl0gIFBpZ25hdGFybywgQy4sIEJv
bmljYSwgUi4sIGFuZCBTLiBLcmlzaG5hbiwgIklQdjYgU3VwcG9ydDwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBmb3Ig
R2VuZXJpYyBSb3V0aW5nIEVuY2Fwc3VsYXRpb24gKEdSRSkiLCBSRkMgNzY3Niw8L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIGZvciBHZW5lcmljIFJvdXRpbmcg
RW5jYXBzdWxhdGlvbiAoR1JFKSIsIFJGQyA3Njc2LDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDIxIiAv
PjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgICAgICAgICAgRE9JIDEwLjE3NDg3L1JGQzc2NzYs
IE9jdG9iZXIgMjAxNSwgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Jmx0O2h0dHBzOi8vd3d3LnJmYy08
L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAgICAgICAgRE9J
IDEwLjE3NDg3L1JGQzc2NzYsIE9jdG9iZXIgMjAxNSw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAg
ICAgICAgICAgICBlZGl0b3Iub3JnL2luZm8vcmZjNzY3NiZndDsuPC9zcGFuPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgICAgICAgIDxzcGFuIGNsYXNzPSJpbnNlcnQi
PiZsdDtodHRwczovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3JmYzc2NzYmZ3Q7Ljwvc3Bhbj48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+QXV0aG9ycycgQWRkcmVzc2VzPC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+QXV0aG9ycycgQWRkcmVzc2VzPC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgIFBhdWwgUXVpbm4gKGVkaXRvcik8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBQYXVsIFF1aW5uIChlZGl0b3IpPC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBDaXNjbyBTeXN0ZW1zLCBJbmMu
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQ2lzY28gU3lzdGVtcywgSW5jLjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBFbWFpbDogcGF1bHFAY2lzY28uY29tPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgRW1haWw6IHBhdWxxQGNpc2NvLmNvbTwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8dHI+
PHRkPjxhIG5hbWU9ImRpZmYwMDIyIiAvPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
DQogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgVXJpIEVsenVyIChlZGl0b3IpPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgVXJpIEVsenVyIChlZGl0b3IpPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJbnRlbDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIEludGVsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4NCiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEVtYWls
OiB1cmkuZWx6dXJAaW50ZWwuY29tPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
RW1haWw6IHVyaS5lbHp1ckBpbnRlbC5jb208L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+DQogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgQ2FybG9zIFBpZ25hdGFybyAoZWRpdG9yKTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgIENhcmxvcyBQaWduYXRhcm8gKGVkaXRvcik8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIENpc2NvIFN5c3RlbXMsIEluYy48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBDaXNjbyBTeXN0ZW1zLCBJbmMuPC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPg0KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIEVtYWlsOiBjcGlnbmF0YUBjaXNjby5jb208L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBFbWFpbDogY3BpZ25hdGFAY2lzY28uY29t
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4NCg0KICAgICA8
dHI+PHRkPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij48L3RkPjx0ZD48L3RkPjwvdHI+DQogICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGggY29s
c3Bhbj0iNSIgYWxpZ249ImNlbnRlciI+PGEgbmFtZT0iZW5kIj4mbmJzcDtFbmQgb2YgY2hhbmdl
cy4gMjIgY2hhbmdlIGJsb2Nrcy4mbmJzcDs8L2E+PC90aD48L3RyPg0KICAgICA8dHIgY2xhc3M9
InN0YXRzIj48dGQ+PC90ZD48dGg+PGk+MzEgbGluZXMgY2hhbmdlZCBvciBkZWxldGVkPC9pPjwv
dGg+PHRoPjxpPiA8L2k+PC90aD48dGg+PGk+NDQgbGluZXMgY2hhbmdlZCBvciBhZGRlZDwvaT48
L3RoPjx0ZD48L3RkPjwvdHI+DQogICAgIDx0cj48dGQgY29sc3Bhbj0iNSIgYWxpZ249ImNlbnRl
ciIgY2xhc3M9InNtYWxsIj48YnIvPlRoaXMgaHRtbCBkaWZmIHdhcyBwcm9kdWNlZCBieSByZmNk
aWZmIDEuMzIuIFRoZSBsYXRlc3QgdmVyc2lvbiBpcyBhdmFpbGFibGUgZnJvbSA8YSBocmVmPSJo
dHRwOi8vd3d3Lmxldmtvd2V0ei5jb20vaWV0Zi90b29scy9yZmNkaWZmLyIgPmh0dHA6Ly93d3cu
bGV2a293ZXR6LmNvbS9pZXRmL3Rvb2xzL3JmY2RpZmYvPC9hPiA8L3RkPjwvdHI+DQogICA8L3Rh
YmxlPg0KICAgPC9ib2R5Pg0KICAgPC9odG1sPg0K

--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/html; name="ATT00001.htm"
Content-Description: ATT00001.htm
Content-Disposition: attachment; filename="ATT00001.htm"; size=683;
	creation-date="Thu, 14 Sep 2017 11:22:19 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:19 GMT"
Content-ID: <EE07EC6E2BA4E341ADF5B8F549734877@emea.cisco.com>
Content-Transfer-Encoding: base64

--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/html; name="draft-ietf-sfc-nsh-21-from-0.wdiff.html"
Content-Description: draft-ietf-sfc-nsh-21-from-0.wdiff.html
Content-Disposition: attachment;
	filename="draft-ietf-sfc-nsh-21-from-0.wdiff.html"; size=87279;
	creation-date="Thu, 14 Sep 2017 11:22:19 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:19 GMT"
Content-ID: <F38B0FB9089C6B4D964AAAA54383B7A6@emea.cisco.com>
Content-Transfer-Encoding: base64
--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_
Content-Type: text/html; name="ATT00002.htm"
Content-Description: ATT00002.htm
Content-Disposition: attachment; filename="ATT00002.htm"; size=1700;
	creation-date="Thu, 14 Sep 2017 11:22:19 GMT";
	modification-date="Thu, 14 Sep 2017 11:22:19 GMT"
Content-ID: <5A0278DC3DBC804095DF5D63EA523DC1@emea.cisco.com>
Content-Transfer-Encoding: base64

--_007_D59135F4CEEC4A0BBA610126203710ACciscocom_--


From nobody Thu Sep 14 09:17:24 2017
Return-Path: <rsalz@akamai.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2693A133045; Thu, 14 Sep 2017 09:16:59 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rich Salz <rsalz@akamai.com>
To: <secdir@ietf.org>
Cc: draft-ietf-6man-maxra.all@ietf.org, ipv6@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.61.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150540581910.12546.16775859991578068994@ietfa.amsl.com>
Date: Thu, 14 Sep 2017 09:16:59 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9g04kpXShMJRlLBHyxHk0q2CNyo>
Subject: [secdir] Secdir last call review of draft-ietf-6man-maxra-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 16:16:59 -0000

Reviewer: Rich Salz
Review result: Has Nits

I reviewed this document for SECDIR.  It's ready.  I have one minor editorial
suggestion.  The introduction has this text:
  There are already link technology specific clarifications
   how to tune protocol constants for certain system with the
   expectation to reduce excess Neighbor Discovery Protocol (NDP)
   traffic. 3GPP cellular links are one existing example
   [RFC6459][RFC7066].

I would suggest rewording it like this:
   Clarifications for how to tune protocol constants to reduce Neighbor
   Discovery Protocol (NDP) traffic already exist; for example [RFC6459] and
   [RFC7066] for 3GPP.



From nobody Thu Sep 14 11:04:08 2017
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10FD01326FE; Thu, 14 Sep 2017 11:04:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level: 
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QcELCuGxCz9S; Thu, 14 Sep 2017 11:04:05 -0700 (PDT)
Received: from relais-inet.orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE6F1126BF0; Thu, 14 Sep 2017 11:04:04 -0700 (PDT)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar25.francetelecom.fr (ESMTP service) with ESMTP id 8DB61120AC5; Thu, 14 Sep 2017 20:04:03 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.66]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 67CAAC0052; Thu, 14 Sep 2017 20:04:03 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILMA1.corporate.adroot.infra.ftgroup ([fe80::95e2:eb4b:3053:fabf%19]) with mapi id 14.03.0361.001; Thu, 14 Sep 2017 20:04:03 +0200
From: <bruno.decraene@orange.com>
To: David Mandelberg <david@mandelberg.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZg
Date: Thu, 14 Sep 2017 18:04:02 +0000
Message-ID: <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org>
In-Reply-To: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.3]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LrSpHWZ7_rS1yyc3ui32ZXme3lQ>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 18:04:06 -0000

Hi David,

Thanks for your review.

> From: David Mandelberg [mailto:david@mandelberg.org]
> Sent: Saturday, August 26, 2017 8:49 PM
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> This document extends OSPF for use with tunnels. As mentioned in the
> security considerations, an attacker who can modify routing information
> can cause packets to be misdirected or dropped. However, that seems to
> be the general nature of routing attacks. I don't know if this document
> makes such attacks any more likely or more severe, but it would be nice
> to see a bit more discussion of that in the security considerations.
> E.g., are OSPF attacks without tunneling less severe because of some
> limitation on where packets can be forwarded, while tunneling makes it
> easier to forward packets to anywhere on the Internet? Or is that not
> the case? (I'm not very familiar with OSPF or with the environments it's
> typically used in.)

OSPF is routing internal to a routing operator. Information received from
internal OSPF routers is supposed to be trusted. Personally, I would find
it unacceptable if an attacker could modify such routing information. I
don't think that this extension makes it any more likely. In terms of
severity, I don't think that this is more severe than modifying routing
information, e.g. link bandwidth in TE advertisement. Not to mention
changing the network topology/graph which currently creates
micro-forwarding loops in the network. The only additional consequence
that I could think of, is advertising (more) tunneling instructions when
the decapsulator is not capable of decapsulating the tunnel at line rate.
This would overload its decapsulation processing. This is already
identified in the security section of RFC5565 that we are citing. In
addition, assuming that the node would not crash because of bugs, that
would merely create packet drops, while there are so many ways to create
ones if an attacker could modify routing information. Starting with a
whole network meltdown.
In short, I don't think that this protocol extension significantly changes
the OSPF security considerations.

--Bruno


From derrell.piper@gmail.com  Wed Sep  6 13:12:49 2017
Return-Path: <derrell.piper@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D9E5126B7E; Wed,  6 Sep 2017 13:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gDuzEvFvZ3cO; Wed,  6 Sep 2017 13:12:47 -0700 (PDT)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B56B132031; Wed,  6 Sep 2017 13:12:47 -0700 (PDT)
Received: by mail-yw0-x234.google.com with SMTP id q80so249379ywg.2; Wed, 06 Sep 2017 13:12:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to:cc; bh=eNr6jNC6V8CcXXQAdXNEcXVttCSqAIAuqwVq6S2dytY=; b=grcMvj52opmdhlPt5S5CT6uk/WqjnM//Sdqi8lkZl/Dx1ken9tYw3S18MuKz1ww35z 9JvRMhUPFGtjiAaUI0EK2jWdjBtkJigi8vPRyRs9ipYB24J/yITPj39yD08gj549h+bE zgVWocKK00hVgBfsRMY4fdA6L1mQbtLqJBDFEcaP3T3P2qzqez4pG3+897BXYfyLqojw 2x2Mq90GNveTLSK37DruWoMu2/w+DqL7lmap0Ha9lJc7ctH4+QkrprAt5UWPID/fp0UA 3vo/EViEY17pCW2GMqiyFod3c+Md5APoWCk4O/fARwbSVPtGeYXrsQigeAo50mIS1+zU 9HYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=eNr6jNC6V8CcXXQAdXNEcXVttCSqAIAuqwVq6S2dytY=; b=FflC82R4yEb8wZNqMLNTJvbnc8fdYdM/YhVVNnKUJu1OfNfugwGsuGD93kQxl4YvTA 4BMjAOnkp+a3dYbBgz9KJlEpwZhYGFSJz/fpS31QE5ZSdX5h02kvwDA0yyna53FkEpjd p7gChT2gN6LZOJNbD/yYZ+srtTBxXbJuDDx7L3eoKHc4aUswz9crhAtjQbxspIld/6SU Zr/RwowlPDH8CF1slPexuePFg0QYKd3gloBcw0MQ9FrbgI1xaETVh8gVDoRioxyS1h8h V6eJvJ/gaYD7sxMJIR/ywx0jz4e5XaFkKMZYqjGb+KXIta/5rSQKRGGLkTbXcbdCIm0P HnLA==
X-Gm-Message-State: AHPjjUiE/kalZF6hMoGb1g/vzYHaLv32NohN6sAvkw6fo7W28E5pPrLn 1wGOHOa9MP0UhdITxoJi2RMm/9HZDg==
X-Google-Smtp-Source: ADKCNb7Mz/ICW00zhw4dpTa2GCY1U7owAZ1ISuxewU0Abcvb/f4Gi0PLdSumlYmvStUMbgdlLIsR1b0FugNIWyTEBos=
X-Received: by 10.37.122.130 with SMTP id v124mr315278ybc.308.1504728766738; Wed, 06 Sep 2017 13:12:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.102.130 with HTTP; Wed, 6 Sep 2017 13:12:46 -0700 (PDT)
From: Derrell Piper <derrell.piper@gmail.com>
Date: Wed, 6 Sep 2017 13:12:46 -0700
Message-ID: <CAHk=RNuiVz9d7WkPXZG4fdJkJmn0751d1SEM=QcsAMAw1qNsHg@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-taps-transports-usage.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="001a114baff09ffc4e05588af776"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jBVgRvtNYZ4Z9RvCftThTrL6UMg>
X-Mailman-Approved-At: Thu, 14 Sep 2017 11:32:20 -0700
Subject: [secdir]  Secdir review of draft-ietf-taps-transports-usage-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Sep 2017 20:26:30 -0000

--001a114baff09ffc4e05588af776
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The summary of the review is Ready with Nits.

Since I'm not following TAPS or most of this, I reviewed the ediffs between
-05, -06, -07, and this version -08.  There were no changes from -07, so -06
was the last relevant version.

Radia's comments from her review of -05 were succinct, so I'll just quote
them:

   This informational document contains tutorial information on the use of
   the sockets API to send and receive data over the UDP and UDP-lite
   protocols. It is apparently part of an effort to write tutorial
   descriptions of APIs to all IETF-standardized transport protocols.

   This document refers the reader to the standards for all security
   considerations. That is probably appropriate. It’s always difficult to
   decide what information to include and what to exclude in a tutorial.  I
   would have liked an explanation of how the sender knows whether to request
   UDP or UDP-lite, since it doesn't look like UDP-lite would be compatible
   with something that only speaks UDP.

Section 3.4 has been expanded upon presumably to address her second point.
I'm still not sure it gives the reader enough information to choose between
all these things, but it was basically informative, even if it seems to raise
more questions than it answers.

Considering that this document doesn't even reference D/TLS or QUIC, I guess
it's fine for what it is, but I would have preferred more text in the Security
Considerations section and I guess more text overall about when these things
are useful.


--001a114baff09ffc4e05588af776--


From nobody Thu Sep 14 13:22:44 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 042E2132335 for <secdir@ietfa.amsl.com>; Thu, 14 Sep 2017 13:22:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id strVFeXzs4Hg for <secdir@ietfa.amsl.com>; Thu, 14 Sep 2017 13:22:37 -0700 (PDT)
Received: from nm19-vm2.access.bullet.mail.bf1.yahoo.com (nm19-vm2.access.bullet.mail.bf1.yahoo.com [216.109.115.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AFF1132E2A for <secdir@ietf.org>; Thu, 14 Sep 2017 13:22:36 -0700 (PDT)
Received: from [66.196.81.165] by nm19.access.bullet.mail.bf1.yahoo.com with NNFMP; 14 Sep 2017 20:22:35 -0000
Received: from [98.138.226.243] by tm11.access.bullet.mail.bf1.yahoo.com with NNFMP; 14 Sep 2017 20:22:35 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 14 Sep 2017 20:22:35 -0000
X-Yahoo-Newman-Id: 250458.86989.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id D81F11C609C; Thu, 14 Sep 2017 16:22:33 -0400 (EDT)
To: bruno.decraene@orange.com
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org>
Date: Thu, 14 Sep 2017 16:22:31 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CC45jE39Sw35i7EimHzsygo4Jxg>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 20:22:39 -0000

From nobody Fri Sep 15 00:32:03 2017
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BF081321A4; Fri, 15 Sep 2017 00:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level: 
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHSl0GKbXESi; Fri, 15 Sep 2017 00:31:54 -0700 (PDT)
Received: from relais-inet.orange.com (mta134.mail.business.static.orange.com [80.12.70.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D29D132031; Fri, 15 Sep 2017 00:31:54 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 75AB740AC9; Fri, 15 Sep 2017 09:31:52 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.69]) by opfednr02.francetelecom.fr (ESMTP service) with ESMTP id 55A00120055; Fri, 15 Sep 2017 09:31:52 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILMA2.corporate.adroot.infra.ftgroup ([fe80::bc1c:ad2f:eda3:8c3d%18]) with mapi id 14.03.0361.001; Fri, 15 Sep 2017 09:31:52 +0200
From: <bruno.decraene@orange.com>
To: David Mandelberg <david@mandelberg.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUA==
Date: Fri, 15 Sep 2017 07:31:52 +0000
Message-ID: <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org>
In-Reply-To: <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4HqyUO3HFDmBMDUfCiemqKkIRcY>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 07:31:56 -0000

From nobody Fri Sep 15 08:56:54 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59AAB126BF3 for <secdir@ietfa.amsl.com>; Fri, 15 Sep 2017 08:56:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c8Y2AKglnYcV for <secdir@ietfa.amsl.com>; Fri, 15 Sep 2017 08:56:35 -0700 (PDT)
Received: from nm16-vm4.access.bullet.mail.gq1.yahoo.com (nm16-vm4.access.bullet.mail.gq1.yahoo.com [216.39.63.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CBF313352B for <secdir@ietf.org>; Fri, 15 Sep 2017 08:56:33 -0700 (PDT)
Received: from [216.39.60.166] by nm16.access.bullet.mail.gq1.yahoo.com with NNFMP; 15 Sep 2017 15:56:32 -0000
Received: from [98.138.226.244] by tm2.access.bullet.mail.gq1.yahoo.com with NNFMP; 15 Sep 2017 15:56:32 -0000
Received: from [127.0.0.1] by smtp115.sbc.mail.ne1.yahoo.com with NNFMP; 15 Sep 2017 15:56:32 -0000
X-Yahoo-Newman-Id: 555356.25303.bm@smtp115.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 59DCD1C60AB; Fri, 15 Sep 2017 11:56:31 -0400 (EDT)
To: bruno.decraene@orange.com
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
Date: Fri, 15 Sep 2017 11:56:29 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zufMM9ki-YttIz26bM2gh6nWzDc>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 15:56:36 -0000

On 09/15/2017 03:31 AM, bruno.decraene@orange.com wrote:
> Hi David,
> 
>> From: David Mandelberg [mailto:david@mandelberg.org]
>   > However, what about confidentiality? Does the extension make it easier
>   > for an attacker to read packets they wouldn't otherwise be able to read?
>   > (I'm not at all convinced the extension does have a problem there. I
>   > just think it's plausible enough that it would be nice to see an
>   > explanation of why it's not a problem.)
> 
> Regarding confidentiality, I can think of 3 things:
> a) This extension can introduce packet encapsulation. This does not affect whether the encapsulated packet was encrypted or whether the transport infrastructure provides encryption (e.g. MACSEC)
> b) Although this is not currently the case, this extension could be extended to advertise tunnels with encryption capability. In this case, the attacker could change the tunnel properties to remove the encryption
> c) Specific tunnels could be advertised in order to route packets over a specific link that an attacker is monitoring.
> 
> Do you think that some of these points would be worth mentioning? If so I could write some text to cover those.

I don't think (a) affects security at all, and I think (b) is probably 
out of scope for this document. For (b), I think the hypothetical 
document describing the encryption capability would have some work to do 
explaining how it's secure, but I don't see any reason to do that work 
in this document.

(c) is the one that I think is worth looking into. E.g., does this new 
extension make it easier for an attacker to route a packet across AS 
boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Fri Sep 15 09:02:27 2017
Return-Path: <rraszuk@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F959132F8F; Fri, 15 Sep 2017 09:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level: 
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BmLrc1gt0L0B; Fri, 15 Sep 2017 09:02:18 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8B7F1321A4; Fri, 15 Sep 2017 09:02:17 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id i189so9539522wmf.1; Fri, 15 Sep 2017 09:02:17 -0700 (PDT)
X-Received: by 10.28.55.209 with SMTP id e200mr3191134wma.72.1505491335773; Fri, 15 Sep 2017 09:02:15 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.151.75 with HTTP; Fri, 15 Sep 2017 09:02:15 -0700 (PDT)
In-Reply-To: <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 15 Sep 2017 18:02:15 +0200
X-Google-Sender-Auth: F_w9r6veEdQy5XIUHxV3qLH-TfI
Message-ID: <CA+b+ERmxR8z1nCfhQwfj9U9jBxuP63XjLMD_kCsySUxoQvGgQg@mail.gmail.com>
To: David Mandelberg <david@mandelberg.org>
Cc: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Content-Type: multipart/alternative; boundary="001a114436a848016805593c84a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BfpiUZ4wLn5cLy0C_vgQca0rOAo>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 16:02:20 -0000

--001a114436a848016805593c84a6
Content-Type: text/plain; charset="UTF-8"

David,

But how would an external attacker inject this information into OSPF?

Also note that this information is opaque to OSPF itself and it is highly
recommended that a set of policy rules (protecting from misuse or even
accidental mistakes) be applied to it when it reaches the destination code
(here the encapsulation and forwarding subsystem).

Thx,
R.

On Fri, Sep 15, 2017 at 5:56 PM, David Mandelberg <david@mandelberg.org>
wrote:

> On 09/15/2017 03:31 AM, bruno.decraene@orange.com wrote:
>
>> Hi David,
>>
>> From: David Mandelberg [mailto:david@mandelberg.org]
>>>
>>   > However, what about confidentiality? Does the extension make it easier
>>   > for an attacker to read packets they wouldn't otherwise be able to read?
>>   > (I'm not at all convinced the extension does have a problem there. I
>>   > just think it's plausible enough that it would be nice to see an
>>   > explanation of why it's not a problem.)
>>
>> Regarding confidentiality, I can think of 3 things:
>> a) This extension can introduce packet encapsulation. This does not
>> affect whether the encapsulated packet was encrypted or whether the transport
>> infrastructure provides encryption (e.g. MACSEC)
>> b) Although this is not currently the case, this extension could be
>> extended to advertise tunnels with encryption capability. In this case, the
>> attacker could change the tunnel properties to remove the encryption
>> c) Specific tunnels could be advertised in order to route packets over a
>> specific link that an attacker is monitoring.
>>
>> Do you think that some of these points would be worth mentioning? If so I
>> could write some text to cover those.
>>
>
> I don't think (a) affects security at all, and I think (b) is probably out
> of scope for this document. For (b), I think the hypothetical document
> describing the encryption capability would have some work to do explaining
> how it's secure, but I don't see any reason to do that work in this
> document.
>
> (c) is the one that I think is worth looking into. E.g., does this new
> extension make it easier for an attacker to route a packet across AS
> boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
>
>
> --
> Freelance cyber security consultant, software developer, and more
> https://david.mandelberg.org/
>


--001a114436a848016805593c84a6--
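
One way to express the kind of policy rules the message above recommends applying before the encapsulation and forwarding subsystem uses advertised tunnel information, as an added example that is not part of the thread or of the draft. The `TunnelAdvert` fields, the encapsulation labels and the prefixes are assumptions made for illustration and are not the draft's TLV encoding.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelAdvert:
    """Hypothetical, simplified view of one advertised tunnel.

    Assumption: field names and encapsulation labels are illustrative only;
    this is not the wire format defined by the draft.
    """
    advertising_router: str   # router ID of the originator
    endpoint: str             # advertised tunnel egress endpoint
    encap_type: str           # constructed label, e.g. "gre"


class EndpointPolicy:
    """Local policy evaluated before a tunnel reaches the forwarding plane."""

    def __init__(self, domain_prefixes, allowed_encaps):
        # Prefixes the operator considers part of the OSPF-routed domain.
        self.domain = [ipaddress.ip_network(p) for p in domain_prefixes]
        self.allowed_encaps = frozenset(allowed_encaps)

    def evaluate(self, advert):
        """Return (accepted, reason) for one advertisement."""
        try:
            ep = ipaddress.ip_address(advert.endpoint)
        except ValueError:
            return False, "malformed endpoint address"
        if ep.is_unspecified or ep.is_loopback or ep.is_multicast:
            return False, "endpoint is not a usable unicast address"
        if advert.encap_type not in self.allowed_encaps:
            return False, "encapsulation type not permitted by policy"
        # Question (c) in the thread: refuse endpoints outside the domain.
        if not any(ep.version == net.version and ep in net for net in self.domain):
            return False, "endpoint outside the OSPF-routed domain"
        return True, "ok"

    def partition(self, adverts):
        """Split adverts into accepted ones and (advert, reason) rejections."""
        accepted, rejected = [], []
        for advert in adverts:
            ok, reason = self.evaluate(advert)
            if ok:
                accepted.append(advert)
            else:
                rejected.append((advert, reason))
        return accepted, rejected


# Constructed policy and sample advertisements (documentation/private ranges).
POLICY = EndpointPolicy(
    domain_prefixes=["10.0.0.0/16", "2001:db8:1::/48"],
    allowed_encaps=["gre", "ipip"],
)

SAMPLE_ADVERTS = [
    TunnelAdvert("10.0.0.1", "10.0.1.1", "gre"),          # inside the domain
    TunnelAdvert("10.0.0.2", "203.0.113.7", "gre"),       # outside the domain
    TunnelAdvert("10.0.0.3", "2001:db8:1::5", "ipip"),    # inside, IPv6
    TunnelAdvert("10.0.0.4", "0.0.0.0", "gre"),           # unusable address
    TunnelAdvert("10.0.0.5", "10.0.2.9", "vxlan"),        # encap not allowed
    TunnelAdvert("10.0.0.6", "not-an-address", "gre"),    # malformed
]

if __name__ == "__main__":
    accepted, rejected = POLICY.partition(SAMPLE_ADVERTS)
    for advert in accepted:
        print("ACCEPT", advert.advertising_router, advert.endpoint)
    for advert, reason in rejected:
        # Rejections are worth logging: they point at misconfiguration or misuse.
        print("REJECT", advert.advertising_router, advert.endpoint, "-", reason)
```
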


From nobody Fri Sep 15 09:17:46 2017
To: Robert Raszuk <robert@raszuk.net>
Cc: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <CA+b+ERmxR8z1nCfhQwfj9U9jBxuP63XjLMD_kCsySUxoQvGgQg@mail.gmail.com>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <a922cb18-93f0-94ef-fa9a-59d7565fc836@mandelberg.org>
Date: Fri, 15 Sep 2017 12:17:34 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CA+b+ERmxR8z1nCfhQwfj9U9jBxuP63XjLMD_kCsySUxoQvGgQg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TqFuHcKGlCdP0jGAQjNt_mcKUVw>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

On 09/15/2017 12:02 PM, Robert Raszuk wrote:
> David,
> 
> But how would an external attacker inject this information into OSPF ?

By (partially) compromising a router, for example. I know an attacker 
with that capability can already do a lot of bad stuff, but it's not 
clear to me whether or not this extension gives them any additional 
capabilities.


> Also note that this information is opaque to OSPF itself and it is 
> highly recommended that set of policy rules (protecting from misuse or 
> even accidental mistakes) to be applied on it when reaching the 
> destination code (here encapsulation and forwarding subsystem).

That sounds like a simple and secure way to address my concerns. If the 
document already contains text recommending that local policy be used to 
prevent forwarding outside of the authorized network, then apologies for 
missing/forgetting it. If not, would you mind adding something to the 
security considerations about it?


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Fri Sep 15 09:28:49 2017
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.151.75 with HTTP; Fri, 15 Sep 2017 09:28:42 -0700 (PDT)
In-Reply-To: <a922cb18-93f0-94ef-fa9a-59d7565fc836@mandelberg.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <CA+b+ERmxR8z1nCfhQwfj9U9jBxuP63XjLMD_kCsySUxoQvGgQg@mail.gmail.com> <a922cb18-93f0-94ef-fa9a-59d7565fc836@mandelberg.org>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 15 Sep 2017 18:28:42 +0200
X-Google-Sender-Auth: RGDzIsqwIzhlwucCH9pk18kvgS0
Message-ID: <CA+b+ER=OfhDrEbCr2ewn8PVNcgbOJEJPkOYv4bPsw5WpGLZNjg@mail.gmail.com>
To: David Mandelberg <david@mandelberg.org>
Cc: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f16a2ec2d1005593ce2bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_qE4ahcVIElnu0XuDMDdtypYjP0>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

--f403045f16a2ec2d1005593ce2bc
Content-Type: text/plain; charset="UTF-8"

Hi David,

This draft inherits RFC 5565 security considerations so I was hoping this
would be sufficient. However I have no objection to add extra text directly
to this section 8 to recommend filtering/policy when flooded information is
passed to data plane explicitly listing the allowed range of encapsulation
destinations.

Thx,
R.


On Fri, Sep 15, 2017 at 6:17 PM, David Mandelberg <david@mandelberg.org>
wrote:

> On 09/15/2017 12:02 PM, Robert Raszuk wrote:
>
>> David,
>>
>> But how would an external attacker inject this information into OSPF ?
>>
>
> By (partially) compromising a router, for example. I know an attacker with
> that capability can already do a lot of bad stuff, but it's not clear to me
> whether or not this extension gives them any additional capabilities.
>
>
>> Also note that this information is opaque to OSPF itself and it is highly
>> recommended that set of policy rules (protecting from misuse or even
>> accidental mistakes) to be applied on it when reaching the destination code
>> (here encapsulation and forwarding subsystem).
>>
>
> That sounds like a simple and secure way to address my concerns. If the
> document already contains text recommending that local policy be used to
> prevent forwarding outside of the authorized network, then apologies for
> missing/forgetting it. If not, would you mind adding something to the
> security considerations about it?
>
>
>
> --
> Freelance cyber security consultant, software developer, and more
> https://david.mandelberg.org/
>

--f403045f16a2ec2d1005593ce2bc--
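
The policy agreed on in the exchange above (an explicit list of allowed encapsulation destinations, applied when flooded information is handed to the data plane) could be enforced as follows. This is an added example, not text from the draft or from any participant in the thread; the record fields, prefixes and sample advertisements are constructed, and the advertisements are assumed to be already decoded from the LSA.

```python
"""Local-policy filter for tunnel endpoints learned from flooded OSPF data.

Added illustration: field names, prefixes and sample data are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelAdvert:
    advertising_router: str  # router ID of the originator (hypothetical field)
    tunnel_type: str         # label only; not interpreted here
    endpoint: str            # tunnel endpoint address exactly as flooded


def compile_policy(prefixes):
    """Parse the operator's allow-list; a malformed prefix raises ValueError."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def check_endpoint(endpoint, policy):
    """Return (allowed, canonical_address_or_None, reason). Default is deny."""
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        return False, None, "malformed address"
    # Compare an IPv4-mapped IPv6 address as the IPv4 address it encodes,
    # so the IPv4 allow-list is applied to it as well.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if (addr.is_unspecified or addr.is_loopback
            or addr.is_multicast or addr.is_link_local):
        return False, str(addr), "not a routable unicast address"
    for net in policy:
        if addr in net:  # False when address families differ
            return True, str(addr), f"inside {net}"
    return False, str(addr), "outside allowed encapsulation destinations"


def filter_adverts(adverts, policy):
    """Split adverts into those safe to install and those to drop and log."""
    accepted, rejected = [], []
    for adv in adverts:
        ok, canonical, reason = check_endpoint(adv.endpoint, policy)
        if ok:
            accepted.append((adv, canonical))
        else:
            rejected.append((adv, reason))
    return accepted, rejected


# Constructed policy: the only destinations this router may encapsulate to.
POLICY = compile_policy(["192.0.2.0/24", "2001:db8:100::/48"])

# Constructed advertisements, as they might arrive from the OSPF subsystem.
SAMPLE_ADVERTS = [
    TunnelAdvert("10.0.0.1", "GRE", "192.0.2.10"),
    TunnelAdvert("10.0.0.2", "IP-in-IP", "2001:db8:100::7"),
    TunnelAdvert("10.0.0.3", "GRE", "198.51.100.9"),        # outside the network
    TunnelAdvert("10.0.0.3", "GRE", "::ffff:192.0.2.20"),   # IPv4-mapped form
    TunnelAdvert("10.0.0.4", "GRE", "192.0.2.999"),         # not an address
]

if __name__ == "__main__":
    ok, dropped = filter_adverts(SAMPLE_ADVERTS, POLICY)
    for adv, canonical in ok:
        print(f"install {adv.tunnel_type} to {canonical} (from {adv.advertising_router})")
    for adv, reason in dropped:
        print(f"drop    {adv.endpoint!r} from {adv.advertising_router}: {reason}")
```

Rejected entries are worth logging with the advertising router ID, since an endpoint outside the authorized range is either a misconfiguration or a sign that the originating router is not behaving as intended.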


From nobody Fri Sep 15 09:36:32 2017
To: Robert Raszuk <robert@raszuk.net>
Cc: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <CA+b+ERmxR8z1nCfhQwfj9U9jBxuP63XjLMD_kCsySUxoQvGgQg@mail.gmail.com> <a922cb18-93f0-94ef-fa9a-59d7565fc836@mandelberg.org> <CA+b+ER=OfhDrEbCr2ewn8PVNcgbOJEJPkOYv4bPsw5WpGLZNjg@mail.gmail.com>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <8fdd20ef-15ae-a735-778f-f087bbc2f63f@mandelberg.org>
Date: Fri, 15 Sep 2017 12:36:20 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CA+b+ER=OfhDrEbCr2ewn8PVNcgbOJEJPkOYv4bPsw5WpGLZNjg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1y3eyEDg0ZEwzuVCpAjzQ_P1sFA>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

Thanks!

On 09/15/2017 12:28 PM, Robert Raszuk wrote:
> Hi David,
> 
> This draft inherits RFC 5565 security considerations so I was hoping 
> this would be sufficient. However I have no objection to add extra text 
> directly to this section 8 to recommend filtering/policy when flooded 
> information is passed to data plane explicitly listing the allowed range 
> of encapsulation destinations.
> 
> Thx,
> R.
> 
> 
> On Fri, Sep 15, 2017 at 6:17 PM, David Mandelberg <david@mandelberg.org> wrote:
> 
>     On 09/15/2017 12:02 PM, Robert Raszuk wrote:
> 
>         David,
> 
>         But how would an external attacker inject this information into
>         OSPF ?
> 
> 
>     By (partially) compromising a router, for example. I know an
>     attacker with that capability can already do a lot of bad stuff, but
>     it's not clear to me whether or not this extension gives them any
>     additional capabilities.
> 
> 
>         Also note that this information is opaque to OSPF itself and it
>         is highly recommended that set of policy rules (protecting from
>         misuse or even accidental mistakes) to be applied on it when
>         reaching the destination code (here encapsulation and forwarding
>         subsystem).
> 
> 
>     That sounds like a simple and secure way to address my concerns. If
>     the document already contains text recommending that local policy be
>     used to prevent forwarding outside of the authorized network, then
>     apologies for missing/forgetting it. If not, would you mind adding
>     something to the security considerations about it?
> 
> 
> 
>     -- 
>     Freelance cyber security consultant, software developer, and more
>     https://david.mandelberg.org/
> 
> 


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Fri Sep 15 10:15:18 2017
From: "Black, David" <David.Black@dell.com>
Cc: The IESG <iesg@ietf.org>, secdir <secdir@ietf.org>, draft-ietf-tsvwg-ecn-experimentation all <draft-ietf-tsvwg-ecn-experimentation.all@ietf.org>, "Black, David" <David.Black@dell.com>
To: Hilarie Orman <hilarie@purplestreak.com>
Thread-Topic: Review of draft-ietf-tsvwg-ecn-experimentation-05
Thread-Index: AQHTLLr4WQvk51ntSUOPm3l8GZJ72KKzINLQ5YpUX6KaeLz84A==
Date: Fri, 15 Sep 2017 17:14:48 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FC54521@MX307CL04.corp.emc.com>
References: <201709131804.v8DI4QUh014123@rumpleteazer.rhmr.com> <CE03DB3D7B45C245BCA0D243277949362FC4F7BC@MX307CL04.corp.emc.com> <1607661178.655872.1505344305163.JavaMail.zimbra@purplestreak.com>
In-Reply-To: <1607661178.655872.1505344305163.JavaMail.zimbra@purplestreak.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.238.44.138]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd51.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JI3OR2joyRXx0nrUOOu_uvcvLMU>
Subject: Re: [secdir] Review of draft-ietf-tsvwg-ecn-experimentation-05

From nobody Sat Sep 16 21:21:28 2017
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net> <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
Date: Sat, 16 Sep 2017 21:21:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DWFnlXWiP1YtaIa_hAR_Nwt9wD4>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18

On 9/14/2017 4:22 AM, Carlos Pignataro (cpignata) wrote:
> ...
> it’s not uncommon to forget how broadly understood assumptions and design criteria for a document are, when being knee-deep in work. This is probably the case here, in which scope should have been more explicit.
>
> For completeness, the document is the document plus its context. A peek at the normatively-cited RFC 7665, SFC architecture, (or at the charter as part of a Directorate review) would have proactively reduced your concerns, leaving the editorial need to make it very clear and explicit in “the document” (as opposed to your initial reaction).
I did read RFC 7665. Before writing the initial review, and again now as
a refresher. Yes, RFC 7665 mentions an "administrative domain". But it
is also a very abstract document, leaving open many possibilities. And
it does contain the text about sharing metadata along a function path
that gave me pause: "For example, an external repository might provide
user/subscriber information to a service chain classifier. This
classifier could in turn impose that information in the SFC
encapsulation for delivery to the requisite SFs. The SFs could in turn
utilize the user/subscriber information for local policy decisions.
Metadata can also share SF output along the SFP." The draft translates
the architecture into practical protocol specification. It is good to
include at that stage concrete protections.
> OK, we can qualify the campus network with “controlled”, or frankly remove it or choose a different example. It is, after all, an example.
I saw the "controlled" addition in your text, but I don't quite
understand what a "controlled campus network" is. I understand that one
of the goals is to place a variety of functions in separate boxes
independently of topology, but if I was managing a campus network I
would much rather place these functions in controlled spaces like data
centers rather than, say, student dorms. Not all places on the campus
will be tightly controlled. It might be simpler to just not mention
these campus networks.
...
> How would you suggest this can be strengthened? We do add some relevant text based on the next comment.
>
>> The draft mentions using IPv4 or IPv6 as transport. It seems
>> that in that case there should be some ingress/egress filtering, as in
>> "packets originating outside the service domain must be dropped if they
>> contain an NSH," and similarly must be dropped on domain exit if they
>> contain an NSH.
>>
> This is a good suggestion. We can add some clarifying text after the first paragraph of the Security Considerations.
> This can take care of your previous comment as well.
I saw the text added in the latest draft. That's fine.

>> The new security section does provide a number of recommendations, such
>> as the obfuscation of metadata. That's definitely an improvement. But I
>> believe there are still issues.
>>
>> The first issue is that "Metadata privacy and security considerations
>> are a matter for the documents that define metadata format." That does
>> not give me a warm and fuzzy feeling at all. I understand that the
>> formats will be only registered "after IETF review", but these future
>> reviews would be much easier if the NSH mechanism defined at least a
>> baseline security posture, and maybe some generic mechanisms for
>> obfuscation or encryption.
> I do not know if future reviews might or might not be easier, since there would be a need for a reviewer to follow and read normative references, which practice shows not always happens... But, that aside, ease of future review for reviewers is not a design principle for NSH :-)
>
> That said, I agree that there is an opportunity to, without specifying, provide forward-looking guidance or references to potential work. We will add that in.

I see that you added references to "proof of transit" in draft-21. That,
and the reference to obfuscating subscriber info, certainly helps. It
seems that the security protection is based on three broad principles:

1) Encrypt the data in transit, using IPSEC or similar;

2) Obfuscate by default critical metadata such as subscriber info;

3) Encrypt some of the metadata.

That's not a bad posture, but I wish that you were explicit about the
threats. I am somewhat concerned that the "administrative domain"
approach leads to complacency, as in "my domain is secure, I am only
concerned with external leakage". I think it would be good to point at
explicit threats. Encrypt in transit addresses one type of threats,
adversaries tapping conduits to observe the data. But how about hacking
into an SFF? Or providing a "free" function that pays for itself by
collecting the meta-data? These all go into the idea that in a complex
system, it is good to compartment who routinely sees what information.
That's the rationale motivating obfuscation and other such techniques,
and it would be nice to be explicit about it.

>
>> The second issue is that the security section provides recommendations
>> about solutions, but does not analyze the threats. In particular, one of
>> the threats that I find worrisome is, what happens if a specific
>> function in a service chain gets subverted?
> If a firewall or a router gets subverted, we likely have bigger problems. More below.
Maybe. Maybe not. What if an intrusion detection system gets subverted?
What if an accounting system gets subverted? You hope that the intrusion
will be detected shortly, but principles like "least privilege" are a
good way to provide defense in depth and minimize the damage during the
early stages of the intrusion.



>> I may be paranoid, but there is already a history of adversaries
>> attacking complex systems like data centers, network control systems or
>> corporate networks, not to mention campus networks. These adversaries
>> typically proceed by lateral movement after an initial penetration until
>> they get closer to their actual target inside the domain. I can see an
>> adversary trying to penetrate one of these domains in order to access
>> the metadata. In our case, it would try to find a weak link in the
>> service function chain. It may be that one of the functions is deemed
>> benign, and thus was less secured than the others. But if all functions
>> see the metadata, then the adversaries will achieve their goal by
>> targeting that weak link. Some application of the "least privilege"
>> principle would be useful there.
> See above. Not all functions see the metadata, if so desired. For example, all SFFs do not see any metadata if the transport uses existing proven encryption techniques, IPsec, TLS, etc.

Yes. Somehow stating that and explaining why it matters would be nice.

-- Christian Huitema
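
The ingress/egress rule discussed above ("packets originating outside the service domain must be dropped if they contain an NSH", and likewise on domain exit), as an added Python sketch that is not part of the original thread or of the draft. It assumes untagged Ethernet frames and recognises NSH only directly over Ethernet (EtherType 0x894F) or inside IPv4/GRE; the interface roles, function names and sample frames are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_NSH = 0x894F   # EtherType assigned to NSH; GRE reuses EtherTypes as protocol type
IPPROTO_GRE = 47
ETH_HLEN = 14


def carries_nsh(frame: bytes) -> bool:
    """True if the frame carries NSH over Ethernet or over IPv4/GRE."""
    if len(frame) < ETH_HLEN:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_NSH:
        return True
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ETH_HLEN + 20:
        return False
    ver_ihl = frame[ETH_HLEN]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return False
    if frame[ETH_HLEN + 9] != IPPROTO_GRE:
        return False
    (flags_frag,) = struct.unpack_from("!H", frame, ETH_HLEN + 6)
    if flags_frag & 0x1FFF:
        # Non-first fragment: no GRE header to inspect. A real boundary
        # device has to reassemble or apply a separate fragment policy.
        return False
    gre = ETH_HLEN + ihl
    if len(frame) < gre + 4:
        return False
    (proto,) = struct.unpack_from("!H", frame, gre + 2)
    return proto == ETHERTYPE_NSH


def boundary_verdict(frame: bytes, in_role: str, out_role: str) -> str:
    """Roles are 'internal' (inside the service domain) or 'external'.

    NSH must never cross the domain edge in either direction."""
    if carries_nsh(frame) and "external" in (in_role, out_role):
        return "drop"
    return "forward"


# --- constructed sample frames (not captured traffic) ---
def eth(ethertype: int, payload: bytes) -> bytes:
    dst, src = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    return dst + src + struct.pack("!H", ethertype) + payload


def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


NSH_PLACEHOLDER = bytes(8)  # stands in for the NSH header; contents not parsed here
NSH_OVER_ETH = eth(ETHERTYPE_NSH, NSH_PLACEHOLDER)
NSH_OVER_GRE = eth(ETHERTYPE_IPV4,
                   ipv4(IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_NSH) + NSH_PLACEHOLDER))
PLAIN_TCP = eth(ETHERTYPE_IPV4, ipv4(6, bytes(20)))

if __name__ == "__main__":
    for name, frame in [("nsh/eth", NSH_OVER_ETH), ("nsh/gre", NSH_OVER_GRE),
                        ("tcp", PLAIN_TCP)]:
        print(name, boundary_verdict(frame, "external", "internal"))
```

Other encapsulations, VLAN tags and IPv6 transport would each need their own branch in `carries_nsh`; anything the filter cannot recognise passes, so the edge still depends on the transport encryption discussed in the thread.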


From nobody Sun Sep 17 00:51:20 2017
Return-Path: <randy@psg.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280A2132403; Sun, 17 Sep 2017 00:51:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level: 
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKZTN_9vcRvg; Sun, 17 Sep 2017 00:51:05 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A0681320B5; Sun, 17 Sep 2017 00:51:05 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1dtUM0-0003uJ-QD; Sun, 17 Sep 2017 07:51:01 +0000
Date: Sun, 17 Sep 2017 16:50:57 +0900
Message-ID: <m2shfl4vby.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Christian Huitema <huitema@huitema.net>
Cc: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
In-Reply-To: <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net> <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com> <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.2 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0Jt-Eb0dr7QbO5-2Nrc287EcNMU>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 07:51:06 -0000

> 1) Encrypt the data in transit, using IPSEC or similar;

like this is gonna happen.  this is the secdir pacifier.

> That's not a bad posture, but I wish that you were explicit about the
> threats. I am somewhat concerned that the "administrative domain"
> approach leads to complacency, as in "my domain is secure, I am only
> concerned with external leakage".

there is common talk about pushing some services in a chain to the
cloud, aka other people's computers.

randy


From nobody Sun Sep 17 05:04:38 2017
Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70C7133187; Sun, 17 Sep 2017 05:04:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyUvu9Ae7-Co; Sun, 17 Sep 2017 05:04:16 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11B231330AE; Sun, 17 Sep 2017 05:04:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id E0A3E1C5B4B; Sun, 17 Sep 2017 05:04:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1505649855; bh=sTJ3iYeZVVt/WLg0enTfDoF1xc9a/iAl5YMDf6wLZac=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=dj4bct7yuK2/InRNKwd6ISUngh6afnKKoTJuUZp1gJ0F5X+/5IZUEK9H4+A41KT/G N78b+KyKqrIBeEVzeVXjYN59/kVqvhaxzkosZcuWf908oC+xjHwaciv3F0dC3sJRmp HNyn6hFfBl9Ba97VS/W7kaMIeFoMTY2OO1f+gofA=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 26D1A1C01F2; Sun, 17 Sep 2017 05:04:14 -0700 (PDT)
To: Christian Huitema <huitema@huitema.net>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
Cc: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "draft-ietf-sfc-nsh.all@ietf.org" <draft-ietf-sfc-nsh.all@ietf.org>
References: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net> <C53DE35A-4043-46A5-8525-FF273F205971@cisco.com> <3dca9d3d-de38-602c-222f-e111ae7d16a0@huitema.net> <C0C0D8D1-0D23-4AC4-94B1-9F10C6D93A46@cisco.com> <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <a68b9d9d-0a85-5a4e-c12e-8928806d730d@joelhalpern.com>
Date: Sun, 17 Sep 2017 08:04:13 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <51afed5d-f1c7-00ef-3c6e-71035d315e8d@huitema.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/17h8jftTMxqUzyqBciEiUheFJk4>
Subject: Re: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 12:04:18 -0000

If removing the two references to Campus networks would help, we can do
that.  Deployment in a campus (as distinct from the DC within campus) is
indeed more complex.

With regard to threats, a lot of the reason I have trouble with
providing good answers is that a service function that stores the
metadata for later analysis is perfectly legitimate.  If the operator
contract with the SF provider is that the provider gets the metadata the
service function sees, that is the operator's choice.  Given that SFs have
to be able to get at whatever metadata they need, the protocol can not
inherently prevent that. People have suggested in Internet-Drafts
mechanisms whereby the SFF trim and restore the metadata sets.  That
does not actually prevent this, it merely adds the complication that the
operator has to configure what is allowed where.  If their contract for
a given SF says that it gets all the metadata, it will get all the metadata.
The one piece we can do is that personally identifying metadata can be 
obfuscated, preferably by indirection.  We should however recognize that 
the indirection will be known to the operator, and if they choose to 
reveal it by other means we can not prevent that.

Yours,
Joel

On 9/17/17 12:21 AM, Christian Huitema wrote:
> 
> 
> On 9/14/2017 4:22 AM, Carlos Pignataro (cpignata) wrote:
>> ...
>> it’s not uncommon to forget how broadly understood assumptions and design criteria for a document are, when being knee-deep in work. This is probably the case here, in which scope should have been more explicit.
>>
>> For completeness, the document is the document plus its context. A peek at the normatively-cited RFC 7665, SFC architecture, (or at the charter as part of a Directorate review) would have proactively reduced your concerns, leaving the editorial need to make it very clear and explicit in “the document” (as opposed to your initial reaction).
> I did read RFC 7665. Before writing the initial review, and again now as
> a refresher. Yes, RFC 7665 mentions an "administrative domain". But it
> is also a very abstract document, leaving open many possibilities. And
> it does contain the text about sharing metadata along a function path
> that gave me pause: "For example, an external repository might provide
> user/subscriber information to a service chain classifier. This
> classifier could in turn impose that information in the SFC
> encapsulation for delivery to the requisite SFs. The SFs could in turn
> utilize the user/subscriber information for local policy decisions.
> Metadata can also share SF output along the SFP." The draft translates
> the architecture into practical protocol specification. It is good to
> include at that stage concrete protections.
>> OK, we can qualify the campus network with “controlled”, or frankly remove it or choose a different example. It is, after all, an example.
> I saw the "controlled" addition in your text, but I don't quite
> understand what a "controlled campus network" is. I understand that one
> of the goals is to place a variety of functions in separate boxes
> independently of topology, but if I was managing a campus network I
> would much rather place these functions in controlled spaces like data
> centers rather than, say, student dorms. Not all places on the campus
> will be tightly controlled. It might be simpler to just not mention
> these campus networks.
> ...
>> How would you suggest this can be strengthened? We do add some relevant text based on the next comment.
>>
>>> The draft mentions using IPv4 or IPv6 as transport. It seems
>>> that in that case there should be some ingress/egress filtering, as in
>>> "packets originating outside the service domain must be dropped if they
>>> contain an NSH," and similarly must be dropped on domain exit if they
>>> contain an NSH.
>>>
>> This is a good suggestion. We can add some clarifying text after the first paragraph of the Security Considerations.
>> This can take care of your previous comment as well.
> I saw the text added in the latest draft. That's fine.
> 
>>> The new security section does provide a number of recommendations, such
>>> as the obfuscation of metadata. That's definitely an improvement. But I
>>> believe there are still issues.
>>>
>>> The first issue is that "Metadata privacy and security considerations
>>> are a matter for the documents that define metadata format." That does
>>> not give me a warm and fuzzy feeling at all. I understand that the
>>> formats will be only registered "after IETF review", but these future
>>> reviews would be much easier if the NSH mechanism defined at least a
>>> baseline security posture, and maybe some generic mechanisms for
>>> obfuscation or encryption.
>> I do not know if future reviews might or might not be easier, since there would be a need for a reviewer to follow and read normative references, which practice shows not always happens... But, that aside, ease of future review for reviewers is not a design principle for NSH :-)
>>
>> That said, I agree that there is an opportunity to, without specifying, provide forward-looking guidance or references to potential work. We will add that in.
> 
> I see that you added references to "proof of transit" in draft-21. That,
> and the reference to obfuscating subscriber info, certainly helps. It
> seems that the security protection is based on three broad principles:
> 
> 1) Encrypt the data in transit, using IPSEC or similar;
> 
> 2) Obfuscate by default critical metadata such as subscriber info;
> 
> 3) Encrypt some of the metadata.
> 
> That's not a bad posture, but I wish that you were explicit about the
> threats. I am somewhat concerned that the "administrative domain"
> approach leads to complacency, as in "my domain is secure, I am only
> concerned with external leakage". I think it would be good to point at
> explicit threats. Encrypt in transit addresses one type of threats,
> adversaries tapping conduits to observe the data. But how about hacking
> into an SFF? Or providing a "free" function that pays for itself by
> collecting the meta-data? These all go into the idea that in a complex
> system, it is good to compartment who routinely sees what information.
> That's the rationale motivating obfuscation and other such techniques,
> and it would be nice to be explicit about it.
> 
>>
>>> The second issue is that the security section provides recommendations
>>> about solutions, but does not analyze the threats. In particular, one of
>>> the threats that I find worrisome is, what happens if a specific
>>> function in a service chain gets subverted?
>> If a firewall or a router gets subverted, we likely have bigger problems. More below.
> Maybe. Maybe not. What if an intrusion detection system gets subverted?
> What if an accounting system gets subverted? You hope that the intrusion
> will be detected shortly, but principles like "least privilege" are a
> good way to provide defense in depth and minimize the damage during the
> early stages of the intrusion.
> 
> 
> 
>>> I may be paranoid, but there is already a history of adversaries
>>> attacking complex systems like data centers, network control systems or
>>> corporate networks, not to mention campus networks. These adversaries
>>> typically proceed by lateral movement after an initial penetration until
>>> they get closer to their actual target inside the domain. I can see an
>>> adversary trying to penetrate one of these domains in order to access
>>> the metadata. In our case, it would try to find a weak link in the
>>> service function chain. It may be that one of the functions is deemed
>>> benign, and thus was less secured than the others. But if all functions
>>> see the metadata, then the adversaries will achieve their goal by
>>> targeting that weak link. Some application of the "least privilege"
>>> principle would be useful there.
>> See above. Not all functions see the metadata, if so desired. For example, all SFFs do not see any metadata if the transport uses existing proven encryption techniques, IPsec, TLS, etc.
> 
> Yes. Somehow stating that and explaining why it matters would be nice.
> 
> -- Christian Huitema
> 
> 
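
The two mechanisms named in the message above, an SFF that trims and restores metadata per service function and subscriber identity obfuscated by indirection, as an added Python sketch that is not part of the original thread or of any Internet-Draft. The metadata keys, function names and policies are hypothetical; the second policy shows the limit stated above, that an SF configured to receive all the metadata receives all of it.

```python
import secrets


class SubscriberDirectory:
    """Operator-held indirection table: opaque reference <-> subscriber id."""

    def __init__(self):
        self._ref_to_sub = {}
        self._sub_to_ref = {}

    def ref_for(self, subscriber_id):
        ref = self._sub_to_ref.get(subscriber_id)
        if ref is None:
            ref = secrets.token_hex(8)
            self._sub_to_ref[subscriber_id] = ref
            self._ref_to_sub[ref] = subscriber_id
        return ref

    def resolve(self, ref):
        return self._ref_to_sub[ref]


class Forwarder:
    """SFF that hands each SF only the metadata keys its policy allows."""

    def __init__(self, policy):
        self.policy = policy  # SF name -> set of permitted metadata keys

    def deliver(self, sf_name, sf, metadata):
        allowed = self.policy.get(sf_name, frozenset())
        visible = {k: v for k, v in metadata.items() if k in allowed}
        returned = sf(dict(visible)) or {}
        # Restore what was withheld, untouched, then accept the SF's output
        # only for keys it was allowed to handle.
        merged = {k: v for k, v in metadata.items() if k not in allowed}
        merged.update({k: v for k, v in returned.items() if k in allowed})
        return merged


def ids(md):
    md["ids_verdict"] = "clean"
    return md


def run_chain(policy, subscriber_id="alice@example.net"):
    """Run classifier -> ids -> analytics -> accounting under one policy."""
    directory = SubscriberDirectory()
    seen_by_analytics, billed = [], []

    def analytics(md):          # stores whatever metadata it is shown
        seen_by_analytics.append(dict(md))
        return md

    def accounting(md):         # operator's own SF, may use the directory
        billed.append(directory.resolve(md["subscriber_ref"]))
        return md

    # Classifier imposes an opaque reference, never the subscriber id itself.
    metadata = {"subscriber_ref": directory.ref_for(subscriber_id),
                "app_class": "video"}
    sff = Forwarder(policy)
    for name, sf in [("ids", ids), ("analytics", analytics),
                     ("accounting", accounting)]:
        metadata = sff.deliver(name, sf, metadata)
    return seen_by_analytics, billed, metadata


STRICT = {"ids": {"app_class", "ids_verdict"},
          "analytics": {"app_class"},
          "accounting": {"subscriber_ref"}}
# Contract says analytics gets everything: trimming no longer helps,
# only the indirection still hides the subscriber id.
PERMISSIVE = dict(STRICT, analytics={"subscriber_ref", "app_class", "ids_verdict"})

if __name__ == "__main__":
    for label, policy in [("strict", STRICT), ("permissive", PERMISSIVE)]:
        seen, billed, final = run_chain(policy)
        print(label, "analytics saw:", sorted(seen[0]), "billed:", billed)
```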


From nobody Sun Sep 17 12:32:17 2017
Return-Path: <joe@salowey.net>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B4D813331E; Sun, 17 Sep 2017 12:32:04 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Joseph Salowey <joe@salowey.net>
To: <secdir@ietf.org>
Cc: opsawg@ietf.org, iesg@ietf.org, draft-ietf-opsawg-service-model-explained.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.61.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150567672431.672.1037086780979343658@ietfa.amsl.com>
Date: Sun, 17 Sep 2017 12:32:04 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rTkRuHGDUIab8T5_7E4rzB1Eyb0>
Subject: [secdir] Secdir last call review of draft-ietf-opsawg-service-model-explained-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Sep 2017 19:32:04 -0000

Reviewer: Joseph Salowey
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is the document is ready for publication.

I think the document could be improved slightly by touching on the fact that
the service models themselves may involve security parameters.  You could add a
sentence to the security considerations section following the last sentence:

"The service model should expose security related parameters where they are
available to the customer."

Cheers,

Joe


From nobody Sun Sep 17 19:26:55 2017
Return-Path: <afarrel@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F1613247A; Sun, 17 Sep 2017 19:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mAar6Io_NVl; Sun, 17 Sep 2017 19:26:41 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0121.outbound.protection.outlook.com [104.47.33.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFEE413234B; Sun, 17 Sep 2017 19:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fY9fu9wmD+9EVGLnXBy77whHmwUu1eKuGK69Q4FYwQ8=; b=Ubd+LwdYuwvln2FMmM/SwtXrzpi6EQjjEoKobokW1kSc2LoNTB3P7xxAEpITvBB2sWDvwQn0q8ooHl7BRkxUEZxPswebFtEaPNWsIshALpndIrZJiAPEdfZpv2EO0uOCoZucTwu3Z5iAzivhhWZLsgSG16YjTkYb+ssCqIz6GQs=
Received: from CO2PR05MB971.namprd05.prod.outlook.com (10.141.226.17) by CO2PR05MB764.namprd05.prod.outlook.com (10.141.227.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.5; Mon, 18 Sep 2017 02:26:38 +0000
Received: from CO2PR05MB971.namprd05.prod.outlook.com ([10.141.226.17]) by CO2PR05MB971.namprd05.prod.outlook.com ([10.141.226.17]) with mapi id 15.20.0077.008; Mon, 18 Sep 2017 02:26:38 +0000
From: Adrian Farrel <afarrel@juniper.net>
To: Joseph Salowey <joe@salowey.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "opsawg@ietf.org" <opsawg@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-opsawg-service-model-explained.all@ietf.org" <draft-ietf-opsawg-service-model-explained.all@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-opsawg-service-model-explained-03
Thread-Index: AQHTL+umKROSgFAImUSAR1bBXyKHlqK56xUQ
Date: Mon, 18 Sep 2017 02:26:38 +0000
Message-ID: <CO2PR05MB971CF6A13B561BB067834C0BB630@CO2PR05MB971.namprd05.prod.outlook.com>
References: <150567672431.672.1037086780979343658@ietfa.amsl.com>
In-Reply-To: <150567672431.672.1037086780979343658@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=afarrel@juniper.net; 
x-originating-ip: [116.197.184.13]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: d38af553-e7ee-4bb0-5add-08d4fe3cb0be
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CO2PR05MB764; 
x-ms-traffictypediagnostic: CO2PR05MB764:
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-microsoft-antispam-prvs: <CO2PR05MB764880F6C295B1423B21335BB630@CO2PR05MB764.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(100000703101)(100105400095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041248)(20161123555025)(20161123558100)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123564025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CO2PR05MB764; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CO2PR05MB764; 
x-forefront-prvs: 04347F8039
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(376002)(346002)(39860400002)(13464003)(189002)(199003)(99286003)(189998001)(25786009)(3280700002)(55016002)(54906002)(6116002)(3846002)(106356001)(102836003)(105586002)(9686003)(14454004)(8936002)(53936002)(97736004)(68736007)(86362001)(8676002)(3660700001)(81156014)(81166006)(478600001)(316002)(2906002)(229853002)(4326008)(33656002)(7696004)(305945005)(5660300001)(101416001)(6246003)(7736002)(66066001)(50986999)(76176999)(53546010)(54356999)(230783001)(77096006)(2950100002)(6436002)(6506006)(2501003)(74316002)(2900100001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR05MB764; H:CO2PR05MB971.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2017 02:26:38.2059 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR05MB764
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IQlNrjC7dr_J2jtdFkuidcvLTLs>
Subject: Re: [secdir] Secdir last call review of draft-ietf-opsawg-service-model-explained-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2017 02:26:43 -0000

From nobody Mon Sep 18 02:08:42 2017
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7563113420E; Mon, 18 Sep 2017 02:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level: 
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TciFrxKlSpiT; Mon, 18 Sep 2017 02:08:33 -0700 (PDT)
Received: from relais-inet.orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ECBF132932; Mon, 18 Sep 2017 02:08:33 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) by opfednr21.francetelecom.fr (ESMTP service) with ESMTP id 8F924C0204; Mon, 18 Sep 2017 11:08:31 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.34]) by opfednr02.francetelecom.fr (ESMTP service) with ESMTP id 6FBFA120063; Mon, 18 Sep 2017 11:08:31 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILM6F.corporate.adroot.infra.ftgroup ([fe80::bd00:88f8:8552:3349%17]) with mapi id 14.03.0361.001; Mon, 18 Sep 2017 11:08:31 +0200
From: <bruno.decraene@orange.com>
To: David Mandelberg <david@mandelberg.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAAcJiAgARhUyA=
Date: Mon, 18 Sep 2017 09:08:30 +0000
Message-ID: <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
In-Reply-To: <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-jXzeXwpkquzg5xsLksl5nUTgqQ>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-List-Received-Date: Mon, 18 Sep 2017 09:08:35 -0000

From nobody Mon Sep 18 12:30:01 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F4CE1321D8 for <secdir@ietfa.amsl.com>; Mon, 18 Sep 2017 12:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUEgPFahXkw8 for <secdir@ietfa.amsl.com>; Mon, 18 Sep 2017 12:29:52 -0700 (PDT)
Received: from nm25-vm8.access.bullet.mail.gq1.yahoo.com (nm25-vm8.access.bullet.mail.gq1.yahoo.com [216.39.63.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E10F132320 for <secdir@ietf.org>; Mon, 18 Sep 2017 12:29:50 -0700 (PDT)
Received: from [216.39.60.169] by nm25.access.bullet.mail.gq1.yahoo.com with NNFMP; 18 Sep 2017 19:29:50 -0000
Received: from [98.138.39.79] by tm5.access.bullet.mail.gq1.yahoo.com with NNFMP; 18 Sep 2017 19:29:50 -0000
Received: from [127.0.0.1] by smtp115.sbc.mail.ne1.yahoo.com with NNFMP; 18 Sep 2017 19:29:49 -0000
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id D2F011C60A5; Mon, 18 Sep 2017 15:29:48 -0400 (EDT)
To: bruno.decraene@orange.com
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org>
Date: Mon, 18 Sep 2017 15:29:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UCiTn3w355a2g-WYPIksigJnQho>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-List-Received-Date: Mon, 18 Sep 2017 19:29:53 -0000

On 09/18/2017 05:08 AM, bruno.decraene@orange.com wrote:
>   > (c) is the one that I think is worth looking into. E.g., does this new
>   > extension make it easier for an attacker to route a packet across AS
>   > boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
>   
> No. The following text already prohibits even more than this:
> 
> "  A tunnel MUST NOT be
>        used if there is no route toward the IP address specified in the
>        Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or if the route is
>        not advertised by the router advertising this Tunnel Sub-TLV."
> 
> - By definition, this Tunnel Sub-TLV is advertised in OSPF i.e. from within the AS.
> - The text also prohibits setting a tunnel endpoint to another router within the AS.
> 
> 
> That being said, within the AS, the point "c" still applies.
> However, thinking twice, the probability is even more limited. Indeed, one can only advertise a tunnel to itself. Assuming that the third party can't control the whole routing topology (i.e. routing advertisement from most core routers), it cannot control the path followed by the tunnel. Hence it would need to have monitoring capabilities on specific links that it cannot choose. (the link on the path to itself).
> Plus this risk is not new, as the third party could already advertise the destination IP address of the packets (or of the BGP Next-hop of the BGP route matching the packet destination), without using any tunnel.
> In conclusion, although I could be wrong, I'm not seeing such new risk. (again, assuming that a third party can modify the OSPF routing is a big assumption).
> 
> But the discussion was useful, thanks for the comments.

That explanation is great, thank you. I hadn't realized the implications 
of the paragraph you quoted, when I initially read it. I'm convinced 
that there isn't a security issue here, but it would be nice to see your 
explanation in the document itself, if it's not already obvious to 
anybody who knows OSPF better than I do.

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Tue Sep 19 00:18:49 2017
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D4A126DFE; Tue, 19 Sep 2017 00:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.398
X-Spam-Level: 
X-Spam-Status: No, score=-5.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AuCLBgFGeoBA; Tue, 19 Sep 2017 00:18:45 -0700 (PDT)
Received: from relais-inet.orange.com (mta135.mail.business.static.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15605132620; Tue, 19 Sep 2017 00:18:45 -0700 (PDT)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 3E173404E9; Tue, 19 Sep 2017 09:18:43 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.66]) by opfednr03.francetelecom.fr (ESMTP service) with ESMTP id 215021A0065; Tue, 19 Sep 2017 09:18:43 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILMA1.corporate.adroot.infra.ftgroup ([fe80::95e2:eb4b:3053:fabf%19]) with mapi id 14.03.0361.001; Tue, 19 Sep 2017 09:18:42 +0200
From: <bruno.decraene@orange.com>
To: David Mandelberg <david@mandelberg.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAFhL03gADEpyA=
Date: Tue, 19 Sep 2017 07:18:42 +0000
Message-ID: <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org>
In-Reply-To: <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/k6RXSvX2801dOUxNN9FSUN6SRS0>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-List-Received-Date: Tue, 19 Sep 2017 07:18:47 -0000

From nobody Tue Sep 19 00:52:05 2017
Return-Path: <rraszuk@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFA7F1342C8; Tue, 19 Sep 2017 00:51:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Level: 
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G7puUJotRXgb; Tue, 19 Sep 2017 00:51:49 -0700 (PDT)
Received: from mail-wr0-x232.google.com (mail-wr0-x232.google.com [IPv6:2a00:1450:400c:c0c::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B08413306A; Tue, 19 Sep 2017 00:51:49 -0700 (PDT)
Received: by mail-wr0-x232.google.com with SMTP id c23so2288281wrg.9; Tue, 19 Sep 2017 00:51:49 -0700 (PDT)
X-Received: by 10.223.164.206 with SMTP id h14mr519110wrb.25.1505807507411; Tue, 19 Sep 2017 00:51:47 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 10.28.151.75 with HTTP; Tue, 19 Sep 2017 00:51:46 -0700 (PDT)
In-Reply-To: <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org> <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup>
From: Robert Raszuk <robert@raszuk.net>
Date: Tue, 19 Sep 2017 09:51:46 +0200
X-Google-Sender-Auth: JKb6aDY-O8d8RLLzGV--zBEgRDw
Message-ID: <CA+b+ERneJBn_jJgDYZ+dQbb6CaLP_3xy14w4hhBWYKHkSBHnGA@mail.gmail.com>
To: bruno.decraene@orange.com
Cc: iesg@ietf.org, David Mandelberg <david@mandelberg.org>,  "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>,  "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f16a2945acf05598621de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CAqMY3tlcbnlKNuJcHalAtFPjII>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-List-Received-Date: Tue, 19 Sep 2017 07:51:52 -0000

--f403045f16a2945acf05598621de
Content-Type: text/plain; charset="UTF-8"

Please replace AS with Administrative Domain.

If I have three ASes there should be no artificial limits prohibiting encap
to my central collector.

Thx
R

On Sep 19, 2017 08:18, <bruno.decraene@orange.com> wrote:

> > From: David Mandelberg [mailto:david@mandelberg.org]
> > Sent: Monday, September 18, 2017 9:30 PM
> >
> > On 09/18/2017 05:08 AM, bruno.decraene@orange.com wrote:
> > >   > (c) is the one that I think is worth looking into. E.g., does this new
> > >   > extension make it easier for an attacker to route a packet across AS
> > >   > boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
> > >
> > > No. The following text already prohibits even more than this:
> > >
> > > "  A tunnel MUST NOT be
> > >        used if there is no route toward the IP address specified in the
> > >        Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or if the route is
> > >        not advertised by the router advertising this Tunnel Sub-TLV."
> > >
> > > - By definition, this Tunnel Sub-TLV is advertised in OSPF i.e. from within the AS.
> > > - The text also prohibits setting a tunnel endpoint to another router within the AS.
> > >
> > >
> > > That being said, within the AS, the point "c" still applies.
> > > However, thinking twice, the probability is even more limited. Indeed, one can only advertise a tunnel to itself. Assuming that the third party can't control the whole routing topology (i.e. routing advertisement from most core routers), it cannot control the path followed by the tunnel. Hence it would need to have monitoring capabilities on specific links that it cannot choose. (the link on the path to itself).
> > > Plus this risk is not new, as the third party could already advertise the destination IP address of the packets (or of the BGP Next-hop of the BGP route matching the packet destination), without using any tunnel.
> > > In conclusion, although I could be wrong, I'm not seeing such new risk. (again, assuming that a third party can modify the OSPF routing is a big assumption).
> > >
> > > But the discussion was useful, thanks for the comments.
> >
> > That explanation is great, thank you. I hadn't realized the implications
> > of the paragraph you quoted, when I initially read it. I'm convinced
> > that there isn't a security issue here, but it would be nice to see your
> > explanation in the document itself, if it's not already obvious to
> > anybody who knows OSPF better than I do.
>
> I've just added the following text in the security section of my local version:
> "We note that the last paragraph of <xref target="Operation"/> forbid the
> establishment of a tunnel toward arbitrary destinations. It prohibits a
> destination outside of the Autonomous System and also to other routers
> within the AS. This avoid that a third-party gaining access to an OSPF
> router be able to send the traffic to other destinations, for e.g.
> inspection purposes. "
>
> Feel free to comment/propose other text.
>
> Since I've just published -08 a few hours ago, I'll probably delay the upload of this new update.
>
> --Bruno
>
>
> > --
> > Freelance cyber security consultant, software developer, and more
> > https://david.mandelberg.org/
>

--f403045f16a2945acf05598621de--
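
The rule quoted in this thread ("A tunnel MUST NOT be used if there is no route toward the IP address specified in the Endpoint Sub-TLV ... or if the route is not advertised by the router advertising this Tunnel Sub-TLV") and the proposed security-section text can be read as a per-advertisement check on the receiving router. The sketch below is an added example, not code from the draft or from any poster; the `Route` and `TunnelAdv` types, the longest-prefix-match reading of "the route", and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: str      # prefix learned through OSPF
    advertiser: str  # router ID that originated the prefix


class TunnelAdv(NamedTuple):
    advertiser: str  # router ID that originated the Tunnel Sub-TLV
    endpoint: str    # address carried in the Endpoint Sub-TLV


def tunnel_usable(adv, routes):
    """Apply the quoted MUST NOT rule to one tunnel advertisement.

    Returns (usable, reason). Assumption: "the route" means the
    longest-prefix match for the endpoint in the OSPF-learned table.
    """
    endpoint = ipaddress.ip_address(adv.endpoint)
    covering = []
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if net.version == endpoint.version and endpoint in net:
            covering.append((net, route.advertiser))

    # First half of the rule: no route toward the endpoint at all.
    if not covering:
        return False, "no route toward endpoint"

    # Second half: the best route must come from the same router that
    # advertised the tunnel. A shorter covering prefix from that router
    # does not count when another router owns a more specific one.
    best_len = max(net.prefixlen for net, _ in covering)
    owners = {rid for net, rid in covering if net.prefixlen == best_len}
    if adv.advertiser not in owners:
        return False, "route not advertised by tunnel advertiser"
    return True, "ok"


# Constructed OSPF view: three routers with /32 loopbacks, plus an
# aggregate originated by 192.0.2.2. Router IDs equal the loopbacks.
ROUTES = [
    Route("192.0.2.1/32", "192.0.2.1"),
    Route("192.0.2.2/32", "192.0.2.2"),
    Route("192.0.2.3/32", "192.0.2.3"),
    Route("192.0.2.0/24", "192.0.2.2"),
]

# Constructed advertisements covering the cases discussed in the thread.
ADVERTISEMENTS = {
    "to itself": TunnelAdv("192.0.2.1", "192.0.2.1"),
    "outside the OSPF-routed network": TunnelAdv("192.0.2.3", "203.0.113.50"),
    "to another router": TunnelAdv("192.0.2.3", "192.0.2.2"),
    "inside someone else's aggregate": TunnelAdv("192.0.2.3", "192.0.2.9"),
    "aggregate owner, more specific exists": TunnelAdv("192.0.2.2", "192.0.2.3"),
}


def evaluate_all(advertisements, routes):
    """Map each labelled advertisement to its (usable, reason) verdict."""
    return {name: tunnel_usable(adv, routes)
            for name, adv in advertisements.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all(ADVERTISEMENTS, ROUTES).items():
        print(f"{name:40s} {verdict}")
```

Only the first advertisement is accepted, which matches the statement in the thread that a router "can only advertise a tunnel to itself".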


From nobody Tue Sep 19 01:15:19 2017
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3596413234B; Tue, 19 Sep 2017 01:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.617
X-Spam-Level: 
X-Spam-Status: No, score=-1.617 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M8_coweQTM_P; Tue, 19 Sep 2017 01:15:11 -0700 (PDT)
Received: from relais-inet.orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7BEB13207A; Tue, 19 Sep 2017 01:15:10 -0700 (PDT)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) by opfednr23.francetelecom.fr (ESMTP service) with ESMTP id 3E087C049B; Tue, 19 Sep 2017 10:15:09 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.62]) by opfednr05.francetelecom.fr (ESMTP service) with ESMTP id 0A6D420057; Tue, 19 Sep 2017 10:15:09 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILM5E.corporate.adroot.infra.ftgroup ([fe80::2912:bfa5:91d3:bf63%18]) with mapi id 14.03.0361.001; Tue, 19 Sep 2017 10:15:08 +0200
From: <bruno.decraene@orange.com>
To: Robert Raszuk <robert@raszuk.net>
CC: "iesg@ietf.org" <iesg@ietf.org>, David Mandelberg <david@mandelberg.org>,  "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAFhL03gADEpyD//+kaAIAAJRXg
Date: Tue, 19 Sep 2017 08:15:08 +0000
Message-ID: <27250_1505808909_59C0D20D_27250_468_2_53C29892C857584299CBF5D05346208A4787AEEC@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org> <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup> <CA+b+ERneJBn_jJgDYZ+dQbb6CaLP_3xy14w4hhBWYKHkSBHnGA@mail.gmail.com>
In-Reply-To: <CA+b+ERneJBn_jJgDYZ+dQbb6CaLP_3xy14w4hhBWYKHkSBHnGA@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.1]
Content-Type: multipart/alternative; boundary="_000_53C29892C857584299CBF5D05346208A4787AEECOPEXCLILM21corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7rLc4JZWC75Z23nL13FANYfXsCc>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 08:15:13 -0000



From nobody Tue Sep 19 04:01:58 2017
Return-Path: <acee@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EFE11320CF; Tue, 19 Sep 2017 04:01:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level: 
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4n4g3yq9b6tx; Tue, 19 Sep 2017 04:01:47 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B30DB132055; Tue, 19 Sep 2017 04:01:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=30471; q=dns/txt; s=iport; t=1505818906; x=1507028506; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=l3RkUWC6dU4GQvGOapYG+T4I21HJa7eyQ1Zg/P9RcXE=; b=QWGOKXtFmBqo2y04vKQjlCpHXBGuc7BJlEHCgo1oZMe5/0A3DchqEIUq A/t3F/mZT5Qptzo7KaZp3RGY34A678gUa3/vIWoYTd/Snn2i5AhdYvez4 EgWlPxt+G6M0LBZ3+TOGpg1iNFRgKeCyAlfejitcD6CwFtlaRL/Ukf9l9 M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.42,418,1500940800";  d="scan'208,217";a="300237085"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Sep 2017 11:01:45 +0000
Received: from XCH-RTP-013.cisco.com (xch-rtp-013.cisco.com [64.101.220.153]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v8JB1igr002335 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 19 Sep 2017 11:01:45 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-013.cisco.com (64.101.220.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 19 Sep 2017 07:01:44 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1263.000; Tue, 19 Sep 2017 07:01:44 -0400
From: "Acee Lindem (acee)" <acee@cisco.com>
To: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, Robert Raszuk <robert@raszuk.net>
CC: "iesg@ietf.org" <iesg@ietf.org>, David Mandelberg <david@mandelberg.org>,  "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAFhL03gADEpyCAAE2vAIAABocA///rcYA=
Date: Tue, 19 Sep 2017 11:01:43 +0000
Message-ID: <D5E66FC2.C878E%acee@cisco.com>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org> <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup> <CA+b+ERneJBn_jJgDYZ+dQbb6CaLP_3xy14w4hhBWYKHkSBHnGA@mail.gmail.com> <27250_1505808909_59C0D20D_27250_468_2_53C29892C857584299CBF5D05346208A4787AEEC@OPEXCLILM21.corporate.adroot.infra.ftgroup>
In-Reply-To: <27250_1505808909_59C0D20D_27250_468_2_53C29892C857584299CBF5D05346208A4787AEEC@OPEXCLILM21.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.196]
Content-Type: multipart/alternative; boundary="_000_D5E66FC2C878Eaceeciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/b4uVGNYB8kdcZ6jj3RjmFxrmcME>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 11:01:52 -0000



From nobody Tue Sep 19 09:24:32 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70D6F133342 for <secdir@ietfa.amsl.com>; Tue, 19 Sep 2017 09:24:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZlmfmt1xx9M for <secdir@ietfa.amsl.com>; Tue, 19 Sep 2017 09:24:25 -0700 (PDT)
Received: from nm19-vm2.access.bullet.mail.bf1.yahoo.com (nm19-vm2.access.bullet.mail.bf1.yahoo.com [216.109.115.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39204134294 for <secdir@ietf.org>; Tue, 19 Sep 2017 09:24:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1505838261; bh=dZfYNvuXZO9my4rMwT7ZmDDeFxXglfh7WgdBlY27JaU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=KosgS1JwnW5MWKNaa36Z3hvsV+xxHjBDEOQ+ZclYqV8mLjeBATVjdGnh9Hg7pZey7eqsUmRkYitr1qPkNnmnvO9n+5RWA0SHNDkWl82p75FhdOEjgGNVYg3sIl2SDWFXwx29gcm74gjaylo8SAQ0tszSZhmeqj9ysd/MgBheJQ9DhQ6YDlQpKdYJopEL+IkYY3oaB5dlbETf7Bii9v8XEVIfjoN/PBM1UwpsTB4gE7OuXb1jZhJWSK2JfyeNCKM7UmUec/ItFWDBWJItMjNi9HyZXGSHHQ8Y5aEhKjZ+FZ3vUREVEt80szW+mMOO1xew/vl3dUBTLkgsYQnq0EOURQ==
Received: from [66.196.81.158] by nm19.access.bullet.mail.bf1.yahoo.com with NNFMP; 19 Sep 2017 16:24:21 -0000
Received: from [98.138.39.78] by tm4.access.bullet.mail.bf1.yahoo.com with NNFMP; 19 Sep 2017 16:24:21 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 19 Sep 2017 16:24:21 -0000
X-Yahoo-Newman-Id: 532349.44326.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id BC3DC1C6066; Tue, 19 Sep 2017 12:24:19 -0400 (EDT)
To: "Acee Lindem (acee)" <acee@cisco.com>, "bruno.decraene@orange.com" <bruno.decraene@orange.com>, Robert Raszuk <robert@raszuk.net>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <5ee2e3cf-4034-f9e6-4fca-92ceb57a65c5@mandelberg.org> <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup> <CA+b+ERneJBn_jJgDYZ+dQbb6CaLP_3xy14w4hhBWYKHkSBHnGA@mail.gmail.com> <27250_1505808909_59C0D20D_27250_468_2_53C29892C857584299CBF5D05346208A4787AEEC@OPEXCLILM21.corporate.adroot.infra.ftgroup> <D5E66FC2.C878E%acee@cisco.com>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <b9e0dfcf-d2db-a96a-a389-41336fcd209b@mandelberg.org>
Date: Tue, 19 Sep 2017 12:24:17 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <D5E66FC2.C878E%acee@cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vQ-waklUsmWeFjb1xOsmTlxBM_Q>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 16:24:27 -0000

Looks good to me too.

On 09/19/2017 07:01 AM, Acee Lindem (acee) wrote:
> Hi Bruno, Robert,
>
> Sounds good to me. One nit – replace “e.g. “ with “, e.g., “ in the
> added text.
> Thanks,
> Acee
>
> From: Bruno Decraene <bruno.decraene@orange.com
> <mailto:bruno.decraene@orange.com>>
> Date: Tuesday, September 19, 2017 at 4:15 AM
> To: Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>>
> Cc: The IESG <iesg@ietf.org <mailto:iesg@ietf.org>>, David Mandelberg
> <david@mandelberg.org <mailto:david@mandelberg.org>>,
> "draft-ietf-ospf-encapsulation-cap.all@ietf.org
> <mailto:draft-ietf-ospf-encapsulation-cap.all@ietf.org>"
> <draft-ietf-ospf-encapsulation-cap.all@ietf.org
> <mailto:draft-ietf-ospf-encapsulation-cap.all@ietf.org>>,
> "secdir@ietf.org <mailto:secdir@ietf.org>" <secdir@ietf.org
> <mailto:secdir@ietf.org>>
> Subject: RE: secdir review of draft-ietf-ospf-encapsulation-cap-06
> Resent-From: <alias-bounces@ietf.org <mailto:alias-bounces@ietf.org>>
> Resent-To: Xiaohu Xu <xuxiaohu@huawei.com <mailto:xuxiaohu@huawei.com>>,
> Bruno Decraene <bruno.decraene@orange.com
> <mailto:bruno.decraene@orange.com>>, Robert Raszuk <robert@raszuk.net
> <mailto:robert@raszuk.net>>, Luis Contreras
> <luismiguel.contrerasmurillo@telefonica.com
> <mailto:luismiguel.contrerasmurillo@telefonica.com>>, Luay Jalil
> <luay.jalil@verizon.com <mailto:luay.jalil@verizon.com>>, Acee Lindem
> <acee@cisco.com <mailto:acee@cisco.com>>, <akr@cisco.com
> <mailto:akr@cisco.com>>, <aretana@cisco.com <mailto:aretana@cisco.com>>,
> Deborah Brungard <db3546@att.com <mailto:db3546@att.com>>, Alia Atlas
> <akatlas@gmail.com <mailto:akatlas@gmail.com>>, Acee Lindem
> <acee@cisco.com <mailto:acee@cisco.com>>
> Resent-Date: Tuesday, September 19, 2017 at 4:15 AM
>
>     *From:*rraszuk@gmail.com <mailto:rraszuk@gmail.com>
>     [mailto:rraszuk@gmail.com] *On Behalf Of *Robert Raszuk
>
>     Please replace AS with Administrative Domain.
>
>     [Bruno] I replaced AS with “OSPF domain” as indeed, AS is a BGP term
>     rather than an OSPF one. And as you note, in some cases, the AS and
>     the IGP domain may be different. Thanks.
>
>     If I have three ASes there should be no artificial limits
>     prohibiting encap to my central collector.
>
>     [Bruno]
>
>     If your central collector is part of the OSPF domain of the
>     encapsulator, there is no problem.
>
>     Otherwise, if the route to your central collector is advertised in
>     OSPF by the decapsulator, there is no problem.
>
>     Otherwise, if the route to your central collector is advertised in
>     BGP, then draft-ietf-idr-tunnel-encaps is probably the right tool.
>
>     --Bruno
>
>     Thx
>
>     R
>
>     On Sep 19, 2017 08:18, <bruno.decraene@orange.com
>     <mailto:bruno.decraene@orange.com>> wrote:
>
>     > From: David Mandelberg [mailto:david@mandelberg.org <mailto:david@mandelberg.org>]
>       > Sent: Monday, September 18, 2017 9:30 PM
>     >
>       > On 09/18/2017 05:08 AM, bruno.decraene@orange.com <mailto:bruno.decraene@orange.com> wrote:
>       > >   > (c) is the one that I think is worth looking into. E.g., does this new
>       > >   > extension make it easier for an attacker to route a packet across AS
>       > >   > boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
>       > >
>       > > No. The following text already prohibits even more than this:
>       > >
>       > > "  A tunnel MUST NOT be
>       > >        used if there is no route toward the IP address specified in the
>       > >        Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or if the route is
>       > >        not advertised by the router advertising this Tunnel Sub-TLV."
>       > >
>       > > - By definition, this Tunnel Sub-TLV is advertised in OSPF i.e. from within the AS.
>       > > - The text also prohibits setting a tunnel endpoint to another router within the AS.
>       > >
>       > >
>       > > That being said, within the AS, the point "c" still applies.
>       > > However, thinking twice, the probability is even more limited. Indeed, one can only advertise a
>       > tunnel to itself. Assuming that the third party can't control the whole routing topology (i.e. routing
>       > advertisement from most core routers), it cannot control the path followed by the tunnel. Hence it
>       > would need to have monitoring capabilities on specific links that it cannot choose. (the link on
>       > the path to itself).
>       > > Plus this risk is not new, as the third party could already advertise the destination IP address of
>       > the packets (or of the BGP Next-hop of the BGP route matching the packet destination), without
>       > using any tunnel.
>       > > In conclusion, although I could be wrong, I'm not seeing such new risk. (again, assuming that
>       > a third party can modify the OSPF routing is a big assumption).
>       > >
>       > > But the discussion was useful, thanks for the comments.
>       >
>       > That explanation is great, thank you. I hadn't realized the implications
>       > of the paragraph you quoted, when I initially read it. I'm convinced
>       > that there isn't a security issue here, but it would be nice to see your
>       > explanation in the document itself, if it's not already obvious to
>       > anybody who knows OSPF better than I do.
>
>     I've just added the following text in the security section of my
>     local version:
>     "We note that the last paragraph of <xref target="Operation"/>
>     forbid the establishment of a tunnel toward arbitrary destinations.
>     It prohibits a destination outside of the Autonomous System and also
>     to other routers within the AS. This avoid that a third-party
>     gaining access to an OSPF router be able to send the traffic to
>     other destinations, for e.g. inspection purposes. "
>
>     Feel free to comment/propose other text.
>
>     Since I've just published -08 a few hours ago, I'll probably delay
>     the upload of this new update.
>
>     --Bruno
>
>
>       > --
>       > Freelance cyber security consultant, software developer, and more
>       > https://david.mandelberg.org/
>
>     This message and its attachments may contain confidential or
>     privileged information that may be protected by law;
>     they should not be distributed, used or copied without authorisation.
>     If you have received this email in error, please notify the sender
>     and delete this message and its attachments.
>     As emails may be altered, Orange is not liable for messages that
>     have been modified, changed or falsified.
>     Thank you.
>


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/
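
The rule quoted in the thread above (a tunnel MUST NOT be used if there is no route toward the Endpoint Sub-TLV address, or if that route is not advertised by the router advertising the Tunnel Sub-TLV), sketched as an added example that is not part of any message in this archive or of the draft. The route-table shape, the use of longest-prefix matching, and all router names and addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: object           # ipaddress network learned through OSPF
    advertisers: frozenset   # router IDs that originate this prefix


@dataclass(frozen=True)
class TunnelAdvert:
    advertising_router: str  # router that originated the Tunnel Sub-TLV
    endpoint: object         # address carried in the Endpoint Sub-TLV


def best_route(routes, address):
    """Longest-prefix match over OSPF-learned routes (assumed selection
    rule for this sketch). Returns None when nothing covers the address."""
    matches = [r for r in routes if address in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def tunnel_verdict(routes, advert):
    """Apply the two conditions of the quoted paragraph, in order."""
    route = best_route(routes, advert.endpoint)
    if route is None:
        # Endpoint outside the OSPF-routed network: no route toward it.
        return "reject: no route toward endpoint"
    if advert.advertising_router not in route.advertisers:
        # Endpoint belongs to some other router in the domain.
        return "reject: route not advertised by tunnel advertiser"
    return "usable"


# Constructed sample data (documentation address ranges, hypothetical
# router IDs). R3 plays the router a third party has gained access to.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.1/32"), frozenset({"R1"})),
    Route(ipaddress.ip_network("192.0.2.2/32"), frozenset({"R2"})),
    Route(ipaddress.ip_network("192.0.2.3/32"), frozenset({"R3"})),
    # R3 also originates a covering prefix; the /32 entries still win.
    Route(ipaddress.ip_network("192.0.2.0/24"), frozenset({"R3"})),
]

ADVERTS = {
    # Tunnel to R3's own address: the only case the rule allows.
    "self": TunnelAdvert("R3", ipaddress.ip_address("192.0.2.3")),
    # Endpoint outside the OSPF domain: nothing in the table covers it.
    "outside_domain": TunnelAdvert("R3", ipaddress.ip_address("203.0.113.9")),
    # Endpoint is R2's address: best route is R2's /32, not R3's /24.
    "other_router": TunnelAdvert("R3", ipaddress.ip_address("192.0.2.2")),
}


def evaluate_all():
    """Verdict for every constructed advertisement, keyed by case name."""
    return {name: tunnel_verdict(ROUTES, a) for name, a in ADVERTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:15s} {verdict}")
```
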


From nobody Wed Sep 20 16:52:22 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3687B132A05 for <secdir@ietf.org>; Wed, 20 Sep 2017 16:52:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <150595154121.24944.9803936756111860931.idtracker@ietfa.amsl.com>
Date: Wed, 20 Sep 2017 16:52:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/L28f9qUHOgIu6gg7SvCIigEIcn4>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2017 23:52:21 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-09-28

Reviewer               LC end     Draft
David Mandelberg      R2017-06-28 draft-baeuerle-netnews-cancel-lock-06
Klaas Wierenga         2017-09-20 draft-ietf-bier-architecture-08
Liang Xia              2017-09-22 draft-ietf-teas-rsvp-te-scaling-rec-06

For telechat 2017-10-12

Reviewer               LC end     Draft
Melinda Shore          2017-10-04 draft-ietf-rtgwg-uloop-delay-06
Takeshi Takahashi      2017-10-04 draft-ietf-lisp-sec-13
Tina Tsou              2017-10-03 draft-ietf-rtgwg-routing-types-14
Sean Turner            2017-10-02 draft-ietf-tcpm-cubic-06
Carl Wallace           2017-10-02 draft-ietf-nvo3-mcast-framework-09

Last calls:

Reviewer               LC end     Draft
Phillip Hallam-Baker   2017-08-11 draft-ietf-rtcweb-jsep-23
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-11
Yoav Nir              R2017-09-27 draft-kille-ldap-xmpp-schema-06
Tim Polk               2017-09-11 draft-ietf-kitten-rfc5653bis-05
Vincent Roca           2017-09-11 draft-ietf-curdle-rsa-sha2-10
Yaron Sheffer          2017-10-16 draft-dawkins-iesg-nomcom-advisor-iaoc-03
Rifaat Shekh-Yusef     2017-10-11 draft-wu-l3sm-rfc8049bis-05
Brian Weis             2017-09-26 draft-ietf-v6ops-rfc6555bis-05
Paul Wouters           2017-09-25 draft-ietf-grow-bgp-session-culling-04
Tom Yu                 2017-09-28 draft-ietf-ippm-alt-mark-10
Tom Yu                 2017-07-25 draft-ietf-lamps-rfc5280-i18n-update-03
Tom Yu                 2017-02-20 draft-ietf-slim-negotiating-human-language-13

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08

Next in the reviewer rotation:

  Dacheng Zhang
  Derek Atkins
  John Bradley
  Shaun Cooley
  Alan DeKok
  Donald Eastlake
  Shawn Emery
  Stephen Farrell
  Daniel Franke
  Daniel Gillmor


From nobody Wed Sep 20 23:27:18 2017
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D87D1321A6; Wed, 20 Sep 2017 23:27:11 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Liang Xia <frank.xialiang@huawei.com>
To: <secdir@ietf.org>
Cc: draft-ietf-teas-rsvp-te-scaling-rec.all@ietf.org, ietf@ietf.org, teas@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150597523137.24776.3598419805081836880@ietfa.amsl.com>
Date: Wed, 20 Sep 2017 23:27:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NuyZ_t3ifAOAkfhQu1V6-4E8QUw>
Subject: [secdir] Secdir last call review of draft-ietf-teas-rsvp-te-scaling-rec-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 06:27:11 -0000

Reviewer: Liang Xia
Review result: Ready

It's in good shape and well written, and does not introduce any new security issues. 
Following the security design of RSVP (-TE) is just ok! 


From nobody Thu Sep 21 01:32:22 2017
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CEB3A127517; Thu, 21 Sep 2017 01:32:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: ietf@ietf.org, draft-dawkins-iesg-nomcom-advisor-iaoc.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150598274177.24936.13834519803340430594@ietfa.amsl.com>
Date: Thu, 21 Sep 2017 01:32:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/chQk0IQw0KQT87YX0sbMTI3YIOs>
Subject: [secdir] Secdir last call review of draft-dawkins-iesg-nomcom-advisor-iaoc-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 08:32:22 -0000

Reviewer: Yaron Sheffer
Review result: Ready

Quoting from the draft: "This document updates an IETF process BCP and has no
direct Internet security implications." And I fully agree.


From nobody Thu Sep 21 07:00:57 2017
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D6D9E1321C7; Thu, 21 Sep 2017 07:00:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yoav Nir <ynir.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: draft-kille-ldap-xmpp-schema.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150600245580.24892.3943252109133707724@ietfa.amsl.com>
Date: Thu, 21 Sep 2017 07:00:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-T-bOA4BcGTr0OcXWnOVRS0I7cQ>
Subject: [secdir] Secdir last call review of draft-kille-ldap-xmpp-schema-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 14:00:56 -0000

Reviewer: Yoav Nir
Review result: Ready

The original review is pasted below.

I've reviewed version -06 and all my concerns have been addressed.
=======================================================
Original review:

The document defines a couple of OIDs for associating a Jabber ID with an LDAP
object.  As such, it is very short and straightforward. I'm not too happy with
the Security Considerations section, which I'll quote here in its entirety:

"This schema enables publishing for XMPP JIDs, and care should be taken to
ensure that this information is not accessed inappropriately."

This is rather generic, and it's true for any piece of information stored
anywhere.  If that is all there is to say, the section might as well read "This
document only registers OIDs and has no special security considerations."

However, I think there is a point that may need to be mentioned. Using this
extension links a JID, which is a personal identifier that often appears on the
public Internet (much like an email address), to an LDAP object, which is
usually limited to an organization, usually the employer of that person. This
linkability only exists for people who have access to the LDAP server, so it's
just that users have to take the same care with JIDs that they do with email
addresses - if you don't want your XMPP messages linked to your employer, or
linked to you by your employer, it is better to use a private JID that is not
linked to your employer's LDAP.

This advice to users may be out of scope, but I would like to see a mention
that JIDs are generally public and pseudonymous, and this links them to a real
person within an LDAP domain.



From nobody Thu Sep 21 14:02:56 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBAED120720 for <secdir@ietfa.amsl.com>; Thu, 21 Sep 2017 14:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQIaiodVjrvg for <secdir@ietfa.amsl.com>; Thu, 21 Sep 2017 14:02:48 -0700 (PDT)
Received: from nm3-vm2.access.bullet.mail.bf1.yahoo.com (nm3-vm2.access.bullet.mail.bf1.yahoo.com [216.109.114.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F22A6132FB1 for <secdir@ietf.org>; Thu, 21 Sep 2017 14:02:46 -0700 (PDT)
Received: from [66.196.81.158] by nm3.access.bullet.mail.bf1.yahoo.com with NNFMP; 21 Sep 2017 21:02:45 -0000
Received: from [98.138.39.78] by tm4.access.bullet.mail.bf1.yahoo.com with NNFMP; 21 Sep 2017 21:02:45 -0000
Received: from [127.0.0.1] by smtp114.sbc.mail.ne1.yahoo.com with NNFMP; 21 Sep 2017 21:02:45 -0000
X-Yahoo-Newman-Id: 228997.68431.bm@smtp114.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 279C41C6066; Thu, 21 Sep 2017 17:02:44 -0400 (EDT)
To: iesg@ietf.org, secdir@ietf.org, draft-baeuerle-netnews-cancel-lock.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <3f32f3fe-5f38-d4a8-c7c6-a40be5c2ebb6@mandelberg.org>
Date: Thu, 21 Sep 2017 17:02:41 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CwAg3gcDxqgeQvpulrVaQdzy6uI>
Subject: [secdir] secdir review of draft-baeuerle-netnews-cancel-lock-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2017 21:02:49 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the  security
area directors.  Document editors and WG chairs should treat  these
comments just like any other last call comments.

The summary of the review is Ready with nits.

Thanks for addressing almost all of the comments from my previous 
review, the changes in the document look good. I had one comment before 
(also, below) that I didn't see addressed (sorry if I missed it). Since 
I really don't know what the numbers should be, it's just a nit.

Section 7 says "the key size used should be at least 128 bit with 
"sha256" for <scheme> and at least 80 bit with "sha1" for <scheme>." 
Those key sizes seem rather low to me, but I don't know exactly what 
they should be.

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Mon Sep 25 08:16:11 2017
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 68930133460; Fri, 15 Sep 2017 08:44:59 -0700 (PDT)
X-Original-To: new-work@ietf.org
Delivered-To: new-work@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A3F8C133010 for <new-work@ietf.org>; Fri, 15 Sep 2017 08:44:53 -0700 (PDT)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.61.0
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Reply_to: <iesg@ietf.org>
Message-ID: <150549029366.2975.1897173914163256892.idtracker@ietfa.amsl.com>
Date: Fri, 15 Sep 2017 08:44:53 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/kK7N_ZBVX9vmplptt8ycHOC37F0>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MQcJXghuG03dBndGD6Wbj1fKRKw>
X-Mailman-Approved-At: Mon, 25 Sep 2017 08:16:10 -0700
Subject: [secdir] [new-work] WG Review: DNS Over HTTPS (doh)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2017 15:44:59 -0000

A new IETF WG has been proposed in the Applications and Real-Time Area. The
IESG has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send your
comments to the IESG mailing list (iesg@ietf.org) by 2017-09-25.

DNS Over HTTPS (doh)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  TBD

Assigned Area Director:
  Adam Roach <adam@nostrum.com>

Applications and Real-Time Area Directors:
  Adam Roach <adam@nostrum.com>
  Ben Campbell <ben@nostrum.com>
  Alexey Melnikov <aamelnikov@fastmail.fm>

Mailing list:
  Address: doh@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/doh
  Archive: https://mailarchive.ietf.org/arch/browse/doh/

Group page: https://datatracker.ietf.org/group/doh/

Charter: https://datatracker.ietf.org/doc/charter-ietf-doh/

This working group will standardize encodings for DNS queries and responses
that are suitable for use in HTTPS. This will enable the domain name system
to function over certain paths where existing DNS methods (UDP, TLS, and DTLS)
experience problems.  The working group will re-use HTTPS methods, error
codes, and other semantics to the greatest extent possible.  The use of HTTPS
provides integrity and confidentiality, and it also allows the transport to
interoperate with common HTTPS infrastructure and policy.

The working group will coordinate with the DNSOP and INTAREA working groups
for input on DNS-over-HTTPS's impact on DNS operations and DNS semantics,
respectively. In particular, DNSOP will be consulted for guidance on the
operational impacts that result from traditional host behaviors (i.e.,
stub-resolver to recursive-resolver interaction) being replaced with the
specified mechanism.

Specification of how the DNS data may be used for new use cases, and
the discovery of the DOH servers, are out of scope for the working group.

The working group will use draft-hoffman-dispatch-dns-over-https as input.

Milestones:

  Apr 2018 - Submit specification for performing DNS queries over HTTPS to
  the IESG for publication as PS


_______________________________________________
new-work mailing list
new-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work


From nobody Mon Sep 25 08:46:05 2017
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E9157134307; Mon, 25 Sep 2017 08:45:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters <paul@nohats.ca>
To: <secdir@ietf.org>
Cc: grow@ietf.org, draft-ietf-grow-bgp-session-culling.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150635434992.27366.574012206348474088@ietfa.amsl.com>
Date: Mon, 25 Sep 2017 08:45:49 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_D76Fo5YvSBO4mr_pGRXG5ItSJw>
Subject: [secdir] Secdir last call review of draft-ietf-grow-bgp-session-culling-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 15:45:50 -0000

Reviewer: Paul Wouters
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the  security
area directors.  Document editors and WG chairs should treat  these
comments just like any other last call comments.

The summary of the review is Ready.

(note I am a tourist in the BGP area)

This document basically states that people doing network maintenance so often
make mistakes that leak into the global BGP table, that it would be a good idea
to just firewall all the BGP traffic going out of your network edge as a
preventive measure. It's a sad state of software/firmware that an external
firewalling process is deemed necessary to properly (re)configure BGP.

This document has an empty Security Considerations section. As this BCP
document is basically a "cut yourself off the internet while doing maintenance"
I agree that there is basically nothing worse that could happen other than not
doing this RFC BCP and then leaking faulty BGP information onto the public
internet. One could add something like "don't forget to delete the firewall
rules afterwards" or "be sure to use ipv4 and ipv6 rules to prevent BGP leaks",
but then again this whole band aid RFC is meant for people who apparently have
shown an inability of properly executing RFC's anyway, and this document just
tries to convince them to only cut themselves, and not everyone else.



From nobody Mon Sep 25 09:29:45 2017
Return-Path: <will@harg.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8EAA1344D8; Mon, 25 Sep 2017 09:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6D8RLVnCqfGe; Mon, 25 Sep 2017 09:29:30 -0700 (PDT)
Received: from mail0.lonap.net (mail0.lonap.net [IPv6:2a00:eb20:100::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C86491344B4; Mon, 25 Sep 2017 09:29:29 -0700 (PDT)
Received: from [188.246.198.145] by mail0.lonap.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <will@harg.net>) id 1dwWG5-0008AH-6b; Mon, 25 Sep 2017 17:29:27 +0100
From: "Will Hargrave" <will@harg.net>
To: "Paul Wouters" <paul@nohats.ca>
Cc: secdir@ietf.org, grow@ietf.org, draft-ietf-grow-bgp-session-culling.all@ietf.org, ietf@ietf.org
Date: Mon, 25 Sep 2017 17:29:24 +0100
Message-ID: <ABA19C9B-7226-4001-86F9-9BDAAA21942C@harg.net>
In-Reply-To: <150635434992.27366.574012206348474088@ietfa.amsl.com>
References: <150635434992.27366.574012206348474088@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.7r5419)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A0K08b0QfWBFF1RKavxQi0x2nwE>
Subject: Re: [secdir] [GROW] Secdir last call review of draft-ietf-grow-bgp-session-culling-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 16:29:32 -0000

On 25 Sep 2017, at 16:45, Paul Wouters wrote:

> This document basically states that people doing network maintenance 
> so often
> make mistakes that leak into the global BGP table, that it would be a 
> good idea
> to just firewall all the BGP traffic going out of your network edge as 
> a
> preventive measure. It's a sad state of software/firmware that an 
> external
> firewalling process is deemed necessary to properly (re)configure BGP.

Hi Paul,

I am afraid you have got the wrong end of the stick here. This technique 
is intended for IXP and other L2 operators, not those who operate BGP 
speakers / IP networks. It is a workaround to unwanted blackholing of 
traffic as a result of the dataplane being broken whilst waiting for BGP 
holdtimers to expire - nothing to do with actual BGP route policy.

I gave a presentation earlier this year at the UK Network Operators 
Forum which attempts to explain this 
https://indico.uknof.org.uk/event/39/contribution/8


Regards,

Will


From nobody Mon Sep 25 09:36:37 2017
Return-Path: <job@instituut.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3A501344EE for <secdir@ietfa.amsl.com>; Mon, 25 Sep 2017 09:36:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYu1yXfIsvLN for <secdir@ietfa.amsl.com>; Mon, 25 Sep 2017 09:36:16 -0700 (PDT)
Received: from mail-wm0-f47.google.com (mail-wm0-f47.google.com [74.125.82.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DE8F1344ED for <secdir@ietf.org>; Mon, 25 Sep 2017 09:36:15 -0700 (PDT)
Received: by mail-wm0-f47.google.com with SMTP id m72so21531691wmc.1 for <secdir@ietf.org>; Mon, 25 Sep 2017 09:36:15 -0700 (PDT)
X-Received: by 10.80.179.120 with SMTP id r53mr15069670edd.174.1506357373461;  Mon, 25 Sep 2017 09:36:13 -0700 (PDT)
Received: from localhost ([2001:67c:208c:10:1533:ae60:ce69:5c07]) by smtp.gmail.com with ESMTPSA id 26sm4134513eds.5.2017.09.25.09.36.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Sep 2017 09:36:12 -0700 (PDT)
Date: Mon, 25 Sep 2017 18:36:11 +0200
From: Job Snijders <job@ntt.net>
To: Will Hargrave <will@harg.net>
Cc: Paul Wouters <paul@nohats.ca>, secdir@ietf.org, grow@ietf.org, draft-ietf-grow-bgp-session-culling.all@ietf.org, ietf@ietf.org
Message-ID: <20170925163611.3tgzo5emijwickpn@hanna.meerval.net>
References: <150635434992.27366.574012206348474088@ietfa.amsl.com> <ABA19C9B-7226-4001-86F9-9BDAAA21942C@harg.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ABA19C9B-7226-4001-86F9-9BDAAA21942C@harg.net>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170912 (1.9.0)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SWA6Zov6CMQXCqKjbShSk8O1XVI>
Subject: Re: [secdir] [GROW] Secdir last call review of draft-ietf-grow-bgp-session-culling-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Sep 2017 16:36:25 -0000

On Mon, Sep 25, 2017 at 04:29:24PM +0000, Will Hargrave wrote:
> On 25 Sep 2017, at 16:45, Paul Wouters wrote:
> > This document basically states that people doing network maintenance
> > so often make mistakes that leak into the global BGP table, that it
> > would be a good idea to just firewall all the BGP traffic going out
> > of your network edge as a preventive measure. It's a sad state of
> > software/firmware that an external firewalling process is deemed
> > necessary to properly (re)configure BGP.
> 
> Hi Paul,
> 
> I am afraid you have got the wrong end of the stick here. This
> technique is intended for IXP and other L2 operators, not those who
> operate BGP speakers / IP networks.

Small nit pick: section 3.1 applies to those who operate BGP speakers /
IP networks. But yes, it appears that the review is based on a
misunderstanding about the layering of the ISO model and how the IP
filters trigger rerouting as (desired) second order effect.

> It is a workaround to unwanted blackholing of traffic as a result of
> the dataplane being broken whilst waiting for BGP holdtimers to expire
> - nothing to do with actual BGP route policy.
> 
> I gave a presentation earlier this year at the UK Network Operators
> Forum which attempts to explain this
> https://indico.uknof.org.uk/event/39/contribution/8

I'd also like to note that the techniques described in the culling
document have nothing to do with 'leaking' of any sort, nor is the BCP
attempting or purposed to describe firewalling best practises from a
general perspective.

Kind regards,

Job


From nobody Tue Sep 26 07:15:31 2017
Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 56170120724; Tue, 26 Sep 2017 07:15:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Sean Turner <sean@sn3rd.com>
To: <secdir@ietf.org>
Cc: tcpm@ietf.org, ietf@ietf.org, draft-ietf-tcpm-cubic.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150643532230.20822.2899916825960257300@ietfa.amsl.com>
Date: Tue, 26 Sep 2017 07:15:22 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oxMNT9f4ZnsS0FhDux8zJtDvBXE>
Subject: [secdir] Secdir last call review of draft-ietf-tcpm-cubic-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2017 14:15:22 -0000

Reviewer: Sean Turner
Review result: Has Nits

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This document specifies a TCP congestion control algorithm.  It
uses a cubic function instead of linear window increase function.
It is the default function for Linux.

It's ready with nits - basically a couple of more words in the security
considerations and maybe a reference or two and you’re done.

Note: I know next to nothing about congestion control functions
so I'm going to trust the function is properly specified and reflects
what's actually implemented.

The security considerations were a little bit terse.  So here's a couple
of questions that came to mind while searching around for where
to refer:

1. I get that since CUBIC just changes the congestion window
adjustment function on the sender side that it makes "no
changes" to the underlying security of TCP.  But, I kinda had to
guess where the underlying security of TCP are documented -
so how about adding "[RFC5681]" to end the sentence assuming
that's where the security considerations for TCP are documented.

2. I think the answer is yes here, but wanted to check:
In RFC5681's security considerations, there's some text
about how to deal with the "ACK division attack" by:

   ... increasing the congestion window based on the
   number of bytes newly acknowledged in each arriving ACK
   rather than by a particular constant on each arriving ACK (as
   outlined in section 3.1).

CUBIC has protections against this attack because it MUST
support slowstart?  Like I said, I think it's yes because s3.1 in
RFC5681 is all about slowstart.

WRT s5.1: In (quickly) reviewing SACK it refers to RFC5961
(aka dealing with the blind in-window attack), does CUBIC
protect against this attack?  If it does or doesn't it might be
worth an informative reference to RFC5961 in s5.1 because
it was published after RFC5681.
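
Added example (not part of the review or of either document): a sender-side model of the slow-start rule quoted from RFC 5681 above, comparing a fixed per-ACK increase with the byte-counted increase when a receiver splits each acknowledgement. SMSS, the initial window and the split factors are constructed sample values.

```python
"""Sender-side model of slow-start window growth under ACK division.

Constructed illustration: SMSS, the initial window and the split factor are
sample values, not taken from the thread or from any implementation.
"""

SMSS = 1460                # sender maximum segment size in bytes (sample value)
INITIAL_CWND = 10 * SMSS   # starting congestion window (sample value)


def per_ack_constant(cwnd, newly_acked):
    """Naive rule: grow by one SMSS for every ACK, whatever it covers."""
    return cwnd + SMSS


def byte_counting(cwnd, newly_acked):
    """RFC 5681 section 3.1 rule: cwnd += min(N, SMSS), N = bytes newly acked."""
    return cwnd + min(newly_acked, SMSS)


def split_ack(segment_len, pieces):
    """Byte counts of the ACKs emitted when one segment is acknowledged in
    `pieces` partial ACKs (pieces=1 models a well-behaved receiver)."""
    base, extra = divmod(segment_len, pieces)
    return [base + (1 if i < extra else 0) for i in range(pieces)]


def simulate(rule, rtts, pieces, cwnd=INITIAL_CWND):
    """Return cwnd in bytes after each RTT of loss-free slow start."""
    history = []
    for _ in range(rtts):
        # Everything sent in this RTT is acknowledged before the next one.
        segments_in_flight = cwnd // SMSS
        for _ in range(segments_in_flight):
            for acked in split_ack(SMSS, pieces):
                cwnd = rule(cwnd, acked)
        history.append(cwnd)
    return history


def in_segments(history):
    """Express a cwnd history in whole segments for easier reading."""
    return [c // SMSS for c in history]


if __name__ == "__main__":
    for name, rule in (("per-ACK constant", per_ack_constant),
                       ("byte counting", byte_counting)):
        for pieces in (1, 4):
            print(f"{name:17s} pieces={pieces}: "
                  f"{in_segments(simulate(rule, 3, pieces))}")
```

With byte counting the window doubles per RTT regardless of how the ACKs are split; with the per-ACK constant it grows by a factor of (1 + pieces).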


From nobody Tue Sep 26 11:46:25 2017
Return-Path: <ietf@kuehlewind.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 989CD1331D2 for <secdir@ietfa.amsl.com>; Tue, 26 Sep 2017 11:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TS30vdd3kf-v for <secdir@ietfa.amsl.com>; Tue, 26 Sep 2017 11:46:22 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4222B1342FD for <secdir@ietf.org>; Tue, 26 Sep 2017 11:46:22 -0700 (PDT)
Received: (qmail 8078 invoked from network); 26 Sep 2017 20:19:39 +0200
Received: from nb-10510.ethz.ch (HELO ?82.130.103.143?) (82.130.103.143) by kuehlewind.net with ESMTPSA (DHE-RSA-AES128-SHA encrypted, authenticated); 26 Sep 2017 20:19:39 +0200
To: Sean Turner <sean@sn3rd.com>, secdir@ietf.org
Cc: tcpm@ietf.org, ietf@ietf.org, draft-ietf-tcpm-cubic.all@ietf.org
References: <150643532230.20822.2899916825960257300@ietfa.amsl.com>
From: =?UTF-8?Q?Mirja_K=c3=bchlewind?= <ietf@kuehlewind.net>
Message-ID: <f799c070-0867-2db0-033d-0527d5dc8dcf@kuehlewind.net>
Date: Tue, 26 Sep 2017 20:19:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <150643532230.20822.2899916825960257300@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-PPP-Message-ID: <20170926181939.8070.26405@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DXQTbtovYaXUaQ8SnKAqN8Soxxs>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tcpm-cubic-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Sep 2017 18:46:24 -0000

Hi Sean,

thanks a lot for your review. These are good thoughts but after all mostly 
independent of cubic. Basically all that cubic does is that it provides an 
alternative for equation 3 in RFC5681 while all the rest of RFC5681 still 
applies and needs to be implemented to have a working TCP implementation.

More specifically also, the ACK division attack is actually not a problem for 
cubic because it does not use SMSS in any of its equations.

In summary, while it probably doesn't hurt to point to the security 
considerations of RFC5681, I don't think it is absolutely necessary.

Mirja


On 26.09.2017 16:15, Sean Turner wrote:
> Reviewer: Sean Turner
> Review result: Has Nits
> 
> Do not be alarmed.  I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents
> being processed by the IESG.  These comments were written primarily
> for the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last call
> comments.
> 
> This document specifies a TCP congestion control algorithm.  It
> uses a cubic function instead of linear window increase function.
> It is the default function for Linux.
> 
> It's ready with nits - basically a couple of more words in the security
> considerations and maybe a reference or two and you’re done.
> 
> Note: I know next to nothing about congestion control functions
> so I'm going to trust the function is properly specified and reflects
> what's actually implemented.
> 
> The security considerations were a little bit terse.  So here's a couple
> of questions that came to mind while searching around for where
> to refer:
> 
> 1. I get that since CUBIC just changes the congestion window
> adjustment function on the sender side that it makes "no
> changes" to the underlying security of TCP.  But, I kinda had to
> guess where the underlying security of TCP are documented -
> so how about adding "[RFC5681]" to end the sentence assuming
> that's where the security considerations for TCP are documented.
> 
> 2. I think the answer is yes here, but wanted to check:
> In RFC5681's security considerations, there's some text
> about how to deal with the "ACK division attack" by:
> 
>     ... increasing the congestion window based on the
>     number of bytes newly acknowledged in each arriving ACK
>     rather than by a particular constant on each arriving ACK (as
>     outlined in section 3.1).
> 
> CUBIC has protections against this attack because it MUST
> support slowstart?  Like I said, I think it's yes because s3.1 in
> RFC5681 is all about slowstart.
> 
> WRT s5.1: In (quickly) reviewing SACK it refers to RFC5961
> (aka dealing with the blind in-window attack), does CUBIC
> protect against this attack?  If it does or doesn't it might be
> worth an informative reference to RFC5961 in s5.1 because
> it was published after RFC5681.
> 


From nobody Wed Sep 27 06:28:23 2017
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 807BE1331F6; Wed, 27 Sep 2017 06:28:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: ietf@ietf.org, draft-wu-l3sm-rfc8049bis.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150651889545.25051.18014743453686617959@ietfa.amsl.com>
Date: Wed, 27 Sep 2017 06:28:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/weEdMjPwF58ptk5yrJYfsGSt0cE>
Subject: [secdir] Secdir last call review of draft-wu-l3sm-rfc8049bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Sep 2017 13:28:16 -0000

Reviewer: Rifaat Shekh-Yusef
Review result: Has Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: Ready with issues


The document defines a YANG data model that defines service configuration
elements that can be used in communication protocols between customers
and network operators. Those elements can also be used as input to
automated control and configuration applications.



Issues
======

* Section 6.9, Security

This section has Authentication and Encryption sub-sections that apply
to the site.

As per section 6:
   "Authorization of traffic exchange is done through what we call a VPN
    policy or VPN service topology defining routing exchange rules
    between sites."

It might be useful to add an Authorization sub-section to section 6.9 to
capture that security aspect of the model.



* Section 10, Security Considerations

"..., and the server MUST authenticate client access to any protected resource."

There is a need to differentiate between authentication and authorization.
How about the following:
    "..., and the server MUST authenticate the client and authorize access
    to any protected resource."



* Section 10, Security Considerations

"The data nodes defined in the "ietf-l3vpn-svc" YANG module MUST be
carefully created, read, updated, or deleted as appropriate."

I think the above statement is too general, and needs to be more specific.
I am assuming that the above statement is trying to say that the identity
of the requestor must be authenticated, and the operations on the model
must be controlled based on authorization associated with the
authenticated entity.

If that is the case, then this should be clearly spelled out.



Nits
====

* Section 6.9.2. Encryption

"A hitless key-change mechanism may be added through augmentation."
Replace "key-change" with "key-exchange"

Regards,
 Rifaat



From nobody Wed Sep 27 19:53:45 2017
Return-Path: <vishnupavan@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDBD51344EC; Wed, 27 Sep 2017 19:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cdPKuvlNG5Uq; Wed, 27 Sep 2017 19:53:31 -0700 (PDT)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23183133018; Wed, 27 Sep 2017 19:53:31 -0700 (PDT)
Received: by mail-it0-x22a.google.com with SMTP id 85so638037ith.2; Wed, 27 Sep 2017 19:53:31 -0700 (PDT)
X-Received: by 10.36.0.215 with SMTP id 206mr3918848ita.84.1506567210476; Wed, 27 Sep 2017 19:53:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.7.216 with HTTP; Wed, 27 Sep 2017 19:53:30 -0700 (PDT)
In-Reply-To: <150597523137.24776.3598419805081836880@ietfa.amsl.com>
References: <150597523137.24776.3598419805081836880@ietfa.amsl.com>
From: Vishnu Pavan Beeram <vishnupavan@gmail.com>
Date: Wed, 27 Sep 2017 22:53:30 -0400
Message-ID: <CA+YzgTtm1mq_U4MOvSu5EatMX=ibhrFHnqTSBAy-vomy5tN+9A@mail.gmail.com>
To: Liang Xia <frank.xialiang@huawei.com>
Cc: secdir@ietf.org, draft-ietf-teas-rsvp-te-scaling-rec.all@ietf.org,  ietf <ietf@ietf.org>, "teas@ietf.org" <teas@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c141ec692cb1055a37032d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3XwGsbn8zRIS3YmRR4uwnDVVMs0>
Subject: Re: [secdir] [Teas] Secdir last call review of draft-ietf-teas-rsvp-te-scaling-rec-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 02:53:33 -0000

--001a11c141ec692cb1055a37032d
Content-Type: text/plain; charset="UTF-8"

Liang, Hi!

Thanks for the review. We just posted a new revision (-07) to address
concerns raised by the Gen-Art reviewer.

The new changes
(https://www.ietf.org/rfcdiff?url2=draft-ietf-teas-rsvp-te-scaling-rec-07)
do not introduce any new security issues.

Regards,
-Pavan

On Thu, Sep 21, 2017 at 2:27 AM, Liang Xia <frank.xialiang@huawei.com>
wrote:

> Reviewer: Liang Xia
> Review result: Ready
>
> It's in good shape and well written, and does not introduce any new
> security issues.
> Following the security design of RSVP (-TE) is just ok!
>
> _______________________________________________
> Teas mailing list
> Teas@ietf.org
> https://www.ietf.org/mailman/listinfo/teas
>

--001a11c141ec692cb1055a37032d--


From nobody Wed Sep 27 19:55:01 2017
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6AF8133018; Wed, 27 Sep 2017 19:54:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Level: 
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ty2KMR6pqgSM; Wed, 27 Sep 2017 19:54:57 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB7D4135273; Wed, 27 Sep 2017 19:54:56 -0700 (PDT)
Received: from 172.18.7.190 (EHLO LHREML710-CAH.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DPM86063; Thu, 28 Sep 2017 02:54:54 +0000 (GMT)
Received: from DGGEML404-HUB.china.huawei.com (10.3.17.39) by LHREML710-CAH.china.huawei.com (10.201.108.33) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 28 Sep 2017 03:54:53 +0100
Received: from DGGEML502-MBX.china.huawei.com ([169.254.2.114]) by DGGEML404-HUB.china.huawei.com ([fe80::b177:a243:7a69:5ab8%31]) with mapi id 14.03.0301.000; Thu, 28 Sep 2017 10:54:47 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: Vishnu Pavan Beeram <vishnupavan@gmail.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-teas-rsvp-te-scaling-rec.all@ietf.org" <draft-ietf-teas-rsvp-te-scaling-rec.all@ietf.org>, ietf <ietf@ietf.org>, "teas@ietf.org" <teas@ietf.org>
Thread-Topic: [Teas] Secdir last call review of draft-ietf-teas-rsvp-te-scaling-rec-06
Thread-Index: AQHTOAT79wyq37Ms2U2EHIOWFkLxzKLJme6w
Date: Thu, 28 Sep 2017 02:54:47 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12BBA8EE7@DGGEML502-MBX.china.huawei.com>
References: <150597523137.24776.3598419805081836880@ietfa.amsl.com> <CA+YzgTtm1mq_U4MOvSu5EatMX=ibhrFHnqTSBAy-vomy5tN+9A@mail.gmail.com>
In-Reply-To: <CA+YzgTtm1mq_U4MOvSu5EatMX=ibhrFHnqTSBAy-vomy5tN+9A@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.134.159.76]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12BBA8EE7DGGEML502MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090205.59CC647F.0032, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.2.114, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 9df51ec11beb60e0c8fca80d79259f63
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/koWuRPYrI-_u3hobbq9AXyPayC8>
Subject: [secdir] Re: [Teas] Secdir last call review of draft-ietf-teas-rsvp-te-scaling-rec-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 02:55:00 -0000



From nobody Wed Sep 27 20:59:15 2017
Return-Path: <bill.wu@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C82E1352A4; Wed, 27 Sep 2017 20:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CFRUfp_FlOXQ; Wed, 27 Sep 2017 20:59:06 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30C491352A0; Wed, 27 Sep 2017 20:59:05 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml707-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DWK41398; Thu, 28 Sep 2017 03:59:03 +0000 (GMT)
Received: from NKGEML411-HUB.china.huawei.com (10.98.56.70) by lhreml707-cah.china.huawei.com (10.201.108.48) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 28 Sep 2017 04:58:55 +0100
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.199]) by nkgeml411-hub.china.huawei.com ([10.98.56.70]) with mapi id 14.03.0235.001; Thu, 28 Sep 2017 11:58:49 +0800
From: Qin Wu <bill.wu@huawei.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "ietf@ietf.org" <ietf@ietf.org>, "draft-wu-l3sm-rfc8049bis.all@ietf.org" <draft-wu-l3sm-rfc8049bis.all@ietf.org>
Thread-Topic: Secdir last call review of draft-wu-l3sm-rfc8049bis-05
Thread-Index: AQHTN5R+aJprcuiMT0iB9NGywBubdqLJorXQ
Date: Thu, 28 Sep 2017 03:58:48 +0000
Message-ID: <B8F9A780D330094D99AF023C5877DABA9AB8C9DD@nkgeml513-mbx.china.huawei.com>
References: <150651889545.25051.18014743453686617959@ietfa.amsl.com>
In-Reply-To: <150651889545.25051.18014743453686617959@ietfa.amsl.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.136.79.163]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090201.59CC7387.0095, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.1.199, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 3fd39385ea9c265b2788f43232f87fa5
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Ay09keR4Qi8q_3fM5dPKMsBByek>
Subject: Re: [secdir] Secdir last call review of draft-wu-l3sm-rfc8049bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 03:59:07 -0000

Thanks Rifaat for reviewing this document, please see my replies inline below.

-Qin
-----Original Message-----
From: Rifaat Shekh-Yusef [mailto:rifaat.ietf@gmail.com]
Sent: September 27, 2017 21:28
To: secdir@ietf.org
Cc: ietf@ietf.org; draft-wu-l3sm-rfc8049bis.all@ietf.org
Subject: Secdir last call review of draft-wu-l3sm-rfc8049bis-05

Reviewer: Rifaat Shekh-Yusef
Review result: Has Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: Ready with issues


The document defines a YANG data model that defines service configuration
elements that can be used in communication protocols between customers
and network operators. Those elements can also be used as input to
automated control and configuration applications.



Issues
======

* Section 6.9, Security

This section has Authentication and Encryption sub-sections that apply
to the site.

As per section 6:
   "Authorization of traffic exchange is done through what we call a VPN
    policy or VPN service topology defining routing exchange rules
    between sites."

It might be useful to add an Authorization sub-section to section 6.9 to
capture that security aspect of the model.

[Qin]: As described above, authorization of traffic exchange is done
through VPN policy and VPN service topology.
VPN policy and VPN service topology are specified in section 6.2.1 and
section 6.5.2.2. It is not necessary to repeatedly
discuss it in a new section.

* Section 10, Security Considerations

"..., and the server MUST authenticate client access to any protected resource."

There is a need to differentiate between authentication and authorization.
How about the following:
    "..., and the server MUST authenticate the client and authorize access
    to any protected resource."

[Qin]: Sounds like a good suggestion. Thanks.

* Section 10, Security Considerations

"The data nodes defined in the "ietf-l3vpn-svc" YANG module MUST be
carefully created, read, updated, or deleted as appropriate."

I think the above statement is too general, and needs to be more specific.
I am assuming that the above statement is trying to say that the identity
of the requestor must be authenticated, and the operations on the model
must be controlled based on authorization associated with the
authenticated entity.

If that is the case, then this should be clearly spelled out.

[Qin]: I think this statement conveys two meanings:
For writable/creatable/deletable data nodes defined in this YANG module,
these data nodes may be considered sensitive or vulnerable in some
network environments. Write operations (e.g., edit-config) to these data
nodes without proper protection can have a negative effect on network
operations.
For the readable data nodes in this YANG module, these data nodes may be
considered sensitive or vulnerable in some network environments. It is
thus important to control read access (e.g., via get, get-config, or
notification) to these data nodes.

Secondly, if you keep on reading the subsequent sentence after this
statement in the paragraph 2 of section 10, you will see this is exactly
what you proposed to do.
BTW, this is bis of RFC8049 and we didn't propose any new change to RFC8049.

Nits
====

* Section 6.9.2. Encryption

"A hitless key-change mechanism may be added through augmentation."
Replace "key-change" with "key-exchange"

[Qin]: regarding "key-change", one example given in the section 6.9.2 is about
customer changes the pre-shared key on a regular basis. So I think this is not about
key exchange between two parties, two way or three way handshakes. Using
key-change is consistent with the example in the section 6.9.2.
Maybe we can change "key-change" into "key change".
BTW, I believe hitless key change is related to keychain
and can also be referred to as hitless key rollover.

Regards,
 Rifaat



From nobody Thu Sep 28 06:11:20 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A796D132193 for <secdir@ietf.org>; Thu, 28 Sep 2017 06:11:18 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.62.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secratary@mit.edu
Message-ID: <150660427864.13642.11676231257873049706.idtracker@ietfa.amsl.com>
Date: Thu, 28 Sep 2017 06:11:18 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hUEtgq8PuGMjvj-v5ZLgyT2DYzo>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 13:11:19 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-09-28

Reviewer               LC end     Draft
Christian Huitema     R2017-08-25 draft-ietf-sfc-nsh-24
Klaas Wierenga         2017-09-20 draft-ietf-bier-architecture-08

For telechat 2017-10-12

Reviewer               LC end     Draft
Stephen Farrell        2017-10-06 draft-ietf-mpls-spring-lsp-ping-11
Vincent Roca           2017-09-11 draft-ietf-curdle-rsa-sha2-10
Melinda Shore          2017-10-04 draft-ietf-rtgwg-uloop-delay-06
Takeshi Takahashi      2017-10-04 draft-ietf-lisp-sec-13
Tina Tsou              2017-10-03 draft-ietf-rtgwg-routing-types-14
Carl Wallace           2017-10-02 draft-ietf-nvo3-mcast-framework-09
Tom Yu                 2017-07-25 draft-ietf-lamps-rfc5280-i18n-update-03

For telechat 2017-10-26

Reviewer               LC end     Draft
Derek Atkins           None       draft-ietf-bier-mpls-encapsulation-09
John Bradley           None       draft-ietf-acme-acme-07
Dacheng Zhang          None       draft-ietf-mile-rolie-09

Last calls:

Reviewer               LC end     Draft
Shaun Cooley           2017-10-11 draft-ietf-grow-bgp-gshut-11
Alan DeKok             2017-10-09 draft-ietf-tsvwg-ieee-802-11-09
Donald Eastlake        2017-10-09 draft-ietf-oauth-discovery-07
Shawn Emery            2017-10-09 draft-ietf-curdle-pkix-06
Phillip Hallam-Baker   2017-08-11 draft-ietf-rtcweb-jsep-23
Adam Montville        R2017-10-09 draft-ietf-lamps-eai-addresses-15
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-11
Tim Polk               2017-09-11 draft-ietf-kitten-rfc5653bis-05
Brian Weis             2017-09-26 draft-ietf-v6ops-rfc6555bis-05
Tom Yu                 2017-09-28 draft-ietf-ippm-alt-mark-10
Tom Yu                 2017-02-20 draft-ietf-slim-negotiating-human-language-13

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08

Next in the reviewer rotation:

  Daniel Franke
  Daniel Gillmor
  Tobias Gondrom
  Ólafur Guðmundsson
  Phillip Hallam-Baker
  Steve Hanna
  Dan Harkins
  Paul Hoffman
  Russ Housley
  Christian Huitema


From nobody Thu Sep 28 09:15:59 2017
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C919134228; Thu, 28 Sep 2017 09:15:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Brian Weis <bew@cisco.com>
To: <secdir@ietf.org>
Cc: v6ops@ietf.org, ietf@ietf.org, draft-ietf-v6ops-rfc6555bis.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.63.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150661534403.27693.10060826661300587258@ietfa.amsl.com>
Date: Thu, 28 Sep 2017 09:15:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3ZNeAzQACmCn5tymZLpMWEQsONw>
Subject: [secdir] Secdir last call review of draft-ietf-v6ops-rfc6555bis-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 16:15:44 -0000

Reviewer: Brian Weis
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

From the Introduction, "This document expands on "Happy Eyeballs" [RFC6555], a
technique of reducing user-visible delays on dual-stack hosts." It lists a set
of steps by which a client can asynchronously perform IPv6 and IPv4 DNS
queries, and also semantics on how to handle the replies such that the user
delay is minimized.

The Security Considerations section simply states "This memo has no direct
security considerations.", and I believe this is true. However, I wonder about
"indirect" security considerations. RFC 6555 warns several times against
breaking a browser's same-origin policy, which seems to me to be an "indirect"
security consideration. I realize that browser policies have changed
considerably since RFC 6555 was published, and I personally do not know if
same-origin is still in general use or whether there are other newer but
similar issues of which an implementor should be aware. But if there are, then
this section should note them. Otherwise, I consider the document ready to be
published.


From nobody Thu Sep 28 12:42:52 2017
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE571348BF; Thu, 28 Sep 2017 12:42:44 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema <huitema@huitema.net>
To: <secdir@ietf.org>
Cc: ietf@ietf.org, sfc@ietf.org, draft-ietf-sfc-nsh.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.63.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150662776428.27730.5006539542253170142@ietfa.amsl.com>
Date: Thu, 28 Sep 2017 12:42:44 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DDXHXVJOEz6oUPFjjJdNX2SLn7c>
Subject: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Sep 2017 19:42:44 -0000

Reviewer: Christian Huitema
Review result: Serious Issues

I have already reviewed previous iterations of this draft (18) and sent
comments on the mailing lists about revisions 20 to 24. The draft has
significantly improved through the revisions, but I still have concerns.

First, it should be clear that standardizing addition of metadata to packet
headers is, from a privacy standpoint, playing with fire. I understand that
many ISPs believe that they need to accumulate and use metadata in order to
compete with the large scale tracking performed by some web companies. This
existing competition may well be driving a race to the privacy bottom.
Regardless, the minimum these ISPs can do is ensure that the privacy sensitive
metadata that they collect is well protected. Collecting metadata is bad
enough; letting hackers access it would be disastrous, as shown in the Equifax
breach. I would like to see a stronger recognition in the security
consideration that this is indeed playing with fire.

I am also concerned that when writing the security considerations the authors
may be playing with words. Frankly, I do not believe that the data will be
magically protected because they are only transported in a single
administrative domain. As Randy Bush pointed out in an email comment, some of
the service functions are already provided "in the cloud" by third party
contractors to the ISP. This means that in practice, the data will probably not
be confined to a single provider domain. In the email, I listed three threats:

* Whether ISPs believe it or not, their links will be snooped by third parties.
We have to assume that adversaries will have access to some of the transmission
equipment, even inside the perimeter.

* We also have to assume that persistent attackers will be able to compromise
some of the devices hosting some of the functions.

* And we have to assume that some third party providers will re-purpose the
metadata that they obtain through various contracts.

What worries me is not so much the inadequacies of the defenses proposed in the
security section as the absence of emphasis on the need to actually deploy
these defenses. Everything seems to be optional, left to the good will of the
ISP. Experience shows that in these conditions deployments use the most
convenient setup, clear text transmission with little defense in depth. The
security section ends up being so much empty talk designed to placate security
reviewers, playing with words for security without recognizing that
standardizing metadata collection is playing with fire.


From nobody Thu Sep 28 12:54:13 2017
To: Christian Huitema <huitema@huitema.net>, secdir@ietf.org
Cc: ietf@ietf.org, sfc@ietf.org, draft-ietf-sfc-nsh.all@ietf.org
References: <150662776428.27730.5006539542253170142@ietfa.amsl.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
Date: Thu, 28 Sep 2017 15:54:08 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <150662776428.27730.5006539542253170142@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZGIn_Tso8aMW3oMjrHfDus3n7lY>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation

We really need to separate issues here.

The first part of your note talks about the need for metadata.  You 
assert that this is related to a need to compete with large scale 
tracking.  While I can not prohibit that use, that is NOT the problem 
that drives this work.
Rather, the whole point is to support separating the currently 
monolithic service platforms into component services that can be 
combined both to deliver existing services, and to deliver new service 
combinations.  To do that, the existing internal methods for passing 
data within a service delivery monolith have to be replaced with an 
external, interoperable, method for doing this.
My employer would be very happy if the operators would give up on this 
and go back to buying our nice, high reliability, high price, integrated 
service platforms.  But that is not what the operators are asking us 
to provide.

Yours,
Joel



From nobody Fri Sep 29 03:26:49 2017
Reply-To: <adrian@olddog.co.uk>
From: "Adrian Farrel" <adrian@olddog.co.uk>
To: "'Joel M. Halpern'" <jmh@joelhalpern.com>, "'Christian Huitema'" <huitema@huitema.net>, <secdir@ietf.org>
Cc: <ietf@ietf.org>, <sfc@ietf.org>, <draft-ietf-sfc-nsh.all@ietf.org>
References: <150662776428.27730.5006539542253170142@ietfa.amsl.com> <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
In-Reply-To: <df06edaa-42a0-0182-9155-f8b7e9ab2fd3@joelhalpern.com>
Date: Fri, 29 Sep 2017 11:26:28 +0100
Message-ID: <033901d3390d$6a2cb7f0$3e8627d0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ubSwb3qhRN31hhO0I4mmJlqUqAI>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-sfc-nsh-25 - motivation

Maybe to expand on Joel's point about "metadata".
There has (of course) been a lot of discussion of metadata in the
context of end-user privacy. I think that has left many people with a
specific understanding of "metadata", but as Joel says this is not the
intention in this case.

That said, the description of metadata in this document and in RFC 7665
is perhaps a little vague. 7665 has...

   Metadata:  Provides the ability to exchange context information
        between classifiers and SFs, and among SFs.

...from which we might deduce that metadata does two things:
1. Provide a channel for communication between SFC entities for them to
synchronize state/actions related to traffic that follows a specific
service function chain.
2. Carry information related to a specific packet that has been
extracted or derived from that packet (for example, a hash) by an SFC
entity that saves subsequent SFC entities from having to derive the same
information (thus allowing the subsequent SFC entities to be dumber or
less CPU-rich).

7665 also says...

       One use of metadata is to provide and share the result of
       classification (that occurs within the SFC-enabled domain, or
       external to it) along an SFP.  For example, an external
       repository might provide user/subscriber information to a service
       chain classifier.  This classifier could in turn impose that
       information in the SFC encapsulation for delivery to the
       requisite SFs.  The SFs could in turn utilize the user/subscriber
       information for local policy decisions.  Metadata can also share
       SF output along the SFP.

...which may help explain the intention.

Personally, I think that tightening the description and scope of
metadata might be a way to help address Christian's concerns. At the
moment the scope seems to be left wilfully open to allow freedom of
choice for future use cases: that seems to me to be dangerously
open-ended.

Cheers,
Adrian



From nobody Sat Sep 30 06:42:01 2017
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Adam Montville <adam.w.montville@gmail.com>
To: <secdir@ietf.org>
Cc: spasm@ietf.org, ietf@ietf.org, draft-ietf-lamps-eai-addresses.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.63.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <150677890834.3451.1848734083648672272@ietfa.amsl.com>
Date: Sat, 30 Sep 2017 06:41:48 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PIg28coZNY8D5wmzQgKLkmE-8u0>
Subject: [secdir] Secdir last call review of draft-ietf-lamps-eai-addresses-15

Reviewer: Adam Montville
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is ready.

Previously raised nits have been addressed - thank you!

A fresh review offers nothing new from my perspective.

Kind regards,

Adam

