
From nobody Mon Nov  2 00:52:37 2015
From: Sean Turner <sean@sn3rd.com>
Date: Mon, 2 Nov 2015 17:52:29 +0900
To: draft-ietf-ntp-extension-field.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/3B9hEBIyu83_k0E1rtQIV2mhr0Q>
Subject: [secdir] secdir review of Re: I-D Action: draft-ietf-ntp-extension-field-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Nov 2015 08:52:35 -0000

This version addresses my main concerns.

Not sure what you’re going to do with this though, but I guess that’s
another draft’s problem:

> On Sep 17, 2015, at 02:02, Danny Mayer <mayer@pdmconsulting.net> wrote:
>
> We probably need to update the digest field in RFC5905 to make it clear
> that it can have multiple lengths depending on the algorithm used. On
> the other hand I would prefer to get rid of the MAC and turn it into an
> extension field, assuming that the NTS/CMS scheme is not used. The
> advantages of that are obvious especially as no guessing would be
> required and we could specify the algorithm to use and you could have
> multiple MAC extension fields that would cover different parts of the
> packet.

spt
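
The length-based guessing that the quoted message refers to, as an added example (not code from the draft, RFC 5905 or any NTP implementation). It assumes a legacy MAC of a 4-octet key ID followed by a 16-octet (MD5) or 20-octet (SHA-1) digest over key || packet, and assumes the rule that a trailer of 24 octets or fewer is a MAC; the keys, header and extension field type are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                  # fixed NTPv4 header
KEY_ID_LEN = 4
# Legacy MAC = key ID + digest, with no algorithm identifier on the wire.
# The receiver's only hint is the digest length (assumed set: MD5, SHA-1).
DIGEST_BY_LEN = {16: "md5", 20: "sha1"}
MAX_MAC_LEN = KEY_ID_LEN + max(DIGEST_BY_LEN)    # 24 octets


def split_tail(packet):
    """Return (extension_fields, mac_bytes) for the data after the header."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    rest = packet[NTP_HEADER_LEN:]
    fields = []
    # Assumed rule: a tail longer than the largest MAC starts with an
    # extension field (16-bit type, 16-bit total length, padded value).
    while len(rest) > MAX_MAC_LEN:
        ftype, flen = struct.unpack("!HH", rest[:4])
        if flen < 16 or flen % 4 or flen > len(rest):
            raise ValueError("malformed extension field")
        fields.append((ftype, rest[4:flen]))
        rest = rest[flen:]
    return fields, rest


def guess_mac(mac):
    """Read the trailer as a legacy MAC, guessing the hash from its length."""
    if not mac:
        return None                               # unauthenticated packet
    if len(mac) < KEY_ID_LEN:
        raise ValueError("trailer too short for a key ID")
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    digest = mac[KEY_ID_LEN:]
    if not digest:
        return key_id, None, b""                  # key ID only (crypto-NAK)
    if len(digest) not in DIGEST_BY_LEN:
        raise ValueError("no known digest has this length")
    return key_id, DIGEST_BY_LEN[len(digest)], digest


def verify(packet, keys):
    """True only if the trailer authenticates under a key the receiver holds.

    Raises ValueError for a malformed tail.
    """
    _, mac = split_tail(packet)
    guessed = guess_mac(mac)
    if guessed is None or guessed[1] is None:
        return False
    key_id, alg, digest = guessed
    if key_id not in keys:
        return False
    covered = packet[:len(packet) - len(mac)]     # header + extension fields
    expected = hashlib.new(alg, keys[key_id] + covered).digest()
    return hmac.compare_digest(expected, digest)


# --- constructed sample data (not captured traffic) ---
KEYS = {1: b"constructed-md5-key", 2: b"constructed-sha1-key"}
HEADER = bytes([0x23]) + bytes(47)   # LI=0, VN=4, mode=3 (client), rest zero
EXT_TYPE = 0xABCD                    # arbitrary field type for the example


def ext_field(ftype, total_len):
    """Zero-filled extension field of the given total length."""
    return struct.pack("!HH", ftype, total_len) + bytes(total_len - 4)


def signed(alg, key_id, body):
    """Append a legacy MAC (key ID + H(key || body)) to body."""
    digest = hashlib.new(alg, KEYS[key_id] + body).digest()
    return body + struct.pack("!I", key_id) + digest


def demo():
    md5_pkt = signed("md5", 1, HEADER)
    sha1_pkt = signed("sha1", 2, HEADER + ext_field(EXT_TYPE, 16))
    # No MAC at all, but the lone 24-octet extension field is exactly the
    # size of a SHA-1 MAC, so the length heuristic misreads it.
    lookalike = HEADER + ext_field(EXT_TYPE, 24)
    tampered = sha1_pkt[:-1] + bytes([sha1_pkt[-1] ^ 1])
    return {
        "md5": (guess_mac(split_tail(md5_pkt)[1])[1], verify(md5_pkt, KEYS)),
        "sha1": (guess_mac(split_tail(sha1_pkt)[1])[1], verify(sha1_pkt, KEYS)),
        "sha1_fields": split_tail(sha1_pkt)[0],
        "lookalike": (split_tail(lookalike)[0],
                      guess_mac(split_tail(lookalike)[1])[:2]),
        "tampered": verify(tampered, KEYS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In `demo()`, the unauthenticated `lookalike` packet is classified as carrying a SHA-1 MAC purely because its only extension field is 24 octets long.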


From nobody Mon Nov  2 15:23:25 2015
To: "secdir@ietf.org" <secdir@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 2 Nov 2015 23:23:13 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/86vxTmgQbk1dO3eVste7PM-8YBs>
Subject: Re: [secdir] secdir lunch location @ ietf94

A reminder. And as usual it's a bring your own lunch thing.
If folks figured out how to find a quick lunch yesterday,
it may be useful to send info here.

S

On 13/10/15 20:32, Stephen Farrell wrote:
> 
> Hiya,
> 
> It's a bit early but if I send this now at least I'll know
> where to find it again:-)
> 
> S
> 
> On 13/10/15 20:26, IESG wrote:
>> Meeting Name: secdir
>> Assigned Room: Room 419
>> Assigned Date: 11/03/2015
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
> 


From nobody Mon Nov  2 17:35:13 2015
From: "Salz, Rich" <rsalz@akamai.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "secdir@ietf.org" <secdir@ietf.org>
Date: Tue, 3 Nov 2015 01:35:07 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/edhwXPCY42Qw68e4QaDVcRhlNpE>
Subject: Re: [secdir] secdir lunch location @ ietf94

> A reminder. And as usual it's a bring your own lunch thing.
> If folks figured out how to find a quick lunch yesterday, it may be useful to
> send info here.

I went to the "Daily Hot" yesterday.  Down to 1F in the center go out the door near the "lounge" and it's across the street.  A small shop frequented by lots of service industry types, judging by the overalls.  Very local.  No English.  If you're adventurous, I found it a good way to get a cheap local meal.


From nobody Mon Nov  2 17:48:46 2015
From: Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 3 Nov 2015 10:48:36 +0900
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/vRWFAspW0GKMzAz6ZX5V6wMpyBY>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir lunch location @ ietf94

For the totally non-adventurous, the Queen’s Mall has a food court on the 1st floor with McDonald’s, KFC, and Subway, plus a hotdog stand outside the door.


> On 3 Nov 2015, at 8:23 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>
> A reminder. And as usual it's a bring your own lunch thing.
> If folks figured out how to find a quick lunch yesterday,
> it may be useful to send info here.
>
> S
>
> On 13/10/15 20:32, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> It's a bit early but if I send this now at least I'll know
>> where to find it again:-)
>>
>> S
>>
>> On 13/10/15 20:26, IESG wrote:
>>> Meeting Name: secdir
>>> Assigned Room: Room 419
>>> Assigned Date: 11/03/2015


From nobody Mon Nov  2 20:38:32 2015
To: "secdir@ietf.org" <secdir@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 3 Nov 2015 04:38:14 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/VPES7Rbg1SBVLa0ZBFpAq3fb3S4>
Subject: [secdir] a few new algs and a bunch of deprecation

Hiya,

At the secdir lunch we spoke about needing a bit of organisation
around adding new curves and about deprecating some old algs (e.g.
sha1). There's a scattered set of stuff that'll need doing some
of which is in progress (e.g. drafts allocating OIDs for new
curves), others of which may not yet be. One possibility would be
to try do this as a WG with a charter that tightly defines which
new things can be added but allows for deprecating anything
that should be deprecated. (The putative WG here would not I
think tackle items where we have a current WG active, e.g. TLS
can handle defining codepoints for TLS.)

As a separate but related thing, Alexey said he'd create a cfrg
wiki page where folks could add the names of drafts that are
defining things related to new curves. That might feed into the
positive parts of chartering.

FWIW, if this is something people supported and found useful,
Kathleen and I are happy to help it happen. Next step would likely
be to send a mail like this to saag then if nothing bad happens, to
start a mailing list for this and see if there's enough energy
to get stuff going. (If there is, I doubt a BoF would be needed.)

Thoughts?

S.


From nobody Tue Nov  3 00:56:41 2015
Date: Tue, 3 Nov 2015 09:56:11 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/w6kZGKeWh7tz-6pPD85wp_7VCf8>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation

I'm following Curve25519/Ed25519 use in IETF protocols and am
interested in helping that effort.  It seems the intersection between
this putative WG and existing WGs needs to be carefully explained
though, it isn't clear to me how it could be done.  Isn't deprecating
crypto parts of a protocol up to each protocol community to think
about?  We've seen with TLS, OpenPGP, Secure Shell and PKIX that
adding Curve25519/Ed25519 is highly protocol specific and requires
domain knowledge.

/Simon

>
> Hiya,
>
> At the secdir lunch we spoke about needing a bit of organisation
> around adding new curves and about deprecating some old algs (e.g.
> sha1). There's a scattered set of stuff that'll need doing some
> of which is in progress (e.g. drafts allocating OIDs for new
> curves), others of which may not yet be. One possibility would be
> to try do this as a WG with a charter that tightly defines which
> new things can be added but allows for deprecating anything
> that should be deprecated. (The putative WG here would not I
> think tackle items where we have a current WG active, e.g. TLS
> can handle defining codepoints for TLS.)
>
> As a separate but related thing, Alexey said he'd create a cfrg
> wiki page where folks could add the names of drafts that are
> defining things related to new curves. That might feed into the
> positive parts of chartering.
>
> FWIW, if this is something people supported and found useful,
> Kathleen and I are happy to help it happen. Next step would likely
> be to send a mail like this to saag then if nothing bad happens, to
> start a mailing list for this and see if there's enough energy
> to get stuff going. (If there is, I doubt a BoF would be needed.)
>
> Thoughts?
>
> S.
>




From nobody Tue Nov  3 04:48:30 2015
From: Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 3 Nov 2015 21:48:22 +0900
To: Simon Josefsson <simon@josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/qTck59CtLvCqzvRPETTDFCFCeOM>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation

> On 3 Nov 2015, at 5:56 PM, Simon Josefsson <simon@josefsson.org> wrote:
>
> I'm following Curve25519/Ed25519 use in IETF protocols and am
> interested in helping that effort.  It seems the intersection between
> this putative WG and existing WGs needs to be carefully explained
> though, it isn't clear to me how it could be done.  Isn't deprecating
> crypto parts of a protocol up to each protocol community to think
> about?  We've seen with TLS, OpenPGP, Secure Shell and PKIX that
> adding Curve25519/Ed25519 is highly protocol specific and requires
> domain knowledge.

My take on this is the exact opposite. We’ve added ChaCha20/Poly1305 to SSH and TLS and IPsec. Same algorithm in all three (yes, I know SSH uses the old construction).

We’re adding Curve25519/Ed25519 to SSH and TLS and IKE and PGP and PKIX. Same algorithm for all of them.

Is it safe to use SHA-1 in signatures? Regardless of what you think the answer is, it is the same in TLS and PGP and IKE and SSH and PKIX.

I think the best thing with such algorithms is to have guidance documents from either CFRG or Security AD-sponsored, and then have the separate protocol documents be little more than code point allocations.

Yoav


From nobody Tue Nov  3 20:22:48 2015
To: Yoav Nir <ynir.ietf@gmail.com>, Simon Josefsson <simon@josefsson.org>
References: <56383A36.3020200@cs.tcd.ie> <20151103095611.33a536b9@latte.josefsson.org> <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56398808.6000005@cs.tcd.ie>
Date: Wed, 4 Nov 2015 04:22:32 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/1cAMK1DdP5ESbpP2IF_mG3oWDpM>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 04:22:46 -0000

As nobody said this was crazy, I'll shoot a mail to saag
and we can discuss it there. The issue of how this would
relate to existing WGs is clearly a fine one to chat about.

Cheers,
S.


On 03/11/15 12:48, Yoav Nir wrote:
> 
>> On 3 Nov 2015, at 5:56 PM, Simon Josefsson <simon@josefsson.org> wrote:
>>
>> I'm following Curve25519/Ed25519 use in IETF protocols and am
>> interested in helping that effort.  It seems the intersection between
>> this putative WG and existing WGs needs to be carefully explained
>> though, it isn't clear to me how it could be done.  Isn't deprecating
>> crypto parts of a protocol up to each protocol community to think
>> about?  We've seen with TLS, OpenPGP, Secure Shell and PKIX that
>> adding Curve25519/Ed25519 is highly protocol specific and requires
>> domain knowledge.
> 
> My take on this is the exact opposite. We’ve added ChaCha20/Poly1305 to SSH and TLS and IPsec. Same algorithm in all three (yes, I know SSH uses the old construction).
>
> We’re adding Curve25519/Ed25519 to SSH and TLS and IKE and PGP and PKIX. Same algorithm for all of them.
> 
> Is it safe to use SHA-1 in signatures? Regardless of what you think the answer is, it is the same in TLS and PGP and IKE and SSH and PKIX.
> 
> I think the best thing with such algorithms is to have guidance documents from either CFRG or Security AD-sponsored, and then have the separate protocol documents be little more than code point allocations.
> 
> Yoav 
> 


From nobody Wed Nov  4 03:02:51 2015
Return-Path: <simon@josefsson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 669FD1B2D61 for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 03:02:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level: 
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2eOA_rkh8xHX for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 03:02:47 -0800 (PST)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C8E1B2D62 for <secdir@ietf.org>; Wed,  4 Nov 2015 03:02:46 -0800 (PST)
Received: from iller (c-c5b7e355.014-1001-73746f1.cust.bredbandsbolaget.se [85.227.183.197]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id tA4B2QVV023008 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 4 Nov 2015 12:02:27 +0100
Message-ID: <1446634943.26563.23.camel@josefsson.org>
From: Simon Josefsson <simon@josefsson.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Date: Wed, 04 Nov 2015 12:02:23 +0100
In-Reply-To: <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
References: <56383A36.3020200@cs.tcd.ie> <20151103095611.33a536b9@latte.josefsson.org> <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-vCq36tUWAdurqQYTK6dc"
X-Mailer: Evolution 3.12.9-1+b1 
Mime-Version: 1.0
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/oxJntUQFCnOWEnUl2noICiUq6oA>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 11:02:49 -0000

--=-vCq36tUWAdurqQYTK6dc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue 2015-11-03 at 21:48 +0900, Yoav Nir wrote:
> > On 3 Nov 2015, at 5:56 PM, Simon Josefsson <simon@josefsson.org> wrote:
> >
> > I'm following Curve25519/Ed25519 use in IETF protocols and am
> > interested in helping that effort.  It seems the intersection between
> > this putative WG and existing WGs needs to be carefully explained
> > though, it isn't clear to me how it could be done.  Isn't deprecating
> > crypto parts of a protocol up to each protocol community to think
> > about?  We've seen with TLS, OpenPGP, Secure Shell and PKIX that
> > adding Curve25519/Ed25519 is highly protocol specific and requires
> > domain knowledge.
>
> My take on this is the exact opposite. We’ve added ChaCha20/Poly1305 to SSH and TLS and IPsec. Same algorithm in all three (yes, I know SSH uses the old construction).
>
> We’re adding Curve25519/Ed25519 to SSH and TLS and IKE and PGP and PKIX. Same algorithm for all of them.

Curve25519/Ed25519 will be published through CFRG so the algorithm
description is covered there -- but the integration into each protocol
proved to contain protocol-specific differences and considerations.  I'm
concerned that a separate WG will get such details wrong, or will have
confusing overlap with any established WG.  For ChaCha20/Poly1305 I
agree, but it is a simple add-in for any protocol that supports AEAD
constructs.

> Is it safe to use SHA-1 in signatures? Regardless of what you think the answer is, it is the same in TLS and PGP and IKE and SSH and PKIX.
>
> I think the best thing with such algorithms is to have guidance documents from either CFRG or Security AD-sponsored, and then have the separate protocol documents be little more than code point allocations.

I agree.  What do you see a putative WG doing then?  Code point
allocation discussion typically happens in each protocol WG, if there is
any.  For Secure Shell and PKIX where there aren't active WGs, I suppose
Security AD-sponsored would work.

Saying that you MUST NOT rely on SHA1 to provide collision resistance is
an obvious document to publish (isn't there one already?), but I'm not
sure it needs a WG around it.

/Simon


--=-vCq36tUWAdurqQYTK6dc--


From nobody Wed Nov  4 16:15:16 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 376FD1ACC8A for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 16:15:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQvWOcwsMpHy for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 16:15:12 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E3C81ACD82 for <secdir@ietf.org>; Wed,  4 Nov 2015 16:15:12 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id tA50F88Q019097 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <secdir@ietf.org>; Thu, 5 Nov 2015 02:15:08 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id tA50F8Mv018947; Thu, 5 Nov 2015 02:15:08 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22074.40844.285958.400733@fireball.acr.fi>
Date: Thu, 5 Nov 2015 02:15:08 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: secdir@ietf.org
X-Edit-Time: 0 min
X-Total-Time: 0 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/og82B2P324hYlqFb4wB6Vo_egTE>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 00:15:15 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Shaun Cooley is next in the rotation.

For telechat 2015-11-19

Reviewer                 LC end     Draft
Eric Osterweil         T 2015-10-20 draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Tom Yu                 T 2015-11-16 draft-ietf-isis-sbfd-discriminator-02


For telechat 2015-12-03

Dacheng Zhang          T 2015-11-23 draft-ietf-manet-olsrv2-dat-metric-08

Last calls and special requests:

Derek Atkins             2015-11-15 draft-ietf-softwire-dslite-mib-11
John Bradley             2015-11-15 draft-ietf-softwire-mesh-mib-11
Donald Eastlake          2015-09-11 draft-ietf-dane-openpgpkey-05
Daniel Kahn Gillmor    E None       draft-ietf-rtcweb-security-08
Chris Inacio             2015-10-02 draft-ietf-lwig-ikev2-minimal-04
Warren Kumari            2015-10-26 draft-ietf-ipfix-mib-variable-export-09
Alexey Melnikov          2015-10-27 draft-mglt-ipsecme-clone-ike-sa-06
Tina TSOU                2015-11-02 draft-ietf-pcp-third-party-id-option-04
Carl Wallace             2015-11-09 draft-ietf-ccamp-flexible-grid-rsvp-te-ext-03
Brian Weis             E None       draft-ietf-cdni-uri-signing-05
Klaas Wierenga           2015-11-09 draft-ietf-pce-pcep-domain-sequence-09
Paul Wouters             2015-11-17 draft-ietf-straw-b2bua-dtls-srtp-08
Frank Xialiang           2015-11-09 draft-ietf-teas-rsvp-te-domain-subobjects-03
-- 
kivinen@iki.fi


From nobody Wed Nov  4 17:55:13 2015
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E62831B369E for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 17:55:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level: 
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NSBvbu_YQbL2 for <secdir@ietfa.amsl.com>; Wed,  4 Nov 2015 17:55:01 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87D2E1B3687 for <secdir@ietf.org>; Wed,  4 Nov 2015 17:54:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 39733BDF9; Thu,  5 Nov 2015 01:54:57 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LJ_6FWlQhgbe; Thu,  5 Nov 2015 01:54:55 +0000 (GMT)
Received: from [133.93.24.87] (unknown [133.93.24.87]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 15B1DBDCF; Thu,  5 Nov 2015 01:54:53 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1446688495; bh=crot30ZDFO/7tRyhOee2M5baPor7Opi1ugr9etAnv/A=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=tlnm771mHHWEy9a+X+EpaaB1/g08Pvdci5urJxs/h0To+QRud5Q7Dd3303pfPk8Sr vfx9jv70CD9P8wK/o1jrk5tt0tpIhGFMZnoT6JAAvVlZsaaXKutb2mNO0oZgiXtF1U UkwxbtHql5JPWMHLbXS6QHc65NDEcBXod4Iqqyx8=
To: Simon Josefsson <simon@josefsson.org>, Yoav Nir <ynir.ietf@gmail.com>
References: <56383A36.3020200@cs.tcd.ie> <20151103095611.33a536b9@latte.josefsson.org> <5113E79E-D8DA-4B19-A730-2EDC58FCE41A@gmail.com> <1446634943.26563.23.camel@josefsson.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <563AB6E4.4040705@cs.tcd.ie>
Date: Thu, 5 Nov 2015 01:54:44 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <1446634943.26563.23.camel@josefsson.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TvShmszyduQlhCNpQ4yW2IANUX8>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] a few new algs and a bunch of deprecation
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 01:55:07 -0000

Can we move the discussion to saag?
Thanks,
S.

On 04/11/15 11:02, Simon Josefsson wrote:
> On Tue 2015-11-03 at 21:48 +0900, Yoav Nir wrote:
>>> On 3 Nov 2015, at 5:56 PM, Simon Josefsson <simon@josefsson.org> wrote:
>>>
>>> I'm following Curve25519/Ed25519 use in IETF protocols and am
>>> interested in helping that effort.  It seems the intersection between
>>> this putative WG and existing WGs needs to be carefully explained
>>> though, it isn't clear to me how it could be done.  Isn't deprecating
>>> crypto parts of a protocol up to each protocol community to think
>>> about?  We've seen with TLS, OpenPGP, Secure Shell and PKIX that
>>> adding Curve25519/Ed25519 is highly protocol specific and requires
>>> domain knowledge.
>>
>> My take on this is the exact opposite. We’ve added ChaCha20/Poly1305 to SSH and TLS and IPsec. Same algorithm in all three (yes, I know SSH uses the old construction).
>>
>> We’re adding Curve25519/Ed25519 to SSH and TLS and IKE and PGP and PKIX. Same algorithm for all of them.
> 
> Curve25519/Ed25519 will be published through CFRG so the algorithm
> description is covered there -- but the integration into each protocol
> proved to contain protocol-specific differences and considerations.  I'm
> concerned that a separate WG will get such details wrong, or will have
> confusing overlap with any established WG.  For ChaCha20/Poly1305 I
> agree, but it is a simple add-in for any protocol that supports AEAD
> constructs.
> 
>> Is it safe to use SHA-1 in signatures? Regardless of what you think the answer is, it is the same in TLS and PGP and IKE and SSH and PKIX.
>>
>> I think the best thing with such algorithms is to have guidance documents from either CFRG or Security AD-sponsored, and then have the separate protocol documents be little more than code point allocations.
> 
> I agree.  What do you see a putative WG doing then?  Code point
> allocation discussion typically happens in each protocol WG, if there is
> any.  For Secure Shell and PKIX where there aren't active WGs, I suppose
> Security AD-sponsored would work.
> 
> Saying that you MUST NOT rely on SHA1 to provide collision resistance is
> an obvious document to publish (isn't there one already?), but I'm not
> sure it needs a WG around it.
> 
> /Simon
> 


From nobody Sun Nov  8 23:10:54 2015
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0DD1A8724; Sun,  8 Nov 2015 23:10:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g2w_Pu2vRIMz; Sun,  8 Nov 2015 23:10:48 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1F261A87A0; Sun,  8 Nov 2015 23:10:46 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CDV46875; Mon, 09 Nov 2015 07:10:44 +0000 (GMT)
Received: from SZXEMA412-HUB.china.huawei.com (10.82.72.71) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 9 Nov 2015 07:10:42 +0000
Received: from SZXEMA502-MBS.china.huawei.com ([169.254.4.77]) by SZXEMA412-HUB.china.huawei.com ([10.82.72.71]) with mapi id 14.03.0235.001; Mon, 9 Nov 2015 15:10:39 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: "draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org" <draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
Thread-Index: AdEavbx10LBa4DqQRhy7hQBNRVDkOw==
Date: Mon, 9 Nov 2015 07:10:39 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.135.43.91]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12AE924D3SZXEMA502MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.564046F4.0112, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.4.77, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 1f110b538856a6688cc43cbc74a2d0c0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/EL4Wg2tYU0OYQZMNKgGtNXVOgjc>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2015 07:10:52 -0000

--_000_C02846B1344F344EB4FAA6FA7AF481F12AE924D3SZXEMA502MBSchi_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello,

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This experimental ID specifies new subobjects for RSVP-TE and GMPLS
extensions to RSVP-TE to include or exclude 4-Byte Autonomous System (AS)
and Interior Gateway Protocol (IGP) area during path setup.

The document appears in reasonably good shape.
Based on good existing security work on RSVP-TE and GMPLS, such as
[RFC3209], [RFC3473], [RFC4874] and [RFC5920], and since it only introduces
some new subobjects for LSP path setup using the same process as before,
this document does not introduce new risks in theory.
There are still several open issues (TBDs) in the document that need to be
completed before publication.

Below are a series of my own comments and questions for your consideration.

Comment:
One side effect of the misbehavior of a trusted LSR that I would suggest you
consider:
If the LSR includes the newly defined subobjects with the right AS-ID/IGP
area ID but still uses the already existing Types, the legacy nodes will
process its content wrongly, and vice versa. In this condition, length
field checking is sometimes useful, although not always.

Question:
For the inter-domain scenarios, is it possible that there are no
authentication and data protection mechanisms between the two boundary
nodes? Furthermore, if the connection between these two nodes is not
hop-by-hop, how can data integrity and mutual trust be guaranteed?

Editorial changes:
Section 6: the first sentence "Security considerations for MPLS-TE and GMPLS
signaling are covered in [RFC3209] and [RFC3473]." uses phrases like
"MPLS-TE" and "GMPLS signaling" that are not very accurate; I suggest
changing it to "Security considerations for RSVP-TE and GMPLS signaling
RSVP-TE extensions are covered in [RFC3209] and [RFC3473]."

Thank you.

B.R.
Frank



--_000_C02846B1344F344EB4FAA6FA7AF481F12AE924D3SZXEMA502MBSchi_--
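
The review comment above, on length field checking catching a mislabelled subobject only some of the time, as an added example that is not part of the review or of the reviewed draft. Assumptions: the draft's 4-byte AS subobject is taken to be 8 octets (header, 2 reserved octets, 4-octet AS number), its type code 0x7D is a placeholder because the real value is TBD, and the sample AS number is constructed; the two legacy types are those of RFC 3209.

```python
import struct
from ipaddress import IPv4Address

# RFC 3209 ERO subobject types and their fixed total lengths in octets.
TYPE_IPV4_PREFIX = 1    # L|Type, Length=8, IPv4 address, prefix length, reserved
TYPE_AS_2BYTE = 32      # L|Type, Length=4, 2-octet AS number
# Placeholder code point (assumption): the draft's real value is still TBD.
TYPE_AS_4BYTE = 0x7D
# Assumed layout of the new subobject: Length=8, 2 reserved octets, 4-octet AS.
EXPECTED_LEN = {TYPE_IPV4_PREFIX: 8, TYPE_AS_2BYTE: 4, TYPE_AS_4BYTE: 8}

# Constructed sample AS number whose octets also read as a plausible prefix.
SAMPLE_ASN = 0xC6331800


class SubobjectError(ValueError):
    """Raised when a subobject fails a structural check."""


def encode(subtype, body, loose=False):
    """Build one subobject: L bit + 7-bit type, total length, then the body."""
    first = (0x80 if loose else 0) | (subtype & 0x7F)
    return bytes([first, 2 + len(body)]) + body


def as4_body(asn):
    """Body of the assumed 4-byte AS subobject: 2 reserved octets + AS number."""
    return struct.pack(">HI", 0, asn)


def decode_body(subtype, body):
    """Interpret a body strictly according to the Type that labels it."""
    if subtype == TYPE_IPV4_PREFIX:
        addr, plen, _resvd = struct.unpack(">4sBB", body)
        if plen > 32:
            raise SubobjectError(f"IPv4 prefix length {plen} out of range")
        return f"{IPv4Address(addr)}/{plen}"
    if subtype == TYPE_AS_2BYTE:
        return struct.unpack(">H", body)[0]
    _resvd, asn = struct.unpack(">HI", body)
    return asn


def parse_ero(data):
    """Walk a subobject list, enforcing the per-type length before decoding."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise SubobjectError("truncated subobject header")
        subtype, length = data[off] & 0x7F, data[off + 1]
        # RFC 3209: Length is at least 4 and a multiple of 4.
        if length < 4 or length % 4 or off + length > len(data):
            raise SubobjectError(f"bad length {length} at offset {off}")
        if subtype not in EXPECTED_LEN:
            raise SubobjectError(f"unrecognized subobject type {subtype}")
        if length != EXPECTED_LEN[subtype]:
            raise SubobjectError(
                f"type {subtype} must be {EXPECTED_LEN[subtype]} octets, got {length}")
        out.append((subtype, decode_body(subtype, data[off + 2:off + length])))
        off += length
    return out


def verdict(wire):
    """Return the parsed list, or a 'rejected: ...' string on a failed check."""
    try:
        return parse_ero(wire)
    except SubobjectError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    body = as4_body(SAMPLE_ASN)
    # Correctly labelled new subobject.
    print(verdict(encode(TYPE_AS_4BYTE, body)))
    # New content under the legacy AS type: lengths differ, the check catches it.
    print(verdict(encode(TYPE_AS_2BYTE, body)))
    # New content under the legacy IPv4 prefix type: lengths coincide, so the
    # length check passes and the AS number is silently read as a prefix.
    print(verdict(encode(TYPE_IPV4_PREFIX, body)))
    # Vice versa: legacy 2-octet AS content under the new type is caught.
    print(verdict(encode(TYPE_AS_4BYTE, struct.pack(">H", 64512))))
```

Where two types share a length, only semantic validation of the decoded fields or integrity protection of the signaling message can flag the mismatch.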


From nobody Mon Nov  9 07:40:56 2015
Return-Path: <kwiereng@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12AF01B2E2D; Mon,  9 Nov 2015 07:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level: 
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vgTeqhvxuDf7; Mon,  9 Nov 2015 07:40:53 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52F211B2D84; Mon,  9 Nov 2015 07:40:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2756; q=dns/txt; s=iport; t=1447083653; x=1448293253; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=zAYK1jcvooQ1vGSgF4z4/qiVDzmk7KBdGYVWtAOZ1Ug=; b=jDgPTonouJYhTISaJhqxVLL7Cx/KzH2fYxPs4I6xOQke3fmHZ8fRSJZ4 Km0olnkmhGHLkTn3JlYngZ1EDR7YVtxCNb+/YSOOigMNFYJlXx5rzUdjl SnMSeApzAujd7dVkmF6FbJmUHC2LOXD6Pd6H6+2Me2xg1gIhEtLH/mwT0 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AJAgAzvUBW/4MNJK1VCYM7gUi+NwENg?= =?us-ascii?q?WGGLoEjOBQBAQEBAQEBgQqEPCMROB8BIgImAgQwFRIEAYhAsBuQOgEBAQEBAQE?= =?us-ascii?q?BAgEBAQEBHoEBhVOCEIJuhDGDRC+BFQWWSAGNJpxEAR8BAUKEBIVRgQcBAQE?=
X-IronPort-AV: E=Sophos;i="5.20,266,1444694400"; d="scan'208";a="43344392"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-8.cisco.com with ESMTP; 09 Nov 2015 15:40:52 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id tA9FeqU7014372 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 9 Nov 2015 15:40:52 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 9 Nov 2015 09:40:51 -0600
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1104.000; Mon, 9 Nov 2015 09:40:52 -0600
From: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pce-pcep-domain-sequence.all@ietf.org" <draft-ietf-pce-pcep-domain-sequence.all@ietf.org>
Thread-Topic: review of draft-ietf-pce-pcep-domain-sequence-09
Thread-Index: AQHRGwUD9OAYpOIf9kWtChw4jaJrVg==
Date: Mon, 9 Nov 2015 15:40:52 +0000
Message-ID: <0424E22D-879D-4F05-B474-DE421FF1FADB@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.160.241]
Content-Type: text/plain; charset="utf-8"
Content-ID: <75F4D9188A24B64C889B2B44B5655B8E@emea.cisco.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Eqw3RLdHlpTIr1dbGe9KGl267-4>
Subject: [secdir] review of draft-ietf-pce-pcep-domain-sequence-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2015 15:40:55 -0000

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I consider the document “ready with issues”, see below for detailed comments:

* 4.1 Inter-Area Path Computation

you write: "This could be represented in the IRO as:” and then a number of diagrams. It is unclear to me whether those different option are functionally equivalent. The text suggests so to me, but that doesn’t seem to make sense….. (or I completely misunderstand the text)

To me it seems that the three sequences you give are all possible sequences for the given topology not equivalent, I think the text needs some clarification in that case.

The same goes for 4.2, 4.3 etc.


* 4.5 P2MP

I am guessing that the tree you show is the result of the three paths you give before, but some explanation would be good.

7 security considerations

I think these are a bit weak. Especially compared to what RFC5440 provides. I consider an attacker gaining fine grained control over the network path a very serious risk. The flippant comment about “routing around trouble” doesn’t really do it for me. I would encourage you to take a good look at the security considerations in 5440 and assess how those considerations change given the finer grained control you provide. Some or even most may remain the same, and it is fine to say so, but I can imagine that some risks are higher because of the fine-grained control, and you seem to suggest so too given the “the security techniques in rfc5440 are considered more important”. So I really think this draft would benefit from a better security considerations section.

Hope this helps,

Klaas

--
Klaas Wierenga
Identity Architect
Cisco Cloud Services


From nobody Tue Nov 10 04:12:18 2015
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 182F81A90AB; Tue, 10 Nov 2015 04:12:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level: 
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUZCMRdj2tqG; Tue, 10 Nov 2015 04:12:16 -0800 (PST)
Received: from statler.isode.com (statler.isode.com [217.34.220.151]) by ietfa.amsl.com (Postfix) with ESMTP id 6D2631A901E; Tue, 10 Nov 2015 04:12:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1447156888; d=isode.com; s=selector; i=@isode.com; bh=d9Ldw3UDvLfTFKWZO2IuosRnq9WDPpQ+9YtRFHH+1z0=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=Ih4+IYlAjVL/pbP8P7s4WIBTJTJXUPq3V6+y20y/Uil0mULp+m4xX5ZFWOUKFilP079nY3 y41BQjlXkqm29W1hIaeLE3+W5EEGE286vnoghbhH8Q1vV2Yo79DlN5IOMNzsHSkPy7StLI tx4BhslPL8asb0vCzjppTIHJAaWrzug=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by statler.isode.com (submission channel) via TCP with ESMTPSA  id <VkHclwAlTih=@statler.isode.com>; Tue, 10 Nov 2015 12:01:28 +0000
Message-ID: <5641DC96.3060801@isode.com>
Date: Tue, 10 Nov 2015 12:01:26 +0000
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
To: draft-mglt-ipsecme-clone-ike-sa.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Or5RNY-IMPbODdhEZF5T_uBs_zE>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] Review of draft-mglt-ipsecme-clone-ike-sa-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 12:12:17 -0000

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
  These comments were written primarily for the benefit of the security 
area directors.  Document editors and WG chairs should treat these 
comments just like any other last call comments.

Summary: This document is ready for Proposed Standard.

This is a well written document with detailed Security Considerations 
and I couldn't think of anything that is missing.


From nobody Tue Nov 10 20:14:43 2015
Return-Path: <Tina.Tsou.Zouting@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 389231B47D3; Tue, 10 Nov 2015 20:14:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.61
X-Spam-Level: 
X-Spam-Status: No, score=-3.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fP5y_pA1mcjH; Tue, 10 Nov 2015 20:14:37 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 893481B47CF; Tue, 10 Nov 2015 20:14:36 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CAE28694; Wed, 11 Nov 2015 04:14:34 +0000 (GMT)
Received: from SZXEML429-HUB.china.huawei.com (10.82.67.184) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 11 Nov 2015 04:14:34 +0000
Received: from szxeml557-mbs.china.huawei.com ([169.254.6.227]) by SZXEML429-HUB.china.huawei.com ([10.82.67.184]) with mapi id 14.03.0235.001; Wed, 11 Nov 2015 12:14:03 +0800
From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
Thread-Topic: Secdir Review of draft-ietf-pcp-third-party-id-option-04
Thread-Index: AdEcN2Zzfw6PDcwVTluSTfgPI5/0vw==
Date: Wed, 11 Nov 2015 04:14:03 +0000
Message-ID: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.66.87.91]
Content-Type: multipart/alternative; boundary="_000_C0E0A32284495243BDE0AC8A066631A818F2C586szxeml557mbschi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.5642C0AA.00F9, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.6.227, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 684fa502a8131d3a1b5552d9e1301a5e
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/NklyZn_e_XytkpZZxBDk9iX3GHA>
Subject: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 04:14:40 -0000

--_000_C0E0A32284495243BDE0AC8A066631A818F2C586szxeml557mbschi_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear all,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.


** Technical **

* Section 7, page 11:

I think you should make comments regarding the (privacy) implications of
employing identifiers such as MAC addresses when essentially any other
value -- e.g. a long-enough random number would do.

Besides, you should comment on how the ID can be somehow validated, and
what could happen if a client were able to predict the ID employed by
other clients.


** Editorial **

* Section 1, page 2:

>    The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
>    control how packets are translated and forwarded by a PCP-controlled
>    device such as a network address translator (NAT) or firewall.

Please replace "and" with "and/or", since a firewall will not translate
packets.

* Section 1, page 2:

>    This document focuses on the scenarios where the PCP client sends
>    requests that concern internal addresses other than the address of
>    the PCP client itself.

s/the scenarios/scenarios/

(since at least at this point in the text you have not yet mentioned
what those scenarios are about)

* Section 1, page 2:

>    There is already an option defined for this purpose in the RFC 6887
>    [RFC6887] called the THIRD_PARTY option.

Please rephrase as:

"There is already an option defined for this purpose in [RFC6887],
called the THIRD_PARTY option."

* Section 1, page 3:

> CGN deployments

Please expand the acronym on first usage.

* Section 1, page 3:

>    This applies to some of the PCP deployment scenarios that are listed
>    in Section 2.1 of RFC 6887 [RFC6887],

Just remove "RFC 6887" (the rfc number is already included by the ref).

* Section 1, page 3:

>    in particular to a Layer-2
>    aware NAT which is described in more detail in Section 3, or GI-DS-
>    Lite [RFC6674] and ds-extra-lite [RFC6619].

You refer to RFC6619 as "ds-extra-lite", but such RFC does not even
include that term. Thoughts?

* Section 3, page 4:

>   The scenarios serve as examples.  This document does not restrict the
>    applicability of the THIRD_PARTY_ID to certain scenarios.

Please replace "THIRD_PARTY_ID" with "THIRD_PARTY_ID option" (here, and
in other places)

* Section 3, page 4:

> The THIRD_PARTY_ID
>    can also be used for the firewall control

Please remove the "the".

* Section 3.2, page 7:

> tunnel ID of tunnel(BRAS, CGN)

(two instances of this). Please rephrase as "ID of the tunnel (BRAS, CGN)".

* Section 4, page 9:

Why use "TBD" and "TBD-1" if there's a single value to be assigned?

* Section 4, page 9:

> are to be set As

s/As/as/


Thank you,
Tina


--_000_C0E0A32284495243BDE0AC8A066631A818F2C586szxeml557mbschi_--


From nobody Thu Nov 12 06:46:26 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB75A1B2F92 for <secdir@ietfa.amsl.com>; Thu, 12 Nov 2015 06:46:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iq4lpROtsj7E for <secdir@ietfa.amsl.com>; Thu, 12 Nov 2015 06:46:23 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6F561B2F8A for <secdir@ietf.org>; Thu, 12 Nov 2015 06:46:22 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id tACEkIoj018939 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <secdir@ietf.org>; Thu, 12 Nov 2015 16:46:18 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id tACEkIsi020524; Thu, 12 Nov 2015 16:46:18 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22084.42554.908836.921307@fireball.acr.fi>
Date: Thu, 12 Nov 2015 16:46:18 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: secdir@ietf.org
X-Edit-Time: 0 min
X-Total-Time: 0 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/_ra6TaDdjleJi9RmZBUptxQV2s0>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2015 14:46:25 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Olafur Gudmundsson is next in the rotation.

For telechat 2015-11-19

Reviewer                 LC end     Draft
Warren Kumari          T 2015-10-26 draft-ietf-ipfix-mib-variable-export-09
Eric Osterweil         T 2015-10-20 draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Carl Wallace           T 2015-11-09 draft-ietf-ccamp-flexible-grid-rsvp-te-ext-03
Tom Yu                 T 2015-11-16 draft-ietf-isis-sbfd-discriminator-02


For telechat 2015-12-03

Donald Eastlake        T 2015-11-24 draft-ietf-bess-virtual-subnet-05
Dacheng Zhang          T 2015-11-23 draft-ietf-manet-olsrv2-dat-metric-08

Last calls and special requests:

Derek Atkins             2015-11-15 draft-ietf-softwire-dslite-mib-11
John Bradley             2015-11-15 draft-ietf-softwire-mesh-mib-11
Shaun Cooley             2015-11-24 draft-ietf-avtcore-rtp-multi-stream-09
Dave Cridland            2015-11-23 draft-ietf-dnsop-rfc6598-rfc6303-05
Alan DeKok               2015-11-24 draft-ietf-avtcore-rtp-multi-stream-optimisation-08
Donald Eastlake          2015-09-11 draft-ietf-dane-openpgpkey-05
Shawn Emery              2015-11-23 draft-ietf-dnsop-qname-minimisation-07
Daniel Kahn Gillmor    E None       draft-ietf-rtcweb-security-08
Daniel Kahn Gillmor      2015-11-24 draft-ietf-l2vpn-vpls-pe-etree-10
Chris Inacio             2015-10-02 draft-ietf-lwig-ikev2-minimal-04
Brian Weis             E None       draft-ietf-cdni-uri-signing-05
Paul Wouters             2015-11-17 draft-ietf-straw-b2bua-dtls-srtp-08
-- 
kivinen@iki.fi


From nobody Fri Nov 13 00:39:55 2015
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D97C1A1B8F; Fri, 13 Nov 2015 00:39:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level: 
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Pbeu2EDqIQQ; Fri, 13 Nov 2015 00:39:48 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B03D1A1B84; Fri, 13 Nov 2015 00:39:47 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CAG87352; Fri, 13 Nov 2015 08:39:43 +0000 (GMT)
Received: from SZXEMA412-HUB.china.huawei.com (10.82.72.71) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 13 Nov 2015 08:39:40 +0000
Received: from SZXEMA502-MBS.china.huawei.com ([169.254.4.77]) by SZXEMA412-HUB.china.huawei.com ([10.82.72.71]) with mapi id 14.03.0235.001; Fri, 13 Nov 2015 16:39:14 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: Dhruv Dhody <dhruv.ietf@gmail.com>
Thread-Topic: secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
Thread-Index: AdEavbx10LBa4DqQRhy7hQBNRVDkOwC1fOAAABZnt5A=
Date: Fri, 13 Nov 2015 08:39:14 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12AE93493@SZXEMA502-MBS.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com> <CAB75xn7BfBGMK4e-ST4xiqHT=7csUofu4L-WPC555i_itDhouA@mail.gmail.com>
In-Reply-To: <CAB75xn7BfBGMK4e-ST4xiqHT=7csUofu4L-WPC555i_itDhouA@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.135.43.91]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12AE93493SZXEMA502MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090204.5645A1D0.00F8, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.4.77, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 41b99925240016efdc388af77c1e4041
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/uVmHBuWum-WqrJx6g_1D4C4z9V4>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org" <draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org>, "teas-chairs@ietf.org" <teas-chairs@ietf.org>, Dhruv Dhody <dhruv.dhody@huawei.com>, "pce-chairs@tools.ietf.org" <pce-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: [secdir] =?utf-8?b?562U5aSNOiBzZWNkaXIgcmV2aWV3IG9mIGRyYWZ0LWll?= =?utf-8?q?tf-teas-rsvp-te-domain-subobjects-03?=
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 08:39:51 -0000

--_000_C02846B1344F344EB4FAA6FA7AF481F12AE93493SZXEMA502MBSchi_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_C02846B1344F344EB4FAA6FA7AF481F12AE93493SZXEMA502MBSchi_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_C02846B1344F344EB4FAA6FA7AF481F12AE93493SZXEMA502MBSchi_--


From nobody Fri Nov 13 01:28:38 2015
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59F701A86EC; Fri, 13 Nov 2015 01:28:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.91
X-Spam-Level: 
X-Spam-Status: No, score=-3.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VYRLQtGzcSJR; Fri, 13 Nov 2015 01:28:35 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96E791A86EB; Fri, 13 Nov 2015 01:28:33 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CAG93144; Fri, 13 Nov 2015 09:28:31 +0000 (GMT)
Received: from SZXEMA413-HUB.china.huawei.com (10.82.72.72) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 13 Nov 2015 09:28:29 +0000
Received: from SZXEMA502-MBS.china.huawei.com ([169.254.4.77]) by SZXEMA413-HUB.china.huawei.com ([10.82.72.72]) with mapi id 14.03.0235.001; Fri, 13 Nov 2015 17:28:18 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: Dhruv Dhody <dhruv.dhody@huawei.com>, Dhruv Dhody <dhruv.ietf@gmail.com>
Thread-Topic: secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
Thread-Index: AdEavbx10LBa4DqQRhy7hQBNRVDkOwC1fOAAABZnt5D//4lagP//eTFw
Date: Fri, 13 Nov 2015 09:28:18 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12AE934C6@SZXEMA502-MBS.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com> <CAB75xn7BfBGMK4e-ST4xiqHT=7csUofu4L-WPC555i_itDhouA@mail.gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12AE93493@SZXEMA502-MBS.china.huawei.com> <23CE718903A838468A8B325B80962F9B8C445C86@BLREML509-MBX.china.huawei.com>
In-Reply-To: <23CE718903A838468A8B325B80962F9B8C445C86@BLREML509-MBX.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.135.43.91]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12AE934C6SZXEMA502MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090202.5645AD3F.016B, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.4.77, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 41b99925240016efdc388af77c1e4041
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/w1LXq3YQq8OHmyXREYS6GkfEqNU>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org" <draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org>, "teas-chairs@ietf.org" <teas-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "pce-chairs@tools.ietf.org" <pce-chairs@tools.ietf.org>
Subject: [secdir] =?utf-8?b?562U5aSNOiBzZWNkaXIgcmV2aWV3IG9mIGRyYWZ0LWll?= =?utf-8?q?tf-teas-rsvp-te-domain-subobjects-03?=
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 09:28:37 -0000

--_000_C02846B1344F344EB4FAA6FA7AF481F12AE934C6SZXEMA502MBSchi_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_C02846B1344F344EB4FAA6FA7AF481F12AE934C6SZXEMA502MBSchi_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_C02846B1344F344EB4FAA6FA7AF481F12AE934C6SZXEMA502MBSchi_--


From nobody Fri Nov 13 02:25:28 2015
Return-Path: <dhruv.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 655211B406F; Thu, 12 Nov 2015 21:47:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V3ymhQtqMuY4; Thu, 12 Nov 2015 21:47:13 -0800 (PST)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CC2A1B4068; Thu, 12 Nov 2015 21:47:13 -0800 (PST)
Received: by igbxm8 with SMTP id xm8so8581230igb.1; Thu, 12 Nov 2015 21:47:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=oVTXJfWgmM8WkIDXX/+yAtFV1SRdIFJy0/7Ixvn+r7M=; b=hiJNgEs5IbzDGCByyiGCIlqEarO+GEKyqimqwPGj8mptp5+DJ/Di/YsPaxZEwYKZPO aTU7b0OVmovl2kQres6JNcE6ARTHOWVe0+2I5I4C4jl8IkFzGjNrpG7ADhrYhqcOBKTv vdwWxe+kKrSmayfe5ONlQFu/JDsP+GXtKrmnxDSBcY9ZcVG+gUOarxYM0W4V/nWUqvX2 k0cG0PnJY2nM4dfV5PAsbPOkwvnWNRB79i57db1cnY2OLophLaCi2UreZX21m3JBWsD/ cOq3OYkG1hI83L8FreZNN7ZoBSLS9FHPBwRg7BElqK2Ex0jVZPZXqXcu6TCEsnjBKc/I ZpiA==
MIME-Version: 1.0
X-Received: by 10.50.107.104 with SMTP id hb8mr1453915igb.1.1447393632242; Thu, 12 Nov 2015 21:47:12 -0800 (PST)
Sender: dhruvdhody@gmail.com
X-Google-Sender-Delegation: dhruvdhody@gmail.com
Received: by 10.50.138.129 with HTTP; Thu, 12 Nov 2015 21:47:12 -0800 (PST)
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com>
Date: Fri, 13 Nov 2015 11:17:12 +0530
X-Google-Sender-Auth: HiWd1H2Fcz5TylA0BB4-MdXLZuw
Message-ID: <CAB75xn7BfBGMK4e-ST4xiqHT=7csUofu4L-WPC555i_itDhouA@mail.gmail.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>
Content-Type: multipart/alternative; boundary=047d7b10ca474cd5780524659744
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/wbPUtWUUIGQAPOwypO3Q8e-JWGY>
X-Mailman-Approved-At: Fri, 13 Nov 2015 02:25:27 -0800
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org" <draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org>, "teas-chairs@ietf.org" <teas-chairs@ietf.org>, "dhruv.dhody@huawei.com" <dhruv.dhody@huawei.com>, "pce-chairs@tools.ietf.org" <pce-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 05:47:15 -0000

--047d7b10ca474cd5780524659744
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Frank,

Thank you for your review and sorry for the delay in the reply [ Diwali
festivities in these neck of woods :) ]
Please see inline...

On Mon, Nov 9, 2015 at 12:40 PM, Xialiang (Frank) <frank.xialiang@huawei.com>
wrote:

> Hello,
>
>
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
>
>
> This experimental ID specifies new subobjects for RSVP-TE and GMPLS
> extensions to RSVP-TE to include or exclude 4-Byte Autonomous System (AS)
> and Interior Gateway Protocol (IGP) area during path setup.
>
>
>
> The document appears in reasonably good shape.
>
> Based on good existing security works on the RSVP-TE and GMPLS, such as
> [RFC3209], [RFC3473], [RFC4874] and [RFC5920], as well as only introducing
> some new subobjects for LSP path setup using the same process as before,
> this document does not introduce new risks in theory.
>
> There are still several open issues (TBDs) in the document that need to be
> completed before publication.
>
>
>
> Below a series of my own comments, questions for your consideration.
>
>
>
> Comment:
>
> One side effect from the misbehaviors of trusted LSR I would suggest you
> to consider:
>
> If the LSR includes the newly defined subobjects with right AS-ID/IGP area
> id but still using the already existing Types, the legacy nodes will process
> its content wrongly, and vice versa. In this condition, the length field
> checking is sometimes useful although not always;
>

[Dhruv]: The already existing types are -
http://www.iana.org/assignments/rsvp-parameters/rsvp-parameters.xhtml#rsvp-parameters-25
- There is no way to include IGP area with existing types
- There exists a 2-Byte AS number type; RFC3209 says the length of the
sub-object is fixed to 4 when Type is AS (32), and this draft says the length
is fixed to 8 for the new subobject type for 4-Byte AS number. The fixed
length takes care of it? Do you see a need to add any other text?



>
>
> Question:
>
> For the inter-domain scenarios, is it possible that there are no
> authentication and data protection mechanisms between the two boundary
> nodes? Furthermore, if the connection between these two nodes is not
> hop-by-hop, how to guarantee the data integrity and mutual trust?
>

[Dhruv]: This analysis is done at
https://tools.ietf.org/html/rfc5920#section-8
Chairs, would you like to add anything else?



>
>
> Editorial changes:
>
> Section 6: the first sentence “*Security considerations for MPLS-TE and
> GMPLS signaling are covered in [RFC3209] and [RFC3473].*”, using the
> phrases like “MPLS-TE” and “GMPLS signaling” is not very accurate,
> suggesting to change to “*Security considerations for RSVP-TE and GMPLS
> signaling RSVP-TE extensions are covered in [RFC3209] and [RFC3473].*”
>

[Dhruv]: Ack.

Thank you for your review and comments.

Regards,
Dhruv



>
>
> Thank you.
>
>
>
> B.R.
>
> Frank
>
>
>

--047d7b10ca474cd5780524659744--
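
The fixed-length check discussed in the first comment of the message above, sketched as an added example (not code from the thread, the draft, or any implementation). Type 32 with length 4 comes from the thread; the 4-byte AS type value `0x7E` is a placeholder because the thread gives no code point, the 4-byte layout (16 reserved bits, then a 32-bit AS number) is an assumption, and the sample buffers and AS numbers are constructed.

```python
import struct

TYPE_AS_2BYTE = 32    # RFC 3209 AS number subobject; length fixed at 4 (stated in the thread)
TYPE_AS_4BYTE = 0x7E  # PLACEHOLDER code point; the thread does not give the assigned value


class SubobjectError(ValueError):
    """Raised when a subobject fails structural validation."""


def _as2(body):
    return struct.unpack("!H", body)[0]


def _as4(body):
    # Assumed layout: 16 reserved bits followed by the 32-bit AS number.
    _reserved, asn = struct.unpack("!HI", body)
    return asn


# type -> (name, required total length in octets, body decoder)
FIXED_LENGTH = {
    TYPE_AS_2BYTE: ("as2", 4, _as2),
    TYPE_AS_4BYTE: ("as4", 8, _as4),
}
# What a node that predates the new subobject would recognise.
LEGACY_ONLY = {TYPE_AS_2BYTE: FIXED_LENGTH[TYPE_AS_2BYTE]}


def parse_subobjects(buf, known=FIXED_LENGTH):
    """Parse a run of subobjects, rejecting any type/length mismatch."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise SubobjectError(f"offset {off}: truncated header")
        loose = bool(buf[off] & 0x80)   # L bit
        typ = buf[off] & 0x7F           # 7-bit type
        length = buf[off + 1]           # total length, header included
        # RFC 3209: length is at least 4 and a multiple of 4.
        if length < 4 or length % 4:
            raise SubobjectError(f"offset {off}: invalid length {length}")
        if off + length > len(buf):
            raise SubobjectError(f"offset {off}: length {length} overruns buffer")
        if typ not in known:
            raise SubobjectError(f"offset {off}: unrecognized type {typ}")
        name, want, decode = known[typ]
        if length != want:
            raise SubobjectError(
                f"offset {off}: type {typ} requires length {want}, got {length}")
        out.append((name, loose, decode(buf[off + 2:off + length])))
        off += length
    return out


def check(buf, known=FIXED_LENGTH):
    """Return ("ok", subobjects) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", parse_subobjects(buf, known))
    except SubobjectError as exc:
        return ("rejected", str(exc))


# Constructed sample buffers (private-use AS numbers).
GOOD_2BYTE = bytes([TYPE_AS_2BYTE, 4]) + struct.pack("!H", 64512)
GOOD_4BYTE = bytes([TYPE_AS_4BYTE, 8]) + struct.pack("!HI", 0, 4200000000)
# 4-byte AS content sent under the legacy type: caught by the fixed length.
MISLABELLED = bytes([TYPE_AS_2BYTE, 8]) + struct.pack("!HI", 0, 4200000000)
# Only the low 16 bits sent under the legacy type: the length matches, so the
# check passes and the receiver sees a different AS number. This is the case
# where length checking alone does not help.
TRUNCATED_VALUE = bytes([TYPE_AS_2BYTE, 4]) + struct.pack("!H", 4200000000 & 0xFFFF)

if __name__ == "__main__":
    for label, buf, known in [
        ("valid 2-byte + 4-byte", GOOD_2BYTE + GOOD_4BYTE, FIXED_LENGTH),
        ("4-byte body under type 32", MISLABELLED, FIXED_LENGTH),
        ("new type at a legacy node", GOOD_4BYTE, LEGACY_ONLY),
        ("truncated value, matching length", TRUNCATED_VALUE, FIXED_LENGTH),
    ]:
        print(f"{label}: {check(buf, known)}")
```
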


From nobody Fri Nov 13 02:25:30 2015
Return-Path: <dhruv.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 501411A1BCC; Fri, 13 Nov 2015 00:53:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.598
X-Spam-Level: 
X-Spam-Status: No, score=-0.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gZNS9lk3TTpQ; Fri, 13 Nov 2015 00:53:02 -0800 (PST)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C55951A6F38; Fri, 13 Nov 2015 00:49:55 -0800 (PST)
Received: by iouu10 with SMTP id u10so83941768iou.0; Fri, 13 Nov 2015 00:49:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=0rddT2vp7S33TfWMqZOjwSDzqwOcWT5nzzURJ9iHg2Q=; b=i6MxqFNAAXqxIydgiCrQVN4oL3jluXMT66uDPBFophnKs+IFrT4h6siKmSDKuSV5rM ed1rt8/Ol6ShDvr5WOTPDZWTkpafBo4jobLtKNkKgM15NzhK8XGIgbbtTrPutpWS5PGA dmBJgaCfJTbCDdcHAG4Hdhp+YwX53yRpV3e4OKMv76sOGZElNKVyjhXtWaXI5iviuhjU 4Ru9fDCC5JopMTqJ/mBzwEWpqfRZfpTNL75wZks8swTWea2JWG75hIrDDWClS1nywndD aoWaL+r7JfKLzn55yqgOaJdRP679ZJuyiULdq6/Dk9nxckMIqiFdMqvzQ73izSGJYuAh +OrA==
MIME-Version: 1.0
X-Received: by 10.107.164.24 with SMTP id n24mr19547773ioe.21.1447404595046; Fri, 13 Nov 2015 00:49:55 -0800 (PST)
Sender: dhruvdhody@gmail.com
X-Google-Sender-Delegation: dhruvdhody@gmail.com
Received: by 10.50.138.129 with HTTP; Fri, 13 Nov 2015 00:49:54 -0800 (PST)
In-Reply-To: <0424E22D-879D-4F05-B474-DE421FF1FADB@cisco.com>
References: <0424E22D-879D-4F05-B474-DE421FF1FADB@cisco.com>
Date: Fri, 13 Nov 2015 14:19:54 +0530
X-Google-Sender-Auth: o0Gnu9hTUaU8Cnht7GnpwN4ixRk
Message-ID: <CAB75xn49w2se7QfcP6AwoHmxVM1m8sTbRDOjJLWCdaEbOxNUOA@mail.gmail.com>
From: Dhruv Dhody <dhruv.ietf@gmail.com>
To: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
Content-Type: multipart/mixed; boundary=001a1141bc5cbc27eb052468244f
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/L3t8TWX7H7ytX_0Y8K_ipBeFclw>
X-Mailman-Approved-At: Fri, 13 Nov 2015 02:25:27 -0800
Cc: "draft-ietf-pce-pcep-domain-sequence.all@ietf.org" <draft-ietf-pce-pcep-domain-sequence.all@ietf.org>, "dhruv.dhody@huawei.com" <dhruv.dhody@huawei.com>, "pce-chairs@tools.ietf.org" <pce-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-pce-pcep-domain-sequence-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 08:53:10 -0000

--001a1141bc5cbc27eb052468244f
Content-Type: multipart/alternative; boundary=001a1141bc5cbc27e4052468244d

--001a1141bc5cbc27e4052468244d
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Klaas,

Thank you for your review and sorry for the delay in the reply [ Diwali
festivities in these neck of woods :) ]
Please see inline...

On Mon, Nov 9, 2015 at 9:10 PM, Klaas Wierenga (kwiereng) <
kwiereng@cisco.com> wrote:

> Hi,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> I consider the document “ready with issues”, see below for detailed
> comments:
>
> * 4.1 Inter-Area Path Computation
>
> you write: "This could be represented in the IRO as:” and then a number of
> diagrams. It is unclear to me whether those different options are
> functionally equivalent. The text suggests so to me, but that doesn’t seem
> to make sense….. (or I completely misunderstand the text)
>
> To me it seems that the three sequences you give are all possible
> sequences for the given topology not equivalent, I think the text needs
> some clarification in that case.
>
> The same goes for 4.2, 4.3 etc.
>
>
[Dhruv]: They are equivalent in the sense that if the source is in Area 2,
destination in Area 4 and transit through Area 0, a PCC can encode the IRO
in any of these combinations to get the same result. I can add
clarification to make it clearer.



>
> * 4.5 P2MP
>
> I am guessing that the tree you show is the result of the three paths you
> give before, but some explanation would be good.
>
>
[Dhruv]: Ok, I can use the same example as
https://tools.ietf.org/html/rfc7334#section-7.2 and add some more text
here.



> 7 security considerations
>
> I think these are a bit weak. Especially compared to what RFC5440
> provides. I consider an attacker gaining fine grained control over the
> network path a very serious risk. The flippant comment about “routing
> around trouble” doesn’t really do it for me. I would encourage you to take
> a good look at the security considerations in 5440 and assess how those
> considerations change given the finer grained control you provide. Some or
> even most may remain the same, and it is fine to say so, but I can imagine
> that some risks are higher because of the fine-grained control, and you
> seem to suggest so too given the “the security techniques in rfc5440 are
> considered more important”. So I really think this draft would benefit from
> a better security considerations section.
>

[Dhruv]: Here is the updated text, let me know if you would like to see
any changes. Text would be extra helpful.

7.  Security Considerations

   The protocol extensions defined in this document do not substantially
   change the nature of PCEP.  Therefore, the security considerations
   set out in [RFC5440] apply unchanged.  Note that further security
   considerations for the use of PCEP over TCP are presented in
   [RFC6952].

   This document specifies a representation of Domain-Sequence and new
   subobjects, which could be used in inter-domain PCE scenarios as
   explained in [RFC5152], [RFC5441], [RFC6805], [RFC7334] etc.  The
   security considerations set out in each of these mechanisms remain
   unchanged by the new subobjects and Domain-Sequence representation in
   this document.

   But the new subobjects do allow finer and more specific control of
   the path computed by a cooperating PCE(s).  Such control increases
   the risk if a PCEP message is intercepted, modified, or spoofed
   because it allows the attacker to exert control over the path that
   the PCE will compute or to make the path computation impossible.
   Consequently, it is important that implementations conform to the
   relevant security requirements of [RFC5440].  These mechanisms
   include:

   o  Securing the PCEP session messages using TCP security techniques
      (Section 10.2 of [RFC5440]).  PCEP implementations SHOULD also
      consider the additional security provided by the TCP
      Authentication Option (TCP-AO) [RFC5925] or [PCEPS].

   o  Authenticating the PCEP messages to ensure the message is intact
      and sent from an authorized node (Section 10.3 of [RFC5440]).

   o  PCEP operates over TCP, so it is also important to secure the PCE
      and PCC against TCP denial-of-service attacks.  Section 10.7.1 of
      [RFC5440] outlines a number of mechanisms for minimizing the risk
      of TCP-based denial-of-service attacks against PCEs and PCCs.

   o  In inter-AS scenarios, attacks may be particularly significant
      with commercial as well as service-level implications.

   Note, however, that the Domain-Sequence mechanisms also provide the
   operator with the ability to route around vulnerable parts of the
   network and may be used to increase overall network security.

Thank you for your review.

The working copy diff is attached for reference (includes IANA, Gen-ART,
Sec-Dir reviews).

Regards,
Dhruv



>
> Hope this helps,
>
> Klaas
>
> --
> Klaas Wierenga
> Identity Architect
> Cisco Cloud Services
>
>
>
>
>
>
>

--001a1141bc5cbc27e4052468244d
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D""><div class=3D"gmai=
l_default" style=3D""><span style=3D"color:rgb(76,17,48);font-family:&#39;t=
rebuchet ms&#39;,sans-serif">Hi Klaas,=C2=A0</span><br></div><div class=3D"=
gmail_default" style=3D""><font color=3D"#4c1130" face=3D"trebuchet ms, san=
s-serif"><br></font></div><div class=3D"gmail_default" style=3D""><font col=
or=3D"#4c1130" face=3D"trebuchet ms, sans-serif">Thank you for your review =
and sorry for the delay in the reply [ Diwali festivities in these neck of =
woods :) ]</font></div><div class=3D"gmail_default" style=3D""><font color=
=3D"#4c1130" face=3D"trebuchet ms, sans-serif">Please see inline...</font><=
/div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Mon=
, Nov 9, 2015 at 9:10 PM, Klaas Wierenga (kwiereng) <span dir=3D"ltr">&lt;<=
a href=3D"mailto:kwiereng@cisco.com" target=3D"_blank">kwiereng@cisco.com</=
a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);b=
order-left-style:solid;padding-left:1ex">Hi,<br>
<br>
I have reviewed this document as part of the security directorate&#39;s<br>
ongoing effort to review all IETF documents being processed by the<br>
IESG.=C2=A0 These comments were written primarily for the benefit of the<br=
>
security area directors.=C2=A0 Document editors and WG chairs should treat<=
br>
these comments just like any other last call comments.<br>
<br>
I consider the document =E2=80=9Cready with issues=E2=80=9D, see below for =
detailed comments:<br>
<br>
* 4.1 Inter-Area Path Computation<br>
<br>
you write: &quot;This could be represented in the IRO as:=E2=80=9D and then=
 a number of diagrams. It is unclear to me whether those different option a=
re functionally equivalent. The text suggests so to me, but that doesn=E2=
=80=99t seem to make sense=E2=80=A6.. (or I completely misunderstand the te=
xt)<br>
<br>
To me it seems that the three sequences you give are all possible sequences=
 for the given topology not equivalent, I think the text needs some clarifi=
cation in that case.<br>
<br>
The same goes for 4.2, 4.3 etc.<br>
<br></blockquote><div><br></div><div><div class=3D"gmail_default" style=3D"=
font-family:&#39;trebuchet ms&#39;,sans-serif;color:rgb(76,17,48)">=E2=80=
=8B[Dhruv]: They are equivalent in the sense that if the source is in Area =
2, destination in Area 4 and transit through Area 0, a PCC can encode the I=
RO in any of these combinations to get the same result. I can add clarifica=
tion to make it clearer.=C2=A0=E2=80=8B</div><br></div><div>=C2=A0</div><bl=
ockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-lef=
t-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padd=
ing-left:1ex">
<br>
* 4.5 P2MP<br>
<br>
I am guessing that the tree you show is the result of the three paths you g=
ive before, but some explanation would be good.<br>
<br></blockquote><div><br></div><div><div class=3D"gmail_default" style=3D"=
font-family:&#39;trebuchet ms&#39;,sans-serif;color:rgb(76,17,48)">=E2=80=
=8B[Dhruv]: Ok, i can use the same example as <a href=3D"https://tools.ietf=
.org/html/rfc7334#section-7.2">https://tools.ietf.org/html/rfc7334#section-=
7.2</a> and add some more text here.=C2=A0=E2=80=8B</div><br></div><div>=C2=
=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e=
x;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-styl=
e:solid;padding-left:1ex">
7 security considerations<br>
<br>
I think these are a bit weak. Especially compared to what RFC5440 provides.=
 I consider an attacker gaining fine grained control over the network path =
a very serious risk. The flippant comment about =E2=80=9Crouting around tro=
uble=E2=80=9D doesn=E2=80=99t really do it for me. I would encourage you to=
 take a good look at the security considerations in 5440 and assess how tho=
se considerations change given the finer grained control you provide. Some =
or even most may remain the same, and it is fine to say so, but I can imagi=
ne that some risks are higher because of the fine-grained control, and you =
seem to suggest so too given the =E2=80=9Cthe security techniques in rfc544=
0 are considered more important=E2=80=9D. So I really think this draft woul=
d benefit from a better security considerations section.<br></blockquote><d=
iv><br></div><div><div class=3D"gmail_default" style=3D"font-family:&#39;tr=
ebuchet ms&#39;,sans-serif;color:rgb(76,17,48)">=E2=80=8B[Dhruv]: Here is t=
he updated text, let me know if you would like to see any changes. Text wou=
ld be extra helpful.=C2=A0=E2=80=8B</div></div><div><font face=3D"monospace=
, monospace"><br></font></div><div><div class=3D"gmail_default" style=3D"">=
<pre>7.  Security Considerations

   The protocol extensions defined in this document do not substantially
   change the nature of PCEP.  Therefore, the security considerations
   set out in [RFC5440] apply unchanged.  Note that further security
   considerations for the use of PCEP over TCP are presented in
   [RFC6952].

   This document specifies a representation of Domain-Sequence and new
   subobjects, which could be used in inter-domain PCE scenarios as
   explained in [RFC5152], [RFC5441], [RFC6805], [RFC7334] etc.  The
   security considerations set out in each of these mechanisms remain
   unchanged by the new subobjects and Domain-Sequence representation in
   this document.

   But the new subobjects do allow finer and more specific control of
   the path computed by a cooperating PCE(s).  Such control increases
   the risk if a PCEP message is intercepted, modified, or spoofed
   because it allows the attacker to exert control over the path that
   the PCE will compute or to make the path computation impossible.
   Consequently, it is important that implementations conform to the
   relevant security requirements of [RFC5440].  These mechanisms
   include:

   o  Securing the PCEP session messages using TCP security techniques
      (Section 10.2 of [RFC5440]).  PCEP implementations SHOULD also
      consider the additional security provided by the TCP
      Authentication Option (TCP-AO) [RFC5925] or [PCEPS].

   o  Authenticating the PCEP messages to ensure the message is intact
      and sent from an authorized node (Section 10.3 of [RFC5440]).

   o  PCEP operates over TCP, so it is also important to secure the PCE
      and PCC against TCP denial-of-service attacks.  Section 10.7.1 of
      [RFC5440] outlines a number of mechanisms for minimizing the risk
      of TCP-based denial-of-service attacks against PCEs and PCCs.

   o  In inter-AS scenarios, attacks may be particularly significant
      with commercial as well as service-level implications.

   Note, however, that the Domain-Sequence mechanisms also provide the
   operator with the ability to route around vulnerable parts of the
   network and may be used to increase overall network security.</pre></div>
<br></div>
<div><div>Thank you for your review.</div>
<div><br></div>
<div>The working copy diff is attached for reference (includes IANA,
Gen-ART, Sec-Dir reviews).</div>
<div><br></div>
<div>Regards,</div>
<div>Dhruv</div>
<br></div>
<div> </div>
<blockquote>
<br>
Hope this helps,<br>
<br>
Klaas<br>
<br>
--<br>
Klaas Wierenga<br>
Identity Architect<br>
Cisco Cloud Services<br>
</blockquote></div><br></div></div>

--001a1141bc5cbc27e4052468244d--
--001a1141bc5cbc27eb052468244f
Content-Type: text/html; charset=US-ASCII; 
	name="Diff_ draft-ietf-pce-pcep-domain-sequence-09.txt - draft-ietf-pce-pcep-domain-sequence-10.txt.html"
Content-Disposition: attachment; 
	filename="Diff_ draft-ietf-pce-pcep-domain-sequence-09.txt - draft-ietf-pce-pcep-domain-sequence-10.txt.html"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_igxfasja0
--001a1141bc5cbc27eb052468244f--


From nobody Fri Nov 13 02:25:33 2015
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 212C41A7D84; Fri, 13 Nov 2015 01:24:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.809
X-Spam-Level: 
X-Spam-Status: No, score=-2.809 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klk25EvtGmko; Fri, 13 Nov 2015 01:24:23 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86B761A7D83; Fri, 13 Nov 2015 01:24:20 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml401-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CEA83851; Fri, 13 Nov 2015 09:24:18 +0000 (GMT)
Received: from BLREML406-HUB.china.huawei.com (10.20.4.43) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.3.235.1; Fri, 13 Nov 2015 09:24:15 +0000
Received: from BLREML509-MBX.china.huawei.com ([169.254.7.243]) by BLREML406-HUB.china.huawei.com ([10.20.4.43]) with mapi id 14.03.0235.001; Fri, 13 Nov 2015 14:54:06 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, Dhruv Dhody <dhruv.ietf@gmail.com>
Thread-Topic: secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
Thread-Index: AQHRHdbC9u5EwhPk9kiiRxGrMZfQIp6ZRawAgABlqaA=
Date: Fri, 13 Nov 2015 09:24:05 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8C445C86@BLREML509-MBX.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12AE924D3@SZXEMA502-MBS.china.huawei.com> <CAB75xn7BfBGMK4e-ST4xiqHT=7csUofu4L-WPC555i_itDhouA@mail.gmail.com> <C02846B1344F344EB4FAA6FA7AF481F12AE93493@SZXEMA502-MBS.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12AE93493@SZXEMA502-MBS.china.huawei.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.18.244.252]
Content-Type: multipart/mixed; boundary="_004_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090202.5645AC42.006C, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.7.243, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 939e46ed8f81f22fb19f01e24a790415
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/IE8OXXXzKpoqlbadMtjVJMgWNr8>
X-Mailman-Approved-At: Fri, 13 Nov 2015 02:25:27 -0800
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org" <draft-ietf-teas-rsvp-te-domain-subobjects.all@tools.ietf.org>, "teas-chairs@ietf.org" <teas-chairs@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "pce-chairs@tools.ietf.org" <pce-chairs@tools.ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-teas-rsvp-te-domain-subobjects-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 09:24:28 -0000

--_004_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_
Content-Type: multipart/alternative;
	boundary="_000_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_"

--_000_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_--

--_004_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_
Content-Type: text/html; name="Diff_
 draft-ietf-teas-rsvp-te-domain-subobjects-03.txt -
 draft-ietf-teas-rsvp-te-domain-subobjects-04.txt.html"
Content-Description: Diff_ draft-ietf-teas-rsvp-te-domain-subobjects-03.txt
 - draft-ietf-teas-rsvp-te-domain-subobjects-04.txt.html
Content-Disposition: attachment; filename="Diff_
 draft-ietf-teas-rsvp-te-domain-subobjects-03.txt -
 draft-ietf-teas-rsvp-te-domain-subobjects-04.txt.html"; size=68061;
	creation-date="Fri, 13 Nov 2015 09:22:54 GMT";
	modification-date="Fri, 13 Nov 2015 09:22:54 GMT"
Content-Transfer-Encoding: base64

dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBU
aGUgUmVzb3VyY2UgUmVzZXJWYXRpb24gUHJvdG9jb2wgLSBUcmFmZmljIEVuZ2luZWVyaW5nIChS
U1ZQLVRFKTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBSZXNvdXJjZSBS
ZXNlclZhdGlvbiBQcm90b2NvbCAtIFRyYWZmaWMgRW5naW5lZXJpbmcgKFJTVlAtVEUpPC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHNwZWNp
ZmljYXRpb24gYW5kIHRoZSBHZW5lcmFsaXplZCBNdWx0aXByb3RvY29sIExhYmVsIFN3aXRjaGlu
ZzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHNwZWNpZmljYXRpb24gYW5kIHRo
ZSBHZW5lcmFsaXplZCBNdWx0aXByb3RvY29sIExhYmVsIFN3aXRjaGluZzwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAoR01QTFMpIGV4dGVu
c2lvbnMgdG8gUlNWUC1URSBhbGxvdyBhYnN0cmFjdCBub2RlcyBhbmQgcmVzb3VyY2VzIHRvPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgKEdNUExTKSBleHRlbnNpb25zIHRvIFJT
VlAtVEUgYWxsb3cgYWJzdHJhY3Qgbm9kZXMgYW5kIHJlc291cmNlcyB0bzwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBiZSBleHBsaWNpdGx5
IGluY2x1ZGVkIGluIGEgcGF0aCBzZXR1cC4gIEZ1cnRoZXIgRXhjbHVkZSBSb3V0ZXM8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBiZSBleHBsaWNpdGx5IGluY2x1ZGVkIGluIGEg
cGF0aCBzZXR1cC4gIEZ1cnRoZXIgRXhjbHVkZSBSb3V0ZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZXh0ZW5zaW9ucyB0byBSU1ZQLVRF
IGFsbG93IGFic3RyYWN0IG5vZGVzIGFuZCByZXNvdXJjZXMgdG8gYmU8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICBleHRlbnNpb25zIHRvIFJTVlAtVEUgYWxsb3cgYWJzdHJhY3Qg
bm9kZXMgYW5kIHJlc291cmNlcyB0byBiZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBleHBsaWNpdGx5IGV4Y2x1ZGVkIGluIGEgcGF0aCBz
ZXR1cC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBleHBsaWNpdGx5IGV4Y2x1
ZGVkIGluIGEgcGF0aCBzZXR1cC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIg
Ymdjb2xvcj0iZ3JheSI+PHRkPjwvdGQ+PHRoPjxhIG5hbWU9InBhcnQtbDIiPjxzbWFsbD5za2lw
cGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxLCBsaW5lIDQzPC9lbT48L2E+PC90
aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9InBhcnQtcjIiPjxzbWFsbD5za2lwcGluZyB0byBjaGFu
Z2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxLCBsaW5lIDQzPC9lbT48L2E+PC90aD48dGQ+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+ICAgSW50ZXJuZXQtRHJhZnRzIGFyZSB3b3JraW5nIGRvY3VtZW50cyBvZiB0
aGUgSW50ZXJuZXQgRW5naW5lZXJpbmc8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g
ICBJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcgZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5ldCBF
bmdpbmVlcmluZzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBUYXNrIEZvcmNlIChJRVRGKS4gIE5vdGUgdGhhdCBvdGhlciBncm91cHMgbWF5
IGFsc28gZGlzdHJpYnV0ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRhc2sg
Rm9yY2UgKElFVEYpLiAgTm90ZSB0aGF0IG90aGVyIGdyb3VwcyBtYXkgYWxzbyBkaXN0cmlidXRl
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg
IHdvcmtpbmcgZG9jdW1lbnRzIGFzIEludGVybmV0LURyYWZ0cy4gIFRoZSBsaXN0IG9mIGN1cnJl
bnQgSW50ZXJuZXQtPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgd29ya2luZyBk
b2N1bWVudHMgYXMgSW50ZXJuZXQtRHJhZnRzLiAgVGhlIGxpc3Qgb2YgY3VycmVudCBJbnRlcm5l
dC08L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgRHJhZnRzIGlzIGF0IGh0dHA6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kcmFmdHMvY3VycmVu
dC8uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgRHJhZnRzIGlzIGF0IGh0dHA6
Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kcmFmdHMvY3VycmVudC8uPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICBJbnRlcm5ldC1EcmFmdHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxpZCBm
b3IgYSBtYXhpbXVtIG9mIHNpeCBtb250aHM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICBJbnRlcm5ldC1EcmFmdHMgYXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxpZCBmb3IgYSBtYXhp
bXVtIG9mIHNpeCBtb250aHM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgYW5kIG1heSBiZSB1cGRhdGVkLCByZXBsYWNlZCwgb3Igb2Jzb2xl
dGVkIGJ5IG90aGVyIGRvY3VtZW50cyBhdCBhbnk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICBhbmQgbWF5IGJlIHVwZGF0ZWQsIHJlcGxhY2VkLCBvciBvYnNvbGV0ZWQgYnkgb3Ro
ZXIgZG9jdW1lbnRzIGF0IGFueTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aW1lLiAgSXQgaXMgaW5hcHByb3ByaWF0ZSB0byB1c2UgSW50
ZXJuZXQtRHJhZnRzIGFzIHJlZmVyZW5jZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgIHRpbWUuICBJdCBpcyBpbmFwcHJvcHJpYXRlIHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMg
cmVmZXJlbmNlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPiAgIG1hdGVyaWFsIG9yIHRvIGNpdGUgdGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGlu
IHByb2dyZXNzLiI8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBtYXRlcmlhbCBv
ciB0byBjaXRlIHRoZW0gb3RoZXIgdGhhbiBhcyAid29yayBpbiBwcm9ncmVzcy4iPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwMDQiPjwvYT48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsYmxvY2siPiAgIFRoaXMgSW50ZXJuZXQtRHJhZnQgd2lsbCBleHBpcmUgb24gTWE8c3Bh
biBjbGFzcz0iZGVsZXRlIj5yY2ggMjQ8L3NwYW4+LCAyMDE2LjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmJsb2NrIj4gICBUaGlzIEludGVybmV0LURyYWZ0IHdpbGwgZXhwaXJlIG9uIE1hPHNw
YW4gY2xhc3M9Imluc2VydCI+eSAxNjwvc3Bhbj4sIDIwMTYuPC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij5Db3B5cmlnaHQgTm90aWNlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+
Q29weXJpZ2h0IE5vdGljZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQ29weXJpZ2h0
IChjKSAyMDE1IElFVEYgVHJ1c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZpZWQgYXMgdGhlPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQ29weXJpZ2h0IChjKSAyMDE1IElFVEYg
VHJ1c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZpZWQgYXMgdGhlPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRvY3VtZW50IGF1dGhvcnMu
ICBBbGwgcmlnaHRzIHJlc2VydmVkLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
IGRvY3VtZW50IGF1dGhvcnMuICBBbGwgcmlnaHRzIHJlc2VydmVkLjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+ICAgVGhpcyBkb2N1bWVudCBpcyBzdWJqZWN0IHRvIEJDUCA3OCBhbmQgdGhl
IElFVEYgVHJ1c3QncyBMZWdhbDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRo
aXMgZG9jdW1lbnQgaXMgc3ViamVjdCB0byBCQ1AgNzggYW5kIHRoZSBJRVRGIFRydXN0J3MgTGVn
YWw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgUHJvdmlzaW9ucyBSZWxhdGluZyB0byBJRVRGIERvY3VtZW50czwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIFByb3Zpc2lvbnMgUmVsYXRpbmcgdG8gSUVURiBEb2N1bWVudHM8
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
KGh0dHA6Ly90cnVzdGVlLmlldGYub3JnL2xpY2Vuc2UtaW5mbykgaW4gZWZmZWN0IG9uIHRoZSBk
YXRlIG9mPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgKGh0dHA6Ly90cnVzdGVl
LmlldGYub3JnL2xpY2Vuc2UtaW5mbykgaW4gZWZmZWN0IG9uIHRoZSBkYXRlIG9mPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHB1YmxpY2F0
aW9uIG9mIHRoaXMgZG9jdW1lbnQuICBQbGVhc2UgcmV2aWV3IHRoZXNlIGRvY3VtZW50czwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHB1YmxpY2F0aW9uIG9mIHRoaXMgZG9jdW1l
bnQuICBQbGVhc2UgcmV2aWV3IHRoZXNlIGRvY3VtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PC90cj4KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0
ZD48L3RkPjx0aD48YSBuYW1lPSJwYXJ0LWwzIj48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0
PC9zbWFsbD48ZW0+IHBhZ2UgMiwgbGluZSAyNTwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48
YSBuYW1lPSJwYXJ0LXIzIj48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+
IHBhZ2UgMiwgbGluZSAyNTwvZW0+PC9hPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPlRhYmxl
IG9mIENvbnRlbnRzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+VGFibGUgb2YgQ29u
dGVudHM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgMjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgMjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDEuMS4gIFNjb3BlIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDM8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDEuMS4gIFNjb3BlIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDM8L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAxLjIuICBSZXF1
aXJlbWVudHMgTGFuZ3VhZ2UgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA0
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAxLjIuICBSZXF1aXJlbWVudHMg
TGFuZ3VhZ2UgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA0PC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIDIuICBUZXJt
aW5vbG9neSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
ICAgNDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIDIuICBUZXJtaW5vbG9neSAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNDwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAzLiAg
U3Vib2JqZWN0cyBmb3IgRG9tYWlucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAgIDU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAzLiAgU3Vib2JqZWN0
cyBmb3IgRG9tYWlucyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDU8
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
ICAzLjEuICBEb21haW5zIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gICA1PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAzLjEuICBE
b21haW5zIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
ICA1PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgICAgMy4yLiAgRXhwbGljaXQgUm91dGUgT2JqZWN0IChFUk8pJ3MgU3Vib2JqZWN0cyAgLiAu
IC4gLiAuIC4gLiAuICAgNTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgMy4y
LiAgRXhwbGljaXQgUm91dGUgT2JqZWN0IChFUk8pJ3MgU3Vib2JqZWN0cyAgLiAuIC4gLiAuIC4g
LiAuICAgNTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICAgICAgMy4yLjEuICBBdXRvbm9tb3VzIHN5c3RlbSAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAgIDY8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAg
ICAgMy4yLjEuICBBdXRvbm9tb3VzIHN5c3RlbSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAgIDY8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA1Ij48L2E+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr
Ij4gICAgICAgMy4yLjIuICBJR1AgQXJlYSAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjY8L3NwYW4+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAzLjIuMi4gIElHUCBBcmVhICAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgPHNwYW4gY2xhc3M9Imluc2VydCI+
Nzwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgICAgIDMuMi4zLiAgTW9kZSBvZiBPcGVyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gICA4PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
ICAgIDMuMi4zLiAgTW9kZSBvZiBPcGVyYXRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gICA4PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxlZnQiPiAgICAgMy4zLiAgRXhjbHVkZSBSb3V0ZSBPYmplY3QgKFhSTykncyBTdWJvYmpl
Y3RzIC4gLiAuIC4gLiAuIC4gLiAuICAgODwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgICAgMy4zLiAgRXhjbHVkZSBSb3V0ZSBPYmplY3QgKFhSTykncyBTdWJvYmplY3RzIC4gLiAu
IC4gLiAuIC4gLiAuICAgODwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsZWZ0Ij4gICAgICAgMy4zLjEuICBBdXRvbm9tb3VzIHN5c3RlbSAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDg8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICAgICAgMy4zLjEuICBBdXRvbm9tb3VzIHN5c3RlbSAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAgIDg8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgIDMuMy4yLiAgSUdQIEFyZWEgIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICA5PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyaWdodCI+ICAgICAgIDMuMy4yLiAgSUdQIEFyZWEgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gICA5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAzLjMuMy4gIE1vZGUgb2YgT3BlcmF0aW9uIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgOTwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPiAgICAgICAzLjMuMy4gIE1vZGUgb2YgT3BlcmF0aW9uIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgOTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDMuNC4gIEV4cGxpY2l0IEV4Y2x1c2lvbiBS
b3V0ZSBTdWJvYmplY3QgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDk8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDMuNC4gIEV4cGxpY2l0IEV4Y2x1c2lvbiBSb3V0ZSBTdWJv
YmplY3QgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDk8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA2Ij48
L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA0LiAgSW50ZXJhY3Rpb24gd2l0aCBQYXRoIENvbXB1
dGF0aW9uIEVsZW1lbnQgKFBDRSkgLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+
IDk8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDQuICBJbnRlcmFj
dGlvbiB3aXRoIFBhdGggQ29tcHV0YXRpb24gRWxlbWVudCAoUENFKSAuIC4gLiAuIC4gLiAuICA8
c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xMDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgNS4gIElBTkEgQ29uc2lkZXJhdGlvbnMgLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDEwPC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+ICAgNS4gIElBTkEgQ29uc2lkZXJhdGlvbnMgLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDEwPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgNS4xLiAgTmV3IFN1Ym9iamVjdHMg
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxMDwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgNS4xLiAgTmV3IFN1Ym9iamVjdHMgIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxMDwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAw
MDciPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDYuICBTZWN1cml0eSBDb25zaWRlcmF0aW9u
cyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iZGVs
ZXRlIj4xMDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgNi4gIFNl
Y3VyaXR5IENvbnNpZGVyYXRpb25zIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjExPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIDcuICBBY2tub3dsZWRnbWVudHMg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFz
cz0iZGVsZXRlIj4xMDwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAg
Ny4gIEFja25vd2xlZGdtZW50cyAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjExPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICA4LiAgUmVmZXJlbmNlcyAg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTE8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICA4LiAgUmVmZXJlbmNlcyAgLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMTE8L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICA4LjEuICBOb3Jt
YXRpdmUgUmVmZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDEx
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICA4LjEuICBOb3JtYXRpdmUgUmVm
ZXJlbmNlcyAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDExPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBu
YW1lPSJkaWZmMDAwOCI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICA4LjIuICBJbmZvcm1h
dGl2ZSBSZWZlcmVuY2VzICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFu
IGNsYXNzPSJkZWxldGUiPjExPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr
Ij4gICAgIDguMi4gIEluZm9ybWF0aXZlIFJlZmVyZW5jZXMgIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2VydCI+MTI8L3NwYW4+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgQXBwZW5kaXgg
QS4gIEV4YW1wbGVzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
IDxzcGFuIGNsYXNzPSJkZWxldGUiPjEzPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmJsb2NrIj4gICBBcHBlbmRpeCBBLiAgRXhhbXBsZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2VydCI+MTQ8L3NwYW4+PC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICBB
LjEuICBJbnRlci1BcmVhIExTUCBQYXRoIFNldHVwIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjEzPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmJsb2NrIj4gICAgIEEuMS4gIEludGVyLUFyZWEgTFNQIFBhdGggU2V0dXAgLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2VydCI+MTQ8L3NwYW4+
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+
ICAgICBBLjIuICBJbnRlci1BUyBMU1AgUGF0aCBTZXR1cCAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjE0PC9zcGFuPjwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgIEEuMi4gIEludGVyLUFTIExTUCBQYXRoIFNldHVwIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2VydCI+MTU8
L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+ICAgICAgIEEuMi4xLiAgRXhhbXBsZSAxIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjE0PC9zcGFuPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgQS4yLjEuICBFeGFtcGxlIDEgLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9Imluc2Vy
dCI+MTU8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxibG9jayI+ICAgICAgIEEuMi4yLiAgRXhhbXBsZSAyIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjE1PC9zcGFuPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICAgQS4yLjIuICBFeGFtcGxlIDIg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9
Imluc2VydCI+MTY8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+ICAgQXV0aG9ycycgQWRkcmVzc2VzICAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJkZWxldGUiPjE2PC9z
cGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBBdXRob3JzJyBBZGRyZXNz
ZXMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4g
Y2xhc3M9Imluc2VydCI+MTc8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4xLiAg
SW50cm9kdWN0aW9uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+MS4gIEludHJvZHVj
dGlvbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhlIFJTVlAtVEUgc3BlY2lmaWNh
dGlvbiBbUkZDMzIwOV0gYW5kIHRoZSBHTVBMUyBleHRlbnNpb25zIHRvIFJTVlAtPC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVGhlIFJTVlAtVEUgc3BlY2lmaWNhdGlvbiBbUkZD
MzIwOV0gYW5kIHRoZSBHTVBMUyBleHRlbnNpb25zIHRvIFJTVlAtPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRFIFtSRkMzNDczXSBhbGxv
dyBhYnN0cmFjdCBub2RlcyBhbmQgcmVzb3VyY2VzIHRvIGJlIGV4cGxpY2l0bHk8L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBURSBbUkZDMzQ3M10gYWxsb3cgYWJzdHJhY3Qgbm9k
ZXMgYW5kIHJlc291cmNlcyB0byBiZSBleHBsaWNpdGx5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGluY2x1ZGVkIGluIGEgcGF0aCBzZXR1
cCB1c2luZyB0aGUgRXhwbGljaXQgUm91dGUgT2JqZWN0IChFUk8pLjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIGluY2x1ZGVkIGluIGEgcGF0aCBzZXR1cCB1c2luZyB0aGUgRXhw
bGljaXQgUm91dGUgT2JqZWN0IChFUk8pLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
RnVydGhlciBFeGNsdWRlIFJvdXRlcyBleHRlbnNpb25zIFtSRkM0ODc0XSBhbGxvdyBhYnN0cmFj
dCBub2RlcyBvcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEZ1cnRoZXIgRXhj
bHVkZSBSb3V0ZXMgZXh0ZW5zaW9ucyBbUkZDNDg3NF0gYWxsb3cgYWJzdHJhY3Qgbm9kZXMgb3I8
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
cmVzb3VyY2VzIHRvIGJlIGV4Y2x1ZGVkIGZyb20gdGhlIHdob2xlIHBhdGggdXNpbmcgdGhlIEV4
Y2x1ZGUgUm91dGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICByZXNvdXJjZXMg
dG8gYmUgZXhjbHVkZWQgZnJvbSB0aGUgd2hvbGUgcGF0aCB1c2luZyB0aGUgRXhjbHVkZSBSb3V0
ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBvYmplY3QgKFhSTykuICBUbyBleGNsdWRlIGNlcnRhaW4gYWJzdHJhY3Qgbm9kZXMgb3IgcmVz
b3VyY2VzIGJldHdlZW48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvYmplY3Qg
KFhSTykuICBUbyBleGNsdWRlIGNlcnRhaW4gYWJzdHJhY3Qgbm9kZXMgb3IgcmVzb3VyY2VzIGJl
dHdlZW48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+
CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0icGFydC1sNCI+
PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDMsIGxpbmUgNDE8
L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0icGFydC1yNCI+PHNtYWxsPnNraXBw
aW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDMsIGxpbmUgNDE8L2VtPjwvYT48L3Ro
Pjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAoUENFUCkgZXh0ZW5zaW9ucyBmb3IgdGhlIGRvbWFp
biBzZXF1ZW5jZSBbUENFLURPTUFJTl0uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+
ICAgKFBDRVApIGV4dGVuc2lvbnMgZm9yIHRoZSBkb21haW4gc2VxdWVuY2UgW1BDRS1ET01BSU5d
LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+MS4xLiAgU2NvcGU8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4xLjEuICBTY29wZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgVGhlIHByb2NlZHVyZXMgZGVzY3JpYmVkIGluIHRoaXMgZG9jdW1lbnQgYXJlIGV4cGVyaW1l
bnRhbC4gIFRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBwcm9jZWR1
cmVzIGRlc2NyaWJlZCBpbiB0aGlzIGRvY3VtZW50IGFyZSBleHBlcmltZW50YWwuICBUaGU8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1BDRS1ET01BSU5dPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1BDRS1ET01BSU5dPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1l
PSJkaWZmMDAxNCI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgICAgICAgICBEaG9keSwg
RC4sIFBhbGxlLCBVLiwgYW5kIFIuIENhc2VsbGFzLCA8c3BhbiBjbGFzcz0iZGVsZXRlIj4iU3Rh
bmRhcmQ8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICAgICAg
ICAgRGhvZHksIEQuLCBQYWxsZSwgVS4sIGFuZCBSLiBDYXNlbGxhcywgPHNwYW4gY2xhc3M9Imlu
c2VydCI+IkRvbWFpbiBTdWJvYmplY3RzPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAg
ICAgICAgICAgUmVwcmVzZW50YXRpb24gT2YgRG9tYWluIFNlcXVlbmNlLiAoZHJhZnQtaWV0Zi1w
Y2UtcGNlcC08L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNs
YXNzPSJpbnNlcnQiPiAgICAgICAgICAgICAgZm9yIFBhdGggQ29tcHV0YXRpb24gRWxlbWVudCAo
UENFKSBDb21tdW5pY2F0aW9uIFByb3RvY29sPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAg
ICAgICAgICAgICAgZG9tYWluLXNlcXVlbmNlKSIsIFNlcHRlbWJlcjwvc3Bhbj4gMjAxNS48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgICAg
ICAgICAgICAoUENFUCkuIChkcmFmdC1pZXRmLXBjZS1wY2VwLWRvbWFpbi1zZXF1ZW5jZSkiLCBO
b3ZlbWJlcjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICAgICAg
ICAgICAyMDE1LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+OC4yLiAgSW5mb3JtYXRpdmUg
UmVmZXJlbmNlczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjguMi4gIEluZm9ybWF0
aXZlIFJlZmVyZW5jZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtSRkM0NjU1XSAg
RmFycmVsLCBBLiwgVmFzc2V1ciwgSi4sIGFuZCBKLiBBc2gsICJBIFBhdGggQ29tcHV0YXRpb248
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNDY1NV0gIEZhcnJlbCwgQS4s
IFZhc3NldXIsIEouLCBhbmQgSi4gQXNoLCAiQSBQYXRoIENvbXB1dGF0aW9uPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAg
RWxlbWVudCAoUENFKS1CYXNlZCBBcmNoaXRlY3R1cmUiLCBSRkMgNDY1NSw8L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIEVsZW1lbnQgKFBDRSktQmFzZWQgQXJj
aGl0ZWN0dXJlIiwgUkZDIDQ2NTUsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgRE9JIDEwLjE3NDg3L1JGQzQ2NTUsIEF1
Z3VzdCAyMDA2LDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAg
RE9JIDEwLjE3NDg3L1JGQzQ2NTUsIEF1Z3VzdCAyMDA2LDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgICZsdDtodHRwOi8v
d3d3LnJmYy1lZGl0b3Iub3JnL2luZm8vcmZjNDY1NSZndDsuPC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+ICAgICAgICAgICAgICAmbHQ7aHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9p
bmZvL3JmYzQ2NTUmZ3Q7LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzQ3MjZd
ICBGYXJyZWwsIEEuLCBWYXNzZXVyLCBKLiwgYW5kIEEuIEF5eWFuZ2FyLCAiQSBGcmFtZXdvcmsg
Zm9yPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgW1JGQzQ3MjZdICBGYXJyZWws
IEEuLCBWYXNzZXVyLCBKLiwgYW5kIEEuIEF5eWFuZ2FyLCAiQSBGcmFtZXdvcmsgZm9yPC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAg
ICAgICAgSW50ZXItRG9tYWluIE11bHRpcHJvdG9jb2wgTGFiZWwgU3dpdGNoaW5nIFRyYWZmaWM8
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIEludGVyLURvbWFp
biBNdWx0aXByb3RvY29sIExhYmVsIFN3aXRjaGluZyBUcmFmZmljPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KCiAgICAgPHRyPjx0ZD48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQ+PC90ZD48
L3RyPgogICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGggY29sc3Bhbj0iNSIgYWxpZ249ImNlbnRl
ciI+PGEgbmFtZT0iZW5kIj4mbmJzcDtFbmQgb2YgY2hhbmdlcy4gMTQgY2hhbmdlIGJsb2Nrcy4m
bmJzcDs8L2E+PC90aD48L3RyPgogICAgIDx0ciBjbGFzcz0ic3RhdHMiPjx0ZD48L3RkPjx0aD48
aT4yNyBsaW5lcyBjaGFuZ2VkIG9yIGRlbGV0ZWQ8L2k+PC90aD48dGg+PGk+IDwvaT48L3RoPjx0
aD48aT41MSBsaW5lcyBjaGFuZ2VkIG9yIGFkZGVkPC9pPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAg
ICA8dHI+PHRkIGNvbHNwYW49IjUiIGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzbWFsbCI+PGJyPlRo
aXMgaHRtbCBkaWZmIHdhcyBwcm9kdWNlZCBieSByZmNkaWZmIDEuNDIuIFRoZSBsYXRlc3QgdmVy
c2lvbiBpcyBhdmFpbGFibGUgZnJvbSA8YSBocmVmPSJodHRwOi8vd3d3LnRvb2xzLmlldGYub3Jn
L3Rvb2xzL3JmY2RpZmYvIj5odHRwOi8vdG9vbHMuaWV0Zi5vcmcvdG9vbHMvcmZjZGlmZi88L2E+
IDwvdGQ+PC90cj4KICAgPC90Ym9keT48L3RhYmxlPgogICAKICAgCjwhLS0gYXJnczogeyctLW9s
ZGNvbG91cic6ICdyZWQnLCAnLS13aWR0aCc6ICcnLCAnZGlmZnR5cGUnOiAnLS1odG1sJywgJ3Vy
bDEnOiAnZHJhZnQtaWV0Zi10ZWFzLXJzdnAtdGUtZG9tYWluLXN1Ym9iamVjdHMtMDMnLCAnc3Vi
bWl0JzogJ0dlbmVyYXRlIGRpZmYnLCAndXJsMic6ICcnLCAnLS1uZXdjb2xvdXInOiAnZ3JlZW4n
fSAtLT48aWZyYW1lIHdpZHRoPSIwIiBoZWlnaHQ9IjAiIGZyYW1lYm9yZGVyPSIwIiBzcmM9ImFi
b3V0OmJsYW5rIiBpZD0iR0lOR0VSX1NPRlRXQVJFX2J1YmJsZXNJRnJhbWUiIHNjcm9sbGluZz0i
bm8iIHN0eWxlPSJib3JkZXI6IDBweCBzb2xpZDsgZGlzcGxheTogbm9uZTsgcG9zaXRpb246IGFi
c29sdXRlOyB6LWluZGV4OiAyMTQ3NDgzNjQ3OyBoZWlnaHQ6IDBweDsgd2lkdGg6IDBweDsgYmFj
a2dyb3VuZC1jb2xvcjogdHJhbnNwYXJlbnQ7Ij48L2lmcmFtZT48ZGl2IGlkPSJHaW5nZXJXaWRn
ZXRJbmZvIiBzdHlsZT0iZGlzcGxheTpub25lOyI+eyJ2ZXJzaW9uIjoiMC4xLjAuNTg1IiwiaXNF
eHRlbnNpb24iOnRydWUsImV4dGVuc2lvbk5hbWUiOiJDaHJvbWUifTwvZGl2PjwvYm9keT48L2h0
bWw+

--_004_23CE718903A838468A8B325B80962F9B8C445C86BLREML509MBXchi_--


From nobody Fri Nov 13 09:17:23 2015
Return-Path: <warren@kumari.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60E3F1B2CF0 for <secdir@ietfa.amsl.com>; Fri, 13 Nov 2015 09:17:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level: 
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IN9WzaMzRwZW for <secdir@ietfa.amsl.com>; Fri, 13 Nov 2015 09:17:21 -0800 (PST)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com [IPv6:2607:f8b0:4002:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45F011B2CEF for <secdir@ietf.org>; Fri, 13 Nov 2015 09:17:21 -0800 (PST)
Received: by ykfs79 with SMTP id s79so157963241ykf.1 for <secdir@ietf.org>; Fri, 13 Nov 2015 09:17:20 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.13.194.193 with SMTP id e184mr16377629ywd.203.1447435040463;  Fri, 13 Nov 2015 09:17:20 -0800 (PST)
Received: by 10.37.202.11 with HTTP; Fri, 13 Nov 2015 09:17:20 -0800 (PST)
Date: Sat, 14 Nov 2015 02:17:20 +0900
Message-ID: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: IETF Security Directorate <secdir@ietf.org>,  draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KJN30ec7DoxjoJhBljkbSXG6BVs>
Subject: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 17:17:22 -0000

Be ye not afraid...
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
MIB Variables using the IPFIX Protocol

Summary:
LGTM, Security AD attention not required, modulo questions below.

I'm not quite sure what:
"However if the exporter is a client of an SNMP engine on the same
 device it MUST abide by existing SNMP security rules." is supposed to
mean. What exactly are "existing SNMP security rules"? Those defined
in RFCs? Configured on the device?

Also:
"Network operators should take care that the only MIB objects which
are included in IPFIX Data Records are ones which the receiving flow
collector is allowed to receive."
It may be worth mentioning that multiple users may have access to the
data from the flow collector.
I don't think that this is a major issue, as the sorts of data that
are likely to be exported are not (in my wild-ass guess) likely to be
sensitive.


I suspect that the MIB Doctors should review this (if they haven't
already) - while not a MIB, they will probably have useful input.

W



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


From nobody Sat Nov 14 23:40:26 2015
Return-Path: <zhang_dacheng@hotmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F39651A8AA8; Sat, 14 Nov 2015 23:40:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.009
X-Spam-Level: 
X-Spam-Status: No, score=-2.009 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RfKFiGjQBIy7; Sat, 14 Nov 2015 23:40:18 -0800 (PST)
Received: from BLU004-OMC4S4.hotmail.com (blu004-omc4s4.hotmail.com [65.55.111.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BC001A8AA7; Sat, 14 Nov 2015 23:40:17 -0800 (PST)
Received: from BLU436-SMTP248 ([65.55.111.136]) by BLU004-OMC4S4.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008);  Sat, 14 Nov 2015 23:40:16 -0800
X-TMN: [2e+ocnsu/B28fLGpIEDfOZLBLV1fWfON]
X-Originating-Email: [zhang_dacheng@hotmail.com]
Message-ID: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl>
From: Dacheng <zhang_dacheng@hotmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DED9753D-033E-4365-A553-4030F532C8C0"
Date: Sun, 15 Nov 2015 15:40:00 +0800
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-OriginalArrivalTime: 15 Nov 2015 07:40:14.0926 (UTC) FILETIME=[DDDD4EE0:01D11F78]
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/H_o3MucJ1aE7xEg4Fjzmlp0UAcU>
Cc: draft-ietf-manet-olsrv2-dat-metric.all@ietf.org
Subject: [secdir] Secdir Review of draft-ietf-manet-olsrv2-dat-metric-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2015 07:40:25 -0000

--Apple-Mail=_DED9753D-033E-4365-A553-4030F532C8C0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"

Dear all,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.

These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft is about a new routing metric for OLSRv2.

Technical questions/comments:

1) In this draft, “RFC5444 packet” can be found in many places. I
didn’t find the definition of this term. Do you indicate this solution
may need to process a packet which is not specified in OLSRv2?

2) There is a good security consideration section in RFC 7181. Since
this draft is closely related to OLSRv2 (although this work does not
specify any new message or TLV), it will be good to build the security
considerations of this work based upon what has been discussed in
RFC7181. For example, maybe the authors could say ‘there will be some
new security issues introduced by this work but not mentioned in
RFC 7181, there will be some security issues if we only use the
mandatory security mechanism specified in RFC7181, or our work does not
introduce any additional security issues’.

3) This question is about the last sentence in the security
consideration—“The signature scheme described in [RFC7183] does not
protect the additional sequence number of the DAT metric because it
does only sign the RFC5444 messages, not the RFC5444 packet header.”
First of all, there is no signature mechanism specified in RFC7183;
only HMAC is used to protect the message integrity. In addition,
RFC7183 reuses the process specified in RFC7182 to generate hashes, and
so it should be able to cover the message headers. Open for discussion.


Editorial:

Section 2:

MAX(a,b) -> MAX(a, b)

Section 3:

The administrator should take care that link layer multicast
transmission do not not have -> The administrator should take care that
link layer multicast transmission do not have

Section 4:

The routing decision of most operation systems don't take packet size
into account. -> The routing decisions of most operation systems don't
take packet size into account.

Section 7:

with a very slow or very fast linklayer -> with a very slow or very fast
link layer

Cheers
Dacheng


--Apple-Mail=_DED9753D-033E-4365-A553-4030F532C8C0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div =
style=3D"margin: 0cm 0cm 0.0001pt; text-align: justify;">






<!--[if gte mso 9]><xml>
 <o:OfficeDocumentSettings>
  <o:AllowPNG/>
 </o:OfficeDocumentSettings>
</xml><![endif]-->

<!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:View>Normal</w:View>
  <w:Zoom>0</w:Zoom>
  <w:TrackMoves/>
  <w:TrackFormatting/>
  <w:PunctuationKerning/>
  <w:DrawingGridVerticalSpacing>10 pt</w:DrawingGridVerticalSpacing>
  =
<w:DisplayHorizontalDrawingGridEvery>0</w:DisplayHorizontalDrawingGridEver=
y>
  =
<w:DisplayVerticalDrawingGridEvery>2</w:DisplayVerticalDrawingGridEvery>
  <w:ValidateAgainstSchemas/>
  <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
  <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
  <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
  <w:DoNotPromoteQF/>
  <w:LidThemeOther>EN-US</w:LidThemeOther>
  <w:LidThemeAsian>ZH-CN</w:LidThemeAsian>
  <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
  <w:Compatibility>
   <w:SpaceForUL/>
   <w:BalanceSingleByteDoubleByteWidth/>
   <w:DoNotLeaveBackslashAlone/>
   <w:ULTrailSpace/>
   <w:DoNotExpandShiftReturn/>
   <w:AdjustLineHeightInTable/>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
   <w:DontGrowAutofit/>
   <w:SplitPgBreakAndParaMark/>
   <w:EnableOpenTypeKerning/>
   <w:DontFlipMirrorIndents/>
   <w:OverrideTableStyleHps/>
   <w:UseFELayout/>
  </w:Compatibility>
  <w:NoLineBreaksAfter =
Lang=3D"JA">$([{=C2=A3=C2=A5=C2=B7=E2=80=98=E2=80=9C=E3=80=88=E3=80=8A=E3=80=
=8C=E3=80=8E=E3=80=90=E3=80=94=E3=80=96=E3=80=9D=EF=B9=99=EF=B9=9B=EF=B9=9D=
=EF=BC=84=EF=BC=88=EF=BC=8E=EF=BC=BB=EF=BD=9B=EF=BF=A1=EF=BF=A5</w:NoLineB=
reaksAfter>
  <w:NoLineBreaksBefore =
Lang=3D"JA">!%),.:;&gt;?]}=C2=A2=C2=A8=C2=B0=C2=B7=CB=87=CB=89=E2=80=95=E2=
=80=96=E2=80=99=E2=80=9D=E2=80=A6=E2=80=B0=E2=80=B2=E2=80=B3=E2=80=BA=E2=84=
=83=E2=88=B6=E3=80=81=E3=80=82=E3=80=83=E3=80=89=E3=80=8B=E3=80=8D=E3=80=8F=
=E3=80=91=E3=80=95=E3=80=97=E3=80=9E=EF=B8=B6=EF=B8=BA=EF=B8=BE=EF=B9=80=EF=
=B9=84=EF=B9=9A=EF=B9=9C=EF=B9=9E=EF=BC=81=EF=BC=82=EF=BC=85=EF=BC=87=EF=BC=
=89=EF=BC=8C=EF=BC=8E=EF=BC=9A=EF=BC=9B=EF=BC=9F=EF=BC=BD=EF=BD=80=EF=BD=9C=
=EF=BD=9D=EF=BD=9E=EF=BF=A0</w:NoLineBreaksBefore>
  <m:mathPr>
   <m:mathFont m:val=3D"Cambria Math"/>
   <m:brkBin m:val=3D"before"/>
   <m:brkBinSub m:val=3D"&#45;-"/>
   <m:smallFrac m:val=3D"off"/>
   <m:dispDef/>
   <m:lMargin m:val=3D"0"/>
   <m:rMargin m:val=3D"0"/>
   <m:defJc m:val=3D"centerGroup"/>
   <m:wrapIndent m:val=3D"1440"/>
   <m:intLim m:val=3D"subSup"/>
   <m:naryLim m:val=3D"undOvr"/>
  </m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState=3D"false" DefUnhideWhenUsed=3D"true"
  DefSemiHidden=3D"true" DefQFormat=3D"false" DefPriority=3D"99"
  LatentStyleCount=3D"276">
  <w:LsdException Locked=3D"false" Priority=3D"0" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Normal"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"heading 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 3"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 4"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 5"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 6"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 7"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 8"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" =
Name=3D"heading 9"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 3"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 4"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 5"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 6"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 7"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 8"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 9"/>
  <w:LsdException Locked=3D"false" Priority=3D"35" QFormat=3D"true" =
Name=3D"caption"/>
  <w:LsdException Locked=3D"false" Priority=3D"10" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Title"/>
  <w:LsdException Locked=3D"false" Priority=3D"1" Name=3D"Default =
Paragraph Font"/>
  <w:LsdException Locked=3D"false" Priority=3D"11" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Subtitle"/>
  <w:LsdException Locked=3D"false" Priority=3D"22" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Strong"/>
  <w:LsdException Locked=3D"false" Priority=3D"20" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Emphasis"/>
  <w:LsdException Locked=3D"false" Priority=3D"59" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Table Grid"/>
  <w:LsdException Locked=3D"false" UnhideWhenUsed=3D"false" =
Name=3D"Placeholder Text"/>
  <w:LsdException Locked=3D"false" Priority=3D"1" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"No Spacing"/>
  <w:LsdException Locked=3D"false" Priority=3D"60" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Shading"/>
  <w:LsdException Locked=3D"false" Priority=3D"61" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light List"/>
  <w:LsdException Locked=3D"false" Priority=3D"62" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Grid"/>
  <w:LsdException Locked=3D"false" Priority=3D"63" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"64" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"65" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"66" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"67" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"68" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"69" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 3"/>
  <w:LsdException Locked=3D"false" Priority=3D"70" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Dark List"/>
  <w:LsdException Locked=3D"false" Priority=3D"71" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful Shading"/>
  <w:LsdException Locked=3D"false" Priority=3D"72" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful List"/>
  <w:LsdException Locked=3D"false" Priority=3D"73" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful Grid"/>
  <w:LsdException Locked=3D"false" Priority=3D"60" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Shading Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"61" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light List Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"62" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Grid Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"63" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 1 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"64" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 2 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"65" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 1 Accent 1"/>
  <w:LsdException Locked=3D"false" UnhideWhenUsed=3D"false" =
Name=3D"Revision"/>
  <w:LsdException Locked=3D"false" Priority=3D"34" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"List Paragraph"/>
  <w:LsdException Locked=3D"false" Priority=3D"29" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Quote"/>
  <w:LsdException Locked=3D"false" Priority=3D"30" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Intense Quote"/>
  <w:LsdException Locked=3D"false" Priority=3D"66" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 2 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"67" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 1 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"68" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 2 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"69" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Grid 3 Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"70" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Dark List Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"71" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful Shading Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"72" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful List Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"73" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Colorful Grid Accent 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"60" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Shading Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"61" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light List Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"62" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Grid Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"63" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 1 Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"64" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 2 Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"65" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 1 Accent 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"66" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium List 2 Accent 2"/>
 </w:LatentStyles>
</xml><![endif]-->




<!--StartFragment--><p class="MsoNormal">Dear all,</p>
<p class="MsoNormal">I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.</p>
<p class="MsoNormal">These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.</p>
<p class="MsoNormal">This draft is about a new routing metro for OLSRv2.</p>
<p class="MsoNormal"><br></p>
<p class="MsoNormal">Technical questions/comments:</p>
<p class="MsoNormal">1) In this draft, “RFC5444 packet” can be found in many places. I didn’t find the definition of this term. Do you indicate this solution may need to process a packet which is not specified in OLSRv2?</p>
<p class="MsoNormal">2) There is a good security consideration section in RFC 7181. Since this draft is closely related to OLSRv2 (although this work does not specify any new message or TLV), it will be good to build the security considerations of this work based upon what has been discussed in RFC7181. For example, maybe the authors could say ’there will be some new security issues introduced by this work but not mentioned in RFC 7181, there will be some security issues if we only use the mandatory security mechanism specified in RFC7181, or our work does not introduce any additional security issues..</p>
<p class="MsoNormal">3) This question is about the last sentence in the security consideration—“The signature scheme described in [RFC7183] does not protect the additional sequence number of the DAT metric because it does only sign the RFC5444 messages, not the RFC5444 packet header.” First of all, there is no signature mechanism specified in RFC7183, only HMAC is used to protect the message integrity. In addition, the RFC7183 reuse the process specified in RFC7182 to generate hashes, and so it should be able to cover the message headers. Open for discussion.</p>
<div><br></div>
<p class="MsoNormal">Editorial:</p>
<p class="MsoNormal">Section 2:</p>
<pre>MAX(a,b) -&gt; MAX(a, b)</pre>
<p class="MsoNormal">Section 3:</p>
<pre>The administrator should take care that link layer multicast transmission do not not have -&gt; The administrator should take care that link layer multicast transmission do not have</pre>
<p class="MsoNormal">Section 4:</p>
<pre>The routing decision of most operation systems don't take packet size into account. -&gt; The routing decisions of most operation systems don't take packet size into account.</pre>
<pre>Section 7:</pre>
<pre>with a very slow or very fast linklayer -&gt; with a very slow or very fast link layer</pre>
<pre>Cheers</pre>
<pre>Dacheng</pre>
<pre><br></pre><!--EndFragment--></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 10.5pt; font-family: Calibri, sans-serif;"><span lang="EN-US"><!--EndFragment--></span></div></body></html>

--Apple-Mail=_DED9753D-033E-4365-A553-4030F532C8C0--


From nobody Sun Nov 15 02:18:00 2015
Return-Path: <talmi@marvell.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A7C81B2CEE; Sun, 15 Nov 2015 02:17:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.267
X-Spam-Level: 
X-Spam-Status: No, score=-2.267 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fiwNBci34xKr; Sun, 15 Nov 2015 02:17:54 -0800 (PST)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB35A1B2C99; Sun, 15 Nov 2015 02:17:54 -0800 (PST)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tAFAF1Qn003630; Sun, 15 Nov 2015 02:17:54 -0800
Received: from il-exch02.marvell.com ([199.203.130.102]) by mx0a-0016f401.pphosted.com with ESMTP id 1y636msqam-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 15 Nov 2015 02:17:54 -0800
Received: from IL-EXCH01.marvell.com (10.4.102.220) by IL-EXCH02.marvell.com (10.4.102.221) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Sun, 15 Nov 2015 12:17:50 +0200
Received: from IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a]) by IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a%20]) with mapi id 15.00.1044.021; Sun, 15 Nov 2015 12:17:50 +0200
From: Tal Mizrahi <talmi@marvell.com>
To: "Salz, Rich" <rsalz@akamai.com>, "draft-ietf-ippm-checksum-trailer.all@ietf.org" <draft-ietf-ippm-checksum-trailer.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-ippm-checksum-trailer
Thread-Index: AdEM2iPxQdxYCi6cQbaim/cdxrnsTAStIfvg
Date: Sun, 15 Nov 2015 10:17:49 +0000
Message-ID: <1c72beca2b5c4c308cbf7ab9215bdd33@IL-EXCH01.marvell.com>
References: <a14ff97da2274a8ea127570a6ce43365@ustx2ex-dag1mb3.msg.corp.akamai.com>
In-Reply-To: <a14ff97da2274a8ea127570a6ce43365@ustx2ex-dag1mb3.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.4.102.210]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-11-15_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1511150192
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/_YQipY6TqhZBlIo-0v_dUNpGQwU>
Subject: Re: [secdir] secdir review of draft-ietf-ippm-checksum-trailer
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2015 10:17:56 -0000

Hi Rich,

Thanks for the comments.

> I think Figure 1 could be improved by showing how and/or where the checksum
> trailer is applied inside the "enabled Node" box.  Is it a separate node, or
> is it all a single flow within a node before the packet is put onto the IP
> Network "cloud"?

It is meant to be the latter, i.e., a single flow within a node. I will clarify
this in the next version of the draft.

Thanks,
Tal.


>-----Original Message-----
>From: Salz, Rich [mailto:rsalz@akamai.com]
>Sent: Thursday, October 22, 2015 6:07 PM
>To: draft-ietf-ippm-checksum-trailer.all@ietf.org; iesg@ietf.org;
>secdir@ietf.org
>Subject: secdir review of draft-ietf-ippm-checksum-trailer
>
>[ My first review; please let me know if anything's wrong]
>
>I have reviewed this document as part of the security directorate's ongoing
>effort to review all IETF documents being processed by the IESG.  These
>comments were written primarily for the benefit of the security area
>directors.  Document editors and WG chairs should treat these comments just
>like any other last call comments.
>
>In my view this document is Ready with nits; suggested clarification of Figure
>1, below.
>
>This document describes a mechanism for an intermediary to use space in a
>padding area to counteract the effect of a prior intermediary adding a
>high-accuracy timestamp into a UDP packet. The technique is used elsewhere
>(draft-ietf-ntp-checksum-trailer and IEEE1588) and dates back to RFC 1624
>from 1994. The mechanism is better than the current approach, which zeroes
>out the checksum and makes any checksum impossible.
>
>The document and its security considerations seem thorough, discussing
>the impact on encrypted packets, the general idea of an MITM modifying
>packets, and so on.
>
>I think Figure 1 could be improved by showing how and/or where the
>checksum trailer is applied inside the "enabled Node" box.  Is it a separate
>node, or is it all a single flow within a node before the packet is put onto
>the IP Network "cloud"?  Also, the art of the cloud is commendable :)
>
>--
>Senior Architect, Akamai Technologies
>IM: richsalz@jabber.at Twitter: RichSalz
>
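
The compensation summarized in the quoted review above, as an added example that is not part of this thread or of the draft: a node overwrites a timestamp in flight and adjusts two bytes in the padding, using RFC 1624-style ones-complement arithmetic, so the checksum computed by the sender stays valid. The payload layout (4-byte sequence number, 8-byte timestamp, zero padding whose last two bytes are the trailer), the function names and the timestamp values are assumptions made for illustration.

```python
"""Checksum trailer sketch: keep a UDP-style checksum valid after an
in-flight timestamp rewrite by adjusting two bytes in the padding."""
import struct

# Assumed layout (constructed for this example, not taken from the draft).
TS_OFFSET = 4       # 4-byte sequence number, then the timestamp
TS_LEN = 8          # 8-byte timestamp field
TRAILER_LEN = 2     # last two padding bytes act as the checksum trailer


def ones_sum(data) -> int:
    """16-bit ones-complement sum of data (zero-padded to an even length)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data) -> int:
    """Checksum as carried in the UDP header: complement of the sum.

    The real UDP checksum also covers the pseudo-header and UDP header;
    the sum is linear, so the compensation below is unaffected by that.
    """
    return ~ones_sum(data) & 0xFFFF


def ones_add(a: int, b: int) -> int:
    """Ones-complement addition of two 16-bit values (end-around carry)."""
    total = a + b
    return (total & 0xFFFF) + (total >> 16)


def build_payload(seq: int, timestamp: bytes, padding_len: int = 16) -> bytearray:
    """Sender side: sequence number, timestamp, zeroed padding with trailer."""
    if len(timestamp) != TS_LEN:
        raise ValueError("timestamp must be %d bytes" % TS_LEN)
    if padding_len < TRAILER_LEN or padding_len % 2:
        raise ValueError("padding must be even and hold the trailer")
    return bytearray(struct.pack("!I", seq) + timestamp + bytes(padding_len))


def rewrite_timestamp(payload: bytearray, new_ts: bytes) -> None:
    """Intermediate step: overwrite the timestamp and compensate in the trailer.

    With m the old field sum, m' the new one and T the trailer, choosing
    T' = T + m + ~m' keeps the ones-complement sum of the payload unchanged.
    """
    if len(new_ts) != TS_LEN:
        raise ValueError("timestamp must be %d bytes" % TS_LEN)
    if len(payload) % 2 or len(payload) < TS_OFFSET + TS_LEN + TRAILER_LEN:
        # An odd length would put the trailer across a 16-bit word boundary.
        raise ValueError("payload must be 16-bit aligned and contain a trailer")
    old_sum = ones_sum(payload[TS_OFFSET:TS_OFFSET + TS_LEN])
    new_sum = ones_sum(new_ts)
    (trailer,) = struct.unpack("!H", payload[-TRAILER_LEN:])
    trailer = ones_add(ones_add(trailer, old_sum), ~new_sum & 0xFFFF)
    payload[TS_OFFSET:TS_OFFSET + TS_LEN] = new_ts
    payload[-TRAILER_LEN:] = struct.pack("!H", trailer)


def demo():
    """Compare a naive rewrite with a compensated one on a constructed packet."""
    payload = build_payload(seq=7, timestamp=bytes(TS_LEN))
    checksum_at_sender = internet_checksum(payload)

    hw_timestamp = struct.pack("!II", 0x56485D2D, 0x8A3C0000)  # constructed value

    naive = bytearray(payload)
    naive[TS_OFFSET:TS_OFFSET + TS_LEN] = hw_timestamp   # no compensation

    compensated = bytearray(payload)
    rewrite_timestamp(compensated, hw_timestamp)

    return (checksum_at_sender, internet_checksum(naive),
            internet_checksum(compensated), compensated)


if __name__ == "__main__":
    sender, naive, fixed, packet = demo()
    print("sender checksum      0x%04x" % sender)
    print("naive rewrite        0x%04x (receiver would drop)" % naive)
    print("with trailer update  0x%04x" % fixed)
    print("trailer bytes        %s" % bytes(packet[-TRAILER_LEN:]).hex())
```

The trailer carries no integrity protection of its own: anyone who can rewrite the timestamp can also rewrite the trailer, which is why the review's point about MITM modification is handled separately from the checksum.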


From nobody Mon Nov 16 21:41:23 2015
Return-Path: <joelja@bogus.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C221B29E4; Mon, 16 Nov 2015 21:41:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level: 
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j3XOf95YesKW; Mon, 16 Nov 2015 21:41:17 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 856F61B29E3; Mon, 16 Nov 2015 21:41:14 -0800 (PST)
Received: from mb-2.local (c-73-158-58-32.hsd1.ca.comcast.net [73.158.58.32]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id tAH5f7TY099757 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 17 Nov 2015 05:41:08 GMT (envelope-from joelja@bogus.com)
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <564ABDF3.3010107@bogus.com>
Date: Mon, 16 Nov 2015 21:41:07 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Thunderbird/42.0
MIME-Version: 1.0
In-Reply-To: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="FskXA9ieGpMS9JOVuD4F9DiStoK7P26Op"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/cbp2vHfQLYB5bHOibMahsrEOJQQ>
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 05:41:19 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--FskXA9ieGpMS9JOVuD4F9DiStoK7P26Op
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 11/10/15 8:14 PM, Tina TSOU wrote:
> Dear all,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
>
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> ** Technical **
>
> * Section 7, page 11:
>
> I think you should make comments regarding the (privacy) implications of
> employing identifiers such as MAC addresses when essentially any other
> value -- e.g. a long-enough random number would do.
>

Thank you Tina, that is quite a useful review.

joel

>
> Besides, you should comment on how the ID can be somehow validated, and
> what could happen if a client were able to predict the ID employed by
> other clients.
>
> ** Editorial **
>
> * Section 1, page 2:
>
>>    The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
>>    control how packets are translated and forwarded by a PCP-controlled
>>    device such as a network address translator (NAT) or firewall.
>
> Please replace "and" with "and/or", since a firewall will not translate
> packets.
>
> * Section 1, page 2:
>
>>    This document focuses on the scenarios where the PCP client sends
>>    requests that concern internal addresses other than the address of
>>    the PCP client itself.
>
> s/the scenarios/scenarios/
>
> (since at least at this point in the text you have not yet mentioned
> what those scenarios are about)
>
> * Section 1, page 2:
>
>>    There is already an option defined for this purpose in the RFC 6887
>>    [RFC6887] called the THIRD_PARTY option.
>
> Please rephrase as:
>
> "There is already an option defined for this purpose in [RFC6887],
> called the THIRD_PARTY option."
>
> * Section 1, page 3:
>
>> CGN deployments
>
> Please expand the acronym on first usage.
>
> * Section 1, page 3:
>
>>    This applies to some of the PCP deployment scenarios that are listed
>>    in Section 2.1 of RFC 6887 [RFC6887],
>
> Just remove "RFC 6887" (the rfc number is already included by the ref).
>
> * Section 1, page 3:
>
>>    in particular to a Layer-2
>>    aware NAT which is described in more detail in Section 3, or GI-DS-
>>    Lite [RFC6674] and ds-extra-lite [RFC6619].
>
> You refer to RFC6619 as "ds-extra-lite", but such RFC does not even
> include that term. Thoughts?
>
> * Section 3, page 4:
>
>>   The scenarios serve as examples.  This document does not restrict the
>>    applicability of the THIRD_PARTY_ID to certain scenarios.
>
> Please replace "THIRD_PARTY_ID" with "THIRD_PARTY_ID option" (here, and
> in other places)
>
> * Section 3, page 4:
>
>> The THIRD_PARTY_ID
>>    can also be used for the firewall control
>
> Please remove the "the".
>
> * Section 3.2, page 7:
>
>> tunnel ID of tunnel(BRAS, CGN)
>
> (two instances of this). Please rephrase as "ID of the tunnel (BRAS, CGN)".
>
> * Section 4, page 9:
>
> Why use "TBD" and "TBD-1" if there's a single value to be assigned?
>
> * Section 4, page 9:
>
>> are to be set As
>
> s/As/as/
>
> Thank you,
>
> Tina
>


--FskXA9ieGpMS9JOVuD4F9DiStoK7P26Op--


From nobody Tue Nov 17 02:20:51 2015
Return-Path: <henning.rogge@fkie.fraunhofer.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 071C21B2D3E; Tue, 17 Nov 2015 01:14:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.363
X-Spam-Level: 
X-Spam-Status: No, score=0.363 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DE=0.35, J_CHICKENPOX_31=0.6, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 985hWWhqkoI0; Tue, 17 Nov 2015 01:14:47 -0800 (PST)
Received: from a.mx.fkie.fraunhofer.de (mailguard.fkie.fraunhofer.de [IPv6:2001:638:401:102:1aa9:5ff:fe5f:7f22]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB97E1B2D3C; Tue, 17 Nov 2015 01:14:46 -0800 (PST)
Received: from rufsun5.fkie.fraunhofer.de ([128.7.2.5] helo=mailhost.fkie.fraunhofer.de) by a.mx.fkie.fraunhofer.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <henning.rogge@fkie.fraunhofer.de>) id 1ZycLc-0001ld-K2; Tue, 17 Nov 2015 10:14:44 +0100
Received: from mailserv2bcas.fkie.fraunhofer.de ([128.7.96.56] helo=mailserv2.fkie.fraunhofer.de) by mailhost.fkie.fraunhofer.de with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <henning.rogge@fkie.fraunhofer.de>) id 1ZycLc-0005K3-Ge; Tue, 17 Nov 2015 10:14:44 +0100
Received: from [128.7.5.36] (128.7.5.36) by MAILSERV2BCAS.lorien.fkie.fgan.de (128.7.96.58) with Microsoft SMTP Server (TLS) id 14.3.248.2; Tue, 17 Nov 2015 10:14:44 +0100
To: Dacheng <zhang_dacheng@hotmail.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl>
From: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
Message-ID: <564AF000.4080705@fkie.fraunhofer.de>
Date: Tue, 17 Nov 2015 10:14:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000609020004000202000106"
X-Originating-IP: [128.7.5.36]
X-Virus-Scanned: yes (ClamAV 0.98.1/21062/Mon Nov 16 13:00:09 2015) by a.mx.fkie.fraunhofer.de
X-Scan-Signature: 0ecef80a5bec7804fa4b6ab1e9eef018
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/RsK4e1Sfj9DgAvsxc0cBd4uWRzY>
X-Mailman-Approved-At: Tue, 17 Nov 2015 02:20:49 -0800
Cc: draft-ietf-manet-olsrv2-dat-metric.all@ietf.org
Subject: Re: [secdir] Secdir Review of draft-ietf-manet-olsrv2-dat-metric-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 09:14:49 -0000

--------------ms000609020004000202000106
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

On 11/15/2015 08:40 AM, Dacheng wrote:
> Dear all,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
>
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This draft is about a new routing metric for OLSRv2.
>
>
> Technical questions/comments:
>
> 1) In this draft, “RFC5444 packet” can be found in many places. I didn’t
> find the definition of this term. Do you indicate this solution may need
> to process a packet which is not specified in OLSRv2?

The header of the Terminology Section contains the following paragraph:

    The terminology introduced in [RFC5444], [RFC7181] and [RFC6130],
    including the terms "packet", "message" and "TLV" are to be
    interpreted as described therein.

Do you think this paragraph needs to be improved or extended?

> 2) There is a good security consideration section in RFC 7181. Since
> this draft is closely related to OLSRv2 (although this work does not
> specify any new message or TLV), it will be good to build the security
> considerations of this work based upon what has been discussed in
> RFC7181. For example, maybe the authors could say ’there will be some
> new security issues introduced by this work but not mentioned in RFC
> 7181, there will be some security issues if we only use the mandatory
> security mechanism specified in RFC7181, or our work does not introduce
> any additional security issues..

I think my security considerations section explicitly says (in the last
sentence) that the Mandatory Security Mechanism for OLSRv2 (RFC7183)
does NOT protect against modified packet sequence numbers.

> 3) This question is about the last sentence in the security
> consideration—“The signature scheme described in [RFC7183] does not
> protect the additional sequence number of the DAT metric because it does
> only sign the RFC5444 messages, not the RFC5444 packet header.” First of
> all, there is no signature mechanism specified in RFC7183, only HMAC is
> used to protect the message integrity. In addition, the RFC7183 reuse
> the process specified in RFC7182 to generate hashes, and so it should be
> able to cover the message headers.   Open for discussion.

RFC7183 introduces a RFC5444 message level integrity protection
extension for RFC7181 (OLSRv2), based on the ICV Message TLV defined in
RFC7182 (see section 9.1 of RFC7182).

The ICV Message TLV does NOT protect the PACKET header fields of RFC5444
packets, including the RFC5444 packet sequence number.

> Editorial:
>
> Section 2:
>
> MAX(a,b) -> MAX(a, b)
>
> Section 3:
>
> The administrator should take care that link layer multicast
> transmission do not not have ->  The administrator should take care that
> link layer multicast transmission do not have
>
> Section 4:
>
> The routing decision of most operation systems don't take packet size
> into account. -> The routing decisions of most operation systems don't
> take packet size into account.
>
> Section 7:
>
> with a very slow or very fast linklayer -> with a very slow or very fast
> link layer

Will be fixed in the next revision.

Henning Rogge

-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Fraunhofer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:henning.rogge@fkie.fraunhofer.de http://www.fkie.fraunhofer.de


--------------ms000609020004000202000106
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms000609020004000202000106--
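
Added example, not part of the original message: a simplified Python model of the coverage gap described in the reply above. An integrity check value (ICV) computed per message still verifies after the packet header sequence number is changed, while an ICV computed over the whole packet does not. The framing (2-octet sequence number header, length-prefixed messages, ICV appended instead of carried in a TLV), the key and all function names are assumptions for illustration, not the RFC 5444 wire format.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32                     # HMAC-SHA256 output length in octets
KEY = b"constructed-demo-key"    # constructed sample key, not from the thread


def compute_icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over exactly the bytes handed in."""
    return hmac.new(key, data, hashlib.sha256).digest()


def protect_message(key: bytes, body: bytes) -> bytes:
    """Message-level protection: the ICV covers the message bytes only."""
    return body + compute_icv(key, body)


def build_packet(seq_num: int, messages: list) -> bytes:
    """Toy packet: 2-octet sequence number, then length-prefixed messages."""
    out = struct.pack("!H", seq_num)
    for msg in messages:
        out += struct.pack("!H", len(msg)) + msg
    return out


def parse_packet(packet: bytes):
    """Return (seq_num, [messages]); raise ValueError on truncated input."""
    if len(packet) < 2:
        raise ValueError("truncated packet header")
    (seq_num,) = struct.unpack_from("!H", packet, 0)
    pos, messages = 2, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated message length")
        (length,) = struct.unpack_from("!H", packet, pos)
        pos += 2
        if pos + length > len(packet):
            raise ValueError("truncated message")
        messages.append(packet[pos:pos + length])
        pos += length
    return seq_num, messages


def verify_messages(key: bytes, packet: bytes) -> bool:
    """Check every message ICV; the packet header is never an HMAC input."""
    _, messages = parse_packet(packet)
    for msg in messages:
        if len(msg) < ICV_LEN:
            return False
        body, tag = msg[:-ICV_LEN], msg[-ICV_LEN:]
        if not hmac.compare_digest(tag, compute_icv(key, body)):
            return False
    return True


def protect_packet(key: bytes, packet: bytes) -> bytes:
    """Packet-level protection: the ICV covers header and messages."""
    return packet + compute_icv(key, packet)


def verify_packet(key: bytes, protected: bytes) -> bool:
    """Check an ICV that was computed over the whole packet."""
    if len(protected) < ICV_LEN + 2:
        return False
    packet, tag = protected[:-ICV_LEN], protected[-ICV_LEN:]
    return hmac.compare_digest(tag, compute_icv(key, packet))


def replace_seq_num(packet: bytes, new_seq: int) -> bytes:
    """Model a sequence number changed in transit; the rest is untouched."""
    return struct.pack("!H", new_seq) + packet[2:]


# Constructed sample traffic: one protected message in packet number 100.
ORIGINAL = build_packet(100, [protect_message(KEY, b"constructed HELLO from router A")])
ALTERED = replace_seq_num(ORIGINAL, 105)


def coverage_report() -> dict:
    """Which protection scope notices the changed sequence number."""
    sealed = protect_packet(KEY, ORIGINAL)
    return {
        "message_icv_detects_seq_change": not verify_messages(KEY, ALTERED),
        "packet_icv_detects_seq_change": not verify_packet(KEY, replace_seq_num(sealed, 105)),
    }


if __name__ == "__main__":
    print(coverage_report())
```
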


From nobody Tue Nov 17 03:00:16 2015
Return-Path: <Quittek@neclab.eu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B23D41A8706; Tue, 17 Nov 2015 02:58:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.587
X-Spam-Level: 
X-Spam-Status: No, score=-2.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r8XqZGsAqFpC; Tue, 17 Nov 2015 02:58:49 -0800 (PST)
Received: from mailer1.neclab.eu (mailer1.neclab.eu [195.37.70.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02CE81A87BC; Tue, 17 Nov 2015 02:58:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailer1.neclab.eu (Postfix) with ESMTP id 7824D10B020; Tue, 17 Nov 2015 11:58:47 +0100 (CET)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (netlab.nec.de)
Received: from mailer1.neclab.eu ([127.0.0.1]) by localhost (atlas-a.office.hd [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6LOwNSc8UsI; Tue, 17 Nov 2015 11:58:47 +0100 (CET)
X-ENC: Last-Hop-TLS-encrypted
X-ENC: Last-Hop-TLS-encrypted
Received: from ENCELADUS.office.hd (enceladus.office.hd [192.168.24.52]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailer1.neclab.eu (Postfix) with ESMTPS id 583FB10B01E; Tue, 17 Nov 2015 11:58:39 +0100 (CET)
Received: from PALLENE.office.hd ([169.254.1.59]) by ENCELADUS.office.hd ([192.168.24.52]) with mapi id 14.03.0210.002; Tue, 17 Nov 2015 11:58:18 +0100
From: Juergen Quittek <Quittek@neclab.eu>
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
Thread-Topic: Secdir Review of draft-ietf-pcp-third-party-id-option-04
Thread-Index: AdEcN2Zzfw6PDcwVTluSTfgPI5/0vwE65edQ
Date: Tue, 17 Nov 2015 10:58:17 +0000
Message-ID: <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com>
In-Reply-To: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.1.99.69]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/mEg2q5KRVSJdwan2T2XFUuwxa70>
X-Mailman-Approved-At: Tue, 17 Nov 2015 03:00:14 -0800
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 10:58:51 -0000

Dear Tina,
Thank you very much for your thorough review.
Please find replies inline.

> -----Original Message-----
> From: Tina TSOU [mailto:Tina.Tsou.Zouting@huawei.com]
> Sent: Mittwoch, 11. November 2015 05:14
> To: The IESG; secdir@ietf.org; draft-ietf-pcp-third-party-id-option.all@ietf.org
> Subject: Secdir Review of draft-ietf-pcp-third-party-id-option-04
>
> Dear all,
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.
>
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> ** Technical **
>
> * Section 7, page 11:
>
> I think you should make comments regarding the (privacy) implications of
> employing identifiers such as MAC addresses when essentially any other value -
> - e.g. a long-enough random number would do.
>
> Besides, you should comment on how the ID can be somehow validated, and
> what could happen if a client were able to predict the ID employed by other
> clients.

Here is a proposal for improving this section:
OLD
   As this option is related to the use of the THIRD_PARTY option the
   corresponding security considerations in Section 18.1.1 of RFC 6887
   [RFC6887] apply.  Especially, the network on which the PCP messages
   are sent must be fully trusted.  The THIRD_PARTY_ID option might
   carry privacy information like location or profile information.
   Means to protect unauthorized access to this information should be
   put in place.
NEW
   As this option is related to the use of the THIRD_PARTY option the
   corresponding security considerations in Section 18.1.1 of RFC 6887
   [RFC6887] apply.  Especially, the network on which the PCP messages
   are sent must be fully trusted.  The THIRD_PARTY_ID option might
   carry privacy sensitive information like location or profile information.
   Where possible, randomly assigned numbers should be preferred to
   privacy sensitive information to be carried as values by the
   THIRD_PARTY_ID option. Random numbers should be assigned such
   that an attacker cannot guess which number is assigned to which
   third party. Anyway, means to protect unauthorized access to
   values carried by the THIRD_PARTY_ID option should be put in place.
END
Would this address your concerns?

>
> ** Editorial **
>
> * Section 1, page 2:
> >    The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
> >    control how packets are translated and forwarded by a PCP-controlled
> >    device such as a network address translator (NAT) or firewall.
>
> Please replace "and" with "and/or", since a firewall will not translate packets.

In the past, the RFC Editor used to remove occurrences of "and/or" in RFCs.
What about the following alternative, which is semantically equivalent to and/or:
"such as a network address translator (NAT), a firewall, or a combination of both"?

>
> * Section 1, page 2:
> >    This document focuses on the scenarios where the PCP client sends
> >    requests that concern internal addresses other than the address of
> >    the PCP client itself.
>
> s/the scenarios/scenarios/

Agreed.

>
> (since at least at this point in the text you have not yet mentioned what those
> scenarios are about)
>
> * Section 1, page 2:
> >    There is already an option defined for this purpose in the RFC 6887
> >    [RFC6887] called the THIRD_PARTY option.
>
> Please rephrase as:
>
> "There is already an option defined for this purpose in [RFC6887], called the
> THIRD_PARTY option."

Agreed.

>
> * Section 1, page 3:
> > CGN deployments
>
> Please expand the acronym on first usage.

Agreed.

>
> * Section 1, page 3:
> >    This applies to some of the PCP deployment scenarios that are listed
> >    in Section 2.1 of RFC 6887 [RFC6887],
>
> Just remove "RFC 6887" (the rfc number is already included by the ref).

Agreed.

>
> * Section 1, page 3:
> >    in particular to a Layer-2
> >    aware NAT which is described in more detail in Section 3, or GI-DS-
> >    Lite [RFC6674] and ds-extra-lite [RFC6619].
>
> You refer to RFC6619 as "ds-extra-lite", but such RFC does not even
> include that term. Thoughts?

Here is a proposal that addresses your issue:
OLD
   This applies to some of the PCP deployment scenarios that are listed
   in Section 2.1 of RFC 6887 [RFC6887], in particular to a Layer-2
   aware NAT which is described in more detail in Section 3, or GI-DS-
   Lite [RFC6674] and ds-extra-lite [RFC6619].
NEW
   This applies to some of the PCP deployment scenarios that are listed
   in Section 2.1 of [RFC6887], in particular to a Layer-2 aware NAT
   which is described in more detail in Section 3, as well as in other
   scenarios where overlapping address spaces occur like in [RFC6674] or
   [RFC6619].
END
Would this solve your issue?

>
> * Section 3, page 4:
> >   The scenarios serve as examples.  This document does not restrict the
> >    applicability of the THIRD_PARTY_ID to certain scenarios.
>
> Please replace "THIRD_PARTY_ID" with "THIRD_PARTY_ID option" (here, and
> in other places)

Agreed.

>
> * Section 3, page 4:
> > The THIRD_PARTY_ID
> >    can also be used for the firewall control
>
> Please remove the "the".

Agreed.

>
> * Section 3.2, page 7:
> > tunnel ID of tunnel(BRAS, CGN)
>
> (two instances of this). Please rephrase as "ID of the tunnel (BRAS, CGN)".

Agreed.

>
> * Section 4, page 9:
> Why use "TBD" and "TBD-1" if there's a single value to be assigned?

There was no space for "-1" in the figure. All other TBDs are numbered as "TBD-X". We will make sure that the RFC Editor gets the right message.

>
> * Section 4, page 9:
> > are to be set As
>
> s/As/as/

Agreed.

Thanks and best regards,
    Juergen


>
> Thank you,
>
> Tina
>
>


From nobody Tue Nov 17 03:04:20 2015
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 438371A9071; Tue, 17 Nov 2015 03:04:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.286
X-Spam-Level: 
X-Spam-Status: No, score=-4.286 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8SXXp9Qfcvh2; Tue, 17 Nov 2015 03:04:13 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A89C1A8871; Tue, 17 Nov 2015 03:04:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DA8F0BE58; Tue, 17 Nov 2015 11:04:10 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Zd_VsdfS78o; Tue, 17 Nov 2015 11:04:10 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3A3BDBE4D; Tue, 17 Nov 2015 11:04:08 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1447758248; bh=iiylr7TYe/ltY2cKUOUFyy7lkH7VmsSIkOz2bY4glaQ=; h=Subject:To:References:From:Date:In-Reply-To:From; b=JjnuqXPYdZp+M8ImLdo9WvYhdyRem/NN0KaQ+jp0Lgl9t11dCJNxa+BBGm4aefZdy zF/6R/GZDYUCILAJsX697b6K40NCq2mxPS2kq3XMHYKsGR7JaqvKyftalR5fTTqxvF k2ye8ZEATrNkUbxWo413Q7kaWepRAhpDWGTVnsKQ=
To: Juergen Quittek <Quittek@neclab.eu>, Tina TSOU <Tina.Tsou.Zouting@huawei.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com> <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <564B09A7.50904@cs.tcd.ie>
Date: Tue, 17 Nov 2015 11:04:07 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/lYbie7mlDiets2Urb5y5K7_atc4>
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 11:04:16 -0000

Hi Juergen,

(Caveat: I've yet to read this, but I have a question nonetheless:-)

On 17/11/15 10:58, Juergen Quittek wrote:
> Dear Tina,
> Thank you very much for your thorough review.
> Please find replies inline.
> 
>> -----Original Message-----
>> From: Tina TSOU [mailto:Tina.Tsou.Zouting@huawei.com]
>> Sent: Mittwoch, 11. November 2015 05:14
>> To: The IESG; secdir@ietf.org; draft-ietf-pcp-third-party-id-option.all@ietf.org
>> Subject: Secdir Review of draft-ietf-pcp-third-party-id-option-04
>>
>> Dear all,
>>
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.
>>
>> These comments were written primarily for the benefit of the security area
>> directors. Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>>
>> ** Technical **
>>
>> * Section 7, page 11:
>>
>> I think you should make comments regarding the (privacy) implications of
>> employing identifiers such as MAC addresses when essentially any other value -
>> - e.g. a long-enough random number would do.
>>
>> Besides, you should comment on how the ID can be somehow validated, and
>> what could happen if a client were able to predict the ID employed by other
>> clients.
> 
> Here is a proposal for improving this section:
> OLD
>    As this option is related to the use of the THIRD_PARTY option the
>    corresponding security considerations in Section 18.1.1 of RFC 6887
>    [RFC6887] apply.  Especially, the network on which the PCP messages
>    are sent must be fully trusted.  The THIRD_PARTY_ID option might
>    carry privacy information like location or profile information.
>    Means to protect unauthorized access to this information should be
>    put in place.
> NEW
>    As this option is related to the use of the THIRD_PARTY option the
>    corresponding security considerations in Section 18.1.1 of RFC 6887
>    [RFC6887] apply.  Especially, the network on which the PCP messages
>    are sent must be fully trusted.  The THIRD_PARTY_ID option might
>    carry privacy sensitive information like location or profile information. 
>    Where possible, randomly assigned numbers should be preferred to 
>    privacy sensitive information to be carried as values by the 
>    THIRD_PARTY_ID option. Random numbers should be assigned such 
>    that an attacker cannot guess which number is assigned to which 
>    third party. Anyway, means to protect unauthorized access to 
>    values carried by the THIRD_PARTY_ID option should be put in place.
> END
> Would this address your concerns?

Can you say why the value ever needs to be a long lived identifier
and why a random number that changes periodically isn't always good
enough?

Ta,
S.


> 
>>
>> ** Editorial **
>>
>> * Section 1, page 2:
>>>    The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
>>>    control how packets are translated and forwarded by a PCP-controlled
>>>    device such as a network address translator (NAT) or firewall.
>>
>> Please replace "and" with "and/or", since a firewall will not translate packets.
> 
> In the past, the RFC Editor used to remove occurrences of "and/or" in RFCs. 
> What about the following alternative, which is semantically equivalent to and/or: 
> "such as a network address translator (NAT), a firewall, or a combination of both"?
> 
>>
>> * Section 1, page 2:
>>>    This document focuses on the scenarios where the PCP client sends
>>>    requests that concern internal addresses other than the address of
>>>    the PCP client itself.
>>
>> s/the scenarios/scenarios/
> 
> Agreed.
> 
>>
>> (since at least at this point in the text you have not yet mentioned what those
>> scenarios are about)
>>
>> * Section 1, page 2:
>>>    There is already an option defined for this purpose in the RFC 6887
>>>    [RFC6887] called the THIRD_PARTY option.
>>
>> Please rephrase as:
>>
>> "There is already an option defined for this purpose in [RFC6887], called the
>> THIRD_PARTY option."
> 
> Agreed.
> 
>>
>> * Section 1, page 3:
>>> CGN deployments
>>
>> Please expand the acronym on first usage.
> 
> Agreed.
> 
>>
>> * Section 1, page 3:
>>>    This applies to some of the PCP deployment scenarios that are listed
>>>    in Section 2.1 of RFC 6887 [RFC6887],
>>
>> Just remove "RFC 6887" (the rfc number is already included by the ref).
> 
> Agreed.
> 
>>
>> * Section 1, page 3:
>>>    in particular to a Layer-2
>>>    aware NAT which is described in more detail in Section 3, or GI-DS-
>>>    Lite [RFC6674] and ds-extra-lite [RFC6619].
>>
>> You refer to RFC6619 as "ds-extra-lite", but such RFC does not even
>> include that term. Thoughts?
> 
> Here is a proposal that addresses your issue:
> OLD
>    This applies to some of the PCP deployment scenarios that are listed 
>    in Section 2.1 of RFC 6887 [RFC6887], in particular to a Layer-2 
>    aware NAT which is described in more detail in Section 3, or GI-DS- 
>    Lite [RFC6674] and ds-extra-lite [RFC6619]. 
> NEW
>    This applies to some of the PCP deployment scenarios that are listed
>    in Section 2.1 of [RFC6887], in particular to a Layer-2 aware NAT
>    which is described in more detail in Section 3, as well as in other
>    scenarios where overlapping address spaces occur like in [RFC6674] or
>    [RFC6619].
> END
> Would this solve your issue?
> 
>>
>> * Section 3, page 4:
>>>   The scenarios serve as examples.  This document does not restrict the
>>>    applicability of the THIRD_PARTY_ID to certain scenarios.
>>
>> Please replace "THIRD_PARTY_ID" with "THIRD_PARTY_ID option" (here, and
>> in other places)
> 
> Agreed.
> 
>>
>> * Section 3, page 4:
>>> The THIRD_PARTY_ID
>>>    can also be used for the firewall control
>>
>> Please remove the "the".
> 
> Agreed.
> 
>>
>> * Section 3.2, page 7:
>>> tunnel ID of tunnel(BRAS, CGN)
>>
>> (two instances of this). Please rephrase as "ID of the tunnel (BRAS, CGN)".
> 
> Agreed.
> 
>>
>> * Section 4, page 9:
>> Why use "TBD" and "TBD-1" if there's a single value to be assigned?
> 
> There was no space for "-1" in the figure. All other TBDs are numbered as "TBD-X". We will make sure that the RFC Editor gets the right message.
> 
>>
>> * Section 4, page 9:
>>> are to be set As
>>
>> s/As/as/
> 
> Agreed.
> 
> Thanks and best regards,
>     Juergen
> 
> 
>>
>> Thank you,
>>
>> Tina
>>
>>
> 
> 


From nobody Tue Nov 17 03:27:54 2015
Return-Path: <Quittek@neclab.eu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E89B1B2E54; Tue, 17 Nov 2015 03:27:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.587
X-Spam-Level: 
X-Spam-Status: No, score=-2.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ug1sF3878Fdg; Tue, 17 Nov 2015 03:27:50 -0800 (PST)
Received: from mailer1.neclab.eu (mailer1.neclab.eu [195.37.70.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E43921B2E52; Tue, 17 Nov 2015 03:27:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailer1.neclab.eu (Postfix) with ESMTP id 9910F10B027; Tue, 17 Nov 2015 12:27:47 +0100 (CET)
X-Virus-Scanned: Amavisd on Debian GNU/Linux (netlab.nec.de)
Received: from mailer1.neclab.eu ([127.0.0.1]) by localhost (atlas-a.office.hd [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YlkkSa6SBn9o; Tue, 17 Nov 2015 12:27:47 +0100 (CET)
X-ENC: Last-Hop-TLS-encrypted
X-ENC: Last-Hop-TLS-encrypted
Received: from ENCELADUS.office.hd (enceladus.office.hd [192.168.24.52]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailer1.neclab.eu (Postfix) with ESMTPS id 7681210B023; Tue, 17 Nov 2015 12:27:37 +0100 (CET)
Received: from PALLENE.office.hd ([169.254.1.59]) by ENCELADUS.office.hd ([192.168.24.52]) with mapi id 14.03.0210.002; Tue, 17 Nov 2015 12:27:37 +0100
From: Juergen Quittek <Quittek@neclab.eu>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Tina TSOU <Tina.Tsou.Zouting@huawei.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
Thread-Topic: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
Thread-Index: AdEcN2Zzfw6PDcwVTluSTfgPI5/0vwE65edQ///4m4D//+2BAA==
Date: Tue, 17 Nov 2015 11:27:36 +0000
Message-ID: <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2D5A@PALLENE.office.hd>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com> <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd> <564B09A7.50904@cs.tcd.ie>
In-Reply-To: <564B09A7.50904@cs.tcd.ie>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.1.99.69]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/O3pL3bkH83BeDuHEYA7OUnX7HW8>
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 11:27:52 -0000



From nobody Tue Nov 17 19:06:27 2015
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42D221A9027; Tue, 17 Nov 2015 19:06:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level: 
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRqjaXat9-nG; Tue, 17 Nov 2015 19:06:24 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928CF1A901E; Tue, 17 Nov 2015 19:06:24 -0800 (PST)
X-AuditID: 1209190c-f79c96d00000038e-d7-564beb2e7088
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id E7.0A.00910.E2BEB465; Tue, 17 Nov 2015 22:06:22 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id tAI36LQC007223; Tue, 17 Nov 2015 22:06:22 -0500
Received: from localhost (sarnath.mit.edu [18.18.1.190]) (authenticated bits=0) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tAI36JIP026165; Tue, 17 Nov 2015 22:06:20 -0500
From: Tom Yu <tlyu@mit.edu>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org
Date: Tue, 17 Nov 2015 22:06:19 -0500
Message-ID: <ldv4mgk2ehg.fsf@sarnath.mit.edu>
Lines: 33
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/DCeP00D_QWWq1DFBNBBxxSEbr-4>
Subject: [secdir] secdir review of draft-ietf-isis-sbfd-discriminator-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 03:06:26 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Summary: ready with nits

I agree with the first paragraph of the Security Considerations, in that
I think it's unlikely that this document introduces security risks for
IS-IS, which as I understand it, effectively transports the proposed
S-BFD discriminators as an uninterpreted opaque payload.

The second paragraph

   Advertisement of the S-BFD discriminators does make it possible for
   attackers to initiate S-BFD sessions using the advertised
   information.  The vulnerabilities this poses and how to mitigate them
   are discussed in the Security Considerations section of [S-BFD].

refers to the Security Considerations of the [S-BFD] base document.  The
[S-BFD] Security Considerations describe some strengthening practices,
but doesn't seem to describe the vulnerabilities in significant detail.
[S-BFD] Security Considerations seems to describe an attack where
someone impersonates the responder, but not one where someone
impersonates an initiator.

Other sections of [S-BFD] might imply the existence of this sort of
vulnerability, but the Security considerations seems not to mention it
explicitly.  I'm not sure whether it's best to leave things alone,
revise this document, or revise [S-BFD].

-Tom


From nobody Tue Nov 17 23:10:38 2015
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FB251AC429; Tue, 17 Nov 2015 20:31:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level: 
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GgNntX6MF6oq; Tue, 17 Nov 2015 20:31:54 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF71D1AC425; Tue, 17 Nov 2015 20:31:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2443; q=dns/txt; s=iport; t=1447821114; x=1449030714; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=QaqU088Vk7l+z28qhE6MWH0squ1PPeHiILDIyE+0KZA=; b=K5F4KL6tG9KU21Pp6v1Eux3KDDJKrTapWoUn6Vc7d5WRi6M0+5/CYhFX Prwm6wZqX5ABxuFghv40pe3/Ms3W8r9Tgxhv0/W0uhw97IUreUpsiNByV otkMqlxe3aMR3HTCdV8GJefTDjisyZrvvifFeLJg0cWT3hXeYP+oKzZcC w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.20,311,1444694400"; d="scan'208";a="209339238"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 18 Nov 2015 04:31:53 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id tAI4VrYs002131 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 18 Nov 2015 04:31:53 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 17 Nov 2015 22:31:53 -0600
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1104.000; Tue, 17 Nov 2015 22:31:53 -0600
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Tom Yu <tlyu@mit.edu>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org" <draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-isis-sbfd-discriminator-02
Thread-Index: AQHRIa4iUTgfB7Eo3kutQLFKONAxpp6hL5qA
Date: Wed, 18 Nov 2015 04:31:53 +0000
Message-ID: <f13edbe3b383420b9f029361f4b81a3b@XCH-ALN-001.cisco.com>
References: <ldv4mgk2ehg.fsf@sarnath.mit.edu>
In-Reply-To: <ldv4mgk2ehg.fsf@sarnath.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.121.24]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/NDB8-_Q70E_kizyAVLjJxdH9jnQ>
X-Mailman-Approved-At: Tue, 17 Nov 2015 23:10:35 -0800
Subject: Re: [secdir] secdir review of draft-ietf-isis-sbfd-discriminator-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 04:31:56 -0000

Tom -

Thanx for the review.

If you are not happy with the Security section of the base S-BFD draft it seems to me it makes the most sense to address any issues in that document. Trying to make up for any shortcomings in S-BFD draft by adding to the IGP drafts (there is a similar OSPF S-BFD draft) when the IGPs are merely acting as a transport for opaque information (as you say) does not seem appropriate to me.

Can we close on this issue?

   Les


> -----Original Message-----
> From: Tom Yu [mailto:tlyu@mit.edu]
> Sent: Tuesday, November 17, 2015 7:06 PM
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-isis-sbfd-
> discriminator.all@tools.ietf.org
> Subject: secdir review of draft-ietf-isis-sbfd-discriminator-02
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments
> just like any other last call comments.
>
> Summary: ready with nits
>
> I agree with the first paragraph of the Security Considerations, in that I think
> it's unlikely that this document introduces security risks for IS-IS, which as I
> understand it, effectively transports the proposed S-BFD discriminators as an
> uninterpreted opaque payload.
>
> The second paragraph
>
>    Advertisement of the S-BFD discriminators does make it possible for
>    attackers to initiate S-BFD sessions using the advertised
>    information.  The vulnerabilities this poses and how to mitigate them
>    are discussed in the Security Considerations section of [S-BFD].
>
> refers to the Security Considerations of the [S-BFD] base document.  The
> [S-BFD] Security Considerations describe some strengthening practices, but
> doesn't seem to describe the vulnerabilities in significant detail.
> [S-BFD] Security Considerations seems to describe an attack where someone
> impersonates the responder, but not one where someone impersonates an
> initiator.
>
> Other sections of [S-BFD] might imply the existence of this sort of
> vulnerability, but the Security considerations seems not to mention it
> explicitly.  I'm not sure whether it's best to leave things alone, revise this
> document, or revise [S-BFD].
>
> -Tom


From nobody Wed Nov 18 02:16:37 2015
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18CFD1B2BC1 for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 02:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.435
X-Spam-Level: 
X-Spam-Status: No, score=-4.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKAX3OAc8mqf for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 02:16:34 -0800 (PST)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A0E51B2BBF for <secdir@ietf.org>; Wed, 18 Nov 2015 02:16:34 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 0C93013CD; Wed, 18 Nov 2015 11:16:33 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id v_KpW5lV9D65; Wed, 18 Nov 2015 11:16:31 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Wed, 18 Nov 2015 11:16:28 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id AB87820091; Wed, 18 Nov 2015 11:13:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 7RFzfuwnCzGW; Wed, 18 Nov 2015 11:13:45 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id D11CB20089; Wed, 18 Nov 2015 11:13:44 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 72B1B38E1F15; Wed, 18 Nov 2015 11:13:42 +0100 (CET)
Date: Wed, 18 Nov 2015 11:13:41 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20151118101339.GA17028@elstar.local>
Mail-Followup-To: Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/G6ovXEWSpRxhaPhKUu_iG9KgnYs>
Cc: draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 10:16:36 -0000

On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
> Be ye not afraid...
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
> MIB Variables using the IPFIX Protocol
> 
> Summary:
> LGTM, Security AD attention not required, modulo questions below.
> 
> I'm not quite sure what:
> "However if the exporter is a client of an SNMP engine on the same
>  device it MUST abide by existing SNMP security rules." is supposed to
> mean. What exactly are "existing SNMP security rules"? Those defined
> in RFCs? Configured on the device?

I agree that this statement is a bit confusing. In the SNMP world, a
client must authenticate against the agent and then the agent uses the
client's authenticated identity to apply access control rules. This text
talks about a client of an "SNMP engine", which is a bit confusing.

Perhaps the sentence was meant to say this:

     However, if the exporter is implemented as an SNMP manager
     accessing an SNMP agent, it MUST authenticate itself to the SNMP
     agent and the SNMP agent MUST enforce SNMP access control rules
     as it would for any other SNMP manager.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>


From nobody Wed Nov 18 08:06:32 2015
Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0875F1B3872 for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 08:06:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level: 
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6xqtzFYZWA2A for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 08:06:30 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 856F41B3856 for <secdir@ietf.org>; Wed, 18 Nov 2015 08:06:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1826; q=dns/txt; s=iport; t=1447862789; x=1449072389; h=subject:to:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding; bh=NiEWYSl+RV/vtSyQ1IwcMKYt+eqnKBzo63ElwLKTdhY=; b=D7++r2XDkvCLxsJxzi7rEeMHHqXWLXvI4hNCJ8CEkOwEtd8DmonBzzbU uKB5gbXBTf7T+s1hBWUZb/LcLTKmrxi13+n0IhupHpmeP6Wf/duXpxF66 1u0s18VlVe+IdH5zi+2Sxx3fHZ0ROdMLe3L/3eHtnXbjogjNEMUs+D7o1 U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.20,313,1444694400"; d="scan'208";a="612864381"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Nov 2015 16:06:26 +0000
Received: from [10.60.67.93] (ams-bclaise-89112.cisco.com [10.60.67.93]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id tAIG6QVm020130; Wed, 18 Nov 2015 16:06:26 GMT
To: Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <564CA202.8030605@cisco.com>
Date: Wed, 18 Nov 2015 17:06:26 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151118101339.GA17028@elstar.local>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/N7Au3S17NrzKz41uHS_Tt-1uBHs>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 16:06:31 -0000

On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
> On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
>> Be ye not afraid...
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
>> MIB Variables using the IPFIX Protocol
>>
>> Summary:
>> LGTM, Security AD attention not required, modulo questions below.
>>
>> I'm not quite sure what:
>> "However if the exporter is a client of an SNMP engine on the same
>>   device it MUST abide by existing SNMP security rules." is supposed to
>> mean. What exactly are "existing SNMP security rules"? Those defined
>> in RFCs? Configured on the device?
> I agree that this statement is a bit confusing. In the SNMP world, a
> client must authenticate against the agent and then the agent uses the
> client's authenticated identity to apply access control rules. This text
> talks about a client of an "SNMP engine", which is a bit confusing.
>
> Perhaps the sentence was meant to say this:
>
>       However, if the exporter is implemented as an SNMP manager
>       accessing an SNMP agent, it MUST authenticate itself to the SNMP
>       agent and the SNMP agent MUST enforce SNMP access control rules
>       as it would for any other SNMP manager.
Yes, that was the meaning.
For example, we can't export via IPFIX a MIB object for which we're not 
granted access, completely bypassing the SNMP access control rules.

Regards, Benoit (as a document author)
>
> /js
>


From nobody Wed Nov 18 08:24:58 2015
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE911A0078 for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 08:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.435
X-Spam-Level: 
X-Spam-Status: No, score=-4.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SRqCt7LPnVti for <secdir@ietfa.amsl.com>; Wed, 18 Nov 2015 08:24:54 -0800 (PST)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38B301A005A for <secdir@ietf.org>; Wed, 18 Nov 2015 08:24:54 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id B26C3100A; Wed, 18 Nov 2015 17:24:52 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id gdK9qNUl2nuo; Wed, 18 Nov 2015 17:24:51 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Wed, 18 Nov 2015 17:24:51 +0100 (CET)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 7AA2A2004E; Wed, 18 Nov 2015 17:24:51 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id c6_c3lv010S1; Wed, 18 Nov 2015 17:24:50 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id B61052003B; Wed, 18 Nov 2015 17:24:49 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 3256338E29EC; Wed, 18 Nov 2015 17:24:46 +0100 (CET)
Date: Wed, 18 Nov 2015 17:24:45 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Benoit Claise <bclaise@cisco.com>
Message-ID: <20151118162443.GA394@elstar.local>
Mail-Followup-To: Benoit Claise <bclaise@cisco.com>, Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <564CA202.8030605@cisco.com>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Yeux55VEHEWOxCX5mV-qWfn7eBE>
Cc: draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 16:24:56 -0000

On Wed, Nov 18, 2015 at 05:06:26PM +0100, Benoit Claise wrote:
> On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
> >On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
> >>Be ye not afraid...
> >>I have reviewed this document as part of the security directorate's
> >>ongoing effort to review all IETF documents being processed by the
> >>IESG.  These comments were written primarily for the benefit of the
> >>security area directors.  Document editors and WG chairs should treat
> >>these comments just like any other last call comments.
> >>
> >>Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
> >>MIB Variables using the IPFIX Protocol
> >>
> >>Summary:
> >>LGTM, Security AD attention not required, modulo questions below.
> >>
> >>I'm not quite sure what:
> >>"However if the exporter is a client of an SNMP engine on the same
> >>  device it MUST abide by existing SNMP security rules." is supposed to
> >>mean. What exactly are "existing SNMP security rules"? Those defined
> >>in RFCs? Configured on the device?
> >I agree that this statement is a bit confusing. In the SNMP world, a
> >client must authenticate against the agent and then the agent uses the
> >client's authenticated identity to apply access control rules. This text
> >talks about a client of an "SNMP engine", which is a bit confusing.
> >
> >Perhaps the sentence was meant to say this:
> >
> >      However, if the exporter is implemented as an SNMP manager
> >      accessing an SNMP agent, it MUST authenticate itself to the SNMP
> >      agent and the SNMP agent MUST enforce SNMP access control rules
> >      as it would for any other SNMP manager.
> Yes, that was the meaning.
> For example, we can't export via IPFIX a MIB object for which we're not 
> granted access, completely bypassing the SNMP access control rules.

Well, this is not exactly what the I-D says in section 10. The I-D
foresees two implementation options:

a) The exporter acts as an SNMP manager retrieving data from an SNMP
   agent. In this case, the usual SNMP procedures concerning
   authentication and authorization apply.

b) The exporter is generating or capturing the field values itself.
   In this case the IPFIX approach applies that the IPFIX exporter
   defines what is exported to whom.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
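
Option (a) from this thread, as an added example that is not part of any message and is not code from the draft: the exporter authenticates to the agent as a named principal, and the agent checks every read against that principal's view before returning data. It assumes a simplified, mask-free form of the RFC 3415 view check and an HMAC-SHA-256 tag standing in for SNMPv3 message authentication; the principal, key, policy entries and MIB values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)"""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewSubtree:
    subtree: tuple   # OID prefix
    included: bool   # True = included in the view, False = excluded


def in_view(view, oid):
    """Mask-free view check: the longest matching subtree decides, and an OID
    that matches no subtree is not in the view (default deny)."""
    best = None
    for entry in view:
        n = len(entry.subtree)
        if oid[:n] == entry.subtree and (best is None or n > len(best.subtree)):
            best = entry
    return best is not None and best.included


class AccessDenied(Exception):
    pass


def request_tag(key, security_name, oid_text):
    """Stand-in for SNMPv3 message authentication (not the USM wire format)."""
    msg = f"{security_name}|{oid_text}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Agent:
    """Owns the MIB data; every read is authenticated, then authorized."""

    def __init__(self, mib, user_keys, user_group, group_read_view, views):
        self.mib = mib
        self.user_keys = user_keys
        self.user_group = user_group
        self.group_read_view = group_read_view
        self.views = views

    def get(self, security_name, oid_text, tag):
        key = self.user_keys.get(security_name)
        # Compute a tag even for unknown users so both failures look alike.
        expected = request_tag(key or b"\x00", security_name, oid_text)
        if key is None or not hmac.compare_digest(expected, tag):
            raise AccessDenied("authentication failure")
        # The authenticated identity selects the group and its read view.
        view_name = self.group_read_view.get(self.user_group.get(security_name))
        oid = parse_oid(oid_text)
        if not in_view(self.views.get(view_name, []), oid):
            raise AccessDenied("not in read view")
        return self.mib.get(oid)


def collect_for_export(agent, security_name, key, wanted):
    """Option (a): the exporter reads through the agent like any other
    manager and exports only what the agent returned."""
    exported, refused = {}, {}
    for oid_text in wanted:
        try:
            tag = request_tag(key, security_name, oid_text)
            exported[oid_text] = agent.get(security_name, oid_text, tag)
        except AccessDenied as exc:
            refused[oid_text] = str(exc)
    return exported, refused


# --- constructed sample data (hypothetical principal, key and values) ---
EXPORTER_KEY = b"constructed-demo-key"
SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0
IF_IN_OCTETS_1 = "1.3.6.1.2.1.2.2.1.10.1"  # ifInOctets.1
IP_FORWARDING = "1.3.6.1.2.1.4.1.0"       # ipForwarding.0
USM_OBJECT = "1.3.6.1.6.3.15.1.1.1.0"     # an object under snmpUsmMIB
WANTED = [SYS_DESCR, IF_IN_OCTETS_1, IP_FORWARDING, USM_OBJECT]


def build_demo_agent():
    mib = {
        parse_oid(SYS_DESCR): "constructed router-a",
        parse_oid(IF_IN_OCTETS_1): 123456,
        parse_oid(IP_FORWARDING): 1,
        parse_oid(USM_OBJECT): 0,
    }
    views = {"exporter-view": [
        ViewSubtree(parse_oid("1.3.6.1.2.1"), True),     # mib-2 readable
        ViewSubtree(parse_oid("1.3.6.1.2.1.4"), False),  # except the ip group
    ]}
    return Agent(mib, {"ipfix-exporter": EXPORTER_KEY},
                 {"ipfix-exporter": "monitoring"},
                 {"monitoring": "exporter-view"}, views)


if __name__ == "__main__":
    exported, refused = collect_for_export(
        build_demo_agent(), "ipfix-exporter", EXPORTER_KEY, WANTED)
    print("exported:", exported)
    print("refused: ", refused)
```
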


From nobody Wed Nov 18 11:28:15 2015
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 100FB1A8AE0; Wed, 18 Nov 2015 11:28:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level: 
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BF50V8qelXyG; Wed, 18 Nov 2015 11:28:08 -0800 (PST)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DF181A888A; Wed, 18 Nov 2015 11:28:07 -0800 (PST)
X-AuditID: 1209190e-f79046d0000036c0-f0-564cd144466f
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 4F.97.14016.441DC465; Wed, 18 Nov 2015 14:28:04 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id tAIJS36I022407; Wed, 18 Nov 2015 14:28:04 -0500
Received: from localhost (sarnath.mit.edu [18.18.1.190]) (authenticated bits=0) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id tAIJS2E4031613; Wed, 18 Nov 2015 14:28:02 -0500
From: Tom Yu <tlyu@mit.edu>
To: "Les Ginsberg \(ginsberg\)" <ginsberg@cisco.com>
References: <ldv4mgk2ehg.fsf@sarnath.mit.edu> <f13edbe3b383420b9f029361f4b81a3b@XCH-ALN-001.cisco.com>
Date: Wed, 18 Nov 2015 14:28:01 -0500
In-Reply-To: <f13edbe3b383420b9f029361f4b81a3b@XCH-ALN-001.cisco.com> (Les Ginsberg's message of "Wed, 18 Nov 2015 04:31:53 +0000")
Message-ID: <ldvy4dv151a.fsf@sarnath.mit.edu>
Lines: 58
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/LjzGVPYxMPRzcGG29ibXOHZlEv0>
Cc: "draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org" <draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-isis-sbfd-discriminator-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2015 19:28:10 -0000

Given that S-BFD is still in AD Evaluation, it seems that there is still
an opportunity to update the S-BFD Security Considerations, so that the
IS-IS draft will no longer point to apparently absent text in the S-BFD
Security Considerations.

"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> writes:

> Tom -
>
> Thanx for the review.
>
> If you are not happy with the Security section of the base S-BFD draft it seems to me it makes the most sense to address any issues in that document. Trying to make up for any shortcomings in the S-BFD draft by adding to the IGP drafts (there is a similar OSPF S-BFD draft) when the IGPs are merely acting as a transport for opaque information (as you say) does not seem appropriate to me.
>
> Can we close on this issue?
>
>    Les
>
>
>> -----Original Message-----
>> From: Tom Yu [mailto:tlyu@mit.edu]
>> Sent: Tuesday, November 17, 2015 7:06 PM
>> To: iesg@ietf.org; secdir@ietf.org;
>> draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org
>> Subject: secdir review of draft-ietf-isis-sbfd-discriminator-02
>> 
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area
>> directors.  Document editors and WG chairs should treat these comments
>> just like any other last call comments.
>> 
>> Summary: ready with nits
>> 
>> I agree with the first paragraph of the Security Considerations, in that I think
>> it's unlikely that this document introduces security risks for IS-IS, which as I
>> understand it, effectively transports the proposed S-BFD discriminators as an
>> uninterpreted opaque payload.
>> 
>> The second paragraph
>> 
>>    Advertisement of the S-BFD discriminators does make it possible for
>>    attackers to initiate S-BFD sessions using the advertised
>>    information.  The vulnerabilities this poses and how to mitigate them
>>    are discussed in the Security Considerations section of [S-BFD].
>> 
>> refers to the Security Considerations of the [S-BFD] base document.  The
>> [S-BFD] Security Considerations describe some strengthening practices, but
>> don't seem to describe the vulnerabilities in significant detail.
>> [S-BFD] Security Considerations seems to describe an attack where someone
>> impersonates the responder, but not one where someone impersonates an
>> initiator.
>> 
>> Other sections of [S-BFD] might imply the existence of this sort of
>> vulnerability, but the Security considerations seems not to mention it
>> explicitly.  I'm not sure whether it's best to leave things alone, revise this
>> document, or revise [S-BFD].
>> 
>> -Tom


From nobody Thu Nov 19 00:42:25 2015
Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D6E1ACD47 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 00:40:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level: 
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQ6w6kaeSsrL for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 00:40:58 -0800 (PST)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 636041ACD48 for <secdir@ietf.org>; Thu, 19 Nov 2015 00:40:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2476; q=dns/txt; s=iport; t=1447922457; x=1449132057; h=subject:to:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding; bh=/0ATWlHfpL3iB/JK3EyGx+9nQXcaqYpjXJn7PTum7SY=; b=gtjz/YNVZhiUEG6IinYIMMHb47gGwRJDt4qd5s9pmYHwVn98GO5WUgo/ iC7K6G3hb0pfM81ATDe++2YkywCs92ZWUO3uB0C0gkSUETR6D+lUyXAba sfJ2anvPmrD2Nj+d9A81d8BiuzecQph5ML7u42RT36CbjZ4+tpMDnmk3R c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.20,317,1444694400"; d="scan'208";a="606399684"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Nov 2015 08:40:55 +0000
Received: from [10.60.67.93] (ams-bclaise-89112.cisco.com [10.60.67.93]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id tAJ8et1o029351; Thu, 19 Nov 2015 08:40:55 GMT
To: Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <20151118162443.GA394@elstar.local>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <564D8B17.1000404@cisco.com>
Date: Thu, 19 Nov 2015 09:40:55 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151118162443.GA394@elstar.local>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/iQAGBd77ZeVIj_dP90clAB9QmGY>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 08:41:00 -0000

Hi Juergen,

> On Wed, Nov 18, 2015 at 05:06:26PM +0100, Benoit Claise wrote:
>> On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
>>> On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
>>>> Be ye not afraid...
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG.  These comments were written primarily for the benefit of the
>>>> security area directors.  Document editors and WG chairs should treat
>>>> these comments just like any other last call comments.
>>>>
>>>> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
>>>> MIB Variables using the IPFIX Protocol
>>>>
>>>> Summary:
>>>> LGTM, Security AD attention not required, modulo questions below.
>>>>
>>>> I'm not quite sure what:
>>>> "However if the exporter is a client of an SNMP engine on the same
>>>>   device it MUST abide by existing SNMP security rules." is supposed to
>>>> mean. What exactly are "existing SNMP security rules"? Those defined
>>>> in RFCs? Configured on the device?
>>> I agree that this statement is a bit confusing. In the SNMP world, a
>>> client must authenticate against the agent and then the agent uses the
>>> client's authenticated identity to apply access control rules. This text
>>> talks about a client of an "SNMP engine", which is a bit confusing.
>>>
>>> Perhaps the sentence was meant to say this:
>>>
>>>       However, if the exporter is implemented as an SNMP manager
>>>       accessing an SNMP agent, it MUST authenticate itself to the SNMP
>>>       agent and the SNMP agent MUST enforce SNMP access control rules
>>>       as it would for any other SNMP manager.
>> Yes, that was the meaning.
>> For example, we can't export via IPFIX a MIB object for which we're not
>> granted access, completely bypassing the SNMP access control rules.
> Well, this is not exactly what the I-D says in section 10. The I-D
> foresees two implementation options:
>
> a) The exporter acts as an SNMP manager retrieving data from an SNMP
>     agent. In this case, the usual SNMP procedures concerning
>     authentication and authorization apply.
>
> b) The exporter is generating or capturing the field values itself.
>     In this case the IPFIX approach applies that the IPFIX exporter
>     defines what is exported to whom.
My remark was in the context of a)

Regards, Benoit


>
> /js
>


From nobody Thu Nov 19 01:44:42 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85C511B30CB for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 01:42:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q848jiZKPU1a for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 01:42:41 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55F541B30C7 for <secdir@ietf.org>; Thu, 19 Nov 2015 01:42:41 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id tAJ9gbSZ012274 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <secdir@ietf.org>; Thu, 19 Nov 2015 11:42:37 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id tAJ9gasa027865; Thu, 19 Nov 2015 11:42:36 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22093.39308.388001.264276@fireball.acr.fi>
Date: Thu, 19 Nov 2015 11:42:36 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: secdir@ietf.org
X-Edit-Time: 1 min
X-Total-Time: 0 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KAAJDgjC7Ve2uEUxeHjg3nzDV1U>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 09:42:43 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Sam Hartman is next in the rotation.

For telechat 2015-11-19

Reviewer                 LC end     Draft
Eric Osterweil         T 2015-10-20 draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Carl Wallace           T 2015-11-09 draft-ietf-ccamp-flexible-grid-rsvp-te-ext-03


For telechat 2015-12-03

Derek Atkins           T 2015-11-15 draft-ietf-softwire-dslite-mib-11
John Bradley           T 2015-11-15 draft-ietf-softwire-mesh-mib-11
Donald Eastlake        T 2015-11-24 draft-ietf-bess-virtual-subnet-05
Phillip Hallam-Baker   T 2015-11-26 draft-ietf-clue-framework-24
Paul Wouters           T 2015-11-17 draft-ietf-straw-b2bua-dtls-srtp-08


For telechat 2015-12-17

Olafur Gudmundsson     T 2015-12-04 draft-ietf-bess-mvpn-extranet-04

Last calls and special requests:

Shaun Cooley             2015-11-24 draft-ietf-avtcore-rtp-multi-stream-09
Dave Cridland            2015-11-23 draft-ietf-dnsop-rfc6598-rfc6303-05
Alan DeKok               2015-11-24 draft-ietf-avtcore-rtp-multi-stream-optimisation-08
Donald Eastlake          2015-09-11 draft-ietf-dane-openpgpkey-05
Shawn Emery              2015-11-23 draft-ietf-dnsop-qname-minimisation-07
Daniel Kahn Gillmor    E None       draft-ietf-rtcweb-security-08
Daniel Kahn Gillmor      2015-11-24 draft-ietf-l2vpn-vpls-pe-etree-10
Steve Hanna              2015-11-30 draft-ietf-dnsop-edns-tcp-keepalive-04
Dan Harkins            E None       draft-ietf-sfc-control-plane-00
Chris Inacio             2015-10-02 draft-ietf-lwig-ikev2-minimal-04
Brian Weis             E None       draft-ietf-cdni-uri-signing-05
-- 
kivinen@iki.fi


From nobody Thu Nov 19 03:16:13 2015
Return-Path: <talmi@marvell.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D7931A004E; Thu, 19 Nov 2015 03:16:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.263
X-Spam-Level: 
X-Spam-Status: No, score=-1.263 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, KHOP_DYNAMIC=1.004, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id er-yk1ebyYF7; Thu, 19 Nov 2015 03:16:11 -0800 (PST)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F4ED1A0015; Thu, 19 Nov 2015 03:16:11 -0800 (PST)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tAJBFC6o018176; Thu, 19 Nov 2015 03:16:10 -0800
Received: from il-exch01.marvell.com ([199.203.130.101]) by mx0a-0016f401.pphosted.com with ESMTP id 1y9bbj8a1y-1 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 19 Nov 2015 03:16:10 -0800
Received: from IL-EXCH01.marvell.com (10.4.102.220) by IL-EXCH01.marvell.com (10.4.102.220) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 19 Nov 2015 13:16:07 +0200
Received: from IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a]) by IL-EXCH01.marvell.com ([fe80::41:1c9f:8611:3a4a%20]) with mapi id 15.00.1044.021; Thu, 19 Nov 2015 13:16:06 +0200
From: Tal Mizrahi <talmi@marvell.com>
To: "Salz, Rich" <rsalz@akamai.com>, "draft-ietf-ippm-checksum-trailer.all@ietf.org" <draft-ietf-ippm-checksum-trailer.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-ippm-checksum-trailer
Thread-Index: AdEM2iPxQdxYCi6cQbaim/cdxrnsTAStIfvgAMsx31A=
Date: Thu, 19 Nov 2015 11:16:05 +0000
Message-ID: <7593cabdf3a6477ca5dbe14f160bfe13@IL-EXCH01.marvell.com>
References: <a14ff97da2274a8ea127570a6ce43365@ustx2ex-dag1mb3.msg.corp.akamai.com> 
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [199.203.130.14]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-11-19_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1511190200
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/99Hbg5-pW9jFarL4lV_Re3KCGeo>
Subject: Re: [secdir] secdir review of draft-ietf-ippm-checksum-trailer
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 11:16:12 -0000

Hi Rich,

The issue you raised was addressed in the current version of the draft (Figure 1),
which was posted this week.
https://tools.ietf.org/html/draft-ietf-ippm-checksum-trailer-05


Please let me know if there are further comments.

Thanks,
Tal.

>-----Original Message-----
>From: Tal Mizrahi
>Sent: Sunday, November 15, 2015 12:18 PM
>To: 'Salz, Rich'; draft-ietf-ippm-checksum-trailer.all@ietf.org; iesg@ietf.org;
>secdir@ietf.org
>Subject: RE: secdir review of draft-ietf-ippm-checksum-trailer
>
>Hi Rich,
>
>Thanks for the comments.
>
>> I think Figure 1 could be improved by showing how and/or where the
>> checksum trailer is applied inside the "enabled Node" box.  Is it a separate
>> node, or is it all a single flow within a node before the packet is put onto the
>> IP Network "cloud"?
>
>It is meant to be the latter, i.e., a single flow within a node. I will clarify this in
>the next version of the draft.
>
>Thanks,
>Tal.
>
>
>>-----Original Message-----
>>From: Salz, Rich [mailto:rsalz@akamai.com]
>>Sent: Thursday, October 22, 2015 6:07 PM
>>To: draft-ietf-ippm-checksum-trailer.all@ietf.org; iesg@ietf.org;
>>secdir@ietf.org
>>Subject: secdir review of draft-ietf-ippm-checksum-trailer
>>
>>[ My first review; please let me know if anything's wrong]
>>
>>I have reviewed this document as part of the security directorate's
>>ongoing effort to review all IETF documents being processed by the
>>IESG.  These comments were written primarily for the benefit of the
>>security area directors.  Document editors and WG chairs should treat
>>these comments just like any other last call comments.
>>
>>In my view this document is Ready with nits; suggested clarification of
>>Figure 1, below.
>>
>>This document describes a mechanism for an intermediary to use space in a padding
>>area to counteract the effect of a prior intermediary adding a
>>high-accuracy timestamp into a UDP packet. The technique is used
>>elsewhere (draft-ietf-ntp-checksum-trailer and IEEE1588) and dates
>>back to RFC 1624 from 1994. The mechanism is better than the current
>>approach, which zeroes out the checksum and makes any checksum
>>impossible.
>>
>>The document and its security considerations seem thorough,
>>discussing the impact on encrypted packets, the general idea of an MITM
>>modifying packets, and so on.
>>
>>I think Figure 1 could be improved by showing how and/or where the
>>checksum trailer is applied inside the "enabled Node" box.  Is it a
>>separate node, or is it all a single flow within a node before the
>>packet is put onto the IP Network "cloud"?  Also, the art of the cloud
>>is commendable :)
>>
>>--
>>Senior Architect, Akamai Technologies
>>IM: richsalz@jabber.at Twitter: RichSalz
>>
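
The checksum-trailer idea discussed in the review above (RFC 1624 one's-complement arithmetic applied to a trailer in the padding instead of to the UDP checksum field), as an added Python example that is not part of the thread or the draft. The addresses, ports, payload layout (4-byte sequence number, 8-byte timestamp, padding, 2-byte trailer) and all function names are assumptions made for illustration.

```python
import struct

# Constructed sample values: documentation-range addresses and an assumed
# payload layout (4-byte sequence number, 8-byte timestamp, zero padding,
# 2-byte checksum trailer). This is not the draft's exact packet format.
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
TS_OFFSET, TS_LEN = 8 + 4, 8   # UDP header + sequence number precede the timestamp


def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(data: bytes) -> int:
    """One's-complement sum of big-endian 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total = ones_add(total, word)
    return total


def pseudo_header(segment: bytes) -> bytes:
    """IPv4 pseudo-header that the UDP checksum covers (protocol 17)."""
    return SRC + DST + struct.pack("!BBH", 0, 17, len(segment))


def checksum_ok(segment: bytes) -> bool:
    """Receiver-side check: the sum over everything, checksum included, is 0xFFFF."""
    return ones_sum(pseudo_header(segment) + segment) == 0xFFFF


def build_test_packet(seq: int, padding_len: int = 26) -> bytes:
    """Sender: zero timestamp, zero trailer, normal UDP checksum over the whole segment."""
    payload = struct.pack("!I", seq) + bytes(TS_LEN) + bytes(padding_len) + b"\x00\x00"
    header = struct.pack("!HHHH", 50000, 50001, 8 + len(payload), 0)
    csum = ~ones_sum(pseudo_header(header + payload) + header + payload) & 0xFFFF
    header = struct.pack("!HHHH", 50000, 50001, 8 + len(payload), csum or 0xFFFF)
    return header + payload


def stamp_naive(segment: bytes, ts: bytes) -> bytes:
    """Overwrite the timestamp and touch nothing else: the checksum goes stale."""
    return segment[:TS_OFFSET] + ts + segment[TS_OFFSET + TS_LEN:]


def stamp_with_trailer(segment: bytes, ts: bytes) -> bytes:
    """Overwrite the timestamp and compensate in the last two payload bytes.

    trailer' = trailer + old_ts_sum + ~new_ts_sum (one's-complement), so the
    total sum, and therefore the UDP checksum field, is left unchanged.
    """
    if len(ts) != TS_LEN:
        raise ValueError("timestamp must be %d bytes" % TS_LEN)
    if len(segment) % 2 or len(segment) < TS_OFFSET + TS_LEN + 2:
        raise ValueError("segment must be word-aligned with room for a trailer")
    old_ts = segment[TS_OFFSET:TS_OFFSET + TS_LEN]
    (trailer,) = struct.unpack("!H", segment[-2:])
    delta = ones_add(ones_sum(old_ts), ~ones_sum(ts) & 0xFFFF)
    new_trailer = struct.pack("!H", ones_add(trailer, delta))
    return segment[:TS_OFFSET] + ts + segment[TS_OFFSET + TS_LEN:-2] + new_trailer


def demo() -> dict:
    pkt = build_test_packet(seq=1)
    ts1 = bytes.fromhex("d9f7a3c100004000")   # constructed timestamp values
    ts2 = bytes.fromhex("d9f7a3c2ffff0001")
    naive = stamp_naive(pkt, ts1)
    fixed = stamp_with_trailer(pkt, ts1)
    restamped = stamp_with_trailer(fixed, ts2)  # a second in-flight update
    return {
        "original_ok": checksum_ok(pkt),
        "naive_ok": checksum_ok(naive),
        "trailer_ok": checksum_ok(fixed),
        "restamped_ok": checksum_ok(restamped),
        "checksum_field_unchanged": pkt[6:8] == fixed[6:8] == restamped[6:8],
        "trailer_after_first_stamp": fixed[-2:].hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The trailer is ordinary payload data, so anything that can rewrite the timestamp can also rewrite the trailer; the checksum catches accidental corruption only and gives no integrity protection against a modifying on-path party.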


From nobody Thu Nov 19 05:23:41 2015
Return-Path: <Tina.Tsou.Zouting@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03FD31AD244; Thu, 19 Nov 2015 05:22:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.186
X-Spam-Level: 
X-Spam-Status: No, score=-4.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCCteKg6998M; Thu, 19 Nov 2015 05:22:17 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA8A11AD21C; Thu, 19 Nov 2015 05:22:16 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CEI43890; Thu, 19 Nov 2015 13:22:12 +0000 (GMT)
Received: from SZXEML427-HUB.china.huawei.com (10.82.67.182) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 19 Nov 2015 13:22:10 +0000
Received: from szxeml557-mbs.china.huawei.com ([169.254.6.252]) by szxeml427-hub.china.huawei.com ([10.82.67.182]) with mapi id 14.03.0235.001; Thu, 19 Nov 2015 21:21:29 +0800
From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
To: Juergen Quittek <Quittek@neclab.eu>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
Thread-Topic: Secdir Review of draft-ietf-pcp-third-party-id-option-04
Thread-Index: AdEcN2Zzfw6PDcwVTluSTfgPI5/0vwE65edQAGp8EgA=
Date: Thu, 19 Nov 2015 13:21:28 +0000
Message-ID: <C0E0A32284495243BDE0AC8A066631A818F74FCF@szxeml557-mbs.china.huawei.com>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com> <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd>
In-Reply-To: <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.46.115.253]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.564DCD05.0094, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.6.252, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: d462b528a57a4e4f0484aca4fc575467
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/czArkX5q-vXjs_Pxd4tZYajgvYY>
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 13:22:23 -0000

Dear Juergen,

Yes, that seems to address it.


Thank you,
Tina

-----Original Message-----
From: Juergen Quittek [mailto:Quittek@neclab.eu]
Sent: Tuesday, November 17, 2015 6:58 PM
To: Tina TSOU; The IESG; secdir@ietf.org; draft-ietf-pcp-third-party-id-option.all@ietf.org
Subject: RE: Secdir Review of draft-ietf-pcp-third-party-id-option-04

Dear Tina,
Thank you very much for your thorough review.
Please find replies inline.

> -----Original Message-----
> From: Tina TSOU [mailto:Tina.Tsou.Zouting@huawei.com]
> Sent: Wednesday, 11 November 2015 05:14
> To: The IESG; secdir@ietf.org;
> draft-ietf-pcp-third-party-id-option.all@ietf.org
> Subject: Secdir Review of draft-ietf-pcp-third-party-id-option-04
>
> Dear all,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
>
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> ** Technical **
>
> * Section 7, page 11:
>
> I think you should make comments regarding the (privacy) implications
> of employing identifiers such as MAC addresses when essentially any
> other value -- e.g. a long-enough random number would do.
>
> Besides, you should comment on how the ID can be somehow validated,
> and what could happen if a client were able to predict the ID employed
> by other clients.

Here is a proposal for improving this section:
OLD
   As this option is related to the use of the THIRD_PARTY option the
   corresponding security considerations in Section 18.1.1 of RFC 6887
   [RFC6887] apply.  Especially, the network on which the PCP messages
   are sent must be fully trusted.  The THIRD_PARTY_ID option might
   carry privacy information like location or profile information.
   Means to protect unauthorized access to this information should be
   put in place.
NEW
   As this option is related to the use of the THIRD_PARTY option the
   corresponding security considerations in Section 18.1.1 of RFC 6887
   [RFC6887] apply.  Especially, the network on which the PCP messages
   are sent must be fully trusted.  The THIRD_PARTY_ID option might
   carry privacy sensitive information like location or profile information.
   Where possible, randomly assigned numbers should be preferred to
   privacy sensitive information to be carried as values by the
   THIRD_PARTY_ID option. Random numbers should be assigned such
   that an attacker cannot guess which number is assigned to which
   third party. Anyway, means to protect unauthorized access to
   values carried by the THIRD_PARTY_ID option should be put in place.
END
Would this address your concerns?

>
> ** Editorial **
>
> * Section 1, page 2:
> >    The IETF has specified the Port Control Protocol (PCP) [RFC6887] to
> >    control how packets are translated and forwarded by a PCP-controlled
> >    device such as a network address translator (NAT) or firewall.
>
> Please replace "and" with "and/or", since a firewall will not translate packets.

In the past, the RFC Editor used to remove occurrences of "and/or" in RFCs.
What about the following alternative, which is semantically equivalent to and/or:
"such as a network address translator (NAT), a firewall, or a combination of both"?

>
> * Section 1, page 2:
> >    This document focuses on the scenarios where the PCP client sends
> >    requests that concern internal addresses other than the address of
> >    the PCP client itself.
>
> s/the scenarios/scenarios/

Agreed.

>
> (since at least at this point in the text you have not yet mentioned
> what those scenarios are about)
>
> * Section 1, page 2:
> >    There is already an option defined for this purpose in the RFC 6887
> >    [RFC6887] called the THIRD_PARTY option.
>
> Please rephrase as:
>
> "There is already an option defined for this purpose in [RFC6887],
> called the THIRD_PARTY option."

Agreed.

>
> * Section 1, page 3:
> > CGN deployments
>
> Please expand the acronym on first usage.

Agreed.

>
> * Section 1, page 3:
> >    This applies to some of the PCP deployment scenarios that are listed
> >    in Section 2.1 of RFC 6887 [RFC6887],
>
> Just remove "RFC 6887" (the rfc number is already included by the ref).

Agreed.

>
> * Section 1, page 3:
> >    in particular to a Layer-2
> >    aware NAT which is described in more detail in Section 3, or GI-DS-
> >    Lite [RFC6674] and ds-extra-lite [RFC6619].
>
> You refer to RFC6619 as "ds-extra-lite", but such RFC does not even
> include that term. Thoughts?

Here is a proposal that addresses your issue:
OLD
   This applies to some of the PCP deployment scenarios that are listed
   in Section 2.1 of RFC 6887 [RFC6887], in particular to a Layer-2
   aware NAT which is described in more detail in Section 3, or GI-DS-
   Lite [RFC6674] and ds-extra-lite [RFC6619].
NEW
   This applies to some of the PCP deployment scenarios that are listed
   in Section 2.1 of [RFC6887], in particular to a Layer-2 aware NAT
   which is described in more detail in Section 3, as well as in other
   scenarios where overlapping address spaces occur like in [RFC6674] or
   [RFC6619].
END
Would this solve your issue?

>
> * Section 3, page 4:
> >   The scenarios serve as examples.  This document does not restrict the
> >    applicability of the THIRD_PARTY_ID to certain scenarios.
>
> Please replace "THIRD_PARTY_ID" with "THIRD_PARTY_ID option" (here,
> and in other places)

Agreed.

>
> * Section 3, page 4:
> > The THIRD_PARTY_ID
> >    can also be used for the firewall control
>
> Please remove the "the".

Agreed.

>
> * Section 3.2, page 7:
> > tunnel ID of tunnel(BRAS, CGN)
>
> (two instances of this). Please rephrase as "ID of the tunnel (BRAS, CGN)".

Agreed.

>
> * Section 4, page 9:
> Why use "TBD" and "TBD-1" if there's a single value to be assigned?

There was no space for "-1" in the figure. All other TBDs are numbered as "TBD-X". We will make sure that the RFC Editor gets the right message.

>
> * Section 4, page 9:
> > are to be set As
>
> s/As/as/

Agreed.

Thanks and best regards,
    Juergen


>
> Thank you,
>
> Tina
>
>


From nobody Thu Nov 19 05:23:58 2015
Return-Path: <Tina.Tsou.Zouting@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 645F31AD2F2; Thu, 19 Nov 2015 05:23:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.186
X-Spam-Level: 
X-Spam-Status: No, score=-4.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GzyAP1gUiCcz; Thu, 19 Nov 2015 05:23:40 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9EB01AD291; Thu, 19 Nov 2015 05:23:16 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CAO10120; Thu, 19 Nov 2015 13:23:14 +0000 (GMT)
Received: from SZXEML425-HUB.china.huawei.com (10.82.67.180) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 19 Nov 2015 13:23:14 +0000
Received: from szxeml557-mbs.china.huawei.com ([169.254.6.252]) by szxeml425-hub.china.huawei.com ([10.82.67.180]) with mapi id 14.03.0235.001; Thu, 19 Nov 2015 21:22:46 +0800
From: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
To: Juergen Quittek <Quittek@neclab.eu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-third-party-id-option.all@ietf.org" <draft-ietf-pcp-third-party-id-option.all@ietf.org>
Thread-Topic: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
Thread-Index: AdEcN2Zzfw6PDcwVTluSTfgPI5/0vwE65edQ//+DQoCAAAaQAP/8NX6g
Date: Thu, 19 Nov 2015 13:22:45 +0000
Message-ID: <C0E0A32284495243BDE0AC8A066631A818F75009@szxeml557-mbs.china.huawei.com>
References: <C0E0A32284495243BDE0AC8A066631A818F2C586@szxeml557-mbs.china.huawei.com> <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2C31@PALLENE.office.hd> <564B09A7.50904@cs.tcd.ie> <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2D5A@PALLENE.office.hd>
In-Reply-To: <9AB93E4127C26F4BA7829DEFDCE5A6E8A99F2D5A@PALLENE.office.hd>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.46.115.253]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.564DCD43.004F, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.6.252, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: c4145580a86c80e98f28b7467e620b0d
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/vA9BQkr3HzRpv8tzz2dBp7_w0OY>
Subject: Re: [secdir] Secdir Review of draft-ietf-pcp-third-party-id-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 13:23:42 -0000


From nobody Thu Nov 19 06:54:24 2015
Return-Path: <paitken@Brocade.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22FE91B2AB7 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 06:46:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.896
X-Spam-Level: 
X-Spam-Status: No, score=-0.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_DYNAMIC=1.004, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yFLJo2KjBhzL for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 06:46:31 -0800 (PST)
Received: from mx0b-000f0801.pphosted.com (mx0b-000f0801.pphosted.com [IPv6:2620:100:9005:71::1]) (using TLSv1.2 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890FB1B2AB6 for <secdir@ietf.org>; Thu, 19 Nov 2015 06:46:31 -0800 (PST)
Received: from pps.filterd (m0000700.ppops.net [127.0.0.1]) by mx0b-000f0801.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tAJEUxOU014098; Thu, 19 Nov 2015 06:46:30 -0800
Received: from brmwp-exmb11.corp.brocade.com ([208.47.132.227]) by mx0b-000f0801.pphosted.com with ESMTP id 1y90gvtkxx-3 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 19 Nov 2015 06:46:29 -0800
Received: from EMEAWP-EXMB11.corp.brocade.com (172.29.11.85) by BRMWP-EXMB11.corp.brocade.com (172.16.59.77) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 19 Nov 2015 07:46:24 -0700
Received: from [172.27.212.109] (172.27.212.109) by EMEAWP-EXMB11.corp.brocade.com (172.29.11.85) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 19 Nov 2015 15:46:22 +0100
Message-ID: <564DE0BE.5080200@brocade.com>
Date: Thu, 19 Nov 2015 14:46:22 +0000
From: Paul Aitken <paitken@brocade.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: Benoit Claise <bclaise@cisco.com>, Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, <draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org>
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com>
In-Reply-To: <564CA202.8030605@cisco.com>
Content-Type: multipart/alternative; boundary="------------080607060607090202040905"
X-Originating-IP: [172.27.212.109]
X-ClientProxiedBy: EMEAWP-EXCAS11.corp.brocade.com (172.29.18.102) To EMEAWP-EXMB11.corp.brocade.com (172.29.11.85)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.15.21, 1.0.33,  0.0.0000 definitions=2015-11-19_09:2015-11-19,2015-11-19,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1508030000 definitions=main-1511190249
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/RcZHRZdikY5bX1r1M4G4-NWxeec>
X-Mailman-Approved-At: Thu, 19 Nov 2015 06:54:19 -0800
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 14:46:33 -0000

--------------080607060607090202040905
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 7bit

I've updated section 10 to capture both of these comments.

Note that I haven't yet addressed Stephen Farrell's comment on privacy, 
which will also be in this section.


   10.  Security Considerations

      For this extension to the IPFIX protocol, the same security
      considerations as for the IPFIX protocol apply [RFC7011].

      If the exporter is generating or capturing the field values itself,
      e.g. using the MIB objects only as an encoding or type mechanism,
      there are no extra security considerations beyond standard IPFIX.

      However, if the exporter is implemented as an SNMP manager accessing
      an SNMP agent, it MUST authenticate itself to the SNMP agent and the
      SNMP agent MUST enforce SNMP access control rules as it would for any
      other SNMP manager.  An Exporter MUST NOT bypass SNMP access control
      rules to export a MIB object for which it is not granted access.

      The access to particular MIB objects is controlled by the
      configuration of the IPFIX exporter.  This is consistent with the way
      IPFIX controls access to other Information Elements in general.

      The configuration of an IPFIX Exporter determines which MIB objects
      are included in IPFIX Data Records sent to certain collectors.
      Network operators should take care that the only MIB objects which
      are included in IPFIX Data Records are ones which the receiving flow
      collector is allowed to receive.

P.

On 18/11/15 16:06, Benoit Claise wrote:
> On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
>> On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
>>> Be ye not afraid...
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG.  These comments were written primarily for the benefit of the
>>> security area directors.  Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>>
>>> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
>>> MIB Variables using the IPFIX Protocol
>>>
>>> Summary:
>>> LGTM, Security AD attention not required, modulo questions below.
>>>
>>> I'm not quite sure what:
>>> "However if the exporter is a client of an SNMP engine on the same
>>>   device it MUST abide by existing SNMP security rules." is supposed to
>>> mean. What exactly are "existing SNMP security rules"? Those defined
>>> in RFCs? Configured on the device?
>> I agree that this statement is a bit confusing. In the SNMP world, a
>> client must authenticate against the agent and then the agent uses the
>> client's authenticated identity to apply access control rules. This text
>> talks about a client of an "SNMP engine", which is a bit confusing.
>>
>> Perhaps the sentence was meant to say this:
>>
>>       However, if the exporter is implemented as an SNMP manager
>>       accessing an SNMP agent, it MUST authenticate itself to the SNMP
>>       agent and the SNMP agent MUST enforce SNMP access control rules
>>       as it would for any other SNMP manager.
> Yes, that was the meaning.
> For example, we can't export via IPFIX a MIB object for which we're 
> not granted access, completely bypassing the SNMP access control rules
>
> Regards, Benoit (as a document author)
>>
>> /js
>>
>


--------------080607060607090202040905--


From nobody Thu Nov 19 07:34:35 2015
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7041B2B70 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 07:34:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.435
X-Spam-Level: 
X-Spam-Status: No, score=-4.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id arLiFdP8oeBL for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 07:34:25 -0800 (PST)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CABAE1B2B6E for <secdir@ietf.org>; Thu, 19 Nov 2015 07:34:24 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id 9622D1033; Thu, 19 Nov 2015 16:34:23 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id 6Du-27ZcXiGB; Thu, 19 Nov 2015 16:34:21 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Thu, 19 Nov 2015 16:34:21 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id AB7BA20055; Thu, 19 Nov 2015 16:34:21 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 9PYaTAC0_7tq; Thu, 19 Nov 2015 16:34:19 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 64D702003B; Thu, 19 Nov 2015 16:34:19 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 1F98A38E35FE; Thu, 19 Nov 2015 16:34:17 +0100 (CET)
Date: Thu, 19 Nov 2015 16:34:17 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Paul Aitken <paitken@brocade.com>
Message-ID: <20151119153417.GB3518@elstar.local>
Mail-Followup-To: Paul Aitken <paitken@brocade.com>, Benoit Claise <bclaise@cisco.com>, Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <564DE0BE.5080200@brocade.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <564DE0BE.5080200@brocade.com>
User-Agent: Mutt/1.4.2.3i
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/mH6-sLQoUZlg0syV_iF0r1OiOUA>
Cc: Benoit Claise <bclaise@cisco.com>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 15:34:29 -0000

See my latest suggestion which adds a bunch of references to the third
paragraph - which was the original request of the security directorate
reviewer.

    However, if the exporter is implemented as an SNMP manager
    accessing an SNMP agent, it MUST authenticate itself to the SNMP
    agent [RFC3414], [RFC5591], [RFC5592], [RFC6353] and the SNMP agent
    MUST enforce SNMP access control rules [RFC3415] as required by
    the SNMP architecture [RFC3411].

The additional sentence is somewhat unclear:

    [...] An Exporter MUST NOT bypass SNMP access control rules to
    export a MIB object for which it is not granted access.

Does this apply to any exporter or only to an exporter implemented as
an SNMP manager accessing an SNMP agent? In the latter case, I would
say this sentence is not needed since the sentence before already says
that the SNMP agent MUST enforce SNMP access control rules (and this
is the entity that has knowledge about the access control rules). In
the former case, more information would be needed since in order to
apply SNMP access control rules, you need to have an authenticated
identity to work with.

/js

On Thu, Nov 19, 2015 at 02:46:22PM +0000, Paul Aitken wrote:
> I've updated section 10 to capture both of these comments.
> 
> Note that I haven't yet addressed Stephen Farrell's comment on privacy,
> which will also be in this section.
> 
> 
>   10.  Security Considerations
> 
>      For this extension to the IPFIX protocol, the same security
>      considerations as for the IPFIX protocol apply [RFC7011].
> 
>      If the exporter is generating or capturing the field values itself,
>      e.g. using the MIB objects only as an encoding or type mechanism,
>      there are no extra security considerations beyond standard IPFIX.
> 
>      However, if the exporter is implemented as an SNMP manager accessing
>      an SNMP agent, it MUST authenticate itself to the SNMP agent and the
>      SNMP agent MUST enforce SNMP access control rules as it would for any
>      other SNMP manager.  An Exporter MUST NOT bypass SNMP access control
>      rules to export a MIB object for which it is not granted access.
> 
>      The access to particular MIB objects is controlled by the
>      configuration of the IPFIX exporter.  This is consistent with the way
>      IPFIX controls access to other Information Elements in general.
> 
>      The configuration of an IPFIX Exporter determines which MIB objects
>      are included in IPFIX Data Records sent to certain collectors.
>      Network operators should take care that the only MIB objects which
>      are included in IPFIX Data Records are ones which the receiving flow
>      collector is allowed to receive.
> 
> P.
> 
> On 18/11/15 16:06, Benoit Claise wrote:
> >On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
> >>On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
> >>>Be ye not afraid...
> >>>I have reviewed this document as part of the security directorate's
> >>>ongoing effort to review all IETF documents being processed by the
> >>>IESG.  These comments were written primarily for the benefit of the
> >>>security area directors.  Document editors and WG chairs should treat
> >>>these comments just like any other last call comments.
> >>>
> >>>Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
> >>>MIB Variables using the IPFIX Protocol
> >>>
> >>>Summary:
> >>>LGTM, Security AD attention not required, modulo questions below.
> >>>
> >>>I'm not quite sure what:
> >>>"However if the exporter is a client of an SNMP engine on the same
> >>>  device it MUST abide by existing SNMP security rules." is supposed to
> >>>mean. What exactly are "existing SNMP security rules"? Those defined
> >>>in RFCs? Configured on the device?
> >>I agree that this statement is a bit confusing. In the SNMP world, a
> >>client must authenticate against the agent and then the agent uses the
> >>client's authenticated identity to apply access control rules. This text
> >>talks about a client of an "SNMP engine", which is a bit confusing.
> >>
> >>Perhaps the sentence was meant to say this:
> >>
> >>      However, if the exporter is implemented as an SNMP manager
> >>      accessing an SNMP agent, it MUST authenticate itself to the SNMP
> >>      agent and the SNMP agent MUST enforce SNMP access control rules
> >>      as it would for any other SNMP manager.
> >Yes, that was the meaning.
> >For example, we can't export via IPFIX a MIB object for which we're 
> >not granted access, completely bypassing the SNMP access control rules
> >
> >Regards, Benoit (as a document author)
> >>
> >>/js
> >>
> >
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
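
Added example, not part of the thread or of the draft: a simplified Python
model of the RFC 3415 read-access decision discussed above, showing that the
agent needs an authenticated securityName before it can apply any view. The
securityName, group and view names are hypothetical, the tables are
constructed sample data, and subtree masks and contexts are left out.

```python
from dataclasses import dataclass

# Ordering of SNMPv3 security levels, lowest to highest.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def oid(text):
    """Parse a dotted OID string into a tuple of sub-identifiers."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:          # one row of a simplified vacmViewTreeFamilyTable
    view: str
    subtree: tuple
    included: bool


@dataclass(frozen=True)
class AccessEntry:         # one row of a simplified vacmAccessTable
    group: str
    min_level: str
    read_view: str


class Agent:
    """The SNMP agent: the only party that holds the access control tables."""

    def __init__(self, security_to_group, access, families):
        self.security_to_group = security_to_group
        self.access = access
        self.families = families

    def in_view(self, view, name):
        # The matching family entry with the longest subtree decides.
        best = None
        for fam in self.families:
            if fam.view != view or name[:len(fam.subtree)] != fam.subtree:
                continue
            if best is None or len(fam.subtree) > len(best.subtree):
                best = fam
        return best is not None and best.included

    def is_read_allowed(self, security_name, level, name):
        # Without an authenticated identity there is no group to look up.
        group = self.security_to_group.get(security_name)
        if group is None:
            return "noGroupName"
        usable = [a for a in self.access
                  if a.group == group and LEVELS[level] >= LEVELS[a.min_level]]
        if not usable:
            return "noAccessEntry"
        entry = max(usable, key=lambda a: LEVELS[a.min_level])
        if not any(f.view == entry.read_view for f in self.families):
            return "noSuchView"
        if self.in_view(entry.read_view, name):
            return "accessAllowed"
        return "notInView"


def build_export_set(agent, security_name, level, wanted):
    """Exporter side: export only what the agent lets this identity read."""
    exported, refused = [], {}
    for text in wanted:
        verdict = agent.is_read_allowed(security_name, level, oid(text))
        if verdict == "accessAllowed":
            exported.append(text)
        else:
            refused[text] = verdict
    return exported, refused


# Constructed agent configuration (hypothetical names).
AGENT = Agent(
    security_to_group={"ipfix-exporter": "exportGroup"},
    access=[AccessEntry("exportGroup", "authPriv", "exporterView")],
    families=[
        ViewFamily("exporterView", oid("1.3.6.1.2.1"), True),     # mib-2
        ViewFamily("exporterView", oid("1.3.6.1.2.1.4"), False),  # ip group
    ],
)

# MIB objects the exporter is configured to export (constructed list).
WANTED = [
    "1.3.6.1.2.1.2.2.1.10.1",          # ifInOctets.1
    "1.3.6.1.2.1.4.20.1.1.192.0.2.1",  # ipAdEntAddr instance
    "1.3.6.1.6.3.15.1.2.2.1.3",        # usmUserTable column
]

if __name__ == "__main__":
    for who, level in (("ipfix-exporter", "authPriv"),
                       ("ipfix-exporter", "noAuthNoPriv"),
                       (None, "noAuthNoPriv")):
        print(who, level, build_export_set(AGENT, who, level, WANTED))
```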


From nobody Thu Nov 19 08:20:37 2015
Return-Path: <eosterweil@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D9D21B2C46 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 08:20:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hjrK2NcEFhV for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 08:20:32 -0800 (PST)
Received: from mail-oi0-x263.google.com (mail-oi0-x263.google.com [IPv6:2607:f8b0:4003:c06::263]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A5E21B2C30 for <secdir@ietf.org>; Thu, 19 Nov 2015 08:20:26 -0800 (PST)
Received: by oiww189 with SMTP id w189so5510096oiw.2 for <secdir@ietf.org>; Thu, 19 Nov 2015 08:20:25 -0800 (PST)
X-Received: by 10.141.1.6 with SMTP id c6mr8556803qhd.9.1447950025480; Thu, 19 Nov 2015 08:20:25 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id f126sm654033qkb.8.2015.11.19.08.20.25 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 19 Nov 2015 08:20:25 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id tAJGKOKC028221 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 19 Nov 2015 11:20:24 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 19 Nov 2015 11:20:23 -0500
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org>
Thread-Topic: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Thread-Index: AQHRIuYw7V87NEQ2wUqsDEPnZR2Utg==
Date: Thu, 19 Nov 2015 16:20:23 +0000
Message-ID: <0C547F4D-FC84-4835-AA73-F6FA76319592@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <957791C7A2ABE24B852F8A6BE020E250@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/o6pmg50_gT3MLL4bOH0a3uDDPUM>
Subject: [secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 16:20:34 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

I believe this draft is ready with (possibly minor) issues:

In Section 2.1.1, the authors describe BFD Authentication, and it seems
quite appropriate and well described.  I was, however, wondering if
authentication (the same sub-TLV or different) was needed or should be
used for the mechanisms in Sections 2.1.2 and 2.1.3.  If the
authentication described by 2.1.1 is already expected to be applicable
to these other TLVs, it was not immediately clear.  Maybe some
additional description of this would be helpful to readers.

In Section 3, there is a great level of granularity proposed around
describing authorization errors: Auth not supported, Type not supported,
and Key mismatch (this is excellent).  One question, is there a missing
statement for an outright authentication failure?

In Section 6 Security Considerations, it would be nice (if possible) to
mention any privacy considerations.  For example, can an unauthorized
agent probe capabilities or configurations (such as, authentication or
otherwise) of devices?  That is, can someone learn that authentication
is being required, and what parameters are needed, etc?  Is all data
transmitted in the clear?

Eric


From nobody Thu Nov 19 09:05:58 2015
Return-Path: <bclaise@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87901B2CD9 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 09:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level: 
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJdROfd4iNVw for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 09:05:55 -0800 (PST)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8636D1B2CDE for <secdir@ietf.org>; Thu, 19 Nov 2015 09:05:54 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.20,318,1444694400"; d="scan'208";a="612882057"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Nov 2015 17:05:52 +0000
Received: from [10.60.67.93] (ams-bclaise-89112.cisco.com [10.60.67.93]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id tAJH5qYY018609; Thu, 19 Nov 2015 17:05:52 GMT
To: Paul Aitken <paitken@brocade.com>, Warren Kumari <warren@kumari.net>, IETF Security Directorate <secdir@ietf.org>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <564DE0BE.5080200@brocade.com> <20151119153417.GB3518@elstar.local>
From: Benoit Claise <bclaise@cisco.com>
Message-ID: <564E0170.7010908@cisco.com>
Date: Thu, 19 Nov 2015 18:05:52 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <20151119153417.GB3518@elstar.local>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/taOSdUrOy5avFfYWsupuk4gizDE>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 17:05:56 -0000

On 11/19/2015 4:34 PM, Juergen Schoenwaelder wrote:
> See my latest suggestion which adds a bunch of references to the third
> paragraph - which was the original request of the security directorate
> reviewer.
>
>      However, if the exporter is implemented as an SNMP manager
>      accessing an SNMP agent, it MUST authenticate itself to the SNMP
>      agent [RFC3414], [RFC5591], [RFC5592], [RFC6353] and the SNMP agent
>      MUST enforce SNMP access control rules [RFC3415] as required by
>      the SNMP architecture [RFC3411].
>
> The additional sentence is somewhat unclear:
>
>      [...] An Exporter MUST NOT bypass SNMP access control rules to
>      export a MIB object for which it is not granted access.
>
> Does this apply to any exporter or only to an exporter implemented as
> an SNMP manager accessing an SNMP agent? In the latter case, I would
> say this sentence is not needed since the sentence before already says
> that the SNMP agent MUST enforce SNMP access control rules (and this
> is the entity that has knowledge about the access control rules).
Agreed.
> In
> the former case, more information would be needed since in order to
> apply SNMP access control rules, you need to have an authenticated
> identity to work with.
Note that this is not part of Stephen's DISCUSS.

Regards, Benoit
>
> /js
>
> On Thu, Nov 19, 2015 at 02:46:22PM +0000, Paul Aitken wrote:
>> I've updated section 10 to capture both of these comments.
>>
>> Note that I haven't yet addressed Stephen Farrell's comment on privacy,
>> which will also be in this section.
>>
>>
>>    10.  Security Considerations
>>
>>       For this extension to the IPFIX protocol, the same security
>>       considerations as for the IPFIX protocol apply [RFC7011].
>>
>>       If the exporter is generating or capturing the field values itself,
>>       e.g. using the MIB objects only as an encoding or type mechanism,
>>       there are no extra security considerations beyond standard IPFIX.
>>
>>       However, if the exporter is implemented as an SNMP manager accessing
>>       an SNMP agent, it MUST authenticate itself to the SNMP agent and the
>>       SNMP agent MUST enforce SNMP access control rules as it would for any
>>       other SNMP manager.  An Exporter MUST NOT bypass SNMP access control
>>       rules to export a MIB object for which it is not granted access.
>>
>>       The access to particular MIB objects is controlled by the
>>       configuration of the IPFIX exporter.  This is consistent with the way
>>       IPFIX controls access to other Information Elements in general.
>>
>>       The configuration of an IPFIX Exporter determines which MIB objects
>>       are included in IPFIX Data Records sent to certain collectors.
>>       Network operators should take care that the only MIB objects which
>>       are included in IPFIX Data Records are ones which the receiving flow
>>       collector is allowed to receive.
>>
>> P.
>>
>> On 18/11/15 16:06, Benoit Claise wrote:
>>> On 11/18/2015 11:13 AM, Juergen Schoenwaelder wrote:
>>>> On Sat, Nov 14, 2015 at 02:17:20AM +0900, Warren Kumari wrote:
>>>>> Be ye not afraid...
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>> security area directors.  Document editors and WG chairs should treat
>>>>> these comments just like any other last call comments.
>>>>>
>>>>> Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
>>>>> MIB Variables using the IPFIX Protocol
>>>>>
>>>>> Summary:
>>>>> LGTM, Security AD attention not required, modulo questions below.
>>>>>
>>>>> I'm not quite sure what:
>>>>> "However if the exporter is a client of an SNMP engine on the same
>>>>>   device it MUST abide by existing SNMP security rules." is supposed to
>>>>> mean. What exactly are "existing SNMP security rules"? Those defined
>>>>> in RFCs? Configured on the device?
>>>> I agree that this statement is a bit confusing. In the SNMP world, a
>>>> client must authenticate against the agent and then the agent uses the
>>>> client's authenticated identity to apply access control rules. This text
>>>> talks about a client of an "SNMP engine", which is a bit confusing.
>>>>
>>>> Perhaps the sentence was meant to say this:
>>>>
>>>>       However, if the exporter is implemented as an SNMP manager
>>>>       accessing an SNMP agent, it MUST authenticate itself to the SNMP
>>>>       agent and the SNMP agent MUST enforce SNMP access control rules
>>>>       as it would for any other SNMP manager.
>>> Yes, that was the meaning.
>>> For example, we can't export via IPFIX a MIB object for which we're
>>> not granted access, completely bypassing the SNMP access control rules
>>>
>>> Regards, Benoit (as a document author)
>>>> /js
>>>>


From nobody Thu Nov 19 09:20:40 2015
Return-Path: <gregory.mirsky@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF341B2DAC; Thu, 19 Nov 2015 09:17:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.2
X-Spam-Level: 
X-Spam-Status: No, score=-104.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3KrJVl4QGj5; Thu, 19 Nov 2015 09:17:50 -0800 (PST)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBDD21B2D99; Thu, 19 Nov 2015 09:17:49 -0800 (PST)
X-AuditID: c6180641-f792c6d00000686a-62-564d9605d567
Received: from EUSAAHC005.ericsson.se (Unknown_Domain [147.117.188.87]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id BF.67.26730.5069D465; Thu, 19 Nov 2015 10:27:34 +0100 (CET)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC005.ericsson.se ([147.117.188.87]) with mapi id 14.03.0248.002; Thu, 19 Nov 2015 12:17:48 -0500
From: Gregory Mirsky <gregory.mirsky@ericsson.com>
To: "Osterweil, Eric" <eosterweil@verisign.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org>
Thread-Topic: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Thread-Index: AQHRIuYw7V87NEQ2wUqsDEPnZR2Utp6jkbrw
Date: Thu, 19 Nov 2015 17:17:47 +0000
Message-ID: <7347100B5761DC41A166AC17F22DF112219442EC@eusaamb103.ericsson.se>
References: <0C547F4D-FC84-4835-AA73-F6FA76319592@verisign.com>
In-Reply-To: <0C547F4D-FC84-4835-AA73-F6FA76319592@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.11]
Content-Type: multipart/alternative; boundary="_000_7347100B5761DC41A166AC17F22DF112219442ECeusaamb103erics_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/S1TSrjpYmcItuHpAumH1NSgwmTg>
X-Mailman-Approved-At: Thu, 19 Nov 2015 09:20:26 -0800
Subject: Re: [secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 17:17:53 -0000

--_000_7347100B5761DC41A166AC17F22DF112219442ECeusaamb103erics_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Eric,

thank you for the review and the comments. Please find my answers
in-line and tagged GIM>>.

Your questions, suggestions are greatly appreciated.

                Regards,

                                Greg

-----Original Message-----
From: Osterweil, Eric [mailto:eosterweil@verisign.com]
Sent: Thursday, November 19, 2015 8:20 AM
To: iesg@ietf.org; secdir@ietf.org; draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org
Subject: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

I believe this draft is ready with (possibly minor) issues:

In Section 2.1.1, the authors describe BFD Authentication, and it seems
quite appropriate and well described.  I was, however, wondering if
authentication (the same sub-TLV or different) was needed or should be
used for the mechanisms in Sections 2.1.2 and 2.1.3.  If the
authentication described by 2.1.1 is already expected to be applicable
to these other TLVs, it was not immediately clear.  Maybe some
additional description of this would be helpful to readers.

GIM>> MPLS-TP Performance Measurement being defined in RFC 6375 is the
profile of RFC 6374 and, as we can find across MPLS OAM, does not use
any authentication mechanism. Authentication mechanisms have been
defined for BFD over IP networks and are available when BFD is used to
monitor MPLS-TP LSP.

In Section 3, there is a great level of granularity proposed around
describing authorization errors: Auth not supported, Type not supported,
and Key mismatch (this is excellent).  One question, is there a missing
statement for an outright authentication failure?

GIM>> The document defines configuration of MPLS-TP OAM and thus
supports diagnostic of misconfiguration situations. Failure of
authentication would be operational state and should be diagnosed and
troubleshooted by other instruments than defined in this document.

In Section 6 Security Considerations, it would be nice (if possible) to
mention any privacy considerations.  For example, can an unauthorized
agent probe capabilities or configurations (such as, authentication or
otherwise) of devices?  That is, can someone learn that authentication
is being required, and what parameters are needed, etc?  Is all data
transmitted in the clear?

GIM>> RFC 4379 does not define any authentication mechanism for MPLS LSP
ping and the data are transmitted in the clear. That may be viewed as a
security concern and perhaps can be discussed as part of work on
RFC4379bis <https://tools.ietf.org/html/draft-smack-mpls-rfc4379bis-06>.
At the same time, LSP ping doesn't have constructs to allow an agent,
authorized or not, to learn of capabilities and/or configuration of the
LSR.

Eric

--_000_7347100B5761DC41A166AC17F22DF112219442ECeusaamb103erics_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoPlainText">Hi Eric,<o:p></o:p></p>
<p class=3D"MsoPlainText">thank you for the review and the comments. Please=
 find my answers in-line and tagged GIM&gt;&gt;.<o:p></o:p></p>
<p class=3D"MsoPlainText">Your questions, suggestions are greatly appreciat=
ed.<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Regards,<o:p></o:p></p>
<p class=3D"MsoPlainText">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Greg<o:p></o=
:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">-----Original Message-----<br>
From: Osterweil, Eric [mailto:eosterweil@verisign.com] <br>
Sent: Thursday, November 19, 2015 8:20 AM<br>
To: iesg@ietf.org; secdir@ietf.org; draft-ietf-mpls-lsp-ping-mpls-tp-oam-co=
nf.all@tools.ietf.org<br>
Subject: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15</p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">I have reviewed this document as part of the secu=
rity directorate's ongoing effort to review all IETF documents being proces=
sed by the IESG. These comments were written primarily for the benefit of t=
he security area directors. Document
 editors and WG chairs should treat these comments just like any other last=
 call comments.<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">I believe this draft is ready with (possibly mino=
r) issues:<o:p></o:p></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">In Section 2.1.1, the authors describe BFD Authen=
tication, and it seems quite appropriate and well described.&nbsp; I was, h=
owever, wondering if authentication (the same sub-TLV or different) was nee=
ded or should be used for the mechanisms
 in Sections 2.1.2 and 2.1.3.&nbsp; If the authentication described by 2.1.=
1 is already expected to be applicable to these other TLVs, it was not imme=
diately clear.&nbsp; Maybe some additional description of this would be hel=
pful to readers.<o:p></o:p></p>
<p class=3D"MsoPlainText">GIM&gt;&gt; MPLS-TP Performance Measurement being=
 defined in RFC 6375 is the profile of RFC 6374 and, as we can find across =
MPLS OAM, does not use any authentication mechanism. Authentication mechani=
sms been defined for BFD over IP networks
 and are available when BFD used to monitor MPLS-TP LSP.<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:black"><o:p>&nbsp;</o:p></sp=
an></p>
<p class=3D"MsoPlainText">In Section 3, there is a great level of granulari=
ty proposed around describing authorization errors: Auth not supported, Typ=
e not supported, and Key mismatch (this is excellent).&nbsp; One question, =
is there a missing statement for an outright
 authentication failure?<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:black">GIM&gt;&gt; The docum=
ent defines configuration of MPLS-TP OAM and thus supports diagnostic of mi=
sconfiguration situations. Failure of authentication would be operational s=
tate and should be diagnosed and troubleshooted
 by other instruments then defined in this document.<o:p></o:p></span></p>
<p class=3D"MsoPlainText"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoPlainText">In Section 6 Security Considerations, it would be=
 nice (if possible) to mention any privacy considerations.&nbsp; For exampl=
e, can an unauthorized agents probe capabilities or configurations (such as=
, authentication or otherwise) of devices?&nbsp;
 That is, can someone learn that authentication is being required, and what=
 parameters are needed, etc?&nbsp; Is all data transmitted in the clear?<o:=
p></o:p></p>
<p class=3D"MsoPlainText">GIM&gt;&gt; RFC 4379 does not define any authenti=
cation mechanism for MPLS LSP ping and the data are transmitted in the clea=
r. That may be viewed as security concern and perhaps can be discussed as p=
art of work on
<a href=3D"https://tools.ietf.org/html/draft-smack-mpls-rfc4379bis-06">RFC4=
379bis</a>. At the same time, LSP ping doesn&#8217;t have constructs to all=
ow an agent, authorized or not, to learn of capabilities and/or configurati=
on of the LSR.<o:p></o:p></p>
<p class=3D"MsoPlainText"><span style=3D"color:black"><o:p>&nbsp;</o:p></sp=
an></p>
<p class=3D"MsoPlainText">Eric<o:p></o:p></p>
</div>
</body>
</html>

--_000_7347100B5761DC41A166AC17F22DF112219442ECeusaamb103erics_--


From nobody Thu Nov 19 14:18:15 2015
From: "Alvaro Retana (aretana)" <aretana@cisco.com>
To: Tom Yu <tlyu@mit.edu>, "draft-ietf-bfd-seamless-base@ietf.org" <draft-ietf-bfd-seamless-base@ietf.org>
Thread-Topic: secdir review of draft-ietf-isis-sbfd-discriminator-02 (draft-ietf-bfd-seamless-base)
Thread-Index: AQHRIxgteMcoWJPLzE2CHXNZxBofNg==
Date: Thu, 19 Nov 2015 22:18:11 +0000
Message-ID: <D273B455.EB00E%aretana@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/o7CSlWeRPh4-BZBTI_eDyoBM7ak>
Cc: "Les Ginsberg \(ginsberg\)" <ginsberg@cisco.com>, "draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org" <draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-isis-sbfd-discriminator-02 (draft-ietf-bfd-seamless-base)

Tom:

Hi!

I'm cc'ing the authors of draft-ietf-bfd-seamless-base on this thread so
that your comments can be considered as they update the document.

Thanks!

Alvaro.

On 11/18/15, 2:28 PM, "Tom Yu" <tlyu@mit.edu> wrote:

>Given that S-BFD is still in AD Evaluation, it seems that there is still
>an opportunity to update the S-BFD Security Considerations, so that the
>IS-IS draft will no longer point to apparently absent text in the S-BFD
>Security Considerations.
>
>"Les Ginsberg (ginsberg)" <ginsberg@cisco.com> writes:
>
>> Tom -
>>
>> Thanx for the review.
>>
>> If you are not happy with the Security section of the base S-BFD draft
>> it seems to me it makes the most sense to address any issues in that
>> document. Trying to make up for any shortcomings in S-BFD draft by
>> adding to the IGP drafts (there is a similar OSPF S-BFD draft) when the
>> IGPs are merely acting as a transport for opaque information (as you
>> say) does not seem appropriate to me.
>>
>> Can we close on this issue?
>>
>>    Les
>>
>>
>>> -----Original Message-----
>>> From: Tom Yu [mailto:tlyu@mit.edu]
>>> Sent: Tuesday, November 17, 2015 7:06 PM
>>> To: iesg@ietf.org; secdir@ietf.org;
>>> draft-ietf-isis-sbfd-discriminator.all@tools.ietf.org
>>> Subject: secdir review of draft-ietf-isis-sbfd-discriminator-02
>>>
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG.  These comments were written primarily for the benefit of the
>>> security area directors.  Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>>
>>> Summary: ready with nits
>>>
>>> I agree with the first paragraph of the Security Considerations, in
>>> that I think it's unlikely that this document introduces security
>>> risks for IS-IS, which as I understand it, effectively transports the
>>> proposed S-BFD discriminators as an uninterpreted opaque payload.
>>>
>>> The second paragraph
>>>
>>>    Advertisement of the S-BFD discriminators does make it possible for
>>>    attackers to initiate S-BFD sessions using the advertised
>>>    information.  The vulnerabilities this poses and how to mitigate
>>>    them are discussed in the Security Considerations section of
>>>    [S-BFD].
>>>
>>> refers to the Security Considerations of the [S-BFD] base document.
>>> The [S-BFD] Security Considerations describe some strengthening
>>> practices, but doesn't seem to describe the vulnerabilities in
>>> significant detail.  [S-BFD] Security Considerations seems to describe
>>> an attack where someone impersonates the responder, but not one where
>>> someone impersonates an initiator.
>>>
>>> Other sections of [S-BFD] might imply the existence of this sort of
>>> vulnerability, but the Security considerations seems not to mention it
>>> explicitly.  I'm not sure whether it's best to leave things alone,
>>> revise this document, or revise [S-BFD].
>>>
>>> -Tom


From nobody Thu Nov 19 18:35:19 2015
Date: Thu, 19 Nov 2015 21:35:09 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: secdir <secdir@ietf.org>, iesg@ietf.org, draft-ietf-straw-b2bua-dtls-srtp.all@tools.ietf.org
Message-ID: <alpine.LFD.2.20.1511192126580.30363@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/s15RyxZBIkHfbGYDLYWdqM7V8KE>
Subject: [secdir] Review of draft-ietf-straw-b2bua-dtls-srtp

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

As far as I understood the document and its dependencies (I'm not very
familiar with the sip/srtp world), the document is Ready.

One minor nit: Section 1.2 has a broken link for RFC-7092.

This document describes how a "middle man" relaying connections between
two sip endpoints should behave so it will not break the connection
between the sip endpoints. The security section clearly lists the
defenses the sip endpoints should take to ensure this "middle man" is
not maliciously decrypting/re-encrypting the content of the connection
it forwards between the endpoints.

Paul


From nobody Thu Nov 19 19:42:46 2015
From: "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>
To: Paul Wouters <paul@nohats.ca>, secdir <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-straw-b2bua-dtls-srtp.all@tools.ietf.org" <draft-ietf-straw-b2bua-dtls-srtp.all@tools.ietf.org>
Thread-Topic: Review of draft-ietf-straw-b2bua-dtls-srtp
Thread-Index: AQHRIzweWpDIRYtaR06omaZlBAbl0Z6k9FeA
Date: Fri, 20 Nov 2015 03:37:37 +0000
Message-ID: <D274942E.49BA2%rmohanr@cisco.com>
References: <alpine.LFD.2.20.1511192126580.30363@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.20.1511192126580.30363@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/e950Jol16JsRl83fXaRFb2pNQfI>
X-Mailman-Approved-At: Thu, 19 Nov 2015 19:42:44 -0800
Cc: "straw@ietf.org" <straw@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-straw-b2bua-dtls-srtp

Hi Paul,

Thanks for your feedback. I will fix the broken link to RFC7092 in
section 1.2. Thanks for pointing that out.

Regards,
Ram

-----Original Message-----
From: Paul Wouters <paul@nohats.ca>
Date: Friday, 20 November 2015 at 8:05 AM
To: secdir <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,
"draft-ietf-straw-b2bua-dtls-srtp.all@tools.ietf.org"
<draft-ietf-straw-b2bua-dtls-srtp.all@tools.ietf.org>
Subject: Review of draft-ietf-straw-b2bua-dtls-srtp
Resent-From: <paul@nohats.ca>
Resent-To: <draft-ietf-straw-b2bua-dtls-srtp.all@ietf.org>
Resent-Date: Friday, 20 November 2015 at 8:05 AM

>
>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>As far as I understood the document and its dependencies (I'm not very
>familiar with the sip/srtp world), the document is Ready.
>
>One minor nit: Section 1.2 has a broken link for RFC-7092.
>
>This document describes how a "middle man" relaying connections between
>two sip endpoints should behave so it will not break the connection
>between the sip endpoints. The security section clearly lists the
>defenses the sip endpoints should take to ensure this "middle man" is
>not maliciously decrypting/re-encrypting the content of the connection
>it forwards between the endpoints.
>
>Paul


From nobody Fri Nov 20 04:31:15 2015
From: Simon Josefsson <simon@josefsson.org>
To: Joseph Salowey <joe@salowey.net>
References: <CAOgPGoBY9V-z5emqU6e=2QCGb_wfEUM-eE+KKgzDqg9jLAYVVw@mail.gmail.com>
Date: Fri, 20 Nov 2015 13:30:56 +0100
In-Reply-To: <CAOgPGoBY9V-z5emqU6e=2QCGb_wfEUM-eE+KKgzDqg9jLAYVVw@mail.gmail.com> (Joseph Salowey's message of "Sun, 13 Sep 2015 16:36:29 -0700")
Message-ID: <878u5shmyn.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/B-dH2r5Todwt4au8GPjlIFcJWlE>
Cc: draft-josefsson-scrypt-kdf.all@tools.ietf.org, secdir <secdir@ietf.org>
Subject: Re: [secdir] Sector review of draft-josefsson-scrypt-kdf-03

--=-=-=
Content-Type: text/plain

Hi Joseph.  Thanks for your review, and sorry for the delay in answering
this.  In the new version [1] I have added a new section to discuss
scrypt parameters.

/Simon

[1] https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-04

Joseph Salowey <joe@salowey.net> writes:

> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area
> directors and document authors.
>
> I think this document is ready with issues.   The document describes a
> password to key function, scrypt, based on memory hard functions to make it
> more expensive and difficult to develop specialized hardware to obtain the
> password from a recovered key.  I'd like to see this document published.  A
> few issues are listed below.
>
> First, I think Paul Kyzivat's GenArt review,
> http://mailarchive.ietf.org/arch/msg/gen-art/fToZiioHo-6x5ZRQWNcTr-aUYVk
> <https://mailarchive.ietf.org/arch/msg/gen-art/fToZiioHo-6x5ZRQWNcTr-aUYVk>,
> raised some points that could help the readability of the document.
>
> Second, the scrypt algorithm has several parameters, but the document has
> very little discussion on how to choose those parameters or what they
> affect (this is also pointed out in Paul's message).  It would be good to
> have some discussion or guidance for parameter selection in the security
> considerations.
>
> Cheers,
>
> Joe

--=-=-=--
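
The review quoted in the message above asks what the scrypt parameters affect. As an added illustration (not code from this thread or from the draft), the sketch below uses Python's `hashlib.scrypt` to show how N, r and p set working memory and CPU cost, and checks itself against a test vector published in RFC 7914; the helper names and the memory budgets are assumptions made for this example.

```python
import hashlib
import hmac

# scrypt test vector published in RFC 7914:
# P="password", S="NaCl", N=1024, r=8, p=16, dkLen=64.
KAT = bytes.fromhex(
    "fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b373162"
    "2eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640"
)


def check_params(n, r, p):
    """Reject parameter combinations that scrypt does not define."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two greater than 1")
    if r < 1 or p < 1:
        raise ValueError("r and p must be positive")
    if r * p >= 2**30:
        raise ValueError("r * p must be below 2**30")


def working_memory(n, r, p):
    """Approximate bytes needed: the N-entry table of 128*r-byte blocks
    dominates, plus one 128*r-byte block per parallel lane."""
    return 128 * r * (n + p)


def relative_cpu_cost(n, r, p):
    """CPU work grows with N*r*p; p adds work at almost no memory cost."""
    return n * r * p


def largest_n_for_budget(budget_bytes, r=8, p=1):
    """Largest power-of-two N whose working memory fits in budget_bytes."""
    n = 2
    if working_memory(n, r, p) > budget_bytes:
        raise ValueError("budget too small for any valid N")
    while working_memory(n * 2, r, p) <= budget_bytes:
        n *= 2
    return n


def derive_key(password, salt, n, r, p, dklen=32):
    """Derive a key, granting exactly the memory these parameters need."""
    check_params(n, r, p)
    # hashlib.scrypt applies OpenSSL's default 32 MiB cap when maxmem is 0,
    # so larger parameters fail unless the cap is raised explicitly.
    # The extra 1024*r bytes are headroom for OpenSSL's scratch blocks.
    maxmem = working_memory(n, r, p) + 1024 * r
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=dklen)


def known_answer_ok():
    """True if this platform's scrypt reproduces the published vector."""
    out = derive_key(b"password", b"NaCl", n=1024, r=8, p=16, dklen=64)
    return hmac.compare_digest(out, KAT)


if __name__ == "__main__":
    print("known-answer test:", "ok" if known_answer_ok() else "MISMATCH")
    # Constructed parameter sets, chosen to show each knob in isolation.
    for n, r, p in [(2**14, 8, 1), (2**15, 8, 1), (2**14, 16, 1), (2**14, 8, 4)]:
        mib = working_memory(n, r, p) / 2**20
        cost = relative_cpu_cost(n, r, p) // relative_cpu_cost(2**14, 8, 1)
        print(f"N=2^{n.bit_length() - 1:<2} r={r:<2} p={p}  "
              f"memory={mib:6.1f} MiB  cpu={cost}x")
    print("largest N within 64 MiB (r=8, p=1):",
          largest_n_for_budget(64 * 2**20))
```

Doubling N or r doubles both memory and time, while raising p only multiplies time, which is why N is the parameter that sets the cost of a hardware attack.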


From nobody Fri Nov 20 07:23:10 2015
To: Simon Josefsson <simon@josefsson.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <55DCB0A2.5050102@alum.mit.edu> <87d1v4hn1h.fsf@latte.josefsson.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <564F3AB9.7060400@cs.tcd.ie>
Date: Fri, 20 Nov 2015 15:22:33 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <87d1v4hn1h.fsf@latte.josefsson.org>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/xcFMN9mGaiCaTAId17NK3-EYri0>
Cc: draft-josefsson-scrypt-kdf.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Gen-ART Last Call review of draft-josefsson-scrypt-kdf-03

(This combines the distributions for Simon's mail to gen-art
and secdir. I think one thread responding to my question(s)
below will work better.)

Hi Simon, all,

Thanks for the reviews and updates.

Does anyone think we need more review for this or is
it now ready for IESG eval? Modulo one question below,
I think it is ready to move forward, but there are a
lot of detailed changes in this revision, so it might
be prudent to try get a few eyeballs on those.

One other thing below...

On 20/11/15 12:29, Simon Josefsson wrote:
> Executive Summary: I have submitted
> https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-04
> that (hopefully) resolves the gen-art and secdir feedback.
> 
> Paul Kyzivat <pkyzivat@alum.mit.edu> writes:
> 
>> This draft is on the right track but has open issues, described in the
>> review.
> 
> Hello Paul.  I am sorry for the delay in answering your thorough (much
> appreciated!) review.  Your review was emailed to the wrong
> @tools.ietf.org address, but I can't blame that for my delay since I was
> notified of your review through the secdir review.
> 
>> (Issue-1): Intended status
>>
>> The intended status of this document is Informational. I question why
>> it is not a normative document. As best I can tell, this is the formal
>> specification of the algorithm. Those that use it would presumably
>> want to claim conformance to it. The introduction describes this as an
>> alternative to other KDF functions, including only one with an RFC
>> reference - RFC2898. That one is also informational, but it is a
>> restatement of an algorithm specified elsewhere, so that RFC can be
>> viewed as an informational supplement to the actual definition. The
>> same is not true of this document.
>>
>> (Of course changing this to a normative document would require
>> significant changes, including adding 2119 language. And it probably
>> could then not be handled as an AD-sponsored document.)
> 
> As I understand it, the IETF tradition is that descriptions of crypto
> algorithms that were invented elsewhere are not published as Standards
> Track documents.  So this is in line with that tradition.
> 
>> (Issue-2): Type mismatch on call to scryptROMix
>>
>> The scryptROMix function calls scryptBlockMix with an octet vector of
>> length 128*r octets. But the definition of scryptBlockMix specifies
>> that the input argument should be a vector of 2*r 64-octet blocks.
>>
>> Clearly these don't match. One way to make them match would be to
>> divide the single 128*r octet vector into two 64-octet vectors, and
>> then to treat r as 2 inside of scryptBlockMix. I don't know if that is
>> the intent.
> 
> I believe this is a presentation issue.  The intention is indeed that
> conversion between these formats is transparent.  In performant
> implementations, B will refer to the same memory area.  The document
> was confusing here, and I believe the document was further problematic
> since it described the inputs as an array of elements, rather than a
> concatenation of octets.  It now reads:
> 
>    Input:
>             B[0] || B[1] || ... || B[2 * r - 1]
>                    Input octet string (of size 128 * r octets),
>                    treated as 2 * r 64-octet blocks.
> 
>    Output:
>             B'[0] || B'[1] || ... || B'[2 * r - 1]
>                    Output octet string.
> 
> I hope this improves this aspect.
> 
>> (Issue-3): Definition of Integerify
>>
>> The Integerify function is not clearly defined. The following is given
>> in the document:
>>
>>   j = Integerify (X) mod N
>>       where Integerify (B[0] ... B[2 * r - 1]) is defined
>>       as the result of interpreting B[2 * r - 1] as a
>>       little-endian integer.
>>
>> I can make no sense of this definition of Integerify. The description
>> implies that B must be an array containing elements up to index
>> 2*r-1. But the definition of B is "Input octet vector of length 128 *
>> r octets". Taking the definition literally, B[2*r-1] must be an octet,
>> and 2*r must be less than 128. That seems like nonsense to me.
>>
>> I found the following in the [SCRYPT] paper:
>>
>> "We expect that for reasons of performance and simplicity,
>> implementors will restrict N to being a power of 2, in which case
>> the function Integerify can be replaced by reading the first (or
>> last) machine-length word from a k-bit block."
>>
>> Simply reading a machine-length word ignores the differences between
>> little-endian and big-endian machines, and machines with different
>> word sizes. Conveniently, [SALSA20SPEC] defines a littleendian
>> function that yields a 32-bit integer from four bytes. That should be
>> sufficient bits for computing "j". So Integerify(X) could be defined
>> as:
>>
>>    littleendian(X[0],X[1],X[2],X[3])
>>
>> or
>>
>>    littleendian(X[128*r-4],X[128*r-3],X[128*r-2],X[128*r-1])
>>
>> (I don't think it matters which, as long as everyone does it the same way.)
>>
>> In any case, the language is ambiguous and needs to be clarified.
> 
> Right.  I have changed this into:
> 
>           j = Integerify (X) mod N
>               where Integerify (X) is defined as the result of
>               interpreting the last four octets of X as a little-
>               endian integer, i.e.:
>                   littleendian(X[128*r-4], X[128*r-3],
>                                X[128*r-2], X[128*r-1])
> 
>> -------------
>> Minor issues:
>>
>> (Issue-4): Identifiers reused for different meanings
>>
>> In scrypt, "B" is an array of "p" vectors, each of which is 128*r
>> octets. In scryptROMix, "B" is a single vector of 128*r octets. In
>> scryptBlockMix, "B" is a vector of 2*r 64-octet blocks.
> 
> I'm not sure that changing variable names here is a good idea.  For any
> performant implementation, these variables will refer to the same memory
> area and thus a consistent variable name helps to signal that.  It is
> just the interpretation of that memory area that is different in these
> functions.
> 
>> In both scrypt and scryptROMix "r" is the same block size
>> parameter. But in scryptROMix it is only used in the (broken)
>> definition of Integerify.
> 
> It is used in the variable descriptions too, to indicate length of the
> variables.
> 
>> In scryptBlockMix "r" is (apparently, if I have figured things out)
>> always 2, and unrelated to the other "r".
> 
> No, r is the same throughout.
> 
>> The document would be clearer if distinct identifiers were used for
>> each unique concept.
> 
> I believe the identifier refers to unique concepts.  For B, what differs
> is how that memory area is interpreted in each algorithm description.
> 
> Can you think of some way to make this more clear, if the changes I've
> made now aren't sufficient?  I believe some changes I have made already
> make this somewhat clearer though.
> 
>> For those identifiers whose value is intended to be constant and
>> common across all the functions (such as "N"), it would be better to
>> define them once, globally.
>>
>> (Issue-5): Confusing/misleading names/definitions of identifiers
>>
>> The "Block size" parameter ("r") does not denote the size of a
>> block. It is a factor in the size of blocks, varying from function to
>> function. Exactly what concept it denotes, and how one would choose
>> it, isn't clear to me.
>>
>> The definition of the "N" parameter (CPU/Memory cost parameter) isn't
>> especially clear. It appears that increasing N increases the cost both
>> of CPU and memory. But the "p" (parallelization) parameter acts as a
>> multiplier on N, also increasing the cost. It is far from clear how
>> one would choose appropriate values for N and p. For a given value of
>> N*p, is it better for N to be large, or p to be large?
>>
>> I suggest that more thought be given to what these things mean in the
>> context of this application, and then choose identifier names and
>> descriptions accordingly. It may be better to refactor these some
>> other way.
> 
> This came from the secdir review as well -- I have added a section
> "Scrypt parameters" to discuss this.
> 
> 2.  Scrypt Parameters
> 
>    The scrypt function takes several parameters.  The passphrase P is
>    typically a human-chosen password.  The salt is normally uniquely and
>    randomly generated [RFC4086].  The parameter r ("blockSize") specify
>    the block size.  The CPU/Memory cost parameter N ("costParameter")
>    must be larger than 1, a power of 2 and less than 2^(128 * r / 8).
>    The parallelization parameter p ("parallelizationParameter"), a
>    positive integer less than or equal to ((2^32-1) * 32) / (128 * r).
>    The intended output length dkLen in octets of the derived key
>    ("keyLength"); a positive integer less than or equal to (2^32 - 1) *
>    32.
> 
>    Users of scrypt can tune the parameters N, r, and p according to the
>    amount of memory and computing power available, the latency-bandwidth
>    product of the memory subsystem, and the amount of parallelism
>    desired.  At the current time, taking r=8 and p=1 appears to yield
>    good results, but as memory latency and CPU parallelism increase it
>    is likely that the optimum values for both r and p will increase.
>    Note also that since the computations of SMix are independent, a
>    large value of p can be used to increase the computational cost of
>    scrypt without increasing the memory usage; so we can expect scrypt
>    to remain useful even if the growth rates of CPU power and memory
>    capacity diverge.

I think that new text will almost certainly generate debate in
the IESG. You introduce a whole bunch of parameters but only
give recommended values for two. You will for sure be asked
what's good for the others. So.... what's good for the others
and why not include that in the draft?

Cheers,
S.


> 
>> The ASN.1 in section 6 assigns names to several of these
>> identifiers. It would be helpful to readers if the names used in
>> defining the algorithms were also the names used here.
> 
> I've added these names to the "Scrypt Parameters" section above.
> 
>> (Issue-6): Dubious stability of references
>>
>> I looked for prior discussion of this draft, and found some on the
>> saag mailing list regarding the references.
>>
>> The definition of the Salsa20 hash function in
>> http://cr.yp.to/snuffle/spec.pdf seems clear enough, but is the
>> document reference stable? It might be safer to replicate the
>> definition in this document (in an appendix) with attribution. It
>> doesn't appear that there is any copyright in the referenced
>> document.
> 
> I have included the brief C snippet that defines the function in the
> section, which hopefully is sufficiently clear for implementers (together
> with the already included test vector) to transpose it into something
> working in any language.  This allowed me to move those two references
> to informative ones.
> 
>> I'll also note that call to this hash function in scryptBlockMix is to
>> "Salsa", not Salsa20. It ought to be consistent with the definition.
> 
> This is explained in the section:
> 
>  Below, Salsa(T) corresponds to the Salsa20/8 Core function applied to
>    the octet vector T.
> 
>> ------------------------
>> Nits/editorial comments:
>>
>> (Issue-7): IdNits reported errors
>>
>> IdNits reports:
>>
>> -- Obsolete informational reference (is this intentional?): RFC 5208
>>      (Obsoleted by RFC 5958)
>>
>> This is triggered by the following in section 6:
>>
>> "To be usable in PKCS#8 [RFC5208] and Asymmetric Key Packages
>> [RFC5958] the following extension of the PBES2-KDFs type is needed."
>>
>> Since RFC5958 is referenced, and it obsoletes RFC5208, what is the
>> reason for referencing both?
> 
> The reason was that a lot of protocols refer to 'PKCS#8' and RFC 5208
> is the IETF-canonical reference for that term, and a way to illustrate
> that the scrypt ASN.1 schema is compliant with "old" PKCS#8.  RFC 5958
> obsoletes RFC 5208 but the identifier 'PKCS#8' was lost in the process.
> 
> I'm fine with dropping 5208 as a reference, but I do believe it provides
> slightly more value to the reader.
> 
>> (There is also an error about 2119, but it is bogus, triggered by the
>> use of OPTIONAL in the ASN.1.)
>>
>> This completes my review.
> 
> Thank you!
> 
> /Simon
> 


From nobody Fri Nov 20 07:43:23 2015
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C6001B2AAE for <secdir@ietfa.amsl.com>; Fri, 20 Nov 2015 07:43:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UZnJQAQIyhpA for <secdir@ietfa.amsl.com>; Fri, 20 Nov 2015 07:43:19 -0800 (PST)
Received: from resqmta-ch2-05v.sys.comcast.net (resqmta-ch2-05v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:37]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CD001B2AA9 for <secdir@ietf.org>; Fri, 20 Nov 2015 07:43:19 -0800 (PST)
Received: from resomta-ch2-20v.sys.comcast.net ([69.252.207.116]) by resqmta-ch2-05v.sys.comcast.net with comcast id jrii1r0032XD5SV01rjJ12; Fri, 20 Nov 2015 15:43:18 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-ch2-20v.sys.comcast.net with comcast id jrjG1r00T3KdFy101rjGhe; Fri, 20 Nov 2015 15:43:18 +0000
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Simon Josefsson <simon@josefsson.org>
References: <55DCB0A2.5050102@alum.mit.edu> <87d1v4hn1h.fsf@latte.josefsson.org> <564F3AB9.7060400@cs.tcd.ie>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <564F3F93.30604@alum.mit.edu>
Date: Fri, 20 Nov 2015 10:43:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <564F3AB9.7060400@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1448034198; bh=GWN2SE6+4G8C93olK+3xchJOgWTViAEe6NRDClzQU8M=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=kGC+SsDkAFsEIes2plpoA9DLX1t0WatpfjcQZefEvc+M0jYUXNJOsyVQJD5u0eg1k llCeT4tPZDH0SrA7VoHHE+e3bYiUDT1gp0bMGoDztHFW33va8i+mlN6WMGIklmevQg A5G0v2LzwR+j0Y+lmzjItjvDKx/I+QgVzJsRBTAK5rGd932N09v28JF7wMhA8IhWoQ X8lVyNLh4RWy/XT0Ldr00TjmzgiV3OYuyVJUZjIclR5HaoZtmEHDOG8ZuUD7FZZ/Td KDb+HhH5j+DhwYQnFO7os3DTSOh8ue2/Lt3cJ48w0lfWZvhBHIwchc1+08AUw2gyzA armGq43ppjIHg==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/K0Fz5Gduzlt8nw1PYgVWXt_JT6M>
Cc: draft-josefsson-scrypt-kdf.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Gen-ART Last Call review of draft-josefsson-scrypt-kdf-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 15:43:22 -0000

On 11/20/15 10:22 AM, Stephen Farrell wrote:
>
> (This combines the distributions for Simon's mail to gen-art
> and secdir. I think one thread responding to my question(s)
> below will work better.)

+1

I was out of my depth reviewing this because I am not familiar with 
common practice in defining security algorithms. I reviewed this from 
the perspective of a software engineer and found it very difficult to 
follow.

So it is probably better if secdir looks at my comments and decides if 
they have any merit and need further attention.

	Thanks,
	Paul



From nobody Fri Nov 20 08:16:31 2015
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 269791B35E1 for <secdir@ietfa.amsl.com>; Fri, 20 Nov 2015 08:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NEnyUrK2HDuT for <secdir@ietfa.amsl.com>; Fri, 20 Nov 2015 08:16:28 -0800 (PST)
Received: from resqmta-ch2-06v.sys.comcast.net (resqmta-ch2-06v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:38]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FA381B35B0 for <secdir@ietf.org>; Fri, 20 Nov 2015 08:16:27 -0800 (PST)
Received: from resomta-ch2-13v.sys.comcast.net ([69.252.207.109]) by resqmta-ch2-06v.sys.comcast.net with comcast id jsG41r0052N9P4d01sGTEk; Fri, 20 Nov 2015 16:16:27 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-ch2-13v.sys.comcast.net with comcast id jsGR1r0113KdFy101sGRFU; Fri, 20 Nov 2015 16:16:27 +0000
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Simon Josefsson <simon@josefsson.org>
References: <55DCB0A2.5050102@alum.mit.edu> <87d1v4hn1h.fsf@latte.josefsson.org> <564F3AB9.7060400@cs.tcd.ie>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <564F4758.3020200@alum.mit.edu>
Date: Fri, 20 Nov 2015 11:16:24 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <564F3AB9.7060400@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1448036187; bh=UPlv3J4yNI1BjLT8Mo1ueSp2N6qFMIv02GvtGDIOiUw=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=gqBl1ODmeg+x3U3gMeD+OMJ5/QhZ8SP/SOnenWqT8YK6uQ51s+Y/4g9TCMsMIjL/C KxVm+VwhziLUJOpqy3gRfSGW5jbEMM06+CFS0o6W2af8ua8dPKnpgIfKU05SvskjTE MaKKeAirVI4JQFxFC/8xEttyM+cBsHBe3Z8MsR62Wa22DLmOvtdYuvt4GPhN5VcCu2 pKDw6TEe6RVxqOR+uwE9O931/7NTrTVCEYZSdxiCj3zVEyCTiPI6hw5yofp57GOlLo /PnnHwJ4FHn3W47WB7AiKnr9FsbVrUbTJ3rzG1vGQzjONkb5l+q9sjLoxPlEZIxY4w kOrFXJqw5AumA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/zsIf5w7K28Wqz8Zl2cFHmu0FnME>
Cc: draft-josefsson-scrypt-kdf.all@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Gen-ART Last Call review of draft-josefsson-scrypt-kdf-03

I did want to comment on one other thing:


>>> (Issue-4): Identifiers reused for different meanings
>>>
>>> In scrypt, "B" is an array of "p" vectors, each of which is 128*r
>>> octets. In scryptROMix, "B" is a single vector of 128*r octets. In
>>> scryptBlockMix, "B" is a vector of 2*r 64-octet blocks.
>>
>> I'm not sure that changing variable names here is a good idea.  For any
>> performant implementation, these variables will refer to the same memory
>> area and thus a consistent variable name helps to signal that.  It is
>> just the interpretation of that memory area that is different in these
>> functions.

>>> The document would be clearer if distinct identifiers were used for
>>> each unique concept.
>>
>> I believe the identifier refers to unique concepts.  For B, what differs
>> is how that memory area is interpreted in each algorithm description.

I don't think it works for a *spec* to assume that a "memory area" can 
be interpreted differently, sometimes as a number, sometimes as an array 
of bytes, sometimes as an array of arrays, etc.

Making such assumptions depends on the language being used mapping these 
things to the same memory in a consistent way. Some languages don't 
allow this at all, and those that do often lay out memory with padding 
for efficiency, according to little/big endianness, etc.

So I think it is important to clearly define any type coercions that are 
needed.

	Thanks,
	Paul
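
Added example (not part of this thread and not text from the draft): a small pure-Python scrypt in which each interpretation of "B" discussed above is an explicit conversion with a stated length and byte order, rather than a second view of the same memory. The step names Integerify and Salsa20/8 and the little-endian conventions are taken from the scrypt specification; the Python function names are this example's own.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# (a, b, c, d) word indices: four column quarter-rounds, then four row ones.
QUARTERS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
            (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]


def split(buf, size, count):
    """Octet string -> exactly `count` consecutive chunks of `size` octets."""
    if len(buf) != size * count:
        raise ValueError(f"expected {size * count} octets, got {len(buf)}")
    return [buf[i * size:(i + 1) * size] for i in range(count)]


def xor(a, b):
    """Octet-wise XOR of two equal-length octet strings."""
    return bytes(i ^ j for i, j in zip(a, b))


def rotl32(v, n):
    """Rotate a 32-bit value left by n bits."""
    return ((v << n) & MASK32) | (v >> (32 - n))


def salsa20_8(block64):
    """Salsa20/8 core on one 64-octet block.

    The octets <-> sixteen 32-bit words coercion is little-endian by
    definition ("<16I"), not whatever the host CPU happens to use.
    """
    w = struct.unpack("<16I", block64)  # raises if not exactly 64 octets
    x = list(w)
    for _ in range(4):  # 8 rounds = 4 double rounds
        for a, b, c, d in QUARTERS:
            x[b] ^= rotl32((x[a] + x[d]) & MASK32, 7)
            x[c] ^= rotl32((x[b] + x[a]) & MASK32, 9)
            x[d] ^= rotl32((x[c] + x[b]) & MASK32, 13)
            x[a] ^= rotl32((x[d] + x[c]) & MASK32, 18)
    return struct.pack("<16I", *((xi + wi) & MASK32 for xi, wi in zip(x, w)))


def integerify(block, n):
    """Last 64 octets of the block -> little-endian integer, reduced mod N."""
    return int.from_bytes(block[-64:], "little") % n


def block_mix(block, r):
    """scryptBlockMix: here B is 2*r blocks of 64 octets."""
    sub = split(block, 64, 2 * r)
    x, y = sub[-1], []
    for s in sub:
        x = salsa20_8(xor(x, s))
        y.append(x)
    return b"".join(y[0::2] + y[1::2])  # even-indexed blocks, then odd


def ro_mix(block, r, n):
    """scryptROMix: here B is a single vector of 128*r octets."""
    if len(block) != 128 * r:
        raise ValueError(f"expected {128 * r} octets, got {len(block)}")
    x, v = block, []
    for _ in range(n):
        v.append(x)
        x = block_mix(x, r)
    for _ in range(n):
        x = block_mix(xor(x, v[integerify(x, n)]), r)
    return x


def scrypt(password, salt, n, r, p, dklen):
    """scrypt: here B is p vectors of 128*r octets each."""
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two greater than 1")
    b = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * 128 * r)
    mixed = b"".join(ro_mix(chunk, r, n) for chunk in split(b, 128 * r, p))
    return hashlib.pbkdf2_hmac("sha256", password, mixed, 1, dklen)


if __name__ == "__main__":
    # Constructed sample input with deliberately small cost parameters.
    print(scrypt(b"password", b"NaCl", 16, 2, 2, 32).hex())
```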


From nobody Fri Nov 20 12:07:24 2015
Message-ID: <564F7D72.9090400@brocade.com>
Date: Fri, 20 Nov 2015 20:07:14 +0000
From: Paul Aitken <paitken@brocade.com>
To: Benoit Claise <bclaise@cisco.com>, Warren Kumari <warren@kumari.net>, "IETF Security Directorate" <secdir@ietf.org>, <draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org>, "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <564DE0BE.5080200@brocade.com> <20151119153417.GB3518@elstar.local> <564E0170.7010908@cisco.com>
In-Reply-To: <564E0170.7010908@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/piIg32LNhrhjwwbkK5TlcPtVaG0>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.

Benoit, Juergen, Warren,


On 19/11/15 17:05, Benoit Claise wrote:
> On 11/19/2015 4:34 PM, Juergen Schoenwaelder wrote:
>> See my latest suggestion which adds a bunch of references to the third
>> paragraph - which was the original request of the security directorate
>> reviewer.
>>
>>      However, if the exporter is implemented as an SNMP manager
>>      accessing an SNMP agent, it MUST authenticate itself to the SNMP
>>      agent [RFC3414], [RFC5591], [RFC5592], [RFC6353] and the SNMP agent
>>      MUST enforce SNMP access control rules [RFC3415] as required by
>>      the SNMP architecture [RFC 3411].

I've updated the text with this paragraph and added the xrefs as 
Informative (except for 3411, which was already Normative).


>> The additional sentence is somewhat unclear:
>>
>>      [...] An Exporter MUST NOT bypass SNMP access control rules to
>>      export a MIB object for which it is not granted access.
>>
>> Does this apply to any exporter or only to an exporter implemented as
>> an SNMP manager accessing an SNMP agent? In the latter case, I would
>> say this sentence is not needed since the sentence before already says
>> that the SNMP agent MUST enforce SNMP access control rules (and this
>> is the entity that has knowledge about the access control rules).
> Agreed.

+1. I've removed this line.


>> In the former case, more information would be needed since in order to
>> apply SNMP access control rules, you need to have an authenticated
>> identity to work with.
> Note that this is not part of Stephen's DISCUSS.

Good.


So section 10 now reads:

10.  Security Considerations

      For this extension to the IPFIX protocol, the same security
      considerations as for the IPFIX protocol apply [RFC7011].

      If the exporter is generating or capturing the field values itself,
      e.g. using the MIB objects only as an encoding or type mechanism,
      there are no extra security considerations beyond standard IPFIX.

      However, if the exporter is implemented as an SNMP manager accessing
      an SNMP agent, it MUST authenticate itself to the SNMP agent
      [RFC3414], [RFC5591], [RFC5592], [RFC6353], and the SNMP agent MUST
      enforce SNMP access control rules [RFC3415] as required by the SNMP
      architecture [RFC3411].

      The access to particular MIB objects is controlled by the
      configuration of the IPFIX exporter.  This is consistent with the way
      IPFIX controls access to other Information Elements in general.

      The configuration of an IPFIX Exporter determines which MIB objects
      are included in IPFIX Data Records sent to certain collectors.
      Network operators should take care that the only MIB objects which
      are included in IPFIX Data Records are ones which the receiving flow
      collector is allowed to receive.  Note that multiple users may have
      access to the data from the flow collector.



I'll append another paragraph to this to address Stephen Farrell's 
comment on privacy, which I'll discuss in the relevant email thread.


To address Warren's other point:

> I suspect that the MIB Doctors should review this (if they haven't
> already) - while not a MIB, they will probably have useful input.

We've asked Joel (as the sponsoring AD).


Are we all happy that the SecDir points have been addressed?


Thanks,
P.


From nobody Fri Nov 20 19:45:02 2015
In-Reply-To: <564F7D72.9090400@brocade.com>
References: <CAHw9_i+qp7Y1Eu8YiJj6AOUG22NMz=1PCK3k=BkHoxPgxR-8rw@mail.gmail.com> <20151118101339.GA17028@elstar.local> <564CA202.8030605@cisco.com> <564DE0BE.5080200@brocade.com> <20151119153417.GB3518@elstar.local> <564E0170.7010908@cisco.com> <564F7D72.9090400@brocade.com>
Date: Sat, 21 Nov 2015 05:44:58 +0200
Message-ID: <CAHw9_iLd7efhL8horArzucdWvS-K3R1YTOyFbS8qnW80Rjvsuw@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Paul Aitken <paitken@brocade.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/druOl9crjd592VxwNMQSeDZUv0s>
Cc: Benoit Claise <bclaise@cisco.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, draft-ietf-ipfix-mib-variable-export.all@tools.ietf.org, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-ipfix-mib-variable-export.

On Fri, Nov 20, 2015 at 10:07 PM, Paul Aitken <paitken@brocade.com> wrote:
> Benoit, Juergen, Warren,
>
>
> On 19/11/15 17:05, Benoit Claise wrote:
>>
>> On 11/19/2015 4:34 PM, Juergen Schoenwaelder wrote:
>>>
>>> See my latest suggestion which adds a bunch of references to the third
>>> paragraph - which was the original request of the security directorate
>>> reviewer.
>>>
>>>      However, if the exporter is implemented as an SNMP manager
>>>      accessing an SNMP agent, it MUST authenticate itself to the SNMP
>>>      agent [RFC3414], [RFC5591], [RFC5592], [RFC6353] and the SNMP agent
>>>      MUST enforce SNMP access control rules [RFC3415] as required by
>>>      the SNMP architecture [RFC 3411].
>
>
> I've updated the text with this paragraph and added the xrefs as Informative
> (except for 3411, which was already Normative).
>
>
>>> The additional sentence is somewhat unclear:
>>>
>>>      [...] An Exporter MUST NOT bypass SNMP access control rules to
>>>      export a MIB object for which it is not granted access.
>>>
>>> Does this apply to any exporter or only to an exporter implemented as
>>> an SNMP manager accessing an SNMP agent? In the latter case, I would
>>> say this sentence is not needed since the sentence before already says
>>> that the SNMP agent MUST enforce SNMP access control rules (and this
>>> is the entity that has knowledge about the access control rules).
>>
>> Agreed.
>
>
> +1. I've removed this line.
>
>
>>> In the former case, more information would be needed since in order to
>>> apply SNMP access control rules, you need to have an authenticated
>>> identity to work with.
>>
>> Note that this is not part of Stephen's DISCUSS.
>
>
> Good.
>
>
> So section 10 now reads:
>
> 10.  Security Considerations
>
>      For this extension to the IPFIX protocol, the same security
>      considerations as for the IPFIX protocol apply [RFC7011].
>
>      If the exporter is generating or capturing the field values itself,
>      e.g. using the MIB objects only as an encoding or type mechanism,
>      there are no extra security considerations beyond standard IPFIX.
>
>      However, if the exporter is implemented as an SNMP manager accessing
>      an SNMP agent, it MUST authenticate itself to the SNMP agent
>      [RFC3414], [RFC5591], [RFC5592], [RFC6353], and the SNMP agent MUST
>      enforce SNMP access control rules [RFC3415] as required by the SNMP
>      architecture [RFC3411].
>
>      The access to particular MIB objects is controlled by the
>      configuration of the IPFIX exporter.  This is consistent with the way
>      IPFIX controls access to other Information Elements in general.
>
>      The configuration of an IPFIX Exporter determines which MIB objects
>      are included in IPFIX Data Records sent to certain collectors.
>      Network operators should take care that the only MIB objects which
>      are included in IPFIX Data Records are ones which the receiving flow
>      collector is allowed to receive.  Note that multiple users may have
>      access to the data from the flow collector.
>
>
>
> I'll append another paragraph to this to address Stephen Farrell's comment
> on privacy, which I'll discuss in the relevant email thread.
>
>
> To address Warren's other point:
>
>> I suspect that the MIB Doctors should review this (if they haven't
>> already) - while not a MIB, they will probably have useful input.
>
>
> We've asked Joel (as the sponsoring AD).
>
>
> Are we all happy that the SecDir points have been addressed?
>

I'm happy. Thanks for taking this so seriously,
W

>
> Thanks,
> P.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


From nobody Sun Nov 22 22:54:17 2015
Message-ID: <BLU436-SMTP244F0485378ADA75287E88B88070@phx.gbl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3FC4AAB1-B2E3-4A87-AB95-98E5B2E699FC"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Dacheng <zhang_dacheng@hotmail.com>
In-Reply-To: <564AF000.4080705@fkie.fraunhofer.de>
Date: Mon, 23 Nov 2015 14:53:50 +0800
References: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl> <564AF000.4080705@fkie.fraunhofer.de>
To: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TWTugzemZFLGmG5Thhn5SgMER6E>
Cc: draft-ietf-manet-olsrv2-dat-metric.all@ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir Review of draft-ietf-manet-olsrv2-dat-metric-08

--Apple-Mail=_3FC4AAB1-B2E3-4A87-AB95-98E5B2E699FC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"


On 17 Nov 2015, at 5:14 PM, Henning Rogge <henning.rogge@fkie.fraunhofer.de> wrote:

> On 11/15/2015 08:40 AM, Dacheng wrote:
>> Dear all,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>>
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> This draft is about a new routing metric for OLSRv2.
>>
>>
>> Technical questions/comments:
>>
>> 1) In this draft, “RFC5444 packet” can be found in many places. I didn’t
>> find the definition of this term. Do you indicate this solution may need
>> to process a packet which is not specified in OLSRv2?
>
> The header of the Terminology Section contains the following paragraph:
>
>   The terminology introduced in [RFC5444], [RFC7181] and [RFC6130],
>   including the terms "packet", "message" and "TLV" are to be
>   interpreted as described therein.
>
> Do you think this paragraph needs to be improved or extended?
Ok, I think 'a packet specified in RFC5444' looks better. But it is not a big problem.

>
>> 2) There is a good security consideration section in RFC 7181. Since
>> this draft is closely related to OLSRv2 (although this work does not
>> specify any new message or TLV), it will be good to build the security
>> considerations of this work based upon what has been discussed in
>> RFC7181. For example, maybe the authors could say ’there will be some
>> new security issues introduced by this work but not mentioned in RFC
>> 7181, there will be some security issues if we only use the mandatory
>> security mechanism specified in RFC7181, or our work does not introduce
>> any additional security issues..
>
>

>
>> 3) This question is about the last sentence in the security
>> consideration—“The signature scheme described in [RFC7183] does not
>> protect the additional sequence number of the DAT metric because it does
>> only sign the RFC5444 messages, not the RFC5444 packet header.” First of
>> all, there is no signature mechanism specified in RFC7183, only HMAC is
>> used to protect the message integrity. In addition, the RFC7183 reuse
>> the process specified in RFC7182 to generate hashes, and so it should be
>> able to cover the message headers.   Open for discussion.
>
> RFC7183 introduces a RFC5444 message level integrity protection
> extension for RFC7181 (OLSRv2), based on the ICV Message TLV defined in
> RFC7182 (see section 9.1 of RFC7182).
>
> The ICV Message TLV does NOT protect the PACKET header fields of
> RFC5444 packets, including the RFC5444 packet sequence number.

I see and you are right. The only comment about this sentence is not to
use “security mechanism” instead of “signature mechanism” because only a
HMAC mechanism is specified in RFC 7183.


>
>> Editorial:
>>
>> Section 2:
>>
>> MAX(a,b) -> MAX(a, b)
>>
>> Section 3:
>>
>> The administrator should take care that link layer multicast
>> transmission do not not have ->  The administrator should take care that
>> link layer multicast transmission do not have
>>
>> Section 4:
>>
>> The routing decision of most operation systems don't take packet size
>> into account. -> The routing decisions of most operation systems don't
>> take packet size into account.
>>
>> Section 7:
>>
>> with a very slow or very fast linklayer -> with a very slow or very fast
>> link layer
>
> Will be fixed in the next revision.
>
> Henning Rogge
>
> --
> Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
> Kommunikation, Informationsverarbeitung und Ergonomie FKIE
> Kommunikationssysteme (KOM)
> Fraunhofer Straße 20, 53343 Wachtberg, Germany
> Telefon +49 228 9435-961,   Fax +49 228 9435 685
> mailto:henning.rogge@fkie.fraunhofer.de http://www.fkie.fraunhofer.de


--Apple-Mail=_3FC4AAB1-B2E3-4A87-AB95-98E5B2E699FC--


From nobody Sun Nov 22 23:04:52 2015
Message-ID: <BLU436-SMTP8927E2E6FAC81702121D7588070@phx.gbl>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B6151869-99DB-4A37-B450-8750773BCA4A"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Dacheng <zhang_dacheng@hotmail.com>
In-Reply-To: <564AF000.4080705@fkie.fraunhofer.de>
Date: Mon, 23 Nov 2015 15:04:26 +0800
References: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl> <564AF000.4080705@fkie.fraunhofer.de>
To: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/xKK5ulJNwgs5IBU8G1I4VijFjdA>
Cc: draft-ietf-manet-olsrv2-dat-metric.all@ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir Review of draft-ietf-manet-olsrv2-dat-metric-08

--Apple-Mail=_B6151869-99DB-4A37-B450-8750773BCA4A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Sorry for sending out an unfinished email by mistake. See my comments
inline, please.

On 17 Nov 2015, at 5:14 PM, Henning Rogge <henning.rogge@fkie.fraunhofer.de> wrote:

> On 11/15/2015 08:40 AM, Dacheng wrote:
>> Dear all,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>>
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> This draft is about a new routing metric for OLSRv2.
>>
>>
>> Technical questions/comments:
>>
>> 1) In this draft, “RFC5444 packet” can be found in many places. I didn’t
>> find the definition of this term. Do you indicate this solution may need
>> to process a packet which is not specified in OLSRv2?
>
> The header of the Terminology Section contains the following paragraph:
>
>   The terminology introduced in [RFC5444], [RFC7181] and [RFC6130],
>   including the terms "packet", "message" and "TLV" are to be
>   interpreted as described therein.
>
> Do you think this paragraph needs to be improved or extended?

Ok, I think 'a packet specified in RFC5444' looks better. But it is not
a big problem.
>
>> 2) There is a good security consideration section in RFC 7181. Since
>> this draft is closely related to OLSRv2 (although this work does not
>> specify any new message or TLV), it will be good to build the security
>> considerations of this work based upon what has been discussed in
>> RFC7181. For example, maybe the authors could say 'there will be some
>> new security issues introduced by this work but not mentioned in RFC
>> 7181, there will be some security issues if we only use the mandatory
>> security mechanism specified in RFC7181, or our work does not introduce
>> any additional security issues'.
>
> I think my security considerations section explicitly says (in the
> last sentence) that the Mandatory Security Mechanism for OLSRv2
> (RFC7183) does NOT protect against modified packet sequence numbers.

It is fine. I just tried to give some comments to make this section
look better, and I understand your point. In addition, maybe you could
mention at the end of the first paragraph that the methods of protecting
against the MITM attacks performed by rogue routers are out of scope.
>
>> 3) This question is about the last sentence in the security
>> consideration: “The signature scheme described in [RFC7183] does not
>> protect the additional sequence number of the DAT metric because it does
>> only sign the RFC5444 messages, not the RFC5444 packet header.” First of
>> all, there is no signature mechanism specified in RFC7183, only HMAC is
>> used to protect the message integrity. In addition, the RFC7183 reuses
>> the process specified in RFC7182 to generate hashes, and so it should be
>> able to cover the message headers.   Open for discussion.
>
> RFC7183 introduces a RFC5444 message level integrity protection
> extension for RFC7181 (OLSRv2), based on the ICV Message TLV defined in
> RFC7182 (see section 9.1 of RFC7182).
>
> The ICV Message TLV does NOT protect the PACKET header fields of
> RFC5444 packets, including the RFC5444 packet sequence number.

Ok, you have answered my second question, and I think you are right.
The first comment about this sentence is to replace “signature
mechanism” with “security mechanism”, because there is only an HMAC
mechanism specified in RFC 7183, right?
>
>> Editorial:
>>
>> Section 2:
>>
>> MAX(a,b) -> MAX(a, b)
>>
>> Section 3:
>>
>> The administrator should take care that link layer multicast
>> transmission do not not have ->  The administrator should take care that
>> link layer multicast transmission do not have
>>
>> Section 4:
>>
>> The routing decision of most operation systems don't take packet size
>> into account. -> The routing decisions of most operation systems don't
>> take packet size into account.
>>
>> Section 7:
>>
>> with a very slow or very fast linklayer -> with a very slow or very fast
>> link layer
>
> Will be fixed in the next revision.
>
> Henning Rogge
>
> --
> Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
> Kommunikation, Informationsverarbeitung und Ergonomie FKIE
> Kommunikationssysteme (KOM)
> Fraunhofer Straße 20, 53343 Wachtberg, Germany
> Telefon +49 228 9435-961,   Fax +49 228 9435 685
> mailto:henning.rogge@fkie.fraunhofer.de http://www.fkie.fraunhofer.de


--Apple-Mail=_B6151869-99DB-4A37-B450-8750773BCA4A--
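
Added example (not part of the original thread or of the draft): a simplified Python model of the point agreed in the message above, that a message-level ICV leaves the RFC 5444 packet header, including the packet sequence number, unauthenticated. The message layout, the ICV placed after the payload, the full-length HMAC-SHA-256 tag, the key and the packet_tag() helper are assumptions made for illustration; this is not a conformant RFC 7182/7183 implementation.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32                    # full HMAC-SHA-256 tag (assumption of this model)
PHAS_SEQNUM = 0x08              # RFC 5444 packet flag: pkt-seq-num is present
PHAS_TLV = 0x04                 # RFC 5444 packet flag: packet TLV block is present
KEY = b"constructed-demo-key"   # constructed sample key


def sign_message(msg_type: int, payload: bytes, key: bytes) -> bytes:
    """Build a message whose ICV covers the message only (header + payload)."""
    # msg-type, msg-flags/msg-addr-length (0x03: no optional fields, IPv4), msg-size
    unsigned = struct.pack("!BBH", msg_type, 0x03, 4 + len(payload)) + payload
    icv = hmac.new(key, unsigned, hashlib.sha256).digest()
    header = struct.pack("!BBH", msg_type, 0x03, 4 + len(payload) + ICV_LEN)
    return header + payload + icv


def verify_message(message: bytes, key: bytes) -> bool:
    """Recompute the ICV over the message with the ICV removed and msg-size adjusted."""
    if len(message) < 4 + ICV_LEN:
        return False
    payload, icv = message[4:-ICV_LEN], message[-ICV_LEN:]
    unsigned = message[:2] + struct.pack("!H", 4 + len(payload)) + payload
    expected = hmac.new(key, unsigned, hashlib.sha256).digest()
    return hmac.compare_digest(icv, expected)


def build_packet(seq_num: int, messages: list) -> bytes:
    """Packet header (version 0, pkt-seq-num present) followed by the messages."""
    return struct.pack("!BH", PHAS_SEQNUM, seq_num) + b"".join(messages)


def parse_packet(data: bytes):
    """Return (pkt-seq-num or None, list of raw messages)."""
    if not data:
        raise ValueError("empty packet")
    flags, offset, seq = data[0] & 0x0F, 1, None
    if flags & PHAS_TLV:
        raise ValueError("packet TLV block is not modelled here")
    if flags & PHAS_SEQNUM:
        if len(data) < 3:
            raise ValueError("truncated packet header")
        (seq,) = struct.unpack_from("!H", data, offset)
        offset += 2
    messages = []
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated message header")
        _, _, size = struct.unpack_from("!BBH", data, offset)
        if size < 4 or offset + size > len(data):
            raise ValueError("bad msg-size")
        messages.append(data[offset:offset + size])
        offset += size
    return seq, messages


def receive(packet: bytes, key: bytes):
    """Return (pkt-seq-num, True if every message ICV verifies)."""
    seq, messages = parse_packet(packet)
    return seq, all(verify_message(m, key) for m in messages)


def packet_tag(packet: bytes, key: bytes) -> bytes:
    """Hypothetical packet-level tag: HMAC over packet header and messages together."""
    return hmac.new(key, packet, hashlib.sha256).digest()


def demo() -> dict:
    msg = sign_message(1, b"constructed message body", KEY)
    original = build_packet(100, [msg])
    # Rewrite only the 2-octet pkt-seq-num in the packet header.
    resequenced = original[:1] + struct.pack("!H", 200) + original[3:]
    # Flip one bit inside the message payload (offset 3 + 4 + 1).
    corrupted = bytearray(original)
    corrupted[8] ^= 0x01
    return {
        "original": receive(original, KEY),
        "resequenced": receive(resequenced, KEY),
        "corrupted": receive(bytes(corrupted), KEY),
        "packet_tag_changes": packet_tag(original, KEY) != packet_tag(resequenced, KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The resequenced packet is accepted with a different sequence number because the message ICV never sees the packet header; only a check that covers the whole packet notices the change.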


From nobody Tue Nov 24 05:24:45 2015
To: Dacheng <zhang_dacheng@hotmail.com>
References: <BLU436-SMTP2489108BA79EA7032F2495A881F0@phx.gbl> <564AF000.4080705@fkie.fraunhofer.de> <BLU436-SMTP8927E2E6FAC81702121D7588070@phx.gbl>
From: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
Message-ID: <56546516.5090409@fkie.fraunhofer.de>
Date: Tue, 24 Nov 2015 14:24:38 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <BLU436-SMTP8927E2E6FAC81702121D7588070@phx.gbl>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms080505090109060609000605"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/rOEmAEjiwFN4sIOX3AdhMJaHcaM>
Cc: draft-ietf-manet-olsrv2-dat-metric.all@ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir Review of draft-ietf-manet-olsrv2-dat-metric-08

--------------ms080505090109060609000605
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

On 23.11.2015 at 08:04, Dacheng wrote:
> It is fine. I just tried to give some comments to make this section
> look better, and I understand your point. In addition, maybe you could
> mention at the end of the first paragraph that the methods of protecting
> against the MITM attacks performed by rogue routers are out of scope.

I will add a sentence mentioning MITM attacks are out of scope.

> Ok, you have answered my second question, and I think you are right.
> The first comment about this sentence is to replace “signature
> mechanism” with “security mechanism”, because there is only an HMAC
> mechanism specified in RFC 7183, right?

RFC7183 uses only a single type of signature described in RFC7182
(SHA256 HMAC).

I will change the wording to "security mechanism".

Henning Rogge

--
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Fraunhofer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:henning.rogge@fkie.fraunhofer.de http://www.fkie.fraunhofer.de


--------------ms080505090109060609000605--


From nobody Tue Nov 24 10:34:34 2015
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 24 Nov 2015 13:34:17 -0500
Message-ID: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
To: draft-ietf-bess-virtual-subnet.all@ietf.org,  "iesg@ietf.org" <iesg@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/daHCfhiD6_jVDm-AFxEiXV4ak8E>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This Informational document describes a straightforward method using
existing BGP/MPLS VPN technology along with ARP/ND proxying to
interconnect parts of an IP subnet spread across two or more data
centers including support of VM migration between data centers. (It
also suggests that bridging techniques be used if non-IP traffic has to
be supported.)

Security:

The Security Considerations section in its entirety is as follows:

   This document doesn't introduce additional security risk to BGP/MPLS
   IP VPN, nor does it provide any additional security feature for BGP/
   MPLS IP VPN.

While I don't think the Security Considerations section of this
Informational document needs to be particularly large or heavy, I
believe there is more to be said. Perhaps points such as the security
of the L2 or IP addresses used by the hosts/servers in the data
centers or the PE devices seeming like ideal concentration points to
observe traffic metadata and content so systems along the lines of
those described here should take that into account.

Other:

While I understand that many disagree with me, I believe that, except
in special circumstances, front page authors should list a postal
address and/or telephone number in the Authors Addresses section as
well as an email address. In my opinion, the Authors Addresses section
of this draft is an example of schlock corner cutting.

Trivia:

Section 1, page 3, item b: "challenge on the forwarding" -> "challenge
to the forwarding".
    item c: "growing by multiples" -> "multiplying"

Section 1, page 4: "infrastructures and their corresponding
experiences" -> "infrastructure and experience".

Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting
as an ARP or ND proxy, a PE router"

I'm not sure what the occurrences of "Infrastructure-as-a-Service
(IaaS)" and "IaaS" add other than buzzword compliance, and I think the
draft would be improved by deleting them.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com


From nobody Tue Nov 24 18:04:00 2015
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>, "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: draft-ietf-bess-virtual-subnet-05 SECDIR Review
Thread-Index: AQHRJubJoyl7jdPptUCMuxAuG7Ys3Z6r+HIQ
Date: Wed, 25 Nov 2015 02:03:49 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
In-Reply-To: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/tM2r9WOK5iAWkA0NKr4y1LPzVVg>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review


From nobody Tue Nov 24 19:36:03 2015
In-Reply-To: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 24 Nov 2015 22:35:45 -0500
Message-ID: <CAF4+nEHa91AoCV=LOZvXYL2A2moNzV3PX6jFqojw1wjGQv6PAQ@mail.gmail.com>
To: Xuxiaohu <xuxiaohu@huawei.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Zha5VeGRZbbwCt6TERbqjHv3y38>
Cc: "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review

Hi Xiaohu,

On Tue, Nov 24, 2015 at 9:03 PM, Xuxiaohu <xuxiaohu@huawei.com> wrote:
> Hi Donald,
>
> Thanks a lot for your review. Please see my response inline.
>
>> -----Original Message-----
>> From: Donald Eastlake [mailto:d3e3e3@gmail.com]
>> Sent: Wednesday, November 25, 2015 2:34 AM
>> To: draft-ietf-bess-virtual-subnet.all@ietf.org; iesg@ietf.org
>> Cc: secdir@ietf.org
>> Subject: draft-ietf-bess-virtual-subnet-05 SECDIR Review
>>
>>...
>>
>> Security:
>>
>> The Security Considerations section in its entirety is as follows:
>>
>>    This document doesn't introduce additional security risk to BGP/MPLS
>>    IP VPN, nor does it provide any additional security feature for BGP/
>>    MPLS IP VPN.
>>
>> While I don't think the Security Considerations section of this Informational
>> document needs to be particularly large or heavy, I believe there is more to be
>> said. Perhaps points such as the security of the L2 or IP addresses used by the
>> hosts/servers in the data centers or the PE devices seeming like ideal
>> concentration points to observe traffic metadata and content so systems along
>> the lines of those described here should take that into account.
>
> How about adding the following text to the security consideration section?
>
> "Since the BGP/MPLS IP VPN signaling is reused without any change, those security considerations as described in [RFC4364] are applicable to this document. Meanwhile, since security issues associated with the NDP are inherited due to the use of NDP proxy, those security considerations and recommendations as described in [RFC6583] are applicable to this document as well."

Adding that would be good. I have read the security considerations
referred to above and they cover most of my concerns. So I would be
satisfied if you added that text.

Thanks for offering to fix all the things below.

Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

>> Other:
>>
>> While I understand that many disagree with me, I believe that, except in special
>> circumstances, front page authors should list a postal address and/or telephone
>> number in the Authors Addresses section as well as an email address. In my
>> opinion, the Authors Addresses section of this draft is an example of schlock
>> corner cutting.
>
> OK, I will fix it.
>
>> Trivia:
>>
>> Section 1, page 3, item b: "challenge on the forwarding" -> "challenge to the
>> forwarding".
>>     item c: "growing by multiples" -> "multiplying"
>
> Will fix it.
>
>> Section 1, page 4: "infrastructures and their corresponding experiences" ->
>> "infrastructure and experience".
>
> Will fix it
>
>> Section 3.4: "Acting as an ARP or ND proxies, a PE routers" -> "Acting as an ARP
>> or ND proxy, a PE router"
>
> Will fix it.
>
>> I'm not sure what the occurrences of "Infrastructure-as-a-Service (IaaS)" and
>> "IaaS" add other than buzzword compliance think the draft would be improved
>> by deleting them.
>
> Will delete them. Thanks a lot again for your review.
>
> Best regards,
> Xiaohu
>
>> Thanks,
>> Donald
>> =============================
>>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>>  155 Beaver Street, Milford, MA 01757 USA  d3e3e3@gmail.com


From nobody Tue Nov 24 19:55:02 2015
Return-Path: <xuxiaohu@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D052D1ACEB8; Tue, 24 Nov 2015 19:55:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level: 
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gjr4nZK527ig; Tue, 24 Nov 2015 19:54:58 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5FED1ACEDA; Tue, 24 Nov 2015 19:54:57 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml401-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CEO42412; Wed, 25 Nov 2015 03:54:55 +0000 (GMT)
Received: from NKGEML402-HUB.china.huawei.com (10.98.56.33) by lhreml401-hub.china.huawei.com (10.201.5.240) with Microsoft SMTP Server (TLS) id 14.3.235.1; Wed, 25 Nov 2015 03:54:55 +0000
Received: from NKGEML512-MBS.china.huawei.com ([169.254.8.64]) by nkgeml402-hub.china.huawei.com ([10.98.56.33]) with mapi id 14.03.0235.001; Wed, 25 Nov 2015 11:54:47 +0800
From: Xuxiaohu <xuxiaohu@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>
Thread-Topic: draft-ietf-bess-virtual-subnet-05 SECDIR Review
Thread-Index: AQHRJubJoyl7jdPptUCMuxAuG7Ys3Z6r+HIQ//+YYICAAIs8EA==
Date: Wed, 25 Nov 2015 03:54:46 +0000
Message-ID: <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52284@NKGEML512-MBS.china.huawei.com>
References: <CAF4+nEHEQoLZY0f9B50xTRLM=_CvWfZO8Bh2uVyWGJp3XDkoJw@mail.gmail.com> <1FEE3F8F5CCDE64C9A8E8F4AD27C19EE0CB52228@NKGEML512-MBS.china.huawei.com> <CAF4+nEHa91AoCV=LOZvXYL2A2moNzV3PX6jFqojw1wjGQv6PAQ@mail.gmail.com>
In-Reply-To: <CAF4+nEHa91AoCV=LOZvXYL2A2moNzV3PX6jFqojw1wjGQv6PAQ@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.111.99.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.56553110.0053, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.8.64, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 95af64cb769781a9c820b80ca14e4cd2
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/wn4vL9jtefbiYnqt5SEXtzJuzZk>
Cc: "draft-ietf-bess-virtual-subnet.all@ietf.org" <draft-ietf-bess-virtual-subnet.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-bess-virtual-subnet-05 SECDIR Review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 03:55:01 -0000

From nobody Wed Nov 25 08:09:02 2015
Return-Path: <stefan@aaa-sec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39CDE1B2E6B for <secdir@ietfa.amsl.com>; Wed, 25 Nov 2015 08:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level: 
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mqVZ0iV6EJWO for <secdir@ietfa.amsl.com>; Wed, 25 Nov 2015 08:08:59 -0800 (PST)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [194.9.95.112]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F3251B2E3C for <secdir@ietf.org>; Wed, 25 Nov 2015 08:08:59 -0800 (PST)
Received: from s314.loopia.se (localhost [127.0.0.1]) by s314.loopia.se (Postfix) with ESMTP id 3D3BE1642281 for <secdir@ietf.org>; Wed, 25 Nov 2015 17:01:33 +0100 (CET)
X-Loopia-Auth: user
X-Loopia-Originating-IP: 90.228.174.201
X-Loopia-User: stefan@fiddler.nu
Received: from s498.loopia.se (unknown [172.21.200.96]) by s314.loopia.se (Postfix) with ESMTP id D755D20068E9; Wed, 25 Nov 2015 17:01:30 +0100 (CET)
Received: from s406.loopia.se (unknown [172.21.200.105]) by s498.loopia.se (Postfix) with ESMTP id 4666D45E630; Wed, 25 Nov 2015 17:01:30 +0100 (CET)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s500.loopia.se ([172.21.200.105]) by s406.loopia.se (s406.loopia.se [172.21.200.136]) (amavisd-new, port 10024) with LMTP id 4nQcrDDqkYk2; Wed, 25 Nov 2015 17:01:29 +0100 (CET)
Received: from [192.168.0.111] (unknown [90.228.174.201]) (Authenticated sender: stefan@fiddler.nu) by s500.loopia.se (Postfix) with ESMTPSA id 0B47BA98501; Wed, 25 Nov 2015 17:01:29 +0100 (CET)
User-Agent: Microsoft-MacOutlook/0.0.0.151105
Date: Wed, 25 Nov 2015 17:01:27 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>, "draft-santesson-auth-context-extension.all@ietf.org" <draft-santesson-auth-context-extension.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Message-Id: <4E62EBD1-F1AE-4FD5-B592-C451EAF64706@aaa-sec.com>
Thread-Topic: [secdir] secdir review of draft-santesson-auth-context-extension-09
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/in9qQjK8nCJUDjrfMIL9JKWFlXI>
Subject: Re: [secdir] secdir review of draft-santesson-auth-context-extension-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 16:09:01 -0000

Hi Matt,

I’m sorry for this late response. I missed it until Stephen Farrel reminded me of this review.




On 19/10/15 19:43, "secdir on behalf of Matt Miller (mamille2)" <secdir-bounces@ietf.org on behalf of mamille2@cisco.com> wrote:

>I have reviewed draft-santesson-auth-context-extension-09 as part of
>the security directorate's ongoing effort to review all IETF
>documents being processed by the  IESG.  These comments were written
>primarily for the benefit of the  security area directors.  Document
>editors and WG chairs should treat  these comments just like any
>other last call comments.
>
>
>SUMMARY:
>
>This document defines two things: 1) a PKIX extension for specifying a
>number of authentication contexts a CA used in issuing the certificate,
>and 2) a SAML-based authentication context.  The authentication
>context(s) are intended to provide additional information to the
>software verifying the certificate on how the subject -- and possibly
>various identifying attributes -- was assured.
>
>I believe this document is almost ready.  I would like to see
>discussion around my major issue.
>
>
>MAJOR ISSUE:
>
>To me, allowing for multiple authentication contexts so generically
>seems ripe for confusion.  Do you have particular scenarios in mind
>for when multiple contexts ought to be present?


This is mainly to keep the specification future proof.

There is however a real possible use case.
This extension is currently used to enhance signing certificates that are issued at the instance of signing using a central signing service.
A signed document may be widely distributed to many relying parties.

If we at some point get into a situation where another context information structure is defined and some applications can use one type and another application can use the other type, then at least we have the option to provide both, making the same signature certificate useful for both systems.

Consequently this also allows for transition to a new context info type even within the same community, taking into account that it is hard to update all systems at the same time.

>
>I speculate one intent behind multiple authentication contexts is to
>represent individual SAML AuthnContextClassRef's (e.g., for
>two-factor authentication).  This model of expression seems
>potentially confusing unless there are further restrictions on the
>sequence of AuthenticationContext instances (e.g., all instances
>SHOULD/MUST be for the same contextType?).

No this is not the intent. The intent is the one described above.

>
>Alternatively, a more radical approach could be to change the
>structure to group all information for a particular contextType into
>the same AuthenticationContext (e.g., sequence of UTF8Strings).

No that would not work. Each context information may need a different type declaration.

>
>
>MINOR ISSUES:
>
>1) I don't see any specific discussion about security considerations
>oriented at issuers of such certificates.  One consideration I can
>imagine is around mixing such outsourced assurance with more
>traditional methods.  I do realize this might look too much like
>dictating CA policy, it seems to me there would be some concerns
>about such mixing, and therefore might be worth at least noting.

I’m not sure I understand what you would like to see here.

All CAs have a registration process where data about the user is received and validated before entered into the certificate.
This extension simply allows the CA to express information about this in the certificate.

I’m not sure how that adds security concerns.


>
>2) I notice that contextInfo is optional.  I assume it is envisioned
>that some contextTypes would not have any contextInfo.  I think it
>would be worthwhile to include some guidance for those that define
>future contextTypes as to when contextInfo is not necessary, or
>consider requiring contextInfo always be present (even if it is
>UTF8String("")) if a missing contextInfo is likely to be rare.  I am
>personally struggling to envision a context type that wouldn't need
>additional information, but I've admittedly not been thinking about
>it much.

It is optional since it is not the place of this standard to impose a certain policy on the CA.
The goal of the CA is to provide sufficient information about the certificate to allow it to be trusted.

The usage of the certificate in the community where it is used knows what information is needed.
It’s very hard on this level of specification to provide any guidance on that.


>
>3) The enforcement of XML (and XML Schema) in Section 2 seems a bit
>odd to me.  It is certainly required for the contextType defined in
>Section 3, but it seems overly restrictive to me for all possible
>contextTypes to be XML.  For instance, I can see a contextType
>defined based on an OpenID-Connect claims token, which is JSON.

At some stage, this was the design. It was eventually abandoned to simplify the design.
JSON was abandoned due to having no defined format for time information and no well developed schema at the time.

>
>Instead of mandating XML in section 2, I suggest the mandate for XML
>be moved to Section 3.  The definition of contextType then simply be
>a URI that describes the type, and that contextInfo (if present) be
>of an appropriate format for (and defined by) the contextType.

I actually agree with you now when looking at this again, I came to the same conclusion.
There might be reasons for using new more compressed data formats, such as CBOR in the future.

This can be done without changing the syntax of the data, which is important given the many independent implementations of this.

>
>4) From my reading, it appears the following is a valid SAML
>contextInfo:
>
>    <saci:SAMLAuthContext
>        xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
>        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
>
>Is this intended?  If so, can you explain what benefit there is to
>such a SAML contextInfo; if not, consider mandating at least one of
><AuthContextInfo/> and/or <IdAttributes/> MUST be present.  I
>understand expressing this is difficult in XML Schema, but it seems
>reasonable to me to add text to that effect in Section 3.1.

There are pros and cons with this. I’m reluctant to change the XML schema given the existing implementations.
This is not a good enough reason for it.

>
>5) In "3.1.1. AuthContextInfo Element", the definition for
>AuthenticationInstant points to a non-existent section 3.3.  Some of
>the examples in Appendix C illustrate XML Schema's dateTime data type
>(XMLSchema-2 § 3.2.7), but I wonder if that is enough and the missing
>section intended to clarify or augment the basics of dateTime.  At
>the least the reference to Section 3.3 needs to be removed.
>


This is fixed in the latest version, and so are th


>
>NITS:
>
>* In "4. Security Considerations", the phrase "may differ form
>certificate to certificate" should be "may differ from certificate to
>certificate".
>
>* In "B.1 XML Schema", ref="saci:AuthContextInfo" and
>ref="saci:IdAttribues" does not specify maxOccurs.  I realize that by
>default maxOccurs=1, but I always find myself looking it up every
>time I deal with XSD.  I find being explicit helps with
>humans understanding.

This will be used for machine processing by compilers, they will get this right.
I’d rather keep what comes out of my XML schema editor than to add things by hand.

Unless this is very important.


>
>
>Thank you for your consideration,


Thanks for this. Sorry for the late response.

/Stefan



From nobody Wed Nov 25 08:50:11 2015
Return-Path: <mamille2@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9D61A1EF1; Wed, 25 Nov 2015 08:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.086
X-Spam-Level: 
X-Spam-Status: No, score=-15.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cU7SbTrFpYhe; Wed, 25 Nov 2015 08:50:07 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5032B1A1EEE; Wed, 25 Nov 2015 08:50:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11667; q=dns/txt; s=iport; t=1448470207; x=1449679807; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=EY7vxyNQQyhOc6qJcYfQlI0Tz0x/5mMmDcKaM4DTFqc=; b=IGBbI7vyDsaDrIf9Eyhp8ek6x8NaR9WkRuuzXOyCWS+bkGVax1Tm9uUg Od/h36Z8rxZgs9m6MXfSTowGaG6BoLyLB2vkbuqtGmLdRdcbfr3wBkhX/ Cl/HdtFie/MUd1QPF4Ke7nqfTemyaE3nJCh+2+NeVbcLBM/+FQbW0T+Je s=;
X-Files: signature.asc : 496
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CyAgDh5VVW/40NJK1egztTbwa+Pw6BZ?= =?us-ascii?q?iGCPoMwAoFAOBQBAQEBAQEBgQqENAEBAQMBI1EFBQsCAQgYFRUCAjIlAgQOBQ4?= =?us-ascii?q?GiBIIDa1okCUBAQEBAQEBAQEBAQEBAQEBAQEBAQEPCYhkgm6FEweCWy+BFQWSb?= =?us-ascii?q?4MoQAGCW4FiaoVUgjmBXBaEK4MmikOEZoNxAR8BQ4QEcgGDYyUcgQcBAQE?=
X-IronPort-AV: E=Sophos;i="5.20,343,1444694400";  d="asc'?scan'208";a="211905984"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 25 Nov 2015 16:50:06 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id tAPGo6eP014795 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 25 Nov 2015 16:50:06 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 25 Nov 2015 10:50:05 -0600
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1104.000; Wed, 25 Nov 2015 10:50:05 -0600
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Stefan Santesson <stefan@aaa-sec.com>
Thread-Topic: [secdir] secdir review of draft-santesson-auth-context-extension-09
Thread-Index: AQHRJ5qSzkTBgVF4c02YL5m/q6/Iip6tWAwA
Date: Wed, 25 Nov 2015 16:50:05 +0000
Message-ID: <B6656B9D-44F0-4149-A85B-C6C953E639D9@cisco.com>
References: <4E62EBD1-F1AE-4FD5-B592-C451EAF64706@aaa-sec.com>
In-Reply-To: <4E62EBD1-F1AE-4FD5-B592-C451EAF64706@aaa-sec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-pgp-agent: GPGMail 2.6b2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.129.24.52]
Content-Type: multipart/signed; boundary="Apple-Mail=_CBA1B53A-2EBA-4FB0-A89A-EA4661E188A8"; protocol="application/pgp-signature"; micalg=pgp-sha512
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/o-Oc-pE1GSv5dnLHtF4-mgMZfkY>
Cc: "draft-santesson-auth-context-extension.all@ietf.org" <draft-santesson-auth-context-extension.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-santesson-auth-context-extension-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 16:50:10 -0000

--Apple-Mail=_CBA1B53A-2EBA-4FB0-A89A-EA4661E188A8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

> On Nov 25, 2015, at 09:01, Stefan Santesson <stefan@aaa-sec.com> wrote:
>
> Hi Matt,
>
> I’m sorry for this late response. I missed it until Stephen Farrel reminded me of this review.
>
>
>
>
> On 19/10/15 19:43, "secdir on behalf of Matt Miller (mamille2)" <secdir-bounces@ietf.org on behalf of mamille2@cisco.com> wrote:
>
>> I have reviewed draft-santesson-auth-context-extension-09 as part of
>> the security directorate's ongoing effort to review all IETF
>> documents being processed by the  IESG.  These comments were written
>> primarily for the benefit of the  security area directors.  Document
>> editors and WG chairs should treat  these comments just like any
>> other last call comments.
>>
>>
>> SUMMARY:
>>
>> This document defines two things: 1) a PKIX extension for specifying a
>> number of authentication contexts a CA used in issuing the certificate,
>> and 2) a SAML-based authentication context.  The authentication
>> context(s) are intended to provide additional information to the
>> software verifying the certificate on how the subject -- and possibly
>> various identifying attributes -- was assured.
>>
>> I believe this document is almost ready.  I would like to see
>> discussion around my major issue.
>>
>>
>> MAJOR ISSUE:
>>
>> To me, allowing for multiple authentication contexts so generically
>> seems ripe for confusion.  Do you have particular scenarios in mind
>> for when multiple contexts ought to be present?
>
>
> This is mainly to keep the specification future proof.
>
> There is however a real possible use case.
> This extension is currently used to enhance signing certificates that are issued at the instance of signing using a central signing service.
> A signed document may be widely distributed to many relying parties.
>
> If we at some point get into a situation where another context information structure is defined and some applications can use one type and another application can use the other type, then at least we have the option to provide both, making the same signature certificate useful for both systems.
>
> Consequently this also allows for transition to a new context info type even within the same community, taking into account that it is hard to update all systems at the same time.
>

Thank you for describing the intent.  It was not clear to me in the document.  I would suggest adding something like the above to be explicit on the intent.

Then I'm concerned about how the processing of this extension changes based on whether it's marked critical.  I'm not sure your intent is compatible with the current text:

   Applications that find an authentication context information type
   they do not understand MUST ignore it if the extension is non-
   critical, and MUST reject the certificate if the extension is marked
   critical. If an application requires that an authentication context
   exist, and either the extension is absent, or none of the provided
   authentication contexts can be used, the end user certificate fails
   validation.

As I read this and the intent, if a CA issues a cert with multiple AuthenticationContexts (one for the SACI typed define therein, and one for some hypothetical "foo" type): if this extension is present and marked critical, and if my software understands SACI but not "foo", my software is to reject.

Also, what does it mean if there are AuthenticationContexts of type SACI present?

>>
>> I speculate one intent behind multiple authentication contexts is to
>> represent individual SAML AuthnContextClassRef's (e.g., for
>> two-factor authentication).  This model of expression seems
>> potentially confusing unless there are further restrictions on the
>> sequence of AuthenticationContext instances (e.g., all instances
>> SHOULD/MUST be for the same contextType?).
>
> No this is not the intent. The intent is the one described above.
>
>>
>> Alternatively, a more radical approach could be to change the
>> structure to group all information for a particular contextType into
>> the same AuthenticationContext (e.g., sequence of UTF8Strings).
>
> No that would not work. Each context information may need a different type declaration.
>

I think this is moot given the intent.

>>
>>
>> MINOR ISSUES:
>>
>> 1) I don't see any specific discussion about security considerations
>> oriented at issuers of such certificates.  One consideration I can
>> imagine is around mixing such outsourced assurance with more
>> traditional methods.  I do realize this might look too much like
>> dictating CA policy, it seems to me there would be some concerns
>> about such mixing, and therefore might be worth at least noting.
>
> I’m not sure I understand what you would like to see here.
>
> All CAs have a registration process where data about the user is received and validated before entered into the certificate.
> This extension simply allows the CA to express information about this in the certificate.
>
> I’m not sure how that adds security concerns.
>

To be fair, I can't remember now what I'd like to see (-:

Please ignore this one.

>
>>
>> 2) I notice that contextInfo is optional.  I assume it is envisioned
>> that some contextTypes would not have any contextInfo.  I think it
>> would be worthwhile to include some guidance for those that define
>> future contextTypes as to when contextInfo is not necessary, or
>> consider requiring contextInfo always be present (even if it is
>> UTF8String("")) if a missing contextInfo is likely to be rare.  I am
>> personally struggling to envision a context type that wouldn't need
>> additional information, but I've admittedly not been thinking about
>> it much.
>
> It is optional since it is not the place of this standard to impose a certain policy on the CA.
> The goal of the CA is to provide sufficient information about the certificate to allow it to be trusted.
>
> The usage of the certificate in the community where it is used knows what information is needed.
> It’s very hard on this level of specification to provide any guidance on that.
>

I don't understand how this is dictating policy; I see it as providing recommendations to those that define future context types.

I note that the SACI contextType therein mandates that contextInfo not be empty (When this URI is specified as contextType, then associated XML data MUST be provided in contextInfo).

>
>>
>> 3) The enforcement of XML (and XML Schema) in Section 2 seems a bit
>> odd to me.  It is certainly required for the contextType defined in
>> Section 3, but it seems overly restrictive to me for all possible
>> contextTypes to be XML.  For instance, I can see a contextType
>> defined based on an OpenID-Connect claims token, which is JSON.
>
> At some stage, this was the design. It was eventually abandoned to simplify the design.
> JSON was abandoned due to having no defined format for time information and no well developed schema at the time.
>

I'm not suggesting that you support JSON now; this was just meant to be an example for some future "foo" contextType.

>>
>> Instead of mandating XML in section 2, I suggest the mandate for XML
>> be moved to Section 3.  The definition of contextType then simply be
>> a URI that describes the type, and that contextInfo (if present) be
>> of an appropriate format for (and defined by) the contextType.
>
> I actually agree with you now when looking at this again, I came to the same conclusion.
> There might be reasons for using new more compressed data formats, such as CBOR in the future.
>
> This can be done without changing the syntax of the data, which is important given the many independent implementations of this.
>

Great!

>>
>> 4) From my reading, it appears the following is a valid SAML
>> contextInfo:
>>
>>   <saci:SAMLAuthContext
>>       xmlns:saci="http://id.elegnamnden.se/auth-cont/1.0/saci"
>>       xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
>>
>> Is this intended?  If so, can you explain what benefit there is to
>> such a SAML contextInfo; if not, consider mandating at least one of
>> <AuthContextInfo/> and/or <IdAttributes/> MUST be present.  I
>> understand expressing this is difficult in XML Schema, but it seems
>> reasonable to me to add text to that effect in Section 3.1.
>
> There are pros and cons with this. I’m reluctant to change the XML schema given the existing implementations.
> This is not a good enough reason for it.
>

Then can you add some of those pros and cons to the document?  I think it would greatly benefit implementers that need to validate such certificates.

>>
>> 5) In "3.1.1. AuthContextInfo Element", the definition for
>> AuthenticationInstant points to a non-existent section 3.3.  Some of
>> the examples in Appendix C illustrate XML Schema's dateTime data type
>> (XMLSchema-2 § 3.2.7), but I wonder if that is enough and the missing
>> section intended to clarify or augment the basics of dateTime.  At
>> the least the reference to Section 3.3 needs to be removed.
>>
>
>
> This is fixed in the latest version, and so are th
>
>
>>
>> NITS:
>>
>> * In "4. Security Considerations", the phrase "may differ form
>> certificate to certificate" should be "may differ from certificate to
>> certificate".
>>
>> * In "B.1 XML Schema", ref="saci:AuthContextInfo" and
>> ref="saci:IdAttribues" does not specify maxOccurs.  I realize that by
>> default maxOccurs=1, but I always find myself looking it up every
>> time I deal with XSD.  I find being explicit helps with
>> humans understanding.
>
> This will be used for machine processing by compilers, they will get this right.
> I’d rather keep what comes out of my XML schema editor than to add things by hand.
>
> Unless this is very important.
>

I see it as a nit, but something my experience with the XMPP Standards Foundation leads me to do for my own documents.

>
>>
>>
>> Thank you for your consideration,
>
>
> Thanks for this. Sorry for the late response.
>
And thank you for responding!

--
- m&m

Matt Miller
Cisco Systems, Inc.
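
The check proposed in item 4 above, as an added example that is not part of the original message or of the draft: a relying-party validator that rejects a schema-valid `SAMLAuthContext` carrying neither `AuthContextInfo` nor `IdAttributes`. The namespace URI and element names are those quoted in the message; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URI and element names as quoted in the review above.
SACI_NS = "http://id.elegnamnden.se/auth-cont/1.0/saci"
ROOT = "{%s}SAMLAuthContext" % SACI_NS
CHILDREN = ("{%s}AuthContextInfo" % SACI_NS, "{%s}IdAttributes" % SACI_NS)


class ContextInfoError(ValueError):
    """The contextInfo value failed the relying party's checks."""


def check_context_info(xml_text):
    """Return the local names of the informative children that are present.

    Raises ContextInfoError when the document is not a SAMLAuthContext,
    repeats a child (the schema default is maxOccurs=1), or is the empty
    element that the schema permits but that tells a relying party nothing.
    """
    # A contextInfo value never needs a DTD; refusing one up front keeps
    # entity declarations away from the parser.
    if "<!DOCTYPE" in xml_text:
        raise ContextInfoError("DOCTYPE not allowed in contextInfo")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ContextInfoError("not well-formed XML: %s" % exc) from exc
    if root.tag != ROOT:
        raise ContextInfoError("unexpected root element %r" % root.tag)

    present = []
    for tag in CHILDREN:
        # findall() with a qualified name matches direct children only, so
        # an unqualified or foreign-namespace look-alike is not counted.
        count = len(root.findall(tag))
        if count > 1:
            raise ContextInfoError("%s occurs %d times" % (tag, count))
        if count == 1:
            present.append(tag.split("}", 1)[1])
    if not present:
        raise ContextInfoError(
            "SAMLAuthContext carries neither AuthContextInfo nor IdAttributes")
    return present


def is_acceptable(xml_text):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_context_info(xml_text)
    except ContextInfoError:
        return False
    return True


# Sample inputs, constructed for this example.
_OPEN = '<saci:SAMLAuthContext xmlns:saci="%s"' % SACI_NS
EMPTY = _OPEN + "/>"                                   # the case from item 4
ONLY_ID_ATTRIBUTES = _OPEN + "><saci:IdAttributes/></saci:SAMLAuthContext>"
BOTH = (_OPEN + "><saci:AuthContextInfo/><saci:IdAttributes/>"
        "</saci:SAMLAuthContext>")
UNQUALIFIED_CHILD = _OPEN + "><AuthContextInfo/></saci:SAMLAuthContext>"
REPEATED_CHILD = (_OPEN + "><saci:IdAttributes/><saci:IdAttributes/>"
                  "</saci:SAMLAuthContext>")

if __name__ == "__main__":
    for name in ("EMPTY", "ONLY_ID_ATTRIBUTES", "BOTH",
                 "UNQUALIFIED_CHILD", "REPEATED_CHILD"):
        print(name, "accepted" if is_acceptable(globals()[name]) else "rejected")
```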



--Apple-Mail=_CBA1B53A-2EBA-4FB0-A89A-EA4661E188A8
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="signature.asc"
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Message signed with OpenPGP using GPGMail


--Apple-Mail=_CBA1B53A-2EBA-4FB0-A89A-EA4661E188A8--


From nobody Thu Nov 26 03:47:21 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 712501A1A24 for <secdir@ietfa.amsl.com>; Thu, 26 Nov 2015 03:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.778
X-Spam-Level: 
X-Spam-Status: No, score=0.778 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8s4PPlpzM0kT for <secdir@ietfa.amsl.com>; Thu, 26 Nov 2015 03:47:17 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 745F31A1A17 for <secdir@ietf.org>; Thu, 26 Nov 2015 03:47:16 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id tAQBlCTV020163 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <secdir@ietf.org>; Thu, 26 Nov 2015 13:47:12 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id tAQBlC78021332; Thu, 26 Nov 2015 13:47:12 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22102.61760.164083.188197@fireball.acr.fi>
Date: Thu, 26 Nov 2015 13:47:12 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: secdir@ietf.org
X-Edit-Time: 1 min
X-Total-Time: 0 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/kjYyGaPKSVe3jrbbDiMgqs7vyTc>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 11:47:20 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Sandy Murphy is next in the rotation.

For telechat 2015-12-03

Reviewer                 LC end     Draft
Derek Atkins           T 2015-11-15 draft-ietf-softwire-dslite-mib-12
John Bradley           T 2015-11-15 draft-ietf-softwire-mesh-mib-12
Shaun Cooley           T 2015-11-24 draft-ietf-avtcore-rtp-multi-stream-10
Alan DeKok             T 2015-11-24 draft-ietf-avtcore-rtp-multi-stream-optimisation-09
Daniel Kahn Gillmor    T 2015-11-24 draft-ietf-l2vpn-vpls-pe-etree-10
Phillip Hallam-Baker   T 2015-11-26 draft-ietf-clue-framework-24
Chris Inacio           T 2015-10-02 draft-ietf-lwig-ikev2-minimal-05


For telechat 2015-12-17

Olafur Gudmundsson     T 2015-12-04 draft-ietf-bess-mvpn-extranet-04
Paul Hoffman           T 2015-12-04 draft-ietf-abfab-aaa-saml-12
Russ Housley           T 2015-12-15 draft-ietf-httpauth-scram-auth-11
Benjamin Kaduk         T 2015-12-09 draft-ietf-jose-jws-signing-input-options-06
Charlie Kaufman        T 2015-12-04 draft-ietf-kitten-rfc4402bis-01
Matt Lepinski          T 2015-12-15 draft-ietf-oauth-pop-architecture-06
Chris Lonvick          T 2015-12-15 draft-ietf-oauth-proof-of-possession-07
Alexey Melnikov        T 2015-12-04 draft-ietf-xrblock-rtcp-xr-video-lc-05
Matthew Miller         T 2015-12-04 draft-ietf-tls-cached-info-20
Adam Montville         T 2015-12-04 draft-ietf-uta-email-tls-certs-05

Last calls and special requests:

Dave Cridland            2015-11-23 draft-ietf-dnsop-rfc6598-rfc6303-05
Donald Eastlake          2015-09-11 draft-ietf-dane-openpgpkey-05
Shawn Emery              2015-11-23 draft-ietf-dnsop-qname-minimisation-07
Daniel Kahn Gillmor    E None       draft-ietf-rtcweb-security-08
Steve Hanna              2015-11-30 draft-ietf-dnsop-edns-tcp-keepalive-04
Sam Hartman              2015-12-04 draft-ietf-appsawg-http-problem-01
Christian Huitema        2015-12-09 draft-ietf-avtcore-multi-media-rtp-session-11
Jeffrey Hutzelman        2015-12-04 draft-ietf-core-block-18
Chris Inacio             2015-12-07 draft-ietf-dnsop-5966bis-04
Leif Johansson           2015-12-04 draft-ietf-eppext-keyrelay-10
Simon Josefsson          2015-12-04 draft-ietf-eppext-tmch-smd-03
Scott Kelly              2015-12-09 draft-ietf-nfsv4-minorversion2-39
Tero Kivinen             2015-12-04 draft-ietf-httpbis-legally-restricted-status-04
Warren Kumari            2015-12-09 draft-ietf-nfsv4-minorversion2-dot-x-39
Ben Laurie               2015-12-09 draft-ietf-nfsv4-rpcsec-gssv3-13
David Mandelberg       E None       draft-ietf-pce-pceps-06
Catherine Meadows      E None       draft-ietf-sfc-control-plane-02
Russ Mundy               2015-12-21 draft-leiba-netmod-regpolicy-update-01
Brian Weis             E None       draft-ietf-cdni-uri-signing-05
-- 
kivinen@iki.fi


From nobody Thu Nov 26 04:37:16 2015
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 720E71A8A92; Thu, 26 Nov 2015 04:37:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.579
X-Spam-Level: *
X-Spam-Status: No, score=1.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGiQL_NyR4nz; Thu, 26 Nov 2015 04:37:11 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697A51A8969; Thu, 26 Nov 2015 04:37:11 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.1/8.14.8) with ESMTPS id tAQCb8qF015126 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 26 Nov 2015 14:37:08 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.1/8.14.8/Submit) id tAQCb8Rh011191; Thu, 26 Nov 2015 14:37:08 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22102.64756.382780.262773@fireball.acr.fi>
Date: Thu, 26 Nov 2015 14:37:08 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org
X-Edit-Time: 9 min
X-Total-Time: 10 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/eqMvqGliRVHv2RJjYZ5GecCVAsE>
Subject: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 12:37:12 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document adds new status code 451 which says that document is
unavailable for legal reasons. It correctly points out that some
entities blocking access might not want to tell that they are blocking
this, so clients cannot rely on this, and also points out that users
might be able to bypass the restrictions using VPNs or TORs.

Summary: Ready.

I just wonder why did the example singled out "the People's Front of
Judea", and did not include "the Judean People's Front", "the Judean
Popular People's Front", "the Campaign for a Free Galilee", and "the
Popular Front of Judea".... :-)
-- 
kivinen@iki.fi


From nobody Thu Nov 26 04:53:42 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32AA81B2B7F; Thu, 26 Nov 2015 04:53:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrztOrOVSxfH; Thu, 26 Nov 2015 04:53:36 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B882C1B2B7E; Thu, 26 Nov 2015 04:53:35 -0800 (PST)
Received: by wmww144 with SMTP id w144so20421713wmw.1; Thu, 26 Nov 2015 04:53:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=7LMLkvXGO/7ukX/xsqqasuOrZqn9S8OHNND3OF39ZMg=; b=nnB6ao6b05vbSpUYyiX6iWiIWQAaOOYQ8LsopQwwKgYspK7ElIVRWbDJPVSP9dRAXI 5ECpJ75WECGrdD3YTEwqua6IcfBPKAeFRZTRE0MKHkEl3ZN+D5llsB+WDmIUJGXYEDRj CwrujigPMexz6fwB1ScEdMjSrLmE4kHguN/gysGFh7Gqv19MV8dt7rMIXEvONiMLtSl4 20ChnqH0vG86ScLFQZcPNlpGXXUDfi+eaIs+vDIVqbg5cCTk1JxZmlzYol554ky4bHZX xSzAbZklcPwzEQySWzspjtDBTILNYAA0fajBmYqjqec2DKKqROafUNVYtt6fcKhAMFu7 BvHw==
X-Received: by 10.28.97.197 with SMTP id v188mr3757876wmb.63.1448542414293; Thu, 26 Nov 2015 04:53:34 -0800 (PST)
Received: from [172.24.251.173] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id q1sm27890900wje.39.2015.11.26.04.53.32 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Nov 2015 04:53:33 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <22102.64756.382780.262773@fireball.acr.fi>
Date: Thu, 26 Nov 2015 14:53:31 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com>
References: <22102.64756.382780.262773@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/atmZNmJthmK_S_uLhJGvJcnMqu0>
Cc: draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 12:53:37 -0000

> On 26 Nov 2015, at 2:37 PM, Tero Kivinen <kivinen@iki.fi> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document adds new status code 451 which says that document is
> unavailable for legal reasons. It correctly points out that some
> entities blocking access might not want to tell that they are blocking
> this, so clients cannot rely on this, and also points out that users
> might be able to bypass the restrictions using VPNs or TORs.
>
> Summary: Ready.
>
> I just wonder why did the example singled out "the People's Front of
> Judea", and did not include "the Judean People's Front", "the Judean
> Popular People's Front", "the Campaign for a Free Galilee", and "the
> Popular Front of Judea".... :-)

Because the only people we hate more than the Romans, are the fucking Judean People's Front.


From nobody Thu Nov 26 07:44:06 2015
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A1BF1B3B45; Thu, 26 Nov 2015 07:44:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.686
X-Spam-Level: 
X-Spam-Status: No, score=-0.686 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dmx7fox8tzkT; Thu, 26 Nov 2015 07:44:02 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CF051B3B36; Thu, 26 Nov 2015 07:44:02 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3p63KX0gHVz20q; Thu, 26 Nov 2015 16:44:00 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=Hlw29qdS
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id vcmMAlwMHMnF; Thu, 26 Nov 2015 16:43:59 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 26 Nov 2015 16:43:59 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPS id E9CA680096; Thu, 26 Nov 2015 10:43:57 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1448552637; bh=zxZljZwcXr0ZQmrP0yXk6sHR02Jo675aCB/PI2h1lnI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Hlw29qdSGwruX67Q4KI9EWDb7uNKRmuAZblT9ROLK0e0OS3RrDo6xxmvu9gEQUxCz 9UCwBV/f5zY5HAaC8URvKRR+VoV2PJtXTMWIjfXnRJG8jk9YrSYW55BsT21iXldOaB MTCxm+S415E5+Uil+yUcgTYphO2Spzb1WAo39+T4=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.2/8.15.2/Submit) with ESMTP id tAQFhvAP013615; Thu, 26 Nov 2015 10:43:57 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Thu, 26 Nov 2015 10:43:56 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com>
Message-ID: <alpine.LFD.2.20.1511261043180.8897@bofh.nohats.ca>
References: <22102.64756.382780.262773@fireball.acr.fi> <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/c6pQKsEKD3jKSV7zzOfZJuWPpYE>
Cc: draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 15:44:05 -0000

On Thu, 26 Nov 2015, Yoav Nir wrote:

>> I just wonder why did the example singled out "the People's Front of
>> Judea", and did not include "the Judean People's Front", "the Judean
>> Popular People's Front", "the Campaign for a Free Galilee", and "the
>> Popular Front of Judea".... :-)
>
> Because the only people we hate more than the Romans, are the fucking Judean People's Front.

Please people! We are _all_ individuals!

Paul


From nobody Thu Nov 26 08:45:58 2015
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D60191B2BCF; Thu, 26 Nov 2015 08:45:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EfY2_MBGoVVJ; Thu, 26 Nov 2015 08:45:51 -0800 (PST)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604371B2BCE; Thu, 26 Nov 2015 08:45:51 -0800 (PST)
Received: by wmec201 with SMTP id c201so29274648wme.1; Thu, 26 Nov 2015 08:45:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=TY2uEsV4DXYBBFSgwwMvnTytbYS+fVh+udBOOXPssWs=; b=qkAssjyoKhfSk3OAowxFLXVlKOn1rHHqRD76V1h9g03ZVZ2JmqTaBFxw29L6+zZI3l /U6/o56/HG1qBbpxE5kkRpD8a6lsITFtWuWESXyFnzsJHDe0BlAUPgpm+owa7/7za5nV Oivf7iNLLSX+fNJkGItLWHuPs71iPa9A3OCYBXGormNykCAkW8I/vHafIyRnQ4oohovk a/q+BTokjAlP+brDSPMI3EZ/75TxMjn1WeC746BN6V89Uor+5b8/YoU68EUbP9lrdwg4 vuuv14QLpRBTIWUXdI//SLFwUC59gCEyaCRhDXeYkbqt2xrArjOyRlxNmbFnsAd0Vn5A rUpg==
X-Received: by 10.28.222.138 with SMTP id v132mr5016008wmg.23.1448556349942; Thu, 26 Nov 2015 08:45:49 -0800 (PST)
Received: from [192.168.137.224] ([176.13.17.187]) by smtp.gmail.com with ESMTPSA id w141sm3437420wmw.24.2015.11.26.08.45.40 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Nov 2015 08:45:48 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <alpine.LFD.2.20.1511261043180.8897@bofh.nohats.ca>
Date: Thu, 26 Nov 2015 18:45:24 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E4D82102-F1DB-450D-A2F6-6B09A75E690A@gmail.com>
References: <22102.64756.382780.262773@fireball.acr.fi> <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com> <alpine.LFD.2.20.1511261043180.8897@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Du3yG7Ebsex8LNeIAJ0rwTM5RxM>
Cc: draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2015 16:45:53 -0000

> On 26 Nov 2015, at 5:43 PM, Paul Wouters <paul@nohats.ca> wrote:
>
> On Thu, 26 Nov 2015, Yoav Nir wrote:
>
>>> I just wonder why did the example singled out "the People's Front of
>>> Judea", and did not include "the Judean People's Front", "the Judean
>>> Popular People's Front", "the Campaign for a Free Galilee", and "the
>>> Popular Front of Judea".... :-)
>>
>> Because the only people we hate more than the Romans, are the fucking Judean People's Front.
>
> Please people! We are _all_ individuals!

I’m not.


From nobody Fri Nov 27 14:53:44 2015
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C77EE1B2D84; Fri, 27 Nov 2015 14:53:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.95
X-Spam-Level: 
X-Spam-Status: No, score=0.95 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_kBCyAhneTR; Fri, 27 Nov 2015 14:53:41 -0800 (PST)
Received: from mail-ob0-x22a.google.com (mail-ob0-x22a.google.com [IPv6:2607:f8b0:4003:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94C511B2D80; Fri, 27 Nov 2015 14:53:41 -0800 (PST)
Received: by obbbj7 with SMTP id bj7so90700350obb.1; Fri, 27 Nov 2015 14:53:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=DWqcM/z8oUrFtgaJfjMUt1F/tarHnBdDUyd7H9QWAs8=; b=Hwa6LaOsVjXjfSRzh/jqDd1Zxa8hfLKqv4R/odqXzn2HZKqpXaBbOuKW9i/rS7xr+1 4DcWIUNGo3EMjndYLUS5bddWZoEUx9iZ+FeFZ27+k/SDCM7GF9XnHgfi/tYViL7nMjB7 xbuLJNcvTVWp29J1rZuSCLZAYl1niqtCb3q753uL3tJrkiFFF3LBIUWRgBq642zw7Zrr DivAykQ3fjt/S0TQwnaPYeMZd4N4BZ0/SH1eddNkPbX76XX57RQA1rauZcg7m8LXW5r2 3biawZ0hhDbBp3EOxln0337EeCpX+rAqCj3u60sBmBmFbY43qvm+v9vBhSKp/LVEYUix +jfQ==
X-Received: by 10.182.158.99 with SMTP id wt3mr37288019obb.18.1448664820984; Fri, 27 Nov 2015 14:53:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.19.102 with HTTP; Fri, 27 Nov 2015 14:53:26 -0800 (PST)
In-Reply-To: <E4D82102-F1DB-450D-A2F6-6B09A75E690A@gmail.com>
References: <22102.64756.382780.262773@fireball.acr.fi> <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com> <alpine.LFD.2.20.1511261043180.8897@bofh.nohats.ca> <E4D82102-F1DB-450D-A2F6-6B09A75E690A@gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Fri, 27 Nov 2015 17:53:26 -0500
Message-ID: <CAF4+nEFEmoq0fJLURvAPTAOMcWohOxScEaTqVL72d9mvM+Q4_g@mail.gmail.com>
To: The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/hsyVpDl5Mybg5tJbW_WL9jA-DjY>
Cc: draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 22:53:42 -0000

Although I assume it is supposed to be a joke, this is not an April 1st draft.

I think it is an extremely bad idea to use, as an example, a real
geographic region where people are dying due to conflict and to use an
organization name which sounds like it could plausibly exist in that
area. I do not consider the deaths in this region to be funny. See RFC
3797 for two examples of more clearly fictitious nation state names.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

On Thu, Nov 26, 2015 at 11:45 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
>> On 26 Nov 2015, at 5:43 PM, Paul Wouters <paul@nohats.ca> wrote:
>>
>> On Thu, 26 Nov 2015, Yoav Nir wrote:
>>
>>>> I just wonder why did the example singled out "the People's Front of
>>>> Judea", and did not include "the Judean People's Front", "the Judean
>>>> Popular People's Front", "the Campaign for a Free Galilee", and "the
>>>> Popular Front of Judea".... :-)
>>>
>>> Because the only people we hate more than the Romans, are the fucking Judean People's Front.
>>
>> Please people! We are _all_ individuals!
>
> I’m not.
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview


From nobody Fri Nov 27 15:02:13 2015
Return-Path: <joelja@bogus.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF5DD1B2DA9; Fri, 27 Nov 2015 15:02:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.085
X-Spam-Level: 
X-Spam-Status: No, score=-1.085 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RP_MATCHES_RCVD=-0.585] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UujvOmN5GEiw; Fri, 27 Nov 2015 15:02:06 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 346E71B2DA7; Fri, 27 Nov 2015 15:02:06 -0800 (PST)
Received: from mb-2.local ([IPv6:2601:1c0:c102:22fb:5e3:ff6c:5ce4:f12]) (authenticated bits=0) by nagasaki.bogus.com (8.14.9/8.14.9) with ESMTP id tARN21Bo013953 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 27 Nov 2015 23:02:01 GMT (envelope-from joelja@bogus.com)
To: Donald Eastlake <d3e3e3@gmail.com>, The IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>
References: <22102.64756.382780.262773@fireball.acr.fi> <942C4EAB-5714-4818-BD98-834AF3B4FE43@gmail.com> <alpine.LFD.2.20.1511261043180.8897@bofh.nohats.ca> <E4D82102-F1DB-450D-A2F6-6B09A75E690A@gmail.com> <CAF4+nEFEmoq0fJLURvAPTAOMcWohOxScEaTqVL72d9mvM+Q4_g@mail.gmail.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <5658E0E8.8050900@bogus.com>
Date: Fri, 27 Nov 2015 15:02:00 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:42.0) Gecko/20100101 Thunderbird/42.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEFEmoq0fJLURvAPTAOMcWohOxScEaTqVL72d9mvM+Q4_g@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="HOdqVRWcfdjj9vEOo4lqtFfHMb5ejn2ke"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/QTwnMeB90IOsvJe8VxcoVux0NJ0>
Cc: draft-ietf-httpbis-legally-restricted-status.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-legally-restricted-status-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Nov 2015 23:02:07 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--HOdqVRWcfdjj9vEOo4lqtFfHMb5ejn2ke
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 11/27/15 2:53 PM, Donald Eastlake wrote:
> Although I assume it is supposed to be a joke, this is not an April 1st draft.
>
> I think it is an extremely bad idea to use, as an example, a real
> geographic region where people are dying due to conflict and to use an
> organization name which sounds like it could plausibly exist in that
> area. I do not consider the deaths in this region to be funny. See RFC
> 3797 for two examples of more clearly fictitious nation state names.

While I think the Life of Brian rises to the level of basic cultural
literacy, it's probably all the way around if it is simply a generic
example.

> Thanks,
> Donald
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3@gmail.com
>=20
> On Thu, Nov 26, 2015 at 11:45 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:=

>>
>>> On 26 Nov 2015, at 5:43 PM, Paul Wouters <paul@nohats.ca> wrote:
>>>
>>> On Thu, 26 Nov 2015, Yoav Nir wrote:
>>>
>>>>> I just wonder why did the example single out "the People's Front of
>>>>> Judea", and did not include "the Judean People's Front", "the Judean
>>>>> Popular People's Front", "the Campaign for a Free Galilee", and "the
>>>>> Popular Front of Judea".... :-)
>>>>
>>>> Because the only people we hate more than the Romans, are the fucking Judean People's Front.
>>>
>>> Please people! We are _all_ individuals!
>>
>> I’m not.
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>
>



--HOdqVRWcfdjj9vEOo4lqtFfHMb5ejn2ke--


From nobody Fri Nov 27 23:21:25 2015
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF361B3093 for <secdir@ietfa.amsl.com>; Fri, 27 Nov 2015 23:21:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level: 
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLwbcoJuUVSA for <secdir@ietfa.amsl.com>; Fri, 27 Nov 2015 23:21:23 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1AA91B3092 for <secdir@ietf.org>; Fri, 27 Nov 2015 23:21:22 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tAS7LL3h021711 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 28 Nov 2015 07:21:21 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userv0022.oracle.com (8.13.8/8.13.8) with ESMTP id tAS7LKo0011691 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 28 Nov 2015 07:21:20 GMT
Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id tAS7LKa0019856; Sat, 28 Nov 2015 07:21:20 GMT
Received: from [10.159.100.58] (/10.159.100.58) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Nov 2015 23:21:20 -0800
Message-ID: <56595640.5060206@oracle.com>
Date: Sat, 28 Nov 2015 00:22:40 -0700
From: Shawn M Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: secdir@ietf.org
References: <56025EEB.5060602@oracle.com>
In-Reply-To: <56025EEB.5060602@oracle.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/5kWTuOBVO1ohQ6qgkyTL5cVS1oo>
Cc: draft-ietf-dnsop-qname-minimisation.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-dnsop-qname-minimisation-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 07:21:24 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies a technique to increase privacy in unencrypted DNS
traffic by not specifying a full domain name to the upstream name server.

The security considerations section does exist and does relent that encryption
would be a better form of privacy, but would require more coordination.  The
section also discloses that this protocol does not help in the case of
recursive resolvers.  I believe that the draft sufficiently describes the
limitations of the QNAME minimization method as specified.

General comments:

None.

Editorial comments:

Should QNAME be initially expanded/defined?
s/therefore do not give/therefore not give/
s/improving performances/improving performance/

Shawn.
--
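The technique summarised in this review, as an added sketch that is not part of the original message or of the draft's text: it compares which query names each authoritative zone sees during classic iteration and during QNAME minimisation. The zone data is constructed, the function names are hypothetical, and intermediate queries use QTYPE NS as an assumption of this sketch; the stub-to-recursive-resolver leg, which still carries the full name, is not modelled.

```python
"""Constructed illustration of QNAME minimisation: who sees which name."""

# Constructed delegation data: every name listed here is a zone apex (zone cut).
# "dept.corp.example." is deliberately NOT a cut; it lives inside corp.example.
ZONE_CUTS = {".", "example.", "corp.example."}


def labels(name):
    """Split an absolute name into labels, leftmost (most specific) first."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def to_name(lbls):
    """Join labels back into an absolute name; no labels means the root."""
    return ".".join(lbls) + "." if lbls else "."


def classic_trace(qname, qtype, zone_cuts=ZONE_CUTS):
    """Classic iteration: the full question is sent to every zone on the path.

    Returns a list of (zone_asked, qname_sent, qtype_sent), root first.
    """
    lbls = labels(qname)
    full = to_name(lbls)
    path = [to_name(lbls[i:]) for i in range(len(lbls), -1, -1)]
    return [(zone, full, qtype) for zone in path if zone in zone_cuts]


def minimised_trace(qname, qtype, zone_cuts=ZONE_CUTS):
    """Minimised iteration: each server is asked about one more label only.

    Intermediate names are queried with QTYPE NS (assumption of this sketch);
    the original QTYPE is sent only once the full name is reached.
    """
    lbls = labels(qname)
    if not lbls:
        return [(".", ".", qtype)]
    zone, queries = ".", []
    for depth in range(1, len(lbls) + 1):
        candidate = to_name(lbls[-depth:])
        last = depth == len(lbls)
        queries.append((zone, candidate, qtype if last else "NS"))
        if candidate in zone_cuts:
            # Delegation found: continue with the child zone's servers.
            zone = candidate
            if last:
                # The full name is itself a zone apex: the parent only refers,
                # so the real answer comes from the child zone.
                queries.append((zone, candidate, qtype))
        # Otherwise there is no cut at this label: stay on the same zone and
        # add one more label on the next round.
    return queries


def names_seen(queries):
    """Map each zone asked to the set of query names it was shown."""
    seen = {}
    for zone, name, _qtype in queries:
        seen.setdefault(zone, set()).add(name)
    return seen


if __name__ == "__main__":
    target = "www.dept.corp.example."  # constructed name under a reserved TLD
    for title, fn in (("classic", classic_trace), ("minimised", minimised_trace)):
        print(title)
        for zone, name, qtype in fn(target, "A"):
            print(f"  ask {zone:<14} {name} {qtype}")
```
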


From nobody Sat Nov 28 08:28:27 2015
Return-Path: <bortzmeyer@nic.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20B291AD049 for <secdir@ietfa.amsl.com>; Sat, 28 Nov 2015 04:43:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t74wNis7gnwe for <secdir@ietfa.amsl.com>; Sat, 28 Nov 2015 04:43:09 -0800 (PST)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41BB41ACF60 for <secdir@ietf.org>; Sat, 28 Nov 2015 04:43:09 -0800 (PST)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id D22C13BB9F; Sat, 28 Nov 2015 13:43:06 +0100 (CET)
Received: by mail.sources.org (Postfix, from userid 1000) id 64C52190663; Sat, 28 Nov 2015 13:41:03 +0100 (CET)
Date: Sat, 28 Nov 2015 13:41:03 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Shawn M Emery <shawn.emery@oracle.com>
Message-ID: <20151128124103.GC5710@sources.org>
References: <56025EEB.5060602@oracle.com> <56595640.5060206@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <56595640.5060206@oracle.com>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 8.2
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Iize1vC3x8HPP1tlr9O7QJYuyn4>
X-Mailman-Approved-At: Sat, 28 Nov 2015 08:28:26 -0800
Cc: draft-ietf-dnsop-qname-minimisation.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-dnsop-qname-minimisation-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2015 12:43:11 -0000

On Sat, Nov 28, 2015 at 12:22:40AM -0700,
 Shawn M Emery <shawn.emery@oracle.com> wrote 
 a message of 27 lines which said:

> I believe that the draft sufficiently describes the limitations of
> the QNAME minimization method as specified.

Thanks for the review.

> Should QNAME be initially expanded/defined?

I do not think so, since it is standard DNS terminology (RFC 1034,
section 3.7.1).

Other editorial comments have been integrated in my local copy.


From nobody Sat Nov 28 18:04:35 2015
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BFF01B394D; Sat, 28 Nov 2015 18:04:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGRQVtPjSlSx; Sat, 28 Nov 2015 18:04:32 -0800 (PST)
Received: from BAY004-OMC1S27.hotmail.com (bay004-omc1s27.hotmail.com [65.54.190.38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A3971B394B; Sat, 28 Nov 2015 18:04:32 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com ([65.54.190.60]) by BAY004-OMC1S27.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Sat, 28 Nov 2015 18:04:32 -0800
Received: from CY1PR17MB0425.namprd17.prod.outlook.com (10.163.253.19) by CY1PR17MB0427.namprd17.prod.outlook.com (10.163.253.21) with Microsoft SMTP Server (TLS) id 15.1.331.20; Sun, 29 Nov 2015 02:04:31 +0000
Received: from CY1PR17MB0425.namprd17.prod.outlook.com ([10.163.253.19]) by CY1PR17MB0425.namprd17.prod.outlook.com ([10.163.253.19]) with mapi id 15.01.0331.023; Sun, 29 Nov 2015 02:04:31 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-kitten-rfc4402bis-01
Thread-Index: AQHRKkiPf2hCv2uv20KUhWNcoBRuhw==
Date: Sun, 29 Nov 2015 02:04:30 +0000
Message-ID: <CY1PR17MB0425B9E2FA8C66DEE1E3C313DF010@CY1PR17MB0425.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=outlook.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [JOFqX80zypyu7SiO38h+v06C4UO+/jb8]
x-microsoft-exchange-diagnostics: 1; CY1PR17MB0427; 23:l0o+TPsI2GyrEpcWX3C6dixzJtwna2LrsQb4q4/rPRlzBjFoFfOeROz3sqcAJ0UrCkU/ViF5S6XiOHawmaoqTC4EIRZpP8SSsOJ6pKCEn63kUXmeJ2mJqTdJY0KRh+4gqcspc4dA57K+yyoFmGMYBZ4n73obrp02rQTiayU9CnrBZM+zVYfaiNlmrGRzui1OqyefdSc9MEk45RZSXCeZ9g==; 5:4pIL4m8fxHGZ0KjnZviOanY3I81dRL04W45v9tA3wN23xR6LE4jtwx2cvF5gKX/5cj54OKeb5Up3eoXUlAjhM91YJNYkW6nmXOBpbmpvBk2KXSeU/CbDNwzIZQBdkStKphoOqxXdZOl9mfCby6LK+Q==; 24:rExTbedclgaOeDYemih5dbqSiGC5+ulUwzCb0l54u+SeZUXJK7PZ5qTlf/Ev3JbvQ2+mC7JclBsBIf+ykQ6zM4YfHeKJEF4JbiBF0WtZWYg=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR17MB0427;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(432015012)(82015046); SRVR:CY1PR17MB0427; BCL:0; PCL:0; RULEID:; SRVR:CY1PR17MB0427; 
x-forefront-prvs: 0775716B9D
x-forefront-antispam-report: SFV:NSPM; SFS:(7070004)(98900002); DIR:OUT; SFP:1901; SCL:1; SRVR:CY1PR17MB0427; H:CY1PR17MB0425.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; 
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR17MB0425B9E2FA8C66DEE1E3C313DF010CY1PR17MB0425namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Nov 2015 02:04:30.9092 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR17MB0427
X-OriginalArrivalTime: 29 Nov 2015 02:04:32.0475 (UTC) FILETIME=[49CFB2B0:01D12A4A]
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/k9tOtOl9CsSS87yZwub9pQ2Xs_Q>
Cc: "draft-ietf-kitten-rfc4402bis.all@tools.ietf.org" <draft-ietf-kitten-rfc4402bis.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-kitten-rfc4402bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 02:04:34 -0000

--_000_CY1PR17MB0425B9E2FA8C66DEE1E3C313DF010CY1PR17MB0425namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.


This is effectively a one byte change to RFC4402 to correct for the fact that
the deployed implementations do not match the current spec. While it's open,
there is also the addition of some sample data to assure the problem won't
happen again (or at least if it does, the sample data will indicate the
correct interpretation).


RFC4402 was already covering a detail of the Kerberos V5 design that probably
should have been folded into another RFC rather than getting its own, so this
change is truly covering a small detail (albeit one that affects
interoperability of implementations).


Note that this spec defines a PRF function in what today would be considered
a non-standard way. But the changed spec will reflect the state of the
deployed base and there are no known cryptographic weaknesses in the
algorithm specified here.


     --Charlie

--_000_CY1PR17MB0425B9E2FA8C66DEE1E3C313DF010CY1PR17MB0425namp_--


From nobody Sun Nov 29 07:10:52 2015
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1D491B2A0C for <secdir@ietfa.amsl.com>; Sun, 29 Nov 2015 07:10:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level: 
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8,  RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ipL4k_GKzDO for <secdir@ietfa.amsl.com>; Sun, 29 Nov 2015 07:10:50 -0800 (PST)
Received: from smtp66.iad3a.emailsrvr.com (smtp66.iad3a.emailsrvr.com [173.203.187.66]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E65791B2A0B for <secdir@ietf.org>; Sun, 29 Nov 2015 07:10:49 -0800 (PST)
Received: from smtp25.relay.iad3a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp25.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 00A89180383; Sun, 29 Nov 2015 10:10:48 -0500 (EST)
Received: from app22.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp25.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id E4F0E18023D; Sun, 29 Nov 2015 10:10:48 -0500 (EST)
X-Sender-Id: scott@hyperthought.com
Received: from app22.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.5.4); Sun, 29 Nov 2015 10:10:48 -0500
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app22.wa-webapps.iad3a (Postfix) with ESMTP id D64F218006B; Sun, 29 Nov 2015 10:10:48 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Sun, 29 Nov 2015 07:10:48 -0800 (PST)
Date: Sun, 29 Nov 2015 07:10:48 -0800 (PST)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-nfsv4-minorversion2.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Auth-ID: scott@hyperthought.com
Message-ID: <1448809848.875230642@apps.rackspace.com>
X-Mailer: webmail/11.6.7-RC
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/GkMCsGvn9_-WSOD7QBrNuB_wKl4>
Subject: [secdir] secdir review of draft-ietf-nfsv4-minorversion2-39
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 15:10:51 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This doc describes minor version 2 updates to NFSv4. There are 6 new
operations/features supported: Server Side Copy, Application I/O Advise,
Space Reservations, Sparse Files, Application Data Blocks, and Labeled NFS.

Consistent with other NFS docs, security considerations specific to an
operation are described in the section for that operation. Server Side Copy
and Labeled NFS each contain their own sub-sections.

The main security considerations section states that this revision has all
the security considerations of NFS version 4.1 (referencing RFC5661), and
also refers to the feature-specific discussions in previous sections.

I didn't find any issues not already addressed by the security
considerations in this and referenced docs.

--Scott


From nobody Sun Nov 29 08:07:44 2015
Return-Path: <thomas.haynes@primarydata.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE9611B379F for <secdir@ietfa.amsl.com>; Sun, 29 Nov 2015 07:57:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uB5iQNduUIfA for <secdir@ietfa.amsl.com>; Sun, 29 Nov 2015 07:57:50 -0800 (PST)
Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A752B1B379B for <secdir@ietf.org>; Sun, 29 Nov 2015 07:57:50 -0800 (PST)
Received: by igcto18 with SMTP id to18so55646244igc.0 for <secdir@ietf.org>; Sun, 29 Nov 2015 07:57:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=primarydata-com.20150623.gappssmtp.com; s=20150623; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=qCohYgxnq6S+axTZ7QLa9vr4AWdgNagtpFCXCdo8TR8=; b=lAHadml19dFy2t6C4QTtaTzhwor9C3a7/ZCiJFISWn5X0l+0GQyFUDr2ICt1ze9vF2 yvvy3q1aSmct/2AUiiusL94xm5H+2qV6UAYF2MmsDlYlNv/F/FZt/pWhs0LV3oloKfL5 fO8Q7ReyPll2lwRZMhi3PTKTWGvbAuK6OTKgVfJPXt6dC/ESpSsoWwFIwvp8rPWa3pDM abCsPDFm5qGcyy/DFiPeCjm+RskOuVS7mquAAf2/HhZTvb+WZnUh7MggdNMg4dZLIN2c wPnvS76OgsGcyBMul/RY2o7CgR/YPrwdcnKcjvI+HA4QjkQXIMO2x56+sU1UrPashtkd 9QOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=qCohYgxnq6S+axTZ7QLa9vr4AWdgNagtpFCXCdo8TR8=; b=UGqaBBsnmbALl1Y6M9c0KJeBpWLT9d+oZiQ8f7mRtTRCp8fGrSvgTCXz4HlE+zZsfH GqkbTq1SVFrcq4jYspjuLlCpj3bdiZ7c7RAxpVdXgoHwSlo3Oj9rrPl2UrMWNCi7u8YQ txrLHsdhsFHSRh0HFFeS9ZBAa2sLjJTjww8oef70L9wZH5cYn/QMY4v1ojAvvtMthE0z NuDdRj1crIvrPssvq3bpzj9kDsDS6aw/cSZdujr46jcThgIu/zsV2HU2glHEGUxdpMwW rzVZbGoJPXbu4fv03DbDiCrnfDu4BSboF1jm+bL5ceaVN8K6UW1JWKBHYZWwf/WZKk7+ rouA==
X-Gm-Message-State: ALoCoQn47mmD9nGd/4AuCvYWrQgPPDOg5YAjEer3KupfbXtnpfddrhDLWyzTAdtYik4mBViVhP6F
X-Received: by 10.50.136.226 with SMTP id qd2mr17299608igb.37.1448812669965; Sun, 29 Nov 2015 07:57:49 -0800 (PST)
Received: from kinslayer.lan ([45.52.180.144]) by smtp.gmail.com with ESMTPSA id xg9sm6547858igb.7.2015.11.29.07.57.48 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 29 Nov 2015 07:57:49 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 9.1 \(3096.5\))
Content-Type: text/plain; charset=us-ascii
From: Tom Haynes <thomas.haynes@primarydata.com>
X-Priority: 3 (Normal)
In-Reply-To: <1448809848.875230642@apps.rackspace.com>
Date: Sun, 29 Nov 2015 10:57:47 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <F6E01285-FC79-40C1-A4E6-DF2A7CEFBEFB@primarydata.com>
References: <1448809848.875230642@apps.rackspace.com>
To: "Scott G. Kelly" <scott@hyperthought.com>
X-Mailer: Apple Mail (2.3096.5)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/y3-pY9tPKzahEtpFuyHa31FOrCw>
X-Mailman-Approved-At: Sun, 29 Nov 2015 08:07:42 -0800
Cc: draft-ietf-nfsv4-minorversion2.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-nfsv4-minorversion2-39
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 15:57:53 -0000

> On Nov 29, 2015, at 10:10 AM, Scott G. Kelly <scott@hyperthought.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This doc describes minor version 2 updates to NFSv4. There are 6 new
> operations/features supported: Server Side Copy, Application I/O Advise,
> Space Reservations, Sparse Files, Application Data Blocks, and Labeled
> NFS.
>
> Consistent with other NFS docs, security considerations specific to an
> operation are described in the section for that operation. Server Side
> Copy and Labeled NFS each contain their own sub-sections.
>
> The main security considerations section states that this revision has
> all the security considerations of NFS version 4.1 (referencing
> RFC5661), and also refers to the feature-specific discussions in
> previous sections.
>
> I didn't find any issues not already addressed by the security
> considerations in this and referenced docs.
>
> --Scott
>
>
>


Thanks for the review Scott.


From nobody Sun Nov 29 12:35:35 2015
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2FFC1B33E4; Sun, 29 Nov 2015 12:35:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.95
X-Spam-Level: 
X-Spam-Status: No, score=0.95 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1KQtclfnyE6; Sun, 29 Nov 2015 12:35:32 -0800 (PST)
Received: from mail-ob0-x22b.google.com (mail-ob0-x22b.google.com [IPv6:2607:f8b0:4003:c01::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8F921B33DF; Sun, 29 Nov 2015 12:35:31 -0800 (PST)
Received: by obbbj7 with SMTP id bj7so112803946obb.1; Sun, 29 Nov 2015 12:35:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:from:date:message-id:subject:to:cc:content-type;  bh=KG25rk4RdeA2UPaJsVY9+ThnutzZCuWsqjN6mRqKaZQ=; b=hAwMJ7wo68trWNNgRiq0NyIf4jJyEKXqgauz4piZg1QEh/st5iEAb4A9XwULqVA27z ZyGwwPtHhfWJ/0r1c5SKogeJwL+FgnMNZQ3YzuxxY/hHg9czQgA7etHnuzJpix+9i6gV K2DKbqsAaHsFieJ+RDGIJkaUjoJ+l0zxcuVvg39gHNDrdqD8gWNQSWvsBDQ1FxSbRrh2 6IvPcqyHZCarv/ni96sP0XVXW7xY/eZZdkmwpdA2PCrHjZFiZ5HIiTz4ok6LV3ZRkzQ1 LChmr+fmvzXQj3iJOeb5YIL2etBlN/amABD0Z2/vH2cFPgx9wsFbF4RqAusiQgauIW0z DrlA==
X-Received: by 10.60.77.34 with SMTP id p2mr40354368oew.21.1448829331208; Sun, 29 Nov 2015 12:35:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.19.102 with HTTP; Sun, 29 Nov 2015 12:35:16 -0800 (PST)
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 29 Nov 2015 15:35:16 -0500
Message-ID: <CAF4+nEEa8QQffd_srPD_9Dm1gXa_0mNeUPErjprX3ku+ACDe2Q@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-dane-openpgpkey.all@tools.ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Hsx-y4B8J1vmZjwJxmW4sLLDJW8>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] draft-ietf-dane-openpgpkey-06 SECDIR Review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 20:35:34 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments. I did not
review Appendix A or Section 8 (Implementation Status).

I think this draft is not ready for publication. It probably needs minimal
technical changes but there are significant wording problems with it.

Security:
------------

This document is "DANE for OpenPGP ..." but never says how what it
documents is a use of DANE or what DANE is. While there is a reference
to RFC 6698, at a minimum the DANE acronym should be expanded at first
use and/or in Section 1.2. Preferably two or three sentences should be
added to fix this gap.

I am concerned about the use of the words "validate" and "verify" in
this document in a wide variety of different ways, and in particular
their use in connection with OPENPGPKEY RRs. The ordinary and usual
meaning of these words, when they are not qualified in some way, is
that something is completely valid/verified for use and can be used
without further checking. But that isn't what seems to be meant in
this document. Here it just seems to sometimes mean that it has
validated under DNSSEC. It might also mean that it is of valid syntax
and a bit more -- the document is unclear on whether that is included.
But the use of these words for OPENPGPKEY RRs seems to exclude the
validation under the web of trust or human judgement even though that
step is mandated at a couple of places in the document.

Looking at Section 5, the "obtain or verify" in the first sentence
seems odd. Shouldn't it use "and" and be more like "obtain and DNSSEC
verify"? And in the following sentence, I would say "... ; if DNSSEC
validation reaches ..." Also, if you are going to start talking about
a specific DNSSEC state name as is done here, there should be a
reference to the specific DNSSEC RFC where that state name is defined.

In Section 5.1, in the first sentence, I would say "to seek" rather
than "to discover". "discover" makes it sound like it will always
un-cover/find something; also I think it would be a bit better to say
"corresponding to" rather than "belongs to". The last sentence in 5.1
has too many confusing "this"s. Suggest, assuming I have correctly
understood what you want to say, replacing the current last sentence
with "An application whose attempt fails to retrieve a DNSSEC verified
OPENPGPKEY RR from the DNS should remember that failure for some time
to avoid sending out a DNS request for each email message the
application is sending out; such DNS requests constitute a privacy
leak".

I suggest changing the title of Section 5.2 to "Confirming that an
OpenPGP key is current" since that is what it is about, not about
general validity. The third sentence of Section 5.2 ("If verifying ...
a failure") is unclear and not grammatical. Trying to re-write this
third sentence I come up with "If a locally stored OpenPGP public key
is found to be different from an OpenPGP key retrieved from the DNS and
DNSSEC verified as described herein, then ...." But I don't understand
this and don't understand what the "..." should be. Can't there be
multiple good OpenPGP keys for the same email address? What if one key
is stored locally and you retrieve two keys, one of which is equal to
the local key and one of which is different? Presumably it depends on
the local/user's policy what to do in such a case of different keys.
How is it helpful to say "the verification MUST be treated as a
failure"? (This certainly further confuses what "verification" means
in this document.) It is not clear exactly what that means but if it
says that a DNSSEC verified OpenPGP key retrieved from the DNS should
be dropped/ignored, why is that always the right thing? And again,
what if more than one are retrieved? (Possibly a re-written third
sentence and the following two sentences in this Section should be a
separate second paragraph.)

In the second sentence of the first paragraph of Section 7, what does
the initial "It" stand for? You might think from the previous sentence
that "it" was for DNSSEC but as you keep reading that can't be right
because I don't think "DNSSEC" equals "ease in obtaining". "DNS" might
equal ease in obtaining. So maybe it is "DNSSEC and DNS" but things
get more confusing as the sentence continues. What is "better then
plaintext" (should be "than")? Presumably not the key retrieved but
rather the email transmitted with that key? But is that always true?
If you were faked-out and believed a false key so email was encrypted
to the bad guy and could not be read by the intended recipient, I
would say that was worse than plaintext. This paragraph goes on to
talk about active attacks, which usually, in the email context, refers
to active attacks on the email on the wire, but I would guess this
text is actually talking about active attacks in the form of storing a
wrong key in the DNS...

In re Section 7.5, why isn't the domain name included in the hash? It
seems to improve security a little and the effort is small.

Other:
--------

 Section 1:

The references for Secure DNS should be given when Secure DNS is first
mentioned on page 3.

 Section 1.1:

I do not think there is such a thing as an "Experimental RRtype". It
would be better to say something like "This document specifies an
RRtype whose use is Experimental."

I don't quite grok the use of "generality of" on page 4. Perhaps it
should be replaced with "diffuse support of" or something.

 Section 2:

As long as you are bothering to say that the OPENPGPKEY RR has no
special TTL requirements, you might as well say it has no special
Additional section retrieval requirements, since I think that is the
most common type of RR special processing. But I think the lack of
such special requirements is the default so you could probably just
leave these negative statements out.

 Section 2.3:

"textual zone files" -> "master files [RFC1035]" and add [RFC1035] to
the normative references.

 Section 3:

The following statement seems at least a little misleading:
   The DNS does not allow the use of all characters that are supported
   in the "local-part" of email addresses as defined in [RFC5322] and
   [RFC6530].
DNS is binary clean. What left hand side characters allowed in
[RFC5322] are now allowed in DNS? Seems to me that only international
text as such [RFC6530] is a problem for DNS.

Probably the first bullet should be split in two. The first time I
read it, it seemed that the first sentence was talking about some
encodings. Then the second sentence talks about other encodings and
says they are hashed. So, of course, I thought that the encodings
talked about in the first sentence were not hashed. But the example
appears to show that the current text had conveyed the wrong thing to
me and that it is always hashes. I suggest that after "If it is
written in another encoding it should be converted to UTF-8" be
followed by a period and then there should be a new bullet item
talking about hashing, etc., to make it clear that the hashing, etc.,
apply to all encodings in the first bullet. Furthermore, I don't
understand why the text fragment I quote says "should" rather than
"must" or perhaps just replace "should be" with "is".

Then we get to the truncation. "Truncation comes from the right-most
octets." is completely ambiguous. At a minimum, a word needs to be
added so it says "Truncation comes from using the right-most octets."
or "Truncation comes from dropping the right-most octets."
Alternatively some other non-ambiguous wording is needed.

Presumably it is believed that the probability of a hash collision is
small enough that it can be ignored. If so, it wouldn't hurt to say
so.

Section 7:

The last paragraph of Section 7 seems to equate "Organizations" and
"mail servers". Suggest recasting the second sentence as "Mail servers
of such organizations MAY optionally re-encrypt a received message to
an individual's OpenPGP key.".

 Section 7.1:

Again, I assume "indeterminate" and "bogus" are used in their DNSSEC
meaning. So there needs to be a reference here to the DNSSEC RFC that
explains those words.

Author's Address:

I understand that many do not agree with me but I believe that first
page authors should normally list a postal address and a telephone
number to which a message could be sent or at which a message could be
left for them in addition to an email address. This section looks like
schlock corner cutting to me.

Trivia:
--------

"twart" -> "thwart" and "twarts" -> "thwarts"

Section 6: "properties are not exported" -> "properties not be
exported" and in the following sentence "have" -> "has"

Section 7: "direct" -> "ask" (a mail client has no power to order the
user to do anything)

Section 7.1: 5th paragraph, "sent" -> "send"

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com
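
The following is an added example, not part of the review above or of the draft it discusses. It shows why the Section 3 truncation wording matters (the two readings produce different query names) and what the Section 7.5 question is about (the label depends only on the local-part). Assumptions: SHA2-256, the 28-octet length and the `_openpgpkey` label are taken from the published OPENPGPKEY specification (RFC 7929); `domain_bound_name` is a hypothetical variant; the addresses are constructed.

```python
import hashlib

DIGEST_OCTETS = 28          # assumption: truncation length from RFC 7929
ZONE_LABEL = "_openpgpkey"  # assumption: label from RFC 7929


def _split(address: str):
    # Split at the last "@" so a quoted local-part containing "@" survives.
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError("expected local-part@domain")
    return local_part, domain


def _digest(text: str) -> bytes:
    # The input is converted to UTF-8 before hashing.
    return hashlib.sha256(text.encode("utf-8")).digest()


def owner_name(address: str, keep: str = "left") -> str:
    """Query name for an address under one reading of "truncation".

    keep="left":  drop the right-most octets (keep the first 28)
    keep="right": use the right-most octets (keep the last 28)
    """
    local_part, domain = _split(address)
    full = _digest(local_part)
    if keep == "left":
        kept = full[:DIGEST_OCTETS]
    elif keep == "right":
        kept = full[-DIGEST_OCTETS:]
    else:
        raise ValueError("keep must be 'left' or 'right'")
    return f"{kept.hex()}.{ZONE_LABEL}.{domain}"


def domain_bound_name(address: str) -> str:
    """Hypothetical variant for the Section 7.5 question: hash local-part and domain."""
    local_part, domain = _split(address)
    kept = _digest(f"{local_part}@{domain.lower()}")[:DIGEST_OCTETS]
    return f"{kept.hex()}.{ZONE_LABEL}.{domain}"


def collision_probability(mailboxes: int) -> float:
    """Birthday-bound estimate for one zone: n(n-1)/2 pairs over 2^224 values."""
    return mailboxes * (mailboxes - 1) / 2 / 2.0 ** (8 * DIGEST_OCTETS)


def first_label(name: str) -> str:
    return name.split(".", 1)[0]


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("hugh@example.com", "hugh@example.org"):
        print(addr)
        print("  drop right-most :", owner_name(addr, "left"))
        print("  use right-most  :", owner_name(addr, "right"))
        print("  domain-bound    :", domain_bound_name(addr))
    print("collision estimate, 1e9 mailboxes:", collision_probability(10**9))
```

A sender and a zone operator that pick different readings of the truncation sentence never agree on the query name, so the lookup fails even though both followed the text.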


From nobody Mon Nov 30 15:28:21 2015
Return-Path: <mamille2@cisco.com>
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-tls-cached-info.all@ietf.org" <draft-ietf-tls-cached-info.all@ietf.org>
Thread-Topic: SecDir review of draft-ietf-tls-cached-info-20
Thread-Index: AQHRK8bJqSQkCl+M1kuFG2MPQu2W7A==
Date: Mon, 30 Nov 2015 23:28:14 +0000
Message-ID: <01725C3B-D180-4DE8-8ED4-85CF30462FD7@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_F4C45072-7EA2-4531-9F24-F972036645A6"; protocol="application/pgp-signature"; micalg=pgp-sha512
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/FejFNEGjDhGoRVsC7NGkud6hOD4>
Subject: [secdir] SecDir review of draft-ietf-tls-cached-info-20

--Apple-Mail=_F4C45072-7EA2-4531-9F24-F972036645A6
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

I have reviewed draft-ietf-tls-cached-info-20 as part of the security
directorate's ongoing effort to review all IETF documents being
processed by the IESG.  These comments were written primarily for the
benefit of the security area directors.  Document editors and WG
chairs should treat these comments just like any other last call
comments.

This document defines a TLS extension that allows clients to indicate
certificate information is cached, possibly (significantly) reducing
the amount of data exchanged during the handshake.

This document is ready for publication, but with one nit.

The only nit I have is in Section 4, there is an extraneous "(" (or
missing ")") in the phrase "attribute containing support for
('foo-bar'".


--
- m&m

Matt Miller
Cisco Systems, Inc.


--Apple-Mail=_F4C45072-7EA2-4531-9F24-F972036645A6--


From nobody Mon Nov 30 22:21:09 2015
Return-Path: <david@mandelberg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 01 Dec 2015 01:21:00 -0500
From: David Mandelberg <david@mandelberg.org>
To: <iesg@ietf.org>, <secdir@ietf.org>, <draft-ietf-pce-pceps.all@tools.ietf.org>
Message-ID: <3c90e45423a16059ac64e37c85bc71fe@mail.mandelberg.org>
X-Sender: david@mandelberg.org
User-Agent: Roundcube Webmail/0.7.2
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/41b5cf6XGzq3kCAIxMISPaROV3E>
Subject: [secdir] secdir review of draft-ietf-pce-pceps-06

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

I have a few concerns about this draft, detailed below. Otherwise it 
looks good though. As such, I think this draft is Almost Ready.


Major:

In section 3.4, the text about cipher suites requires support for 
negotiation of some cipher suites that I think are considered 
comparatively weak (primarily TLS_RSA_WITH_3DES_EDE_CBC_SHA). Is there a 
reason for the choice of suites that (I believe) are considered 
relatively weak? Also, does "implementations MUST support negotiation of 
<X>" mean that <X> must be implemented as an option, or that <X> must be 
implemented and enabled for use? If the latter, this might prevent 
people from disabling old cipher suites as new vulnerabilities are 
discovered. As I understand it, PCEP messages are sent unicast, so I 
don't see the value in enabling less secure cipher suites in situations 
where both endpoints are known to support more secure suites.

Section 3.4 says "Certificate validation MUST include the verification 
rules as per [RFC5280]." Assuming that is referring to Section 6 of 
5280, do you have any guidance on Section 6.1.3, step a.3 (revocation 
testing)? I.e., are PCEPS implementations expected to download CRLs, use 
OCSP stapling, or something else?

Section 4.1 talks about the use of DANE/TLSA to authenticate a TLS 
server. While TLSA is sufficient for authentication, it is not 
sufficient for authorization, because anybody with a DNSSEC-enabled 
domain can create a valid TLSA record. And that's fine, as long as 
authorization is properly set up as described in section 3.5. However, 
the other two authentication models (PKI, and a list of acceptable 
certificate fingerprints) can be sufficient for authorization if only 
authorized parties are issued certificates or have their fingerprints 
listed (respectively). To avoid confusion, it would be nice if section 
4.1 explicitly said that the server's domain name must be authorized 
separately, as TLSA does not provide any useful authorization 
guarantees.


Minor:

In section 3.3, I'm confused about the StartTLSWait timer. Is the timer 
started after the TCP connection is established (what the draft says) or 
after a StartTLS message is sent? If the latter, is the timer started 
even if a StartTLS message has already been received?


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

