
From nobody Sun Jan  1 08:26:40 2017
Return-Path: <yaronf@gmx.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D85B71293F4; Sun,  1 Jan 2017 08:26:34 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer <yaronf@gmx.com>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
Date: Sun, 01 Jan 2017 08:26:34 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/O9wZVNZcjQcRhOnBuf1iTnYneH8>
Cc: draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, sidr@ietf.org
Subject: [secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jan 2017 16:26:35 -0000

Reviewer: Yaron Sheffer
Review result: Has Nits

* 3.1.1: The serial number in RFC 6487 is still a real, unique serial
number that uniquely identifies the certificate. Here it is used as
something other than a serial number, which is explicitly NOT unique,
and the CA is left to decide how to make it unique in the face of
potentially repeating BGP IDs. If this is not a real issue (e.g.
because duplicate IDs are rare and never within a RIR), please say
so.

* 3.2: earlier we said that Basic Constraints must not be included in
the EE cert. Now we are saying that only a particular boolean flag
must not be honored when processing the Cert Request. What happens if
Basic Constraints is included in the Cert Request but with other
flags?

* 3.3: ID.sidr-rfc6485bis -> RFC 7935

* 6: in the paragraph that discusses hash functions, please spell out
the names of the two key identifiers, because I cannot determine what
they are from the document.


From nobody Sun Jan  1 11:16:02 2017
Date: Sun, 01 Jan 2017 14:16:11 -0500
From: Rob Austein <sra@hactrn.net>
To: Yaron Sheffer <yaronf@gmx.com>
In-Reply-To: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
References: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20170101191611.ADABC4576F68@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/g8F47BIffBPZPvIQ7zFFyp9LlMo>
Cc: sidr@ietf.org, draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [sidr] Review of draft-ietf-sidr-bgpsec-pki-profiles-19

At Sun, 01 Jan 2017 08:26:34 -0800, Yaron Sheffer wrote:
> 
> Reviewer: Yaron Sheffer
> Review result: Has Nits
> 
> * 3.1.1: The serial number in RFC 6487 is still a real, unique serial
> number that uniquely identifies the certificate. Here it is used as
> something other than a serial number, which is explicitly NOT unique,
> and the CA is left to decide how to make it unique in the face of
> potentially repeating BGP IDs. If this is not a real issue (e.g.
> because duplicate IDs are rare and never within a RIR), please say
> so.

Er, I suspect you're confusing serial numbers with serial numbers.

3.1.1 of this draft is talking about the id-at-serialNumber attribute
in the Subject field (RFC 5280 4.1.2.6, naming attribute type
X520SerialNumber), a different thing entirely from the certificate
Serial Number (RFC 5280 4.1.2.2, type CertificateSerialNumber).  Just
to make things more interesting, both are called serialNumber in
different contexts.  Clear as mud, I know.

So, agreed that this probably does need clarification, but perhaps not
quite the clarification you thought it needed.
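
The distinction drawn in the reply above, as an added example that is not part of the thread or of the draft: a stdlib-only Python DER walker that reads both the certificate Serial Number (RFC 5280 4.1.2.2) and the Subject's id-at-serialNumber attribute (RFC 5280 4.1.2.6) from one TBSCertificate. The certificate fragment, issuer name, serial values and subject strings are constructed sample data, and all function names are hypothetical.

```python
"""Added example: the two 'serialNumber' fields of RFC 5280 in one DER blob."""

OID_CN = bytes.fromhex("550403")            # id-at-commonName   (2.5.4.3)
OID_SUBJECT_SN = bytes.fromhex("550405")    # id-at-serialNumber (2.5.4.5)
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")  # 1.2.840.10045.4.3.2


def tlv(tag, content):
    """DER-encode one tag/length/value triple (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + content


def name(*attrs):
    """Build a Name: one single-attribute RDN per (oid, text) pair."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode("ascii"))))
        for oid, text in attrs))


def make_tbs(cert_serial, subject_cn, subject_sn):
    """Constructed TBSCertificate fragment; it stops after the subject field."""
    serial = cert_serial.to_bytes(cert_serial.bit_length() // 8 + 1, "big")
    return tlv(0x30,
               tlv(0xA0, tlv(0x02, b"\x02"))            # version v3
               + tlv(0x02, serial)                      # CertificateSerialNumber
               + tlv(0x30, tlv(0x06, OID_ECDSA_SHA256)) # signature algorithm
               + name((OID_CN, "Example Issuing CA"))   # issuer (constructed)
               + tlv(0x30, tlv(0x17, b"170101000000Z")
                           + tlv(0x17, b"180101000000Z"))  # validity
               + name((OID_CN, subject_cn), (OID_SUBJECT_SN, subject_sn)))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = octet count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content octets of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(val):
    """Decode OID content octets into dotted-decimal text."""
    subids, acc = [], 0
    for byte in val:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    return ".".join(str(x) for x in [first, subids[0] - 40 * first] + subids[1:])


def both_serial_numbers(der_bytes):
    """Return (certificate serial as int, {subject attribute OID: text})."""
    _, outer, _ = read_tlv(der_bytes, 0)
    fields = children(outer)
    if fields[0][0] == 0x30:                # full Certificate: descend into TBS
        fields = children(fields[0][1])
    if fields[0][0] == 0xA0:                # skip the [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject
    cert_serial = int.from_bytes(fields[0][1], "big", signed=True)
    subject = {}
    for _, rdn in children(fields[4][1]):   # each RDN is a SET
        for _, atv in children(rdn):        # each member is AttributeTypeAndValue
            (_, oid), (_, text) = children(atv)
            subject[decode_oid(oid)] = text.decode("utf-8")
    return cert_serial, subject


if __name__ == "__main__":
    # Two constructed certificates for the same router name: the Subject
    # attribute repeats, the certificate Serial Number does not.
    for cert_serial in (0x1A2B3C, 0x1A2B3D):
        blob = make_tbs(cert_serial, "ROUTER-0000FDE8", "0A000001")
        serial, subject = both_serial_numbers(blob)
        print(f"certificate serialNumber = {serial:#x}; "
              f"subject serialNumber (2.5.4.5) = {subject['2.5.4.5']}")
```
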


From nobody Sun Jan  1 11:29:31 2017
From: "Salz, Rich" <rsalz@akamai.com>
To: "'secdir@ietf.org'" <secdir@ietf.org>, "'iesg@ietf.org'" <iesg@ietf.org>,  "draft-ietf-sidr-bgpsec-ops@ietf.org" <draft-ietf-sidr-bgpsec-ops@ietf.org>
Thread-Topic: Secdir review of draft-ietf-sidr-bgpsec-ops-12
Thread-Index: AdJkXqQzDkwZEaaUQ7KgXUE2Xma9NA==
Date: Sun, 1 Jan 2017 19:29:23 +0000
Message-ID: <76b79dc5ec924487aaa3d098126d6ab6@usma1ex-dag1mb1.msg.corp.akamai.com>
Content-Type: multipart/alternative; boundary="_000_76b79dc5ec924487aaa3d098126d6ab6usma1exdag1mb1msgcorpak_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dfY03FBfLKbMigMgtF1cR2JxiQQ>
Subject: [secdir] Secdir review of draft-ietf-sidr-bgpsec-ops-12

--_000_76b79dc5ec924487aaa3d098126d6ab6usma1exdag1mb1msgcorpak_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is Ready.  I have a few purely editorial suggestions
below. I also have a question which is perhaps out of scope for the
review of this document, which is why I say ready as opposed to with
nits or almost ready.  The document explains that BGPsec is a new
protocol that will be deployed over years.  Is there a plan or intent
to update this document as the community gains experience?

The Introduction section is great with pointers to relevant documents.
We need to do more of that kind of thing.  My nits follow, and all are
optional, in the hopes of increasing clarity.

Section 1:
  BGPsec need be spoken only by an AS's eBGP speaking, AKA border, routers,
I suggest the following (if I got the meaning right); hyphenate and use
or not AKA
   BGPsec need be spoken only by an AS's eBGP-speaking, or border, routers,

Should section 2 be merged into section 1?  ROA should be spelled out
when first used.

Section 4, "A large operator ... may accept"  Perhaps deploy, not
accept?  I think the "On the other extreme" is redundant and could be
removed.

Section 5 change the comma to a colon in the first sentence?  In "The
operator should be aware..." change to "An" ?  Similarly in section 6,
"Operators might need to ..."  Change to "An operator"?  This is part
of having overall consistency about one/the/an operator reference.  A
level of nit we don't ordinarily think about :)

Section 7, spell out iBGP at first use?

Section 9, perhaps add a sentence like: "This document outlines some of
the operational issues defined there" or some such.

Section 11, are you thinking three parties or two?  If three, put the
design group last; if two, put the two names in parens.

Thanks for writing this.





--_000_76b79dc5ec924487aaa3d098126d6ab6usma1exdag1mb1msgcorpak_--


From nobody Sun Jan  1 16:26:49 2017
Date: Mon, 02 Jan 2017 09:26:41 +0900
Message-ID: <m28tqunw72.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Rich Salz <rsalz@akamai.com>
In-Reply-To: <76b79dc5ec924487aaa3d098126d6ab6@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <76b79dc5ec924487aaa3d098126d6ab6@usma1ex-dag1mb1.msg.corp.akamai.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Zo2yKOQpQl5vdowp5ttQTI8Uc6g>
Cc: IESG <iesg@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-bgpsec-ops-12

thanks for the review.  always a pleasure to get competent reviews.

> Section 1:
>   BGPsec need be spoken only by an AS's eBGP speaking, AKA border, routers,
> I suggest the following (if I got the meaning right); hyphenate and use or not AKA
>   BGPsec need be spoken only by an AS's eBGP-speaking, or border, routers,

no problem with hyphen.  but "or" implies an alternative, which could
confuse.  what bothers you about "AKA?"  want it unpacked?  "often
termed?"

> Should section 2 be merged into section 1?

certainly could.  dunno about should. :)

> ROA should be spelled out when first used.

ack

> Section 4, "A large operator ... may accept" Perhaps deploy, not
> accept?

eenie meenie.  by "accept" i meant to imply a tradeoff.  but fine.

> I think the "On the other extreme" is redundant and could be removed.

ok, how about "At the other end of the spectrum?"  i am trying to paint
a tradeoff space.

> Section 5 change the comma to a colon in the first sentence?

you drove me back to strunk & white.  imiho, the second clause is
insufficiently independent (no verb, does not begin with "and," "but,"
etc), to use a semicolon.  and it certainly is not a 'follow' list,
which would use a colon.

> In "The operator should be aware..." change to "An" ?  Similarly in
> section 6, "Operators might need to ..."  Change to "An operator"?
> This is part of having overall consistency about one/the/an operator
> reference.  A level of nit we don't ordinarily think about :)

you're worse than my grandmother, an english teacher, who used to send
my letters back red-marked.

> Section 7, spell out iBGP at first use?

hmmm.  we did not unpack eBGP, BGP, or BGPsec.  we could go nuts, or is
it nits, here.  let's save finding the detent on this knob to rfced.
they are pretty careful in this space.

> Section 9, perhaps add a sentence like: "This document outlines some
> of the operational issues defined there" or some such.

i tried that, changing "defined" to "described."  but actually that
document does not describe, let alone define, most of the operational
considerations this document tries to address.  as adding such a
sentence does not really add a lot to the semantics, i hope you do not
mind if i pass on this one.

> Section 11, are you thinking three parties or two?  If three, put the
> design group last; if two, put the two names in parens.

one where the oxford comma did not bail me out.  good catch.

i have the edits in my xml copy.  shout if you think any are
sufficiently serious to warrant pushing the button.  otherwise i will
hold for other reviews.

again, thanks.

randy


From nobody Sun Jan  1 16:37:49 2017
From: "Salz, Rich" <rsalz@akamai.com>
To: Randy Bush <randy@psg.com>
Thread-Topic: Secdir review of draft-ietf-sidr-bgpsec-ops-12
Thread-Index: AdJkXqQzDkwZEaaUQ7KgXUE2Xma9NAAWigCAAAohlIA=
Date: Mon, 2 Jan 2017 00:37:41 +0000
Message-ID: <f6fb438c33b9492d8509f2cb4b39a2d4@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <76b79dc5ec924487aaa3d098126d6ab6@usma1ex-dag1mb1.msg.corp.akamai.com> <m28tqunw72.wl-randy@psg.com>
In-Reply-To: <m28tqunw72.wl-randy@psg.com>
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/FyQD7iozXkApy0OsE5YARMz0X3A>
Cc: IESG <iesg@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-sidr-bgpsec-ops-12

> no problem with hyphen.  but "or" implies an alternative, which could
> confuse.  what bothers you about "AKA?"  want it unpacked?  "often
> termed?"

Often termed clears it up for me.

As for the rest, they really are fleas on a flea, and whatever you do is
fine with me.



From nobody Mon Jan  2 03:10:21 2017
Date: Mon, 02 Jan 2017 20:10:15 +0900
Message-ID: <m2zij9n2eg.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Yaron Sheffer <yaronf@gmx.com>
In-Reply-To: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
References: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/n8HanXInOo5ZonPPjk_n8aRSm8I>
Cc: sidr@ietf.org, draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] [sidr] Review of draft-ietf-sidr-bgpsec-pki-profiles-19

> potentially repeating BGP IDs

not weighing in on the rest.  but i am not sure what you mean by bgp
id.  if it is routerID, those are unique within an AS.

randy


From nobody Mon Jan  2 22:20:12 2017
Date: Tue, 3 Jan 2017 00:20:02 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christian Huitema <huitema@huitema.net>
Message-ID: <20170103062001.GN8460@kduck.kaduk.org>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <006f01d263d8$435dc430$ca194c90$@huitema.net>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7-feW22V9iTbV0SOVvFj6VQdbs8>
Cc: npmccallum@redhat.com, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, nkinder@redhat.com, 'IESG' <iesg@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04

Hi Christian,

Thanks for the review!

On Sat, Dec 31, 2016 at 06:39:21PM -0800, Christian Huitema wrote:
> Copying to Nathan Kinder and Nathaniel McCallum, since their mail server
> rejects messages relayed by the IETF server.
> 
> -----Original Message-----
> From: secdir [mailto:secdir-bounces@ietf.org] On Behalf Of Christian Huitema
> Sent: Saturday, December 31, 2016 6:20 PM
> To: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>;
> draft-ietf-kitten-krb-auth-indicator.all@ietf.org
> Subject: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
> 
[...]
> The document is almost ready, but I wish a few issues were addressed before
> publication.
> 
> My first issue is that the document describes an update to the Kerberos
> protocol specification, RFC 4120, but does not define the specific way in
> which RFC 4120 is updated. Could the draft be updated to include something
> like the section "6. Assigned Numbers" of RFC 7751? If I understand
> correctly, the changes are a new ad-type number 97, pointing to a CAMMAC
> container, in which the "elements" are encoded according to the syntax
> specified in Appendix A of the draft. Having that explained succinctly would
> help future readers.

I noticed the "Updates but doesn't really update" issue while preparing the
shepherd review, and opted to leave in the "Updates" marker since it's
probably something an implementor of 4120 should know about.
The "Assigned Numbers" section is a good idea, thanks for pointing it out
(and yes, you understand correctly).

Authors, can you prepare another update?

> My second issue is with the use of site-defined strings. I understand that
> the site defined strings are defined by the administrator of a realm. What
> happens if these strings appear outside the original realm, for example in
> an environment connecting multiple realms? Don't we have a potential there
> for name collision? Should there not be some guidance to implementers? 

There is maybe some potential for confusion, though not, I think, at the
protocol level.  The authentication indicator should always originate from
the realm of original authentication, which is the realm of the client
principal (in general).  Even with some of the more exotic flows, like
anonymous (or semi-anonymous) principals and making cross-realm TGS
requests for foreign-realm TGTs, the client principal's realm is unchanged,
so at a protocol level, the meaning of "this realm asserts that this
authentication mechanism was used" remains clear.  The confusion is when
applications just check strings against a table without special-casing
foreign-realm principals (which is likely to happen and the natural thing
for application authors to do; I am not trying to belittle the issue
you raised).

In many cases, cross-realm operations occur when the administrators
of the different realms are tightly coordinated (or even the same
group), in which case they probably use the same semantics for the
authentication indicator.  In cases where the administrators of the
different realms are genuinely different organizations, there are already
risks for application services in such realms, such as for applications
that grant access to "valid user".  That said, the authentication indicator
does introduce a new type of risk, and it is appropriate to have some
text about it in the security considerations.

Authors, do you think you can come up with text, or should one of us
try to make a contribution?

> I note that the proposed short string syntax forbids use of the ":"
> character in site-defined strings. Did the WG look at the consequences of
> that choice? If site administrators cannot use the URI like syntax, what is
> the preferred way of defining unique strings and preventing collisions?

I don't think the WG looked at the consequences, no -- IIRC this requirement
was introduced at my urging due to the shepherd review, in order to
avoid conflict between the two classes of possible values.  If URIs must
be LoA profiles and site-local values must be not-URIs, then there is
no conflict.

My expectation is that what will happen in practice is that the site-local
short strings will actually be implementation-local, and the name of the
preauthentication plugin or module will be used, like "otp" or "pkinit"
or "spake".  I don't expect anyone to try to make globally unique values,
but of course there are always options like UUIDs or using alternate
separator characters for those who wish to try.  (It is debatable whether
UUIDs count as "short", but there is no enforcement on "short", so
they are in practice fair game.)

> What are application services supposed to do when they encounter URI or
> site-defined strings that they do not understand?

The same thing they do now (in practice) when receiving other unknown
authorization data types: ignore it.  (This is in violation of the
spec, that says unknown types should be treated as critical unless
wrapped in AD-IF-RELEVANT, but that behavior is not implemented in the
major implementations.)  That may end up being a default-deny or
default-permit mode, depending on the application service's configuration.

> The ASN.1 syntax defines the element as a "SEQUENCE OF UTF8String". The
> document mentions that "Each UTF8String value is a short string". How short
> exactly should these strings be? How many of them should an application
> expect in the "SEQUENCE OF" element? The syntax itself does not constrain
> the length or number of these strings. Are we not worried with potential
> interoperability issues? Could this be abused in some attacks? Should the
> security considerations mention that?

If I remember the history of the document correctly, there is intentionally
no limit.  URIs for LoA profiles could end up being pretty long, and
there was a desire to not artificially limit those; it doesn't seem
worth complicating the semantics of the indicator just to impose a length
restriction on the non-URI strings.  As far as the number of elements in
the sequence, in practice there is probably no issue, since the
authentication indicator is issued by the KDC in response to the actual
authentication that occurred -- well-behaved KDCs should only include
as many strings as authentication methods were used (which is in practice
one or two at the moment, and probably not going to get much above three
ever).  There is always the concern about a client parsing
untrusted/unvalidated input, but the consumer should be validating the
MAC(s) in the CAMMAC container before parsing, and the implementation
ticket size (and similar) constraints will also limit the possible
size here.

So, probably no attacks (absent compromised KDCs, which have other
ways to wreak havoc) and probably no need for security consideration
mention.  I can't come up with any potential interoperability issues,
either, but I didn't spend a whole lot of time thinking about it.

Thanks again,

Ben
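
An added example, not part of the message above and not taken from any Kerberos implementation: one way an application service could consume authentication indicators so that a site-defined string is looked up only in the table of the realm that asserted it, with unknown values ignored and the outcome left to a configured default. The realm names, indicator strings, labels, the LoA URI, the size bounds and the `cammac_verified` flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Local sanity bounds (assumption): the draft itself sets no limit on the
# number or length of indicator strings.
MAX_INDICATORS = 16
MAX_INDICATOR_BYTES = 1024


@dataclass
class Policy:
    # realm -> {site-defined short string -> local label}
    site_tables: dict
    # LoA profile URI -> local label (assumed to mean the same in any realm)
    uri_table: dict = field(default_factory=dict)
    # labels that satisfy this service
    required: frozenset = frozenset()
    # outcome when no indicator is recognised (default-deny unless set)
    permit_if_unrecognised: bool = False


def client_realm(principal):
    """Return the realm of a principal written as name@REALM."""
    _, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm component")
    return realm


def classify(indicator):
    """Site-defined strings may not contain ':', so ':' marks a URI."""
    return "uri" if ":" in indicator else "site"


def naive_authorize(indicators, flat_table, required):
    """The confusable check: one table for every realm."""
    return any(flat_table.get(v) in required for v in indicators)


def recognised_labels(principal, indicators, policy):
    """Map indicators to local labels, scoped to the asserting realm."""
    table = policy.site_tables.get(client_realm(principal), {})
    labels = set()
    for value in indicators:
        if classify(value) == "uri":
            label = policy.uri_table.get(value)
        else:
            label = table.get(value)
        if label is not None:  # unknown values are ignored
            labels.add(label)
    return labels


def authorize(principal, indicators, cammac_verified, policy):
    """Decide access from the indicators carried in a ticket."""
    if not cammac_verified:
        # Indicators from an unverified container are never interpreted.
        indicators = []
    if len(indicators) > MAX_INDICATORS:
        return False
    if any(len(v.encode("utf-8")) > MAX_INDICATOR_BYTES for v in indicators):
        return False
    labels = recognised_labels(principal, indicators, policy)
    if not labels:
        return policy.permit_if_unrecognised
    return bool(labels & policy.required)


def demo_policy(permit_if_unrecognised=False):
    """Constructed sample policy: two realms that both use the string 'otp'."""
    return Policy(
        site_tables={
            "EXAMPLE.COM": {"otp": "strong", "pkinit": "strong"},
            "PARTNER.EXAMPLE": {"otp": "weak"},
        },
        uri_table={"https://loa.example/profile/2": "strong"},
        required=frozenset({"strong"}),
        permit_if_unrecognised=permit_if_unrecognised,
    )


if __name__ == "__main__":
    policy = demo_policy()
    for who in ("alice@EXAMPLE.COM", "bob@PARTNER.EXAMPLE", "carol@OTHER.EXAMPLE"):
        print(who, authorize(who, ["otp"], True, policy))
```
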


From nobody Tue Jan  3 08:12:56 2017
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
Date: Tue, 3 Jan 2017 11:12:48 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <A876AE38-EFC6-48DC-955F-510CEEA4DB43@sn3rd.com>
References: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com>
To: Yaron Sheffer <yaronf@gmx.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/P4Gx0QpbwPw-RvgGbTyhc2w6qU4>
Cc: sidr@ietf.org, draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19

Yaron,

Thanks for the review.

> On Jan 1, 2017, at 11:26, Yaron Sheffer <yaronf@gmx.com> wrote:
>
> Reviewer: Yaron Sheffer
> Review result: Has Nits
>
> * 3.1.1: The serial number in RFC 6487 is still a real, unique serial
> number that uniquely identifies the certificate. Here it is used as
> something other than a serial number, which is explicitly NOT unique,
> and the CA is left to decide how to make it unique in the face of
> potentially repeating BGP IDs. If this is not a real issue (e.g.
> because duplicate IDs are rare and never within a RIR), please say
> so.

As Rob pointed out this paragraph is talking about the serial number
naming attribute.  Maybe something like:

r/only two attributes/only two naming attributes
and
r/common name and serial number/common name (i.e., X520CommonName) and
serial number (i.e., X520SerialNumber)

People ought to then be able to track down the definitions.

> * 3.2: earlier we said that Basic Constraints must not be included in
> the EE cert. Now we are saying that only a particular boolean flag
> must not be honored when processing the Cert Request. What happens if
> Basic Constraints is included in the Cert Request but with other
> flags?

The CA is ultimately the one who decides what gets issued.  A good CA
would know to only issue properly formatted BGPsec certificates either
by ignoring the improperly requested "feature" or rejecting it
outright.  Since these CAs really aren’t open CAs then the CA
ought not get caught off-guard with requests.

> * 3.3: ID.sidr-rfc6485bis -> RFC 7935

drat I missed one.

> * 6: in the paragraph that discusses hash functions, please spell out
> the names of the two key identifiers, because I cannot determine what
> they are from the document.

Ack they’re the key identifiers in the cert: Subject Key
Identifier and Issuer Key Identifier

r/two key identifier extensions./two key identifier extensions (i.e.,
Subject Key Identifier and Issuer Key Identifier)

spt


From nobody Tue Jan  3 08:15:17 2017
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 3 Jan 2017 11:14:49 -0500
Message-ID: <CAF4+nEGUcm7h6VUUa-Bsx3c8XnXZvu5Tf5-Oeu5ELsCn6sogYw@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-nvo3-use-case.all@ietf.org
Content-Type: multipart/mixed; boundary=001a114794ee9f327e054532f891
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wJfjCWSe4a92p0cC9cijIlQz8UQ>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] draft-ietf-nvo3-use-case-15 SECDIR review

--001a114794ee9f327e054532f891
Content-Type: multipart/alternative; boundary=001a114794ee9f327a054532f88f

--001a114794ee9f327a054532f88f
Content-Type: text/plain; charset=UTF-8

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. Document
editors and WG chairs should treat these comments just like any other last
call comments.

This draft described use cases for network virtualization overlay networks
focusing on Data Center use. I think this document is Ready with issues.

*Security:*

As an Informational use case document, security is not a major focus of
this draft. Nevertheless:

The existing Security Considerations section says that Data Center
operators need to provide tenants with a virtual network that is "isolated
from other tenants' traffic as well as from underlay networks". But I don't
think tenants can, in general, be protected from the underlay network. I
would say that tenants are vulnerable to observation and data
modification/injection by the operator of the underlay and should only use
operators they trust.

The existing Security Considerations section says that tenants need to be
isolated from each other but I believe there will always be covert
channels, based on resource contention and the like, by which tenants can
communicate with each other and the best that can be done is to limit the
bandwidth of such communications.


*Minor:*

"BUM" and "ASBR" used without definition or expansion.

Wording: I think the wording is off in some places for a reader for whom
English is their native language. See attached for suggestions. I probably
haven't caught all the wording glitches.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

--001a114794ee9f327a054532f88f--

--001a114794ee9f327e054532f891
Content-Type: application/msword; name="draft-ietf-nvo3-use-case-15-dee.doc"
Content-Disposition: attachment; 
	filename="draft-ietf-nvo3-use-case-15-dee.doc"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ixhok2h10
--001a114794ee9f327e054532f891--


From nobody Tue Jan  3 12:48:59 2017
From: Lucy yong <lucy.yong@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-nvo3-use-case.all@ietf.org" <draft-ietf-nvo3-use-case.all@ietf.org>
Date: Tue, 3 Jan 2017 20:48:47 +0000
Message-ID: <2691CE0099834E4A9C5044EEC662BB9D57B9C24B@dfweml501-mbb>
References: <CAF4+nEGUcm7h6VUUa-Bsx3c8XnXZvu5Tf5-Oeu5ELsCn6sogYw@mail.gmail.com>
In-Reply-To: <CAF4+nEGUcm7h6VUUa-Bsx3c8XnXZvu5Tf5-Oeu5ELsCn6sogYw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_2691CE0099834E4A9C5044EEC662BB9D57B9C24Bdfweml501mbb_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QYd1zq5gVslyPDtcYJwqDNAtC1s>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-nvo3-use-case-15 SECDIR review

--_000_2691CE0099834E4A9C5044EEC662BB9D57B9C24Bdfweml501mbb_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Hi Donald,

Thank you for the review.

From: Donald Eastlake [mailto:d3e3e3@gmail.com]
Sent: Tuesday, January 03, 2017 10:15 AM
To: iesg@ietf.org; draft-ietf-nvo3-use-case.all@ietf.org
Cc: secdir@ietf.org
Subject: draft-ietf-nvo3-use-case-15 SECDIR review

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft described use cases for network virtualization overlay networks focusing on Data Center use. I think this document is Ready with issues.

Security:

As an Informational use case document, security is not a major focus of this draft. Nevertheless:

The existing Security Considerations section says that Data Center operators need to provide tenants with a virtual network that is "isolated from other tenants' traffic as well as from underlay networks". But I don't think tenants can, in general, be protected from the underlay network. I would say that tenants are vulnerable to observation and data modification/injection by the operator of the underlay and should only use operators they trust.
[Lucy] How about: DC operators need to provide a tenant with a secured virtual network, which means one tenant’s traffic is isolated from other tenants’ traffic and is not leaked to the underlay networks. Tenants are vulnerable to observation and data modification/injection by the operator of the underlay and should only use operators they trust.

The existing Security Considerations section says that tenants need to be isolated from each other but I believe there will always be covert channels, based on resource contention and the like, by which tenants can communicate with each other and the best that can be done is to limit the bandwidth of such communications.
[Lucy] suggested text is taken.

Minor:

"BUM" and "ASBR" used without definition or expansion.
[Lucy] ack. Fix some others too.


Wording: I think the wording is off in some places for a reader for whom English is their native language. See attached for suggestions. I probably haven't caught all the wording glitches.
[Lucy] thank very much for the correction.  Should I upload the updated version or wait the feedback from other areas?

Thanks,
Lucy


Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com<mailto:d3e3e3@gmail.com>

--_000_2691CE0099834E4A9C5044EEC662BB9D57B9C24Bdfweml501mbb_--


From nobody Tue Jan  3 13:47:45 2017
To: Sean Turner <sean@sn3rd.com>
References: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com> <A876AE38-EFC6-48DC-955F-510CEEA4DB43@sn3rd.com>
From: Yaron Sheffer <yaronf@gmx.com>
Message-ID: <be05d9e5-6099-ed76-455a-0619fa28ef32@gmx.com>
Date: Tue, 3 Jan 2017 23:47:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <A876AE38-EFC6-48DC-955F-510CEEA4DB43@sn3rd.com>
Content-Type: multipart/alternative; boundary="------------161B0AC6809EC36B16E83D53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WZA87LdF_0zMWPuduQPE8r6MI08>
Cc: sidr@ietf.org, draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2017 21:47:44 -0000

This is a multi-part message in MIME format.
--------------161B0AC6809EC36B16E83D53
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

Hi Sean,

Please see below.


On 03/01/17 18:12, Sean Turner wrote:
> Yaron,
>
> Thanks for the review.
>
>> On Jan 1, 2017, at 11:26, Yaron Sheffer <yaronf@gmx.com> wrote:
>>
>> Reviewer: Yaron Sheffer
>> Review result: Has Nits
>>
>> * 3.1.1: The serial number in RFC 6487 is still a real, unique serial
>> number that uniquely identifies the certificate. Here it is used as
>> something other than a serial number, which is explicitly NOT unique,
>> and the CA is left to decide how to make it unique in the face of
>> potentially repeating BGP IDs. If this is not a real issue (e.g.
>> because duplicate IDs are rare and never within a RIR), please say
>> so.
> As Rob pointed out this paragraph is talking about the serial number naming attribute.  Maybe something like:
>
> r/only two attributes/only two naming attributes
> and
> r/common name and serial number/common name (i.e., X520CommonName) and serial number (i.e., X520SerialNumber)
>
> People ought to then be able to track down the definitions.
I'm good with these changes. However, according to Randy's response to 
my review, the text later on is subtly incorrect (or at least 
misleading). Router IDs are not globally unique, but the combination of 
AS Number and Router ID is in fact globally unique.

>
>> * 3.2: earlier we said that Basic Constraints must not be included in
>> the EE cert. Now we are saying that only a particular boolean flag
>> must not be honored when processing the Cert Request. What happens if
>> Basic Constraints is included in the Cert Request but with other
>> flags?
> The CA is ultimately the one who decides what gets issued.  A good CA would know to only issue properly formatted BGPsec certificates either by ignoring the improperly requested feature or rejecting it outright.  Since these CAs really aren't open CAs then the CA ought not get caught off-guard with requests.
I'm not sure I understand. Why not give consistent advice to EEs and
CAs, e.g., reject any request that includes any Basic Constraints?
>
>> * 3.3: ID.sidr-rfc6485bis -> RFC 7935
> drat I missed one.
>
>> * 6: in the paragraph that discusses hash functions, please spell out
>> the names of the two key identifiers, because I cannot determine what
>> they are from the document.
> Ack they're the key identifiers in the cert: Subject Key Identifier and Issuer Key Identifier
>
> r/two key identifier extensions./two key identifier extensions (i.e., Subject Key Identifier and Issuer Key Identifier)
Yes.
>
> spt


--------------161B0AC6809EC36B16E83D53--


From nobody Tue Jan  3 19:50:11 2017
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58CCD129BA0; Tue,  3 Jan 2017 19:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level: 
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhJlrgoSsc2X; Tue,  3 Jan 2017 19:50:09 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7440129B8E; Tue,  3 Jan 2017 19:50:08 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id p42so446175161ioo.1; Tue, 03 Jan 2017 19:50:08 -0800 (PST)
X-Received: by 10.107.175.80 with SMTP id y77mr46975240ioe.12.1483501808196; Tue, 03 Jan 2017 19:50:08 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.41.136 with HTTP; Tue, 3 Jan 2017 19:49:52 -0800 (PST)
In-Reply-To: <2691CE0099834E4A9C5044EEC662BB9D57B9C24B@dfweml501-mbb>
References: <CAF4+nEGUcm7h6VUUa-Bsx3c8XnXZvu5Tf5-Oeu5ELsCn6sogYw@mail.gmail.com> <2691CE0099834E4A9C5044EEC662BB9D57B9C24B@dfweml501-mbb>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 3 Jan 2017 22:49:52 -0500
Message-ID: <CAF4+nEH5dUDHanKK56wTVeMidx3Loi5Xs8DD_ayV4XqOZHpq9Q@mail.gmail.com>
To: Lucy yong <lucy.yong@huawei.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zJRiGB_rVxjEa-guL0E_VwhPjzY>
Cc: "draft-ietf-nvo3-use-case.all@ietf.org" <draft-ietf-nvo3-use-case.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] draft-ietf-nvo3-use-case-15 SECDIR review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 03:50:10 -0000

Hi Lucy,

On Tue, Jan 3, 2017 at 3:48 PM, Lucy yong <lucy.yong@huawei.com> wrote:
> Hi Donald,
>
>
> Thank you for the review.
>
>
> From: Donald Eastlake [mailto:d3e3e3@gmail.com]
> Sent: Tuesday, January 03, 2017 10:15 AM
> To: iesg@ietf.org; draft-ietf-nvo3-use-case.all@ietf.org
> Cc: secdir@ietf.org
> Subject: draft-ietf-nvo3-use-case-15 SECDIR review
>
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. Document
> editors and WG chairs should treat these comments just like any other last
> call comments.
>
>
> This draft described use cases for network virtualization overlay networks
> focusing on Data Center use. I think this document is Ready with issues.
>
>
> Security:
>
>
> As an Informational use case document, security is not a major focus of this
> draft. Nevertheless:
>
>
> The existing Security Considerations section says that Data Center operators
> need to provide tenants with a virtual network that is "isolated from other
> tenants' traffic as well as from underlay networks". But I don't think
> tenants can, in general, be protected from the underlay network. I would say
> that tenants are vulnerable to observation and data modification/injection
> by the operator of the underlay and should only use operators they trust.
>
> [Lucy] How about: DC operators need to provide a tenant with a secured
> virtual network, which means one tenant’s traffic is isolated from other
> tenants’ traffic and is not leaked to the underlay networks. Tenants are
> vulnerable to observation and data modification/injection by the operator of
> the underlay and should only use operators they trust.

OK.

> The existing Security Considerations section says that tenants need to be
> isolated from each other but I believe there will always be covert channels,
> based on resource contention and the like, by which tenants can communicate
> with each other and the best that can be done is to limit the bandwidth of
> such communications.
>
> [Lucy] suggested text is taken.

OK.

> Minor:
>
> "BUM" and "ASBR" used without definition or expansion.
>
> [Lucy] ack. Fix some others too.

OK.

> Wording: I think the wording is off in some places for a reader for whom
> English is their native language. See attached for suggestions. I probably
> haven't caught all the wording glitches.
>
> [Lucy] thank you very much for the correction.  Should I upload the updated
> version or wait for the feedback from other areas?

I would say that you should not update the draft while the IETF Last
Call is running. So you should at least wait until after January 11th.
And in general, after that, you should check with the document
Shepherd (Matthew Bocci) or the AD (Alia Atlas).

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> Thanks,
>
> Lucy
>
>
>
> Thanks,
> Donald
> ===============================
>  Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>  155 Beaver Street, Milford, MA 01757 USA
>  d3e3e3@gmail.com


From nobody Wed Jan  4 06:56:53 2017
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 249D91293D9 for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 06:56:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6KHHxdXS0ERY for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 06:56:44 -0800 (PST)
Received: from nm30-vm8.bullet.mail.gq1.yahoo.com (nm30-vm8.bullet.mail.gq1.yahoo.com [98.136.216.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 982F712958A for <secdir@ietf.org>; Wed,  4 Jan 2017 06:56:44 -0800 (PST)
Received: from [98.137.12.174] by nm30.bullet.mail.gq1.yahoo.com with NNFMP; 04 Jan 2017 14:56:43 -0000
Received: from [98.137.12.192] by tm13.bullet.mail.gq1.yahoo.com with NNFMP; 04 Jan 2017 14:56:43 -0000
Received: from [127.0.0.1] by omp1000.mail.gq1.yahoo.com with NNFMP; 04 Jan 2017 14:56:43 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 846030.74235.bm@omp1000.mail.gq1.yahoo.com
Received: from jws300046.mail.gq1.yahoo.com by sendmailws133.mail.gq1.yahoo.com; Wed, 04 Jan 2017 14:56:43 +0000; 1483541803.468
Date: Wed, 4 Jan 2017 14:56:43 +0000 (UTC)
From: <nalini.elkins@insidethestack.com>
To: Tero Kivinen <kivinen@iki.fi>
Message-ID: <884033410.7600072.1483541803113@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
References: <884033410.7600072.1483541803113.ref@mail.yahoo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Nt4ydmd-Zncxnfic_rNl27XfoZA>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: ESP Processing
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: nalini.elkins@insidethestack.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 14:56:46 -0000

nalini.elkins@insidethestack.com writes: 
>> New Section 3.4 
>> 
>> 3.4 Header Placement Using IPSec ESP Mode 
>> 
>>    IPSec Encapsulating Security Payload (ESP) is defined in [RFC4303] and 
>>    is widely used.  Section 3.1.1 of [RFC4303] discusses placement of 
>>    Destination Options Headers. 
>> 
>>    The placement of PDM is different depending on if ESP is used in 
>>    tunnel or transport mode. 
>> 
>>    3.4.1 Using Transport Mode 
>> 
>>    Below is the diagram from [RFC4303] discussing placement of headers. 
>> 
>>    Note that Destination Options MAY be placed before or after ESP or 
>>    both.  In transport mode, PDM MUST be placed after the ESP header so 
>>    as not to leak information. 
>> 
>>                       BEFORE APPLYING ESP
>>
>>              ---------------------------------------
>>        IPv6  |             | ext hdrs |     |      |
>>              | orig IP hdr |if present| TCP | Data |
>>              ---------------------------------------
>>
>>                       AFTER APPLYING ESP
>>              ---------------------------------------------------------
>>        IPv6  | orig |hop-by-hop,dest*,|   |dest|   |    | ESP   | ESP|
>>              |IP hdr|routing,fragment.|ESP|opt*|TCP|Data|Trailer| ICV|
>>              ---------------------------------------------------------
>>                                           |<--- encryption ---->|
>>                                       |<------ integrity ------>|
>>
>>              * = if present, could be before ESP, after ESP, or both
>> 
>> 3.4.2 Using Tunnel Mode 
>> 
>>    Below is the diagram from [RFC4303] discussing placement of headers. 
>> 
>>    Note that Destination Options MAY be placed before or after ESP or 
>>    both in both the outer set of IP headers and the inner set of IP 
>>    headers. 
>> 
>>    In tunnel mode, PDM MAY be placed before or after the ESP header 
>>    or both. 
>> 
>>                     BEFORE APPLYING ESP
>>
>>            ---------------------------------------
>>      IPv6  |             | ext hdrs |     |      |
>>            | orig IP hdr |if present| TCP | Data |
>>            ---------------------------------------
>>
>>                     AFTER APPLYING ESP
>>
>>            ------------------------------------------------------------
>>      IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
>>            |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer| ICV|
>>            ------------------------------------------------------------
>>                                |<--------- encryption ---------->|
>>                            |<------------ integrity ------------>|
>> 
>>            * = if present, construction of outer IP hdr/extensions and 
>>                modification of inner IP hdr/extensions is discussed in 
>>                the Security Architecture document. 

>For tunnel mode you could add text noting, that as the sgw will make 
>completely new IP packet, it means that PDM information for that 
>packet does not contain any information from the inner packet, i.e. 
>the PDM information will NOT be based on the TCP ports etc in the 
>inner header, but will be specific to the ESP flow. 

>If you want to see PDM information for the inner packet, the original 
>host sending the inner packet needs to put PDM header in the tunneled 
>packet, and then the PDM information will be specific for that TCP 
>stream. 

OK.

>So if the PDM header is part of "new ext hdrs*" then it specifies the 
>ESP flow, and it will not be end to end, it will only between SGSs. If 
>the PDM is part of the "orig ext hdrs*", then it will be end to end 
>PDM header, and ESP processing does not modify it at all. This 
>location is the only place, where you can get end to end information about
>the flow. 

>The first PDM header which is part of the ESP, will not separate TCP 
>flows at all, as it is for the ESP packets, thus it might not be that 
>useful, especially as there is no relation between the inbound ESP 
>packet and outbound ESP packet. The inbound ESP packet might be TCP 
>packet, and the tunneled packet is sent forward to the inner network, 
>and then the next outbound ESP packet might be from some completely 
>different host in different stream, and might be for example UDP DNS 
>packet. Having PDM information between those packets does not really 
>help debugging at all.

I think the first PDM header is, of course, not as helpful as the first.
I suppose what one has is a sense of how that stack (server / client) is
responding to various requests.

I think that might be useful.  If one sees very good service at one time
and not so good service for others, then one knows that it is not the server
or client itself that is "hung".  If that makes sense.  

Or if there is a network issue to that device.  That is the kind of thing that
I get involved in often.

Nalini
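
The placement rule in the quoted Section 3.4 text and the tunnel-mode comments above, as an added example that is not part of the thread or the draft: a Python check that walks the cleartext IPv6 extension-header chain up to ESP and reports whether a PDM destination option is exposed in front of it. The PDM option encoding (type 0x0F with 10 data octets, taken from RFC 8250), the function names, the result labels and the sample packets are assumptions or constructed for illustration.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers).
HBH, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
# Assumption: option type 0x0F with 10 octets of data, the encoding PDM was
# given when the draft was published as RFC 8250; the thread does not state it.
PDM_OPT_TYPE, PDM_OPT_LEN = 0x0F, 10


def options_in(body):
    """Yield (type, data) for each TLV option in an options-header body."""
    i = 0
    while i < len(body):
        if body[i] == 0:                      # Pad1: one octet, no length field
            i += 1
            continue
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            raise ValueError("option overruns its header")
        yield body[i], body[i + 2:i + 2 + body[i + 1]]
        i += 2 + body[i + 1]


def walk_cleartext_chain(packet):
    """Return (next-header values seen, PDM visible?) for the readable part.

    The walk ends at ESP, because everything behind its SPI and sequence
    number is ciphertext, or at the first header that is not an extension.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen, pdm = packet[6], 40, [], False
    while nxt in (HBH, ROUTING, FRAGMENT, AH, DSTOPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            size = 8
        elif nxt == AH:
            size = (packet[off + 1] + 2) * 4  # AH length: 32-bit words minus 2
        else:
            size = (packet[off + 1] + 1) * 8  # 8-octet units beyond the first
        if off + size > len(packet):
            raise ValueError("extension header overruns packet")
        if nxt == DSTOPTS:
            for opt_type, _ in options_in(packet[off + 2:off + size]):
                pdm = pdm or opt_type == PDM_OPT_TYPE
        seen.append(nxt)
        if nxt == FRAGMENT and struct.unpack_from("!H", packet, off + 2)[0] >> 3:
            return seen, pdm                  # non-first fragment: no more headers
        nxt, off = packet[off], off + size
    seen.append(nxt)
    return seen, pdm


def classify(packet, sa_mode):
    """Apply the quoted placement text; sa_mode comes from the SA, not the wire."""
    if sa_mode not in ("transport", "tunnel"):
        raise ValueError("sa_mode must be 'transport' or 'tunnel'")
    seen, pdm = walk_cleartext_chain(packet)
    if seen[-1] != ESP:
        return "no-esp"             # the ESP placement section does not apply
    if not pdm:
        return "nothing-exposed"    # any PDM sits behind the ESP header
    if sa_mode == "transport":
        return "transport-leak"     # breaks "MUST be placed after the ESP header"
    return "outer-flow-pdm"         # tunnel: describes the ESP flow between gateways


# --- Constructed sample packets (documentation-prefix addresses, dummy ESP) ---
def ipv6(next_header, payload):
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


def dstopts_with_pdm(next_header):
    pdm = bytes([PDM_OPT_TYPE, PDM_OPT_LEN]) + bytes(PDM_OPT_LEN)  # zeroed metrics
    return bytes([next_header, 1]) + pdm + bytes([1, 0])           # PadN to 16 octets


ESP_STUB = struct.pack("!II", 0x1000, 1) + bytes(24)  # SPI, sequence, fake ciphertext
PDM_BEFORE_ESP = ipv6(DSTOPTS, dstopts_with_pdm(ESP) + ESP_STUB)
ESP_ONLY = ipv6(ESP, ESP_STUB)
PDM_NO_ESP = ipv6(DSTOPTS, dstopts_with_pdm(6) + bytes(20))       # 6 = TCP

if __name__ == "__main__":
    samples = [("PDM_BEFORE_ESP", PDM_BEFORE_ESP), ("ESP_ONLY", ESP_ONLY),
               ("PDM_NO_ESP", PDM_NO_ESP)]
    for name, pkt in samples:
        for mode in ("transport", "tunnel"):
            print(name, mode, classify(pkt, mode))
```

Whether an SA runs in transport or tunnel mode cannot be read off the wire, because ESP's own Next Header field sits in the encrypted trailer, so the caller supplies the mode from the SA configuration.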


From nobody Wed Jan  4 09:37:56 2017
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69472129697; Wed,  4 Jan 2017 09:37:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.622
X-Spam-Level: 
X-Spam-Status: No, score=-17.622 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7xrR_-HziSg; Wed,  4 Jan 2017 09:37:54 -0800 (PST)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2453D12968D; Wed,  4 Jan 2017 09:37:54 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.33,459,1477958400"; d="scan'208";a="188079869"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Jan 2017 17:37:53 +0000
Received: from XCH-RTP-005.cisco.com (xch-rtp-005.cisco.com [64.101.220.145]) by alln-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id v04HbqDY006700 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 4 Jan 2017 17:37:53 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-005.cisco.com (64.101.220.145) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 4 Jan 2017 12:37:52 -0500
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1210.000; Wed, 4 Jan 2017 12:37:52 -0500
From: "Brian Weis (bew)" <bew@cisco.com>
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-sidr-adverse-actions.all@tools.ietf.org" <draft-ietf-sidr-adverse-actions.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-sidr-adverse-actions-03
Thread-Index: AQHSZrFGyP8oViwbEkKwjJSI9pFi2w==
Date: Wed, 4 Jan 2017 17:37:52 +0000
Message-ID: <92CD5332-0DA4-4DD9-8973-17D0597A2696@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.19.191.172]
Content-Type: text/plain; charset="utf-8"
Content-ID: <4B20C8693C376045A3B028F57F9A2F04@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Ro20P04lGSg2-nldZmzZL1TLY94>
Subject: [secdir] SecDir review of draft-ietf-sidr-adverse-actions-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 17:37:55 -0000

From nobody Wed Jan  4 11:23:46 2017
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9DF3129A81 for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 11:23:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0KQce1wntCT for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 11:23:41 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D451299B3 for <secdir@ietf.org>; Wed,  4 Jan 2017 11:23:41 -0800 (PST)
Received: from [10.32.60.33] (50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id v04JMqJw013156 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <secdir@ietf.org>; Wed, 4 Jan 2017 12:22:53 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163] claimed to be [10.32.60.33]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: secdir <secdir@ietf.org>
Date: Wed, 04 Jan 2017 11:23:38 -0800
Message-ID: <164C5B0F-1606-4D8D-BB34-1FF9F8DA7081@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.6r5319)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WeLNcFkm6D-J46aPTaUxdOj3hSY>
Subject: [secdir] SecDir review of draft-ietf-bfcpbis-sdp-ws-uri
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 19:23:45 -0000

This document specifies extensions to SDP that can be used by 
application protocols (most likely SIP endpoints) that rely on WebSocket 
as a transport. For this, they need a URI that will appear in an SDP 
attribute.

The Security Considerations section of the document adequately covers 
the problems with creating this SDP attribute to carry the URI, namely 
that SDP can be run either with or without authentication in the message 
and transport. The security considerations say that the entities SHOULD 
use S/MIME and TLS for these; these common-sense suggestions apply to all 
use of SDP, and are no more important here than for other uses of SDP.

--Paul Hoffman


From nobody Wed Jan  4 16:52:11 2017
Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87DEF1294B0 for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 16:52:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VCLHiqnVsi1q for <secdir@ietfa.amsl.com>; Wed,  4 Jan 2017 16:52:06 -0800 (PST)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ADC71294A5 for <secdir@ietf.org>; Wed,  4 Jan 2017 16:52:05 -0800 (PST)
Received: by mail-qk0-x234.google.com with SMTP id s140so5545979qke.0 for <secdir@ietf.org>; Wed, 04 Jan 2017 16:52:05 -0800 (PST)
X-Received: by 10.55.125.194 with SMTP id y185mr67229649qkc.38.1483577524324;  Wed, 04 Jan 2017 16:52:04 -0800 (PST)
Received: from [172.16.0.92] (pool-173-73-120-80.washdc.east.verizon.net. [173.73.120.80]) by smtp.gmail.com with ESMTPSA id 53sm47101653qtm.5.2017.01.04.16.52.02 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 04 Jan 2017 16:52:03 -0800 (PST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <be05d9e5-6099-ed76-455a-0619fa28ef32@gmx.com>
Date: Wed, 4 Jan 2017 19:52:00 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <A863C898-CEC6-481E-9140-AE010B9B918F@sn3rd.com>
References: <148328799488.25220.17994465220699555250.idtracker@ietfa.amsl.com> <A876AE38-EFC6-48DC-955F-510CEEA4DB43@sn3rd.com> <be05d9e5-6099-ed76-455a-0619fa28ef32@gmx.com>
To: Yaron Sheffer <yaronf@gmx.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8vKj_puaWW9tmsuTFie17XBHKqs>
Cc: sidr@ietf.org, draft-ietf-sidr-bgpsec-pki-profiles.all@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-ietf-sidr-bgpsec-pki-profiles-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 00:52:07 -0000

> On Jan 3, 2017, at 16:47, Yaron Sheffer <yaronf@gmx.com> wrote:
>
> Hi Sean,
>
> Please see below.
>
> On 03/01/17 18:12, Sean Turner wrote:
>> Yaron,
>>
>> Thanks for the review.
>>
>>
>>> On Jan 1, 2017, at 11:26, Yaron Sheffer <yaronf@gmx.com> wrote:
>>>
>>> Reviewer: Yaron Sheffer
>>> Review result: Has Nits
>>>
>>> * 3.1.1: The serial number in RFC 6487 is still a real, unique serial
>>> number that uniquely identifies the certificate. Here it is used as
>>> something other than a serial number, which is explicitly NOT unique,
>>> and the CA is left to decide how to make it unique in the face of
>>> potentially repeating BGP IDs. If this is not a real issue (e.g.
>>> because duplicate IDs are rare and never within a RIR), please say
>>> so.
>>>
>> As Rob pointed out this paragraph is talking about the serial number naming attribute.  Maybe something like:
>>
>> r/only two attributes/only two naming attributes
>> and
>> r/common name and serial number/common name (i.e., X520CommonName) and serial number (i.e., X520SerialNumber)
>>
>> People ought to then be able to track down the definitions.
>>
> I'm good with these changes. However, according to Randy's response to my review, the text later on is subtly incorrect (or at least misleading). Router IDs are not globally unique, but the combination of AS Number and Router ID is in fact globally unique.

This bit is now OBE based on Stephen’s discuss.

>>> * 3.2: earlier we said that Basic Constraints must not be included in
>>> the EE cert. Now we are saying that only a particular boolean flag
>>> must not be honored when processing the Cert Request. What happens if
>>> Basic Constraints is included in the Cert Request but with other
>>> flags?
>>>
>> The CA is ultimately the one who decides what gets issued.  A good CA would know to only issue properly formatted BGPsec certificates either by ignoring the improperly requested “feature" or rejecting it outright.  Since these CAs really aren’t open CAs then the CA ought not get caught off-guard with requests.
> I'm not sure I understand. Why not give a consistent advice to EEs and CAs, e.g., reject any request that includes any Basic Constraints.

So there’s really no good way to put this but it’s primarily because the common PKCS#10/PKCS#7 dance doesn’t support errors; it’s either success or silence.  It’s better to assume they’ve dorked their request and to give ‘em a proper certificate.  Remember these CAs are pretty clued into what’s going on here this isn’t the webPKI.

>>> * 3.3: ID.sidr-rfc6485bis -> RFC 7935
>>>
>> drat I missed one.
>>
>>
>>> * 6: in the paragraph that discusses hash functions, please spell out
>>> the names of the two key identifiers, because I cannot determine what
>>> they are from the document.
>>>
>> Ack they’re the key identifiers in the cert: Subject Key Identifier and Issuer Key Identifier
>>
>> r/two key identifier extensions./two key identifier extensions (i.e., Subject Key Identifier and Issuer Key Identifier)
>>
> Yes.
>>
>> spt
>>
>


From nobody Wed Jan  4 19:42:37 2017
Return-Path: <dacheng.zhang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 226DA129448; Wed,  4 Jan 2017 19:42:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.32
X-Spam-Level: 
X-Spam-Status: No, score=-7.32 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yUaxttD5VkL5; Wed,  4 Jan 2017 19:42:35 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39DF6126CD8; Wed,  4 Jan 2017 19:42:35 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml708-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CYG60084; Thu, 05 Jan 2017 03:42:33 +0000 (GMT)
Received: from SZXEMI412-HUB.china.huawei.com (10.86.210.35) by lhreml708-cah.china.huawei.com (10.201.5.202) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 5 Jan 2017 03:42:32 +0000
Received: from SZXEMI502-MBX.china.huawei.com ([169.254.5.216]) by szxemi412-hub.china.huawei.com ([10.86.210.35]) with mapi id 14.03.0235.001; Thu, 5 Jan 2017 11:42:28 +0800
From: zhangdacheng <dacheng.zhang@huawei.com>
To: secdir <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-ecrit-ecall-21
Thread-Index: AdJnBG+gbmu/FF/IT9OUyRIsRQ3NAg==
Date: Thu, 5 Jan 2017 03:42:27 +0000
Message-ID: <879E76B64CF340468BF5E4DE504C2242C1364E@szxemi502-mbx.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.130.167.227]
Content-Type: multipart/alternative; boundary="_000_879E76B64CF340468BF5E4DE504C2242C1364Eszxemi502mbxchina_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.586DC0A9.01CD, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.5.216, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 86924388571e4f5a55be8152775f17b1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1evnF7J7mKKbsa-puc7u1ETQEiU>
Cc: "draft-ietf-ecrit-ecall.all@ietf.org" <draft-ietf-ecrit-ecall.all@ietf.org>, The IESG <iesg@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-ecrit-ecall-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 03:42:37 -0000

--_000_879E76B64CF340468BF5E4DE504C2242C1364Eszxemi502mbxchina_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.


The security considerations cite multiple RFCs. In those RFCs, the security
issues related to this work are extensively discussed, although I have to
look up those RFCs to find out how to deal with, for example, DDoS attacks.

I think it would be really helpful if authors can briefly introduce what
issues are discussed in those RFCs. Apart from this, this document is ready
for publication.


--_000_879E76B64CF340468BF5E4DE504C2242C1364Eszxemi502mbxchina_--


From nobody Wed Jan  4 19:46:15 2017
Return-Path: <frank.xialiang@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E27FF129526; Wed,  4 Jan 2017 19:46:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.32
X-Spam-Level: 
X-Spam-Status: No, score=-7.32 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpYjyfVpslKW; Wed,  4 Jan 2017 19:46:08 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5792712988C; Wed,  4 Jan 2017 19:36:45 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CYG59598; Thu, 05 Jan 2017 03:36:43 +0000 (GMT)
Received: from SZXEMA417-HUB.china.huawei.com (10.82.72.34) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 5 Jan 2017 03:36:42 +0000
Received: from SZXEMA502-MBS.china.huawei.com ([169.254.4.53]) by SZXEMA417-HUB.china.huawei.com ([10.82.72.34]) with mapi id 14.03.0235.001; Thu, 5 Jan 2017 11:36:36 +0800
From: "Xialiang (Frank)" <frank.xialiang@huawei.com>
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ecrit-car-crash.all@tools.ietf.org" <draft-ietf-ecrit-car-crash.all@tools.ietf.org>
Thread-Topic: [secdir] SecDir review of draft-ietf-ecrit-car-crash-20
Thread-Index: AdJnBOiI2uOclm7mRIGNPgfQq8n+vw==
Date: Thu, 5 Jan 2017 03:36:35 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12B099E25@SZXEMA502-MBS.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.135.43.91]
Content-Type: multipart/alternative; boundary="_000_C02846B1344F344EB4FAA6FA7AF481F12B099E25SZXEMA502MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.586DBF4B.025D, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.4.53, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 0a215eadc670b448717f5bd47445141b
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pkXwWFoWPOy_bYSwxoJ2_idIHeE>
Subject: [secdir]  SecDir review of draft-ietf-ecrit-car-crash-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 03:46:10 -0000

--_000_C02846B1344F344EB4FAA6FA7AF481F12B099E25SZXEMA502MBSchi_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello,
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document describes how to use IP-based emergency services mechanisms to
support the next generation of emergency calls placed by vehicles and
conveying vehicle, sensor, and location data related to the crash or
incident. Compared to the ECRIT basic drafts [draft-ietf-ecrit-ecall]
[RFC7852], this extension draft mostly reuses the same technical aspects of
the basic drafts, with the introduction of some new things: a new set of
vehicle (crash) data -- the Vehicle Emergency Data Set (VEDS), new attribute
values to the metadata/control object, a new SIP INFO package of the VEDS
MIME type, etc.

Since most technical aspects of this draft are unchanged from the basic
drafts, all the security considerations in them apply to this draft as well.
The security consideration in [RFC5069] applies to this draft too. And these
basic drafts already have very comprehensive and detailed considerations
about privacy and security threats. Regarding the newly introduced data and
action values, this draft discusses the general security mechanisms to
protect their CIA (e.g., certificate, encryption, ...) too. In summary, I
have no more security issues.

Summary: this document appears in reasonably good shape, and is written
well. I think it is ready.

Thanks!
B.R.
Frank

--_000_C02846B1344F344EB4FAA6FA7AF481F12B099E25SZXEMA502MBSchi_--


From nobody Thu Jan  5 02:47:04 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2415212969F for <secdir@ietf.org>; Thu,  5 Jan 2017 02:47:03 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: "Tero Kivinen" <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148361322311.20649.7151825142474849351.idtracker@ietfa.amsl.com>
Date: Thu, 05 Jan 2017 02:47:03 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LjFW6u5rwUnABmC65-6d_eqG9hY>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 10:47:03 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-01-05

Reviewer               LC end     Draft
Ólafur Guðmundsson     2017-01-03 draft-ietf-ospf-ttz-05
Matt Lepinski          2016-12-14 draft-ietf-avtext-avpf-ccm-layered-03
Eric Osterweil         2016-12-19 draft-ietf-i2rs-yang-network-topo-10

For telechat 2017-01-19

Reviewer               LC end     Draft
Derek Atkins           2017-01-06 draft-ietf-6man-rdnss-rfc6106bis-14
Shaun Cooley           2017-01-11 draft-ietf-rtgwg-rlfa-node-protection-10
Shawn Emery            2017-01-10 draft-ietf-trill-rfc6439bis-03
Daniel Franke          2017-01-09 draft-ietf-trill-directory-assist-mechanisms-10
Dan Harkins            2017-01-12 draft-ietf-clue-rtp-mapping-10
Hilarie Orman          2017-01-17 draft-ietf-i2rs-yang-l3-topology-08
Carl Wallace           2017-01-11 draft-ietf-bfcpbis-bfcp-websocket-13
David Waltermire       2017-01-10 draft-ietf-sidr-rpki-oob-setup-05
Paul Wouters           2017-01-06 draft-ietf-sidr-publication-09

For telechat 2017-02-02

Reviewer               LC end     Draft
Steve Hanna            2017-01-12 draft-ietf-softwire-dslite-multicast-14
Christopher Inacio     2017-01-12 draft-ietf-softwire-multicast-prefix-option-11
Leif Johansson         2017-01-17 draft-ietf-teas-p2mp-loose-path-reopt-08
Simon Josefsson        2017-01-17 draft-ietf-teas-gmpls-resource-sharing-proc-06
Benjamin Kaduk         2017-01-17 draft-ietf-mpls-residence-time-12
Charlie Kaufman        2017-01-17 draft-ietf-lisp-type-iana-04

For telechat 2017-02-16

Reviewer               LC end     Draft
Scott Kelly            2017-01-16 draft-ietf-dnsop-edns-key-tag-03

Last calls:

Reviewer               LC end     Draft
Alan DeKok             2016-04-30 draft-bradner-rfc3979bis-08
Phillip Hallam-Baker   2016-12-30 draft-ietf-ipsecme-rfc4307bis-15
Christian Huitema     R2017-01-06 draft-ietf-kitten-krb-auth-indicator-06
Matthew Miller         2017-01-13 draft-harkins-owe-05
Sandra Murphy          2016-12-20 draft-ietf-6tisch-minimal-17
Melinda Shore          2017-01-09 draft-holmberg-dispatch-mcptt-rp-namespace-03
Hannes Tschofenig      2017-01-16 draft-murchison-webdav-prefer-12
Tina Tsou              2017-01-13 draft-ietf-payload-melpe-04
Sean Turner            2017-01-13 draft-ietf-insipid-logme-reqs-11

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-cms-for-nts-message-06
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-network-time-security-15
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-using-nts-for-ntp-07
Brian Weis             2016-02-01 draft-ietf-cdni-uri-signing-10

Next in the reviewer rotation:

  Stephen Kent
  Tero Kivinen
  Warren Kumari
  Watson Ladd
  Ben Laurie
  Barry Leiba
  Matt Lepinski
  Chris Lonvick
  David Mandelberg
  Catherine Meadows


From nobody Thu Jan  5 07:14:17 2017
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBC4D129B51 for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 07:14:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZOfC7hfIY4ng for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 07:14:13 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0A68129B4A for <secdir@ietf.org>; Thu,  5 Jan 2017 07:14:12 -0800 (PST)
Received: from xsmtp05.mail2web.com ([168.144.250.245]) by mx43.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cP9k1-00058B-Up for secdir@ietf.org; Thu, 05 Jan 2017 16:14:11 +0100
Received: from [10.5.2.52] (helo=xmail12.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1cP9jv-0008BW-62 for secdir@ietf.org; Thu, 05 Jan 2017 10:14:08 -0500
Received: (qmail 21929 invoked from network); 5 Jan 2017 15:14:02 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[172.56.38.210]) (envelope-sender <huitema@huitema.net>) by xmail12.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-kitten-krb-auth-indicator.all@ietf.org>; 5 Jan 2017 15:14:00 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Benjamin Kaduk'" <kaduk@mit.edu>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org>
In-Reply-To: <20170103062001.GN8460@kduck.kaduk.org>
Date: Thu, 5 Jan 2017 07:13:55 -0800
Message-ID: <00c901d26766$566e9ae0$034bd0a0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQEaPs7iLwqOaTNknblhLQFEtN95CQJSROSwAhA+0NaidzjJMA==
X-Originating-IP: 168.144.250.245
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.05)
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
X-Recommended-Action: accept
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SOrxGsJvvzo6mo1zgCZzT8khyVY>
Cc: npmccallum@redhat.com, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, nkinder@redhat.com, 'IESG' <iesg@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 15:14:15 -0000

Thanks for the corrections. I checked the new draft version,
draft-ietf-kitten-krb-auth-indicator-06, and the changes address my concern.
The new section "4.  Assigned Numbers" provides a clear update to RFC 4120,
and the added paragraph in the security section addresses cross-realm
indicator collisions.

One point, though. The new section 4 states:

   o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
      the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".

Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped in a
CAMMAC container"?

-- Christian Huitema



-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk@mit.edu] 
Sent: Monday, January 2, 2017 10:20 PM
To: Christian Huitema <huitema@huitema.net>
Cc: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>;
draft-ietf-kitten-krb-auth-indicator.all@ietf.org; nkinder@redhat.com;
npmccallum@redhat.com
Subject: Re: [secdir] SECDIR review of
draft-ietf-kitten-krb-auth-indicator-04

Hi Christian,

Thanks for the review!

On Sat, Dec 31, 2016 at 06:39:21PM -0800, Christian Huitema wrote:
> Copying to Nathan Kinder and Nathaniel McCallum, since their mail server
> rejects messages relayed by the IETF server.
> 
> -----Original Message-----
> From: secdir [mailto:secdir-bounces@ietf.org] On Behalf Of Christian Huitema
> Sent: Saturday, December 31, 2016 6:20 PM
> To: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>;
> draft-ietf-kitten-krb-auth-indicator.all@ietf.org
> Subject: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
> 
[...]
> The document is almost ready, but I wish a few issues were addressed before
> publication.
> 
> My first issue is that the document describes an update to the Kerberos
> protocol specification, RFC 4120, but does not define the specific way in
> which RFC 4120 is updated. Could the draft be updated to include something
> like the section "6. Assigned Numbers" of RFC 7751? If I understand
> correctly, the changes are a new ad-type number 97, pointing to a CAMMAC
> container, in which the "elements" are encoded according to the syntax
> specified in Appendix A of the draft. Having that explained succinctly
> would help future readers.

I noticed the "Updates but doesn't really update" issue while preparing the
shepherd review, and opted to leave in the "Updates" marker since it's
probably something an implementor of 4120 should know about.
The "Assigned Numbers" section is a good idea, thanks for pointing it out
(and yes, you understand correctly).

Authors, can you prepare another update?

> My second issue is with the use of site-defined strings. I understand that
> the site defined strings are defined by the administrator of a realm. What
> happens if these strings appear outside the original realm, for example in
> an environment connecting multiple realms? Don't we have a potential there
> for name collision? Should there not be some guidance to implementers? 

There is maybe some potential for confusion, though not, I think, at the
protocol level.  The authentication indicator should always originate from
the realm of original authentication, which is the realm of the client
principal (in general).  Even with some of the more exotic flows, like
anonymous (or semi-anonymous) principals and making cross-realm TGS
requests for foreign-realm TGTs, the client principal's realm is unchanged,
so at a protocol level, the meaning of "this realm asserts that this
authentication mechanism was used" remains clear.  The confusion is when
applications just check strings against a table without special-casing
foreign-realm principals (which is likely to happen and the natural thing
for application authors to do; I am not trying to belittle the issue
you raised).

In many cases, cross-realm operations occur when the administrators
of the different realms are tightly coordinated (or even the same
group), in which case they probably use the same semantics for the
authentication indicator.  In cases where the administrators of the
different realms are genuinely different organizations, there are already
risks for application services in such realms, such as for applications
that grant access to "valid user".  That said, the authentication indicator
does introduce a new type of risk, and it is appropriate to have some
text about it in the security considerations.

Authors, do you think you can come up with text, or should one of us
try to make a contribution?

> I note that the proposed short string syntax forbids use of the ":"
> character in site-defined strings. Did the WG look at the consequences of
> that choice? If site administrators cannot use the URI like syntax, what
> is the preferred way of defining unique strings and preventing collisions?

I don't think the WG looked at the consequences, no -- IIRC this requirement
was introduced at my urging due to the shepherd review, in order to
avoid conflict between the two classes of possible values.  If URIs must
be LoA profiles and site-local values must be not-URIs, then there is
no conflict.

My expectation is that what will happen in practice is that the site-local
short strings will actually be implementation-local, and the name of the
preauthentication plugin or module will be used, like "otp" or "pkinit"
or "spake".  I don't expect anyone to try to make globally unique values,
but of course there are always options like UUIDs or using alternate
separator characters for those who wish to try.  (It is debatable whether
UUIDs count as "short", but there is no enforcement on "short", so
they are in practice fair game.)

> What are application services supposed to do when they encounter URI or
> site-defined strings that they do not understand?

The same thing they do now (in practice) when receiving other unknown
authorization data types: ignore it.  (This is in violation of the
spec, that says unknown types should be treated as critical unless
wrapped in AD-IF-RELEVANT, but that behavior is not implemented in the
major implementations.)  That may end up being a default-deny or
default-permit mode, depending on the application service's configuration.

> The ASN.1 syntax defines the element as a "SEQUENCE OF UTF8String". The
> document mentions that "Each UTF8String value is a short string". How
> short exactly should these strings be? How many of them should an application
> expect in the "SEQUENCE OF" element? The syntax itself does not constrain
> the length or number of these strings. Are we not worried with potential
> interoperability issues? Could this be abused in some attacks? Should the
> security considerations mention that?

If I remember the history of the document correctly, there is intentionally
no limit.  URIs for LoA profiles could end up being pretty long, and
there was a desire to not artificially limit those; it doesn't seem
worth complicating the semantics of the indicator just to impose a length
restriction on the non-URI strings.  As far as the number of elements in
the sequence, in practice there is probably no issue, since the
authentication indicator is issued by the KDC in response to the actual
authentication that occurred -- well-behaved KDCs should only include
as many strings as authentication methods were used (which is in practice
one or two at the moment, and probably not going to get much above three
ever).  There is always the concern about a client parsing
untrusted/unvalidated input, but the consumer should be validating the
MAC(s) in the CAMMAC container before parsing, and the implementation
ticket size (and similar) constraints will also limit the possible
size here.

So, probably no attacks (absent compromised KDCs, which have other
ways to wreak havoc) and probably no need for security consideration
mention.  I can't come up with any potential interoperability issues,
either, but I didn't spend a whole lot of time thinking about it.

Thanks again,

Ben
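
The realm-scoping point made in this message (applications checking indicator strings against a table without special-casing foreign-realm principals, and ignoring strings they do not understand), as an added Python example that is not part of the original e-mail or of the draft. The policy layout, realm names, URI and function names are assumptions constructed for illustration.

```python
from typing import NamedTuple


class Decision(NamedTuple):
    allowed: bool
    matched: tuple   # indicators the policy recognised
    ignored: tuple   # indicators the policy did not recognise


# Constructed policy for one application service (hypothetical layout).
POLICY = {
    # Realms whose KDC assertions this service is willing to consider at all.
    "trusted_realms": frozenset({"EXAMPLE.COM", "PARTNER.EXAMPLE"}),
    # URI indicators (they contain ":") name LoA profiles; matched in any trusted realm.
    "uri": frozenset({"https://loa.example/profiles/high"}),
    # Site-defined short strings, keyed by the realm whose administrator defined them.
    "site": {"EXAMPLE.COM": frozenset({"otp", "pkinit"})},
}


def naive_check(indicators, table):
    """The pattern the thread warns about: a flat table, realm ignored."""
    return any(ind in table for ind in indicators)


def evaluate(client_realm, indicators, policy=POLICY):
    """Scope site-defined strings to the client principal's realm; default-deny."""
    if client_realm not in policy["trusted_realms"]:
        return Decision(False, (), tuple(indicators))
    site_strings = policy["site"].get(client_realm, frozenset())
    matched, ignored = [], []
    for ind in indicators:
        # The ":" rule separates the two classes of values, so they cannot collide.
        known = policy["uri"] if ":" in ind else site_strings
        (matched if ind in known else ignored).append(ind)
    # Unknown indicators are ignored, and nothing recognised means no access.
    return Decision(bool(matched), tuple(matched), tuple(ignored))


if __name__ == "__main__":
    flat = {"otp", "pkinit"}
    for realm in ("EXAMPLE.COM", "PARTNER.EXAMPLE"):
        print(realm, naive_check(["otp"], flat), evaluate(realm, ["otp"]))
```

The same "otp" string passes the flat table for both realms, while the realm-scoped check accepts it only from the realm whose administrator defined it.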


From nobody Thu Jan  5 11:12:41 2017
Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C84D129640; Thu,  5 Jan 2017 11:12:34 -0800 (PST)
X-Quarantine-ID: <N23SODGAmOnO>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level: 
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N23SODGAmOnO; Thu,  5 Jan 2017 11:12:33 -0800 (PST)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id 9F08A129646; Thu,  5 Jan 2017 11:12:28 -0800 (PST)
Received: from [192.168.202.67] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Thu, 5 Jan 2017 11:11:38 -0800
Mime-Version: 1.0
Message-Id: <p06240605d4944afd3ed4@[192.168.202.67]>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F12B099E25@SZXEMA502-MBS.china.huawei.com>
References: <C02846B1344F344EB4FAA6FA7AF481F12B099E25@SZXEMA502-MBS.china.huawei.com>
X-Mailer: Eudora for Mac OS X
Date: Thu, 5 Jan 2017 11:12:23 -0800
To: "Xialiang (Frank)" <frank.xialiang@huawei.com>, secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ecrit-car-crash.all@tools.ietf.org" <draft-ietf-ecrit-car-crash.all@tools.ietf.org>
From: Randall Gellens <rg+ietf@randy.pensive.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Random-Sig-Tag: 1.0b28
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8t70O04lTUnHjv8ebuGemABtexk>
Subject: Re: [secdir] SecDir review of draft-ietf-ecrit-car-crash-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 19:12:34 -0000

Hi Frank,

Thank you for your review.

--Randy

At 3:36 AM +0000 1/5/17, Xialiang (Frank) wrote:

>  Hello,
>  I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should 
> treat these comments just like any other last call comments.
>
>  This document describes how to use IP-based emergency services 
> mechanisms to support the next generation of emergency calls placed 
> by vehicles and conveying vehicle, sensor, and location data 
> related to the crash or incident. Compared to the ECRIT basic 
> drafts [draft-ietf-ecrit-ecall] [RFC7852], this extension draft 
> mostly reuses the same technical aspects of the basic drafts, with 
> the introduction of some new things: a new set of vehicle (crash) 
> data -- the Vehicle Emergency Data Set (VEDS), new attribute values 
> to the metadata/control object, a new SIP INFO package of the VEDS 
> MIME type, etc.
>
>  Since most technical aspects of this draft are unchanged from the 
> basic drafts, all the security considerations in them apply to 
> this draft as well. The security consideration in [RFC5069] applies 
> to this draft too. And these basic drafts already have very 
> comprehensive and detailed considerations about privacy and 
> security threats. Regarding the newly introduced data and action 
> values, this draft discusses the general security mechanisms to 
> protect their CIA (e.g., certificate, encryption, ...) too. In 
> summary, I have no more security issues.
>
>  Summary: this document appears in reasonably good shape, and is 
> written well. I think it is ready.
>
>  Thanks!
>  B.R.
>  Frank


-- 
Randall Gellens
Opinions are personal;    facts are suspect;    I speak for myself only
-------------- Randomly selected tag: ---------------
If you would look up bad labor relations in the dictionary, you
would have an American Airlines logo beside it.
    --U.S. District Judge Joe Kendall, issuing a restraining order
against an American Airlines APA pilot union sick out, 10 Feb 1999.


From nobody Thu Jan  5 11:20:24 2017
Return-Path: <rg+ietf@randy.pensive.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3192C12962A; Thu,  5 Jan 2017 11:20:17 -0800 (PST)
X-Quarantine-ID: <gkM3R9x1mMwn>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "MIME-Version"
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level: 
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkM3R9x1mMwn; Thu,  5 Jan 2017 11:20:16 -0800 (PST)
Received: from turing.pensive.org (turing.pensive.org [99.111.97.161]) by ietfa.amsl.com (Postfix) with ESMTP id 5C30812961F; Thu,  5 Jan 2017 11:20:16 -0800 (PST)
Received: from [192.168.202.67] (99.111.97.161) by turing.pensive.org with ESMTP (EIMS X 3.3.9); Thu, 5 Jan 2017 11:19:25 -0800
Mime-Version: 1.0
Message-Id: <p06240607d4944caaa33c@[192.168.202.67]>
In-Reply-To: <879E76B64CF340468BF5E4DE504C2242C1364E@szxemi502-mbx.china.huawei.com>
References: <879E76B64CF340468BF5E4DE504C2242C1364E@szxemi502-mbx.china.huawei.com>
X-Mailer: Eudora for Mac OS X
Date: Thu, 5 Jan 2017 11:20:09 -0800
To: zhangdacheng <dacheng.zhang@huawei.com>, secdir <secdir@ietf.org>
From: Randall Gellens <rg+ietf@randy.pensive.org>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Random-Sig-Tag: 1.0b28
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ePVZHVr5GjcoBY3YFcQaElPEbsw>
Cc: "draft-ietf-ecrit-ecall.all@ietf.org" <draft-ietf-ecrit-ecall.all@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ecrit-ecall-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 19:20:17 -0000

At 3:42 AM +0000 1/5/17, zhangdacheng wrote:

>  I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should 
> treat these comments just like any other last call comments.
>
>
>  The security considerations cite multiple RFCs. In those RFCs, the 
> security issues related to this work are extensively discussed, 
> although I have to look up those RFCs to find out how to deal with, 
> for example, DDoS attacks.
>
>  I think it would be really helpful if authors can briefly introduce 
> what issues are discussed in those RFCs. Apart from this, this 
> document is ready for publication.

Thank you for your review, I appreciate it.  I added some text to 
mention the issues covered by RFC 5069, which I took to be the focus 
of your suggestion.

--Randy

-- 
Randall Gellens
Opinions are personal;    facts are suspect;    I speak for myself only
-------------- Randomly selected tag: ---------------
If you can't annoy somebody there's little point in writing --Kingsley Amis


From nobody Thu Jan  5 11:47:45 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 444CB129654; Thu,  5 Jan 2017 11:47:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.301
X-Spam-Level: 
X-Spam-Status: No, score=-7.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ziZHGatVHtu; Thu,  5 Jan 2017 11:47:36 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67443129653; Thu,  5 Jan 2017 11:47:36 -0800 (PST)
X-AuditID: 12074425-80fff70000001995-49-586ea2d7c2d9
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 61.0C.06549.7D2AE685; Thu,  5 Jan 2017 14:47:35 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id v05JlX8R011228; Thu, 5 Jan 2017 14:47:34 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v05JlTRQ027616 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 5 Jan 2017 14:47:31 -0500
Date: Thu, 5 Jan 2017 13:47:29 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Christian Huitema <huitema@huitema.net>
Message-ID: <20170105194728.GU8460@kduck.kaduk.org>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <00c901d26766$566e9ae0$034bd0a0$@huitema.net>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ovLABKuq8dzH4-rmyesdnP9Nljo>
Cc: 'secdir' <secdir@ietf.org>, nkinder@redhat.com, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, npmccallum@redhat.com, kitten@ietf.org, 'IESG' <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 19:47:39 -0000

On Thu, Jan 05, 2017 at 07:13:55AM -0800, Christian Huitema wrote:
> Thanks for the corrections. I checked the new draft version,
> draft-ietf-kitten-krb-auth-indicator-06, and the changes address my concern.
> The new section "4.  Assigned Numbers" provides a clear update to RFC 4120,
> and the added paragraph in the security section addresses cross-realm
> indicator collisions.

Thanks for finding the new document -- I was going to send you a pointer
today to confirm that it addressed your concerns, but you beat me to it.

> One point, though. The new section 4 states:
> 
>    o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
>       the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".
> 
> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped in a
> CAMMAC container"?

I don't think so, but will loop in the WG to confirm.
The ad-type should indicate what is immediately inside the next encoding
layer of the ad-data.  So a Ticket might have an AuthorizationData that
contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
the lowest level, and correspond to ad-data that's just the
AD-AUTHENTICATION-INDICATOR itself.

But thanks again for double-checking!

-Ben

> 
> 
> 
> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk@mit.edu] 
> Sent: Monday, January 2, 2017 10:20 PM
> To: Christian Huitema <huitema@huitema.net>
> Cc: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>;
> draft-ietf-kitten-krb-auth-indicator.all@ietf.org; nkinder@redhat.com;
> npmccallum@redhat.com
> Subject: Re: [secdir] SECDIR review of
> draft-ietf-kitten-krb-auth-indicator-04
> 
> Hi Christian,
> 
> Thanks for the review!
> 
> On Sat, Dec 31, 2016 at 06:39:21PM -0800, Christian Huitema wrote:
> > Copying to Nathan Kinder and Nathaniel McCallum, since their mail server
> > rejects messages relayed by the IETF server.
> > 
> > -----Original Message-----
> > From: secdir [mailto:secdir-bounces@ietf.org] On Behalf Of Christian Huitema
> > Sent: Saturday, December 31, 2016 6:20 PM
> > To: 'IESG' <iesg@ietf.org>; 'secdir' <secdir@ietf.org>;
> > draft-ietf-kitten-krb-auth-indicator.all@ietf.org
> > Subject: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
> > 
> [...]
> > The document is almost ready, but I wish a few issues were addressed before
> > publication.
> > 
> > My first issue is that the document describes an update to the Kerberos
> > protocol specification, RFC 4120, but does not define the specific way in
> > which RFC 4120 is updated. Could the draft be updated to include something
> > like the section "6. Assigned Numbers" of RFC 7751? If I understand
> > correctly, the changes are a new ad-type number 97, pointing to a CAMMAC
> > container, in which the "elements" are encoded according to the syntax
> > specified in Appendix A of the draft. Having that explained succinctly
> > would help future readers.
> 
> I noticed the "Updates but doesn't really update" issue while preparing the
> shepherd review, and opted to leave in the "Updates" marker since it's
> probably something an implementor of 4120 should know about.
> The "Assigned Numbers" section is a good idea, thanks for pointing it out
> (and yes, you understand correctly).
> 
> Authors, can you prepare another update?
> 
> > My second issue is with the use of site-defined strings. I understand that
> > the site defined strings are defined by the administrator of a realm. What
> > happens if these strings appear outside the original realm, for example in
> > an environment connecting multiple realms? Don't we have a potential there
> > for name collision? Should there not be some guidance to implementers? 
> 
> There is maybe some potential for confusion, though not, I think, at the
> protocol level.  The authentication indicator should always originate from
> the realm of original authentication, which is the realm of the client
> principal (in general).  Even with some of the more exotic flows, like
> anonymous (or semi-anonymous) principals and making cross-realm TGS
> requests for foreign-realm TGTs, the client principal's realm is unchanged,
> so at a protocol level, the meaning of "this realm asserts that this
> authentication mechanism was used" remains clear.  The confusion is when
> applications just check strings against a table without special-casing
> foreign-realm principals (which is likely to happen and the natural thing
> for application authors to do; I am not trying to belittle the issue
> you raised).
> 
> In many cases, cross-realm operations occur when the administrators
> of the different realms are tightly coordinated (or even the same
> group), in which case they probably use the same semantics for the
> authentication indicator.  In cases where the administrators of the
> different realms are genuinely different organizations, there are already
> risks for application services in such realms, such as for applications
> that grant access to "valid user".  That said, the authentication indicator
> does introduce a new type of risk, and it is appropriate to have some
> text about it in the security considerations.
> 
> Authors, do you think you can come up with text, or should one of us
> try to make a contribution?
> 
> > I note that the proposed short string syntax forbids use of the ":"
> > character in site-defined strings. Did the WG look at the consequences of
> > that choice? If site administrators cannot use the URI like syntax, what
> > is the preferred way of defining unique strings and preventing collisions?
> 
> I don't think the WG looked at the consequences, no -- IIRC this requirement
> was introduced at my urging due to the shepherd review, in order to
> avoid conflict between the two classes of possible values.  If URIs must
> be LoA profiles and site-local values must be not-URIs, then there is
> no conflict.
> 
> My expectation is that what will happen in practice is that the site-local
> short strings will actually be implementation-local, and the name of the
> preauthentication plugin or module will be used, like "otp" or "pkinit"
> or "spake".  I don't expect anyone to try to make globally unique values,
> but of course there are always options like UUIDs or using alternate
> separator characters for those who wish to try.  (It is debatable whether
> UUIDs count as "short", but there is no enforcement on "short", so
> they are in practice fair game.)
> 
> > What are application services supposed to do when they encounter URI or
> > site-defined strings that they do not understand?
> 
> The same thing they do now (in practice) when receiving other unknown
> authorization data types: ignore it.  (This is in violation of the
> spec, that says unknown types should be treated as critical unless
> wrapped in AD-IF-RELEVANT, but that behavior is not implemented in the
> major implementations.)  That may end up being a default-deny or
> default-permit mode, depending on the application service's configuration.
> 
> > The ASN.1 syntax defines the element as a "SEQUENCE OF UTF8String". The
> > document mentions that "Each UTF8String value is a short string". How short
> > exactly should these strings be? How many of them should an application
> > expect in the "SEQUENCE OF" element? The syntax itself does not constrain
> > the length or number of these strings. Are we not worried with potential
> > interoperability issues? Could this be abused in some attacks? Should the
> > security considerations mention that?
> 
> If I remember the history of the document correctly, there is intentionally
> no limit.  URIs for LoA profiles could end up being pretty long, and
> there was a desire to not artificially limit those; it doesn't seem
> worth complicating the semantics of the indicator just to impose a length
> restriction on the non-URI strings.  As far as the number of elements in
> the sequence, in practice there is probably no issue, since the
> authentication indicator is issued by the KDC in response to the actual
> authentication that occurred -- well-behaved KDCs should only include
> as many strings as authentication methods were used (which is in practice
> one or two at the moment, and probably not going to get much above three
> ever).  There is always the concern about a client parsing
> untrusted/unvalidated input, but the consumer should be validating the
> MAC(s) in the CAMMAC container before parsing, and the implementation
> ticket size (and similar) constraints will also limit the possible
> size here.
> 
> So, probably no attacks (absent compromised KDCs, which have other
> ways to wreak havoc) and probably no need for security consideration
> mention.  I can't come up with any potential interoperability issues,
> either, but I didn't spend a whole lot of time thinking about it.
> 
> Thanks again,
> 
> Ben
> 


From nobody Thu Jan  5 11:57:57 2017
Return-Path: <ghudson@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC13E129601; Thu,  5 Jan 2017 11:57:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.3
X-Spam-Level: 
X-Spam-Status: No, score=-7.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czbU5Ybi5S5f; Thu,  5 Jan 2017 11:57:53 -0800 (PST)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C13129654; Thu,  5 Jan 2017 11:57:53 -0800 (PST)
X-AuditID: 12074423-4c3ff70000003dbe-4b-586ea53f0feb
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 13.8D.15806.F35AE685; Thu,  5 Jan 2017 14:57:52 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v05JvoD3028325; Thu, 5 Jan 2017 14:57:51 -0500
Received: from [18.101.8.126] (vpn-18-101-8-126.mit.edu [18.101.8.126]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v05Jvmw0030807 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 5 Jan 2017 14:57:49 -0500
To: Benjamin Kaduk <kaduk@mit.edu>, Christian Huitema <huitema@huitema.net>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <e65843f9-c8e9-7b2d-0f22-27be8b5e95ca@mit.edu>
Date: Thu, 5 Jan 2017 14:57:48 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <20170105194728.GU8460@kduck.kaduk.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6-baLLCYDov8A9OAmCK5RY9HYlg>
Cc: kitten@ietf.org, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, 'IESG' <iesg@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] [kitten] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 19:57:56 -0000

On 01/05/2017 02:47 PM, Benjamin Kaduk wrote:
> I don't think so, but will loop in the WG to confirm.
> The ad-type should indicate what is immediately inside the next encoding
> layer of the ad-data.  So a Ticket might have an AuthorizationData that
> contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
> the lowest level, and correspond to ad-data that's just the
> AD-AUTHENTICATION-INDICATOR itself.

I agree with Ben.



From nobody Thu Jan  5 12:19:03 2017
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0FB4129609 for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 12:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dOA2Z2FTXpN2 for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 12:18:55 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07EDE129606 for <secdir@ietf.org>; Thu,  5 Jan 2017 12:18:55 -0800 (PST)
Received: from xsmtp12.mail2web.com ([168.144.250.177]) by mx43.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cPEUv-0002oG-5U for secdir@ietf.org; Thu, 05 Jan 2017 21:18:53 +0100
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1cPEUp-0002I4-6a for secdir@ietf.org; Thu, 05 Jan 2017 15:18:51 -0500
Received: (qmail 28148 invoked from network); 5 Jan 2017 20:18:46 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[172.56.38.210]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-kitten-krb-auth-indicator.all@ietf.org>; 5 Jan 2017 20:18:46 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Benjamin Kaduk'" <kaduk@mit.edu>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org>
In-Reply-To: <20170105194728.GU8460@kduck.kaduk.org>
Date: Thu, 5 Jan 2017 12:18:40 -0800
Message-ID: <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQEaPs7iLwqOaTNknblhLQFEtN95CQJSROSwAhA+0NYCGZkF0AHkJ1kioledNuA=
X-Originating-IP: 168.144.250.177
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.03)
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
X-Recommended-Action: accept
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1OLPjdae7CoguaZHQAKgm-cqlUc>
Cc: 'secdir' <secdir@ietf.org>, nkinder@redhat.com, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, npmccallum@redhat.com, kitten@ietf.org, 'IESG' <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 20:18:56 -0000

On Thursday, January 5, 2017 11:47 AM, Benjamin Kaduk wrote:
>
> Thanks for finding the new document -- I was going to send you a pointer
> today to confirm that it addressed your concerns, but you beat me to it.

Blame Tero Kivinen. He sent me a reminder this morning.

>> One point, though. The new section 4 states:
>> 
>>    o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
>>       the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".
>> 
>> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped in a
>> CAMMAC container"?
> 
> I don't think so, but will loop in the WG to confirm.
> The ad-type should indicate what is immediately inside the next encoding
> layer of the ad-data.  So a Ticket might have an AuthorizationData that
> contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
> the lowest level, and correspond to ad-data that's just the
> AD-AUTHENTICATION-INDICATOR itself.

OK, I get that now. It was not entirely obvious from reading the text.

What is supposed to happen if the outside Authorization Data type is set to
97 instead of 96? Should that be specified somewhere? The text says:

   Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
   be included in an AD-CAMMAC container so that their contents can be
   verified as originating from the KDC.

That's a fine constraint for the sender, but what about receivers?

-- Christian Huitema



 
 


From nobody Thu Jan  5 12:39:47 2017
Return-Path: <nmccallu@redhat.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ECE6129415 for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 12:39:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.421
X-Spam-Level: 
X-Spam-Status: No, score=-1.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mtdOKnwuMgQL for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 12:39:39 -0800 (PST)
Received: from mail-it0-f41.google.com (mail-it0-f41.google.com [209.85.214.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68F361293F9 for <secdir@ietf.org>; Thu,  5 Jan 2017 12:39:37 -0800 (PST)
Received: by mail-it0-f41.google.com with SMTP id x2so914168itf.1 for <secdir@ietf.org>; Thu, 05 Jan 2017 12:39:37 -0800 (PST)
X-Received: by 10.36.203.194 with SMTP id u185mr6954747itg.93.1483648776660; Thu, 05 Jan 2017 12:39:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.34.195 with HTTP; Thu, 5 Jan 2017 12:39:36 -0800 (PST)
In-Reply-To: <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org> <042f01d26790$e936a5f0$bba3f1d0$@huitema.net>
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Thu, 5 Jan 2017 15:39:36 -0500
Message-ID: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VCEmKEb5O4Nwc1e3Vh0YygMIZU4>
Cc: secdir <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, "Kinder, Nathan" <nkinder@redhat.com>, kitten@ietf.org, IESG <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 20:39:40 -0000

On Thu, Jan 5, 2017 at 3:18 PM, Christian Huitema <huitema@huitema.net> wrote:
> On Thursday, January 5, 2017 11:47 AM, Benjamin Kaduk wrote:
>>
>> Thanks for finding the new document -- I was going to send you a pointer
>> today to confirm that it addressed your concerns, but you beat me to it.
>
> Blame Tero Kivinen. He sent me a reminder this morning.
>
>>> One point, though. The new section 4 states:
>>>
>>>    o  The table in Section 5.2.6 of RFC 4120 [RFC4120] is updated to map
>>>       the ad-type 97 to "DER encoding of AD-AUTHENTICATION-INDICATOR".
>>>
>>> Should that not be "DER encoding of AD-AUTHENTICATION-INDICATOR wrapped in a
>>> CAMMAC container"?
>>
>> I don't think so, but will loop in the WG to confirm.
>> The ad-type should indicate what is immediately inside the next encoding
>> layer of the ad-data.  So a Ticket might have an AuthorizationData that
>> contains ad-type 1 (AD-IF-RELEVANT), that itself contains AuthorizationData
>> with ad-type 96 (AD-CAMMAC), that in turn contains AuthorizationData with
>> ad-type 97 (AD-AUTHENTICATION-INDICATOR).  So, 97 should appear only at
>> the lowest level, and correspond to ad-data that's just the
>> AD-AUTHENTICATION-INDICATOR itself.
>
> OK, I get that now. It was not entirely obvious from reading the text.
>
> What is supposed to happen if the outside Authorization Data type is set to
> 97 instead of 96? Should that be specified somewhere? The text says:
>
>    Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
>    be included in an AD-CAMMAC container so that their contents can be
>    verified as originating from the KDC.
>
> That's a fine constraint for the sender, but what about receivers?

5.  Security Considerations

   ... Application servers MUST validate the AD-CAMMAC container before
   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
   elements.  Application servers MUST NOT make authorization decisions
   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
   AD-CAMMAC containers. ...
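
Added illustration, not part of the archived messages, the draft, or any Kerberos implementation: a receiver-side walk over DER-encoded AuthorizationData that returns authentication indicators only when ad-type 97 sits inside an AD-CAMMAC (96) container that validated, and ignores a bare 97 element. The cammac_is_valid hook, the MAX_DEPTH bound and the sample bytes (CAMMAC verifier fields omitted) are assumptions made for the example.

```python
AD_IF_RELEVANT, AD_CAMMAC, AD_AUTH_INDICATOR = 1, 96, 97  # ad-type values quoted in the thread
SEQ, INT, OCTETS, UTF8, CTX0, CTX1 = 0x30, 0x02, 0x04, 0x0C, 0xA0, 0xA1
MAX_DEPTH = 8  # assumed nesting bound so hostile input cannot recurse without limit


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        out.append((tag, content))
    return out


def unwrap(buf, expected_tag):
    """Return the content of the single TLV that must fill buf exactly."""
    tag, content, end = read_tlv(buf, 0)
    if tag != expected_tag or end != len(buf):
        raise ValueError("unexpected tag or trailing bytes")
    return content


def parse_authdata(der):
    """AuthorizationData: SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    elements = []
    for tag, body in children(unwrap(der, SEQ)):
        if tag != SEQ:
            raise ValueError("authorization data element is not a SEQUENCE")
        fields = dict(children(body))
        if CTX0 not in fields or CTX1 not in fields:
            raise ValueError("ad-type or ad-data missing")
        ad_type = int.from_bytes(unwrap(fields[CTX0], INT), "big", signed=True)
        elements.append((ad_type, unwrap(fields[CTX1], OCTETS)))
    return elements


def trusted_indicators(authdata_der, cammac_is_valid, in_cammac=False, depth=0):
    """Return indicator strings found inside validated AD-CAMMAC containers only."""
    if depth > MAX_DEPTH:
        raise ValueError("authorization data nested too deeply")
    found = []
    for ad_type, ad_data in parse_authdata(authdata_der):
        if ad_type == AD_IF_RELEVANT:  # ad-data is another AuthorizationData
            found += trusted_indicators(ad_data, cammac_is_valid, in_cammac, depth + 1)
        elif ad_type == AD_CAMMAC:
            # Validate first, parse second. cammac_is_valid is a hypothetical
            # caller-supplied hook that checks the container's verifier.
            if cammac_is_valid(ad_data):
                inner = dict(children(unwrap(ad_data, SEQ))).get(CTX0)
                if inner is None:
                    raise ValueError("AD-CAMMAC without elements field")
                found += trusted_indicators(inner, cammac_is_valid, True, depth + 1)
        elif ad_type == AD_AUTH_INDICATOR and in_cammac:
            # AD-AUTHENTICATION-INDICATOR is a SEQUENCE OF UTF8String.
            found += [s.decode("utf-8")
                      for tag, s in children(unwrap(ad_data, SEQ)) if tag == UTF8]
        # Anything else, including ad-type 97 outside a CAMMAC, contributes nothing.
    return found


def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        head = bytes([n])
    else:
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content


def element(ad_type, ad_data):
    """Encode one authorization data element (ad_type must be 0..127 here)."""
    return tlv(SEQ, tlv(CTX0, tlv(INT, bytes([ad_type]))) + tlv(CTX1, tlv(OCTETS, ad_data)))


# Constructed samples: no real ticket data, CAMMAC verifier fields omitted.
INDICATOR = tlv(SEQ, tlv(UTF8, b"otp"))
BARE = tlv(SEQ, element(AD_AUTH_INDICATOR, INDICATOR))      # 97 at the outer level
CAMMAC = tlv(SEQ, tlv(CTX0, BARE))                          # 96 wrapping the 97 element
WRAPPED = tlv(SEQ, element(AD_IF_RELEVANT, tlv(SEQ, element(AD_CAMMAC, CAMMAC))))
```

With these samples, WRAPPED yields ["otp"] only when the hook accepts the container; BARE, and a 97 element placed directly under AD-IF-RELEVANT, yield an empty list.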


From nobody Thu Jan  5 14:35:01 2017
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C80531296EC for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 14:34:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OoVyjfpBarOn for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 14:34:57 -0800 (PST)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C90C129717 for <secdir@ietf.org>; Thu,  5 Jan 2017 14:34:57 -0800 (PST)
Received: from xsmtp05.mail2web.com ([168.144.250.245]) by mx36.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cPGcZ-0008Bg-UM for secdir@ietf.org; Thu, 05 Jan 2017 23:34:56 +0100
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp05.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1cPGcY-0000uD-BT for secdir@ietf.org; Thu, 05 Jan 2017 17:34:55 -0500
Received: (qmail 23007 invoked from network); 5 Jan 2017 22:34:54 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[172.56.39.5]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-kitten-krb-auth-indicator.all@ietf.org>; 5 Jan 2017 22:34:53 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Nathaniel McCallum'" <npmccallum@redhat.com>
References: <005f01d263d5$84b14680$8e13d380$@huitema.net> <006f01d263d8$435dc430$ca194c90$@huitema.net> <20170103062001.GN8460@kduck.kaduk.org> <00c901d26766$566e9ae0$034bd0a0$@huitema.net> <20170105194728.GU8460@kduck.kaduk.org> <042f01d26790$e936a5f0$bba3f1d0$@huitema.net> <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
In-Reply-To: <CAOASepOE2RHGoZre7g6xswX56AUPZJfPMkksHWt7rwBo6_C-sw@mail.gmail.com>
Date: Thu, 5 Jan 2017 14:34:47 -0800
Message-ID: <045e01d267a3$ed12d410$c7387c30$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQEaPs7iLwqOaTNknblhLQFEtN95CQJSROSwAhA+0NYCGZkF0AHkJ1kiAwSBZ48C3tfbXaIorGEA
X-Originating-IP: 168.144.250.245
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.04)
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
X-Recommended-Action: accept
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PRkiOcN6j5_Lt3R6Yo8hfiymBRY>
Cc: 'secdir' <secdir@ietf.org>, draft-ietf-kitten-krb-auth-indicator.all@ietf.org, "'Kinder, Nathan'" <nkinder@redhat.com>, kitten@ietf.org, 'IESG' <iesg@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-kitten-krb-auth-indicator-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2017 22:34:59 -0000

On Thursday, January 5, 2017 12:40 PM, Nathaniel McCallum wrote:

>> What is supposed to happen if the outside Authorization Data type is set to
>> 97 instead of 96? Should that be specified somewhere? The text says:
>>
>>    Authorization data elements of type AD-AUTHENTICATION-INDICATOR MUST
>>    be included in an AD-CAMMAC container so that their contents can be
>>    verified as originating from the KDC.
>>
>> That's a fine constraint for the sender, but what about receivers?
>
> 5.  Security Considerations
>
>   ... Application servers MUST validate the AD-CAMMAC container before
>   making authorization decisions based on AD-AUTHENTICATION-INDICATOR
>   elements.  Application servers MUST NOT make authorization decisions
>   based on AD-AUTHENTICATION-INDICATOR elements which appear outside of
>   AD-CAMMAC containers. ...

You are right, and I was confused.

As far as I am concerned, the draft is fine and ready for publication.
The "reserved number" section and the additional paragraph in the
security consideration addressed the concern that I raised in the
initial review.

-- Christian Huitema




From nobody Thu Jan  5 23:18:20 2017
Return-Path: <madi@zdns.cn>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76B17129C44 for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 23:18:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dp00FIxz0JNt for <secdir@ietfa.amsl.com>; Thu,  5 Jan 2017 23:18:17 -0800 (PST)
Received: from gw1.turbomail.org (gw1.turbomail.org [159.8.83.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BE59129C42 for <secdir@ietf.org>; Thu,  5 Jan 2017 23:18:17 -0800 (PST)
X-TM-DID: 9f06655e8208d580e0bc5702617c76e2
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <92CD5332-0DA4-4DD9-8973-17D0597A2696@cisco.com>
Date: Fri, 6 Jan 2017 15:16:02 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <C5097058-B3E1-4F8F-BC9A-524AE692B03F@zdns.cn>
References: <92CD5332-0DA4-4DD9-8973-17D0597A2696@cisco.com>
To: "Brian Weis (bew)" <bew@cisco.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/D6QTdsAJHVscGDiV2Bk_oDm77b8>
Cc: Chris Morrow <morrowc@ops-netman.net>, Declan Ma <madihello@icloud.com>, Stephen Kent <kent@bbn.com>, db3546@att.com, secdir <secdir@ietf.org>, Declan Ma <madi@zdns.cn>, akatlas@gmail.com, "draft-ietf-sidr-adverse-actions.all@tools.ietf.org" <draft-ietf-sidr-adverse-actions.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "Alvaro Retana \(aretana\)" <aretana@cisco.com>, draft-ietf-sidr-adverse-actions.all@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-adverse-actions-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 07:18:18 -0000

Dear Brian,

Thanks for reviewing this document.


> On Jan 5, 2017, at 01:37, Brian Weis (bew) <bew@cisco.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> As stated in the Abstract, this document analyzes actions by or
> against a CA or independent repository manager in the RPKI that can
> adversely affect the Internet Number Resources (INRs) associated with
> that CA or its subordinate CAs. Put another way, it documents threats to
> the RPKI/BGPSEC PKI, in which there are unique threats to the PKI that
> can adversely affect Internet routing. The document is well written and
> internally consistent. The Security Considerations section is adequate.
>
> I consider this draft Ready to publish, but here are a couple of
> discretionary comments for the authors.
>
> 1. The end of section 2 says "Note that not all adverse actions may be
> addressed by this taxonomy.”. The phrase “addressed by” confused me a
> little bit, as it implies some recommendation or remediation — which
> this document does not attempt to do. This might be more clearly worded
> as “described by” or “included in”.

I think this is really a good suggestion.

>
> 2. In section 2.1, A-1.2 (Suppression), it seems that suppression
> could result in the CA certificate intended to be replaced to expire
> before an intended CA rollover operation happens due to the suppressed
> replacement certificate. Perhaps it is not noted because this threat is
> not specific to RPKI/BGPSEC, but it could be another serious suppression
> affecting Internet routing.

A CA rollover operation is a specific scenario where CA certificate
suppression could take place. As this document focuses on the harmful
results of adverse actions, not the causes or motivations of adverse
actions, we authors don’t specially note the case you just
mentioned.  Anyway, we authors will be considering this comment from
you when updating this draft in its next version.

Di



From nobody Fri Jan  6 07:14:10 2017
Return-Path: <prvs=017991d07d=steve.kent@raytheon.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50271129542; Fri,  6 Jan 2017 07:14:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level: 
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9CKk6Z_6PWzI; Fri,  6 Jan 2017 07:14:03 -0800 (PST)
Received: from dfw-mailout10.raytheon.com (dfw-mailout10.raytheon.com [199.46.199.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D73D3129451; Fri,  6 Jan 2017 07:14:03 -0800 (PST)
Received: from ca-mailout10.rtnmail.ray.com (ca-mailout10.rtnmail.ray.com [147.25.146.12]) by dfw-mailout10.ext.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id v06FDv1j033086 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 6 Jan 2017 15:13:58 GMT
Received: from 008-smtp-out.ray.com ([23.103.8.215]) by ca-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id v06FDu5d029052 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT); Fri, 6 Jan 2017 15:13:57 GMT
Received: from CY1PR0601MB023.008f.mgd2.msft.net (23.103.8.215) by CY1PR0601MB023.008f.mgd2.msft.net (23.103.8.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.789.16; Fri, 6 Jan 2017 15:13:56 +0000
Received: from CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) by CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) with mapi id 15.01.0789.014; Fri, 6 Jan 2017 15:13:56 +0000
From: Steve KENT <steve.kent@raytheon.com>
To: Declan Ma <madi@zdns.cn>, "Brian Weis (bew)" <bew@cisco.com>
Thread-Topic: SecDir review of draft-ietf-sidr-adverse-actions-03
Thread-Index: AQHSZrFGyP8oViwbEkKwjJSI9pFi26ErDBYAgACEbss=
Date: Fri, 6 Jan 2017 15:13:56 +0000
Message-ID: <761fc144f6364e6c97a3bf9df2e3349a@CY1PR0601MB023.008f.mgd2.msft.net>
References: <92CD5332-0DA4-4DD9-8973-17D0597A2696@cisco.com>, <C5097058-B3E1-4F8F-BC9A-524AE692B03F@zdns.cn>
In-Reply-To: <C5097058-B3E1-4F8F-BC9A-524AE692B03F@zdns.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [23.103.8.5]
Content-Type: multipart/alternative; boundary="_000_761fc144f6364e6c97a3bf9df2e3349aCY1PR0601MB023008fmgd2m_"
MIME-Version: 1.0
X-CC: madi@zdns.cn, bew@cisco.com, secdir@ietf.org, iesg@ietf.org, draft-ietf-sidr-adverse-actions.all@tools.ietf.org, kent@bbn.com, morrowc@ops-netman.net, sandy@tislabs.com, aretana@cisco.com, db3546@att.com, akatlas@gmail.com, draft-ietf-sidr-adverse-actions.all@ietf.org, madihello@icloud.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-06_13:, , signatures=0
X-Original-Sender: steve.kent@raytheon.com
X-Original-Recipients: madihello@icloud.com, draft-ietf-sidr-adverse-actions.all@ietf.org,  akatlas@gmail.com, db3546@att.com, aretana@cisco.com, sandy@tislabs.com, morrowc@ops-netman.net, draft-ietf-sidr-adverse-actions.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org, bew@cisco.com, madi@zdns.cn
X-Attachments: 
X-DMZ-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701060239
X-DMZ-Spam-Reason: mlx
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/COSlsHsgdRC5DdPH3pAEklMpW-k>
Cc: Chris Morrow <morrowc@ops-netman.net>, Declan Ma <madihello@icloud.com>, Stephen Kent <kent@bbn.com>, "db3546@att.com" <db3546@att.com>, secdir <secdir@ietf.org>, "akatlas@gmail.com" <akatlas@gmail.com>, "draft-ietf-sidr-adverse-actions.all@tools.ietf.org" <draft-ietf-sidr-adverse-actions.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "Alvaro Retana \(aretana\)" <aretana@cisco.com>, "draft-ietf-sidr-adverse-actions.all@ietf.org" <draft-ietf-sidr-adverse-actions.all@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-adverse-actions-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 15:14:05 -0000

Brian,

I agree that "addressed" should be changed. How about "encompassed"?

I agree that suppression also applies in the context of a planned (or
emergency) cert rollover. We can add a sentence to note that expiration
of a cert that was intended to be rolled over is also a potential
outcome.

Thanks,

Steve

From: Declan Ma <madi@zdns.cn>
Sent: Friday, January 6, 2017 2:16:02 AM
To: Brian Weis (bew)
Cc: secdir; The IESG; draft-ietf-sidr-adverse-actions.all@tools.ietf.org; Stephen Kent; Declan Ma; Chris Morrow; Sandra Murphy; Alvaro Retana (aretana); db3546@att.com; akatlas@gmail.com; draft-ietf-sidr-adverse-actions.all@ietf.org; Declan Ma
Subject: Re: SecDir review of draft-ietf-sidr-adverse-actions-03

Dear Brian,

Thanks for reviewing this document.


> On 5 January 2017, at 01:37, Brian Weis (bew) <bew@cisco.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> As stated in the Abstract, this document analyzes actions by or
> against a CA or independent repository manager in the RPKI that can
> adversely affect the Internet Number Resources (INRs) associated with
> that CA or its subordinate CAs. Put another way, it documents threats
> to the RPKI/BGPSEC PKI, in which there are unique threats to the PKI
> that can adversely affect Internet routing. The document is well
> written and internally consistent. The Security Considerations section
> is adequate.
>
> I consider this draft Ready to publish, but here are a couple of
> discretionary comments for the authors.
>
> 1. The end of section 2 says "Note that not all adverse actions may be
> addressed by this taxonomy.". The phrase "addressed by" confused me a
> little bit, as it implies some recommendation or remediation -- which
> this document does not attempt to do. This might be more clearly
> worded as "described by" or "included in".

I think this is really a good suggestion.

>
> 2. In section 2.1, A-1.2 (Suppression), it seems that suppression
> could result in the CA certificate intended to be replaced to expire
> before an intended CA rollover operation happens due to the suppressed
> replacement certificate. Perhaps it is not noted because this threat
> is not specific to RPKI/BGPSEC, but it could be another serious
> suppression affecting Internet routing.

CA rollover operation is a specific scenario where CA certificate
suppression could take place. As this document focuses on the harmful
results of adverse actions not the causes nor motivations of adverse
actions, we authors don't note this case specially you just mentioned.
Anyway, we authors will be considering these comments from you when
updating this draft in its next version.

Di



From nobody Fri Jan  6 08:27:10 2017
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89D041294C1; Fri,  6 Jan 2017 08:27:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.621
X-Spam-Level: 
X-Spam-Status: No, score=-17.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGKf7kvUnkr8; Fri,  6 Jan 2017 08:27:04 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1BB4129411; Fri,  6 Jan 2017 08:27:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16654; q=dns/txt; s=iport; t=1483720024; x=1484929624; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=918XoXiR27zK0SHl5py/kYIi5DVg4juiCo6tawzbI6U=; b=YuAA4T8SxAdDD6JI44KaHtw9ZwiiVGcuwVXJ0dn9nezDE1Ebd7reJ2wJ hqK4vIpMK71NJza8RI9k9v8Lb5sxUYKclaV15QqniphjRB01k/igM7QEZ JN66WG3Ffqna8hjPzCL22IHMRXsWHmhWGkBSjqPQodNXcCL1jOoeYh0Zd A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A3AQCyxG9Y/5FdJa1bAxkBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYJxSAEBAQEBH4FrB41QkiGHf4d9hSqCCYYiAhqBOz8UAQIBAQE?= =?us-ascii?q?BAQEBYyiEaAEBAQMBI1YQAgEGAhEEAQEoAwICAh8RFAkIAgQOBYhVAxAIkmOdT?= =?us-ascii?q?oIlhzQNglYBAQEBAQEBAQEBAQEBAQEBAQEBAQEdiEcIgleCToFKEQEkDwoVEYJ?= =?us-ascii?q?BLYIxBZUahUM4AY1Kg3yQW4oDiE0BHzhtTxVEAYYUcwGGN4EhgQ0BAQE?=
X-IronPort-AV: E=Sophos;i="5.33,325,1477958400";  d="scan'208,217";a="191193190"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Jan 2017 16:27:03 +0000
Received: from XCH-RTP-004.cisco.com (xch-rtp-004.cisco.com [64.101.220.144]) by rcdn-core-9.cisco.com (8.14.5/8.14.5) with ESMTP id v06GR3Gk006179 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Jan 2017 16:27:03 GMT
Received: from xch-rtp-001.cisco.com (64.101.220.141) by XCH-RTP-004.cisco.com (64.101.220.144) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 6 Jan 2017 11:27:02 -0500
Received: from xch-rtp-001.cisco.com ([64.101.220.141]) by XCH-RTP-001.cisco.com ([64.101.220.141]) with mapi id 15.00.1210.000; Fri, 6 Jan 2017 11:27:02 -0500
From: "Brian Weis (bew)" <bew@cisco.com>
To: Steve KENT <steve.kent@raytheon.com>
Thread-Topic: SecDir review of draft-ietf-sidr-adverse-actions-03
Thread-Index: AQHSZrFG45dF37AheEGMo+qlJtTspKErX+gAgACFhgCAABRrgA==
Date: Fri, 6 Jan 2017 16:27:02 +0000
Message-ID: <3971C5C5-1877-4205-88A4-CC1E2760AC1E@cisco.com>
References: <92CD5332-0DA4-4DD9-8973-17D0597A2696@cisco.com> <C5097058-B3E1-4F8F-BC9A-524AE692B03F@zdns.cn> <761fc144f6364e6c97a3bf9df2e3349a@CY1PR0601MB023.008f.mgd2.msft.net>
In-Reply-To: <761fc144f6364e6c97a3bf9df2e3349a@CY1PR0601MB023.008f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.19.191.172]
Content-Type: multipart/alternative; boundary="_000_3971C5C51877420588A4CC1E2760AC1Eciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vWYF7l9BY_jSPr1m8DbYVptdos4>
Cc: Chris Morrow <morrowc@ops-netman.net>, Declan Ma <madihello@icloud.com>, Stephen Kent <kent@bbn.com>, "db3546@att.com" <db3546@att.com>, secdir <secdir@ietf.org>, Declan Ma <madi@zdns.cn>, "akatlas@gmail.com" <akatlas@gmail.com>, "draft-ietf-sidr-adverse-actions.all@tools.ietf.org" <draft-ietf-sidr-adverse-actions.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "Alvaro Retana \(aretana\)" <aretana@cisco.com>, "draft-ietf-sidr-adverse-actions.all@ietf.org" <draft-ietf-sidr-adverse-actions.all@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-adverse-actions-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 16:27:06 -0000



From nobody Fri Jan  6 13:51:38 2017
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D532A129458; Fri,  6 Jan 2017 13:51:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZNhDGMHccpZD; Fri,  6 Jan 2017 13:51:35 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 44A1412944B; Fri,  6 Jan 2017 13:51:35 -0800 (PST)
Received: from thinny.local (69-12-173-8.static.dsltransport.net [69.12.173.8]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by colo.trepanning.net (Postfix) with ESMTPSA id A7B7DA888004; Fri,  6 Jan 2017 13:51:34 -0800 (PST)
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-clue-rtp-mapping.all@ietf.org
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <80663eab-d5d4-07ae-7aa6-3924a5b7a579@lounge.org>
Date: Fri, 6 Jan 2017 13:51:33 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------02FC40002406B3F482997456"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Ym_u8vTgZxpm6QwaGXwXKBOtslg>
Subject: [secdir] secdir review of draft-ietf-clue-rtp-mapping
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 21:51:37 -0000

This is a multi-part message in MIME format.
--------------02FC40002406B3F482997456
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit


   Greetings,

   I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

   This draft provides some recommendations and mappings to allow RTP
to be used in the CLUE protocol.

   I believe this draft is Ready with the following nits:

1) it makes normative reference to 3 other I-Ds. I am not familiar
with those drafts or their status or whether any of the normative
behavior this draft relies upon is contentious or not. Somebody
(not me) should make sure that all ducks are in a row before this
draft advances.

2) having RFC 2119 words in the Security Considerations seems OK
for saying things like "CLUE endpoints MUST support RTP/SAVPF and
DTLS-SRTP keying [RFC5764]" because it's just saying you need to
support something else that is providing you security. But I think
MUST language describing how the protocol needs to behave in order
to be secure itself belongs outside the Security Considerations.
I'm referring to: "Inappropriate choice of CNAME values can be a
privacy concern, since long-term persistent CNAME identifiers can be
used to track users across multiple calls.  CLUE endpoint MUST
generate short-term persistent RTCP CNAMES, as specified in RFC7022
[RFC7022], resulting in untraceable CNAME values that alleviate this
risk." I suggest placing that in a different section, possibly making
a new section that has all the various recommendations
being made on CLUE in one place.

   regards,

   Dan.





--------------02FC40002406B3F482997456--


From nobody Fri Jan  6 14:17:20 2017
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF8E612944A; Fri,  6 Jan 2017 14:17:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Level: 
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wV00RYFHaKUZ; Fri,  6 Jan 2017 14:17:17 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE14A129452; Fri,  6 Jan 2017 14:17:16 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3twJnP1B6wz3Tp; Fri,  6 Jan 2017 23:17:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1483741033; bh=l4QQ12hNyLrWNPlKE4Wmsm0IcObEMKiMXdbn2CcSfaM=; h=Date:From:To:cc:Subject; b=EkCPib2HlmcwgZq2VHpW9AKgiMWF/Or5tT0qiV5iB75gEV9T/1jBlq4hIUSp2k1NZ De2Z+ak4rirHcSbqZwB3dbA2mT6T9KBjJh/9cAIIVyWjik6dfFKAgbEZfFSfkWqf+W fFudeIzjzpHgwFvjV2p9Wz5KbjItya3Hc+tzJ1Y0=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id tVzlxKDgRPtv; Fri,  6 Jan 2017 23:17:11 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri,  6 Jan 2017 23:17:11 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id C558761A3C; Fri,  6 Jan 2017 17:17:08 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca C558761A3C
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id BE5764070EB3; Fri,  6 Jan 2017 17:17:08 -0500 (EST)
Date: Fri, 6 Jan 2017 17:17:08 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: iesg@ietf.org, secdir <secdir@ietf.org>
Message-ID: <alpine.LRH.2.20.1701061709510.3176@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oguHNM-cg2k7KTox4N-bh_GsAW0>
Cc: draft-ietf-sidr-publication.all@ietf.org
Subject: [secdir] SecDir review of draft-ietf-sidr-publication-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 22:17:18 -0000

SecDir review of draft-ietf-sidr-publication-09

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This document is Almost Ready.

Title and intro say:

"A Publication Protocol for the Resource Public Key Infrastructure (RPKI)"

"This document defines a protocol for publishing Resource Public Key
Infrastructure (RPKI) objects. "

It seems the protocol is not just about publication, but also about
withdrawing publications. I would call that "Maintaining" rather than
"Publishing" and also brings up the question of who can make changes and
how those are secured and/or validated. However, the document's Security
Considerations places all of the client authentication and authorization
as "out of scope" and deems this is protected securely.

I do think that this document should explain when a publication or
withdrawal request is received using this protocol, what should be
checked before allowing the transaction. This could be something as
simple as a reference to another document, or some text in this document.

Is there another document that describes consuming this information?
If not, shouldn't this document contain some information on how to safely
consume this data?

It feels to me this document is only describing transport of RPKI
objects between a client and a publication server, but does not describe
how to consume this data on the server side or how to consume the
published/withdrawn data as a client. Perhaps a title adjustment is in
order to clarify that?

The Security Considerations does not talk about the security impact of
"Publication". The document really describes the transport of the data
and not the publication of the data. So again, this might be correct if we
had a more appropriate title for this document.  Now I am left wondering
if this "publication" is compromised, populated with bogus data, or made
unavailable in general, what happens. If this is documented in another
document, a reference should be added.

It seems a natural fit to perform some kind of transparency (audit)
logs for RPKI announcements. Why not use Certificate Transparency and
leverage existing standards and software? Which would include monitoring,
auditing and gossiping of this data in a distributed way. Are we talking
about too much (changing) data for the CT model to handle?

The term PDU is not expanded on first use, and not described anywhere,
not even in the "required reading" of RFC-6480. I still do not know what
it actually stands for.

Section 2.2 has a reference [SHS] for SHA-256 to a non-RFC document.
Why not refer to RFC-4634 instead?

What would be the criteria for a client to be allowed to publish or
withdraw an object? Apparently the data is signed (with [CMS]) but I
find no discussion of client/server or data authentication/authorization
other than "out of scope". How is it prevented that one client can update
another client's object?

I'm a little nervous about hardcoding SHA-256 but it seems to be mostly used
as a uniqueid lookup identifier and other access controls are supposed to
be in place to prevent abuse. Hopefully there will be some client-server
authentication that would further protect a rogue client from modifying a
(hash collision based) object identified by a SHA-256 hash so a client
can only delete its own (or its group?) objects. Should some of this be
discussed in the Security Considerations? I also assume creating a hash
collision would require stuffing weird data inside, which would hopefully
get detected. But nowhere does it mention that as part of accepting a
publication, someone is checking the content of the RPKI object.

    "Note the authors have taken liberties with the Base64, hash, and
    URI text in these examples in the interest of making the examples
    fit nicely into RFC text format."

While I understand that, I think it is still not a good idea to write:

 	hash="01a97a70ac477f06"

in the example as an example of a SHA-256 hash. I would prefer:

 	hash=<SHA256-Hash>

or

 	hash="<hex(SHA256-Hash)>"

or even:

 	hash="01a97a70[...]ac477f06"

In this case it actually shows some confusion too. The SHA256 hash is
probably not in its binary format, but in hex format, which should be
stated more clearly in the document.

Similarly, it seems the blobs submitted are base64 blobs, even though it
does not actually state that anywhere in this document. It could be that
all RPKI objects are base64, in which case this comment can be ignored.

I also find the following usage confusing:

 	error_code="no_object_matching_hash"

When we talk about error code, we normally really mean a number like
404, not a string. If we name such strings, we tend to use upper case,
like NO_OBJECT_MATCHING_HASH, but that might be my C experience.

I would personally also avoid single quotes in the text message and write
"Can not" and "Do not" instead of "Can't" and "don't" to avoid confusion
about when to mask single quotes in xml syntax.

What is the data in the "tag" supposed to be. Since the hash is used
to identify the objects, it seems like some human readable aid? Is it a
"query id" kind of identifier? Can these be the same for multiple objects?
If no one owns these, how are clients prevented from using another
client's tag? Or can clients use unixtime as a tag and get into a
race condition? I feel that I should probably understand tag better,
but again neither this document nor RFC-6480 describes what a tag is.


Reading section 4, it seems "tag" is really "client ID". But it is not
clear to me how one client is prevented from using another client's tag?
Or if it is authenticated, how tags are registered with clients?

Section 4 mentions "<client/> setup messages" without explaining what
this is, and it is not obvious to me.

The Security Consideration puts client authentication as out of scope
of this document. I think that is fine, assuming my above questions are
answered (possibly filling in my lack of knowledge of RPKI, or possibly
by adding clarifying text to the document).

Paul
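
Added example, not part of the message above and not code from the draft or its authors: a toy publication server showing the checks the review asks about before a publish or withdraw is accepted (URI ownership per client, a full hex SHA-256 `hash` that matches the stored object, a valid Base64 payload). Only `hash` and `no_object_matching_hash` come from the review; the class, the method signatures, the per-client base-URI model and the other error strings are assumptions of this example.

```python
import base64
import hashlib
import re

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")  # hex text form, not the 32 raw bytes


class PublicationError(Exception):
    """Carries the error_code string that would be returned to the client."""

    def __init__(self, error_code, detail):
        super().__init__(detail)
        self.error_code = error_code


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def b64(data):
    return base64.b64encode(data).decode("ascii")


class Repository:
    """Hypothetical publication point: URI -> object bytes, one base URI per client."""

    def __init__(self, client_bases):
        # Each base must end in "/" so "alice/" can never match "alice2/...".
        self.client_bases = dict(client_bases)
        self.objects = {}

    def _check_uri(self, client, uri):
        base = self.client_bases.get(client)
        if base is None or not uri.startswith(base) or ".." in uri.split("/"):
            # error string is an assumption of this example
            raise PublicationError("permission_failure", "URI outside client's space")

    def _check_hash(self, uri, claimed):
        current = self.objects.get(uri)
        if current is None:
            raise PublicationError("no_object_present", "nothing stored at this URI")
        claimed = (claimed or "").lower()
        # A shortened value such as "01a97a70ac477f06" fails the length check.
        if not HEX_SHA256.fullmatch(claimed) or claimed != sha256_hex(current):
            raise PublicationError("no_object_matching_hash", "hash does not match")

    def publish(self, client, uri, payload_b64, old_hash=None):
        self._check_uri(client, uri)
        try:
            data = base64.b64decode(payload_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raise PublicationError("bad_base64", "payload is not Base64") from None
        if old_hash is None:
            if uri in self.objects:
                raise PublicationError("object_already_present", "overwrite needs hash")
        else:
            self._check_hash(uri, old_hash)  # overwrite only what the client saw
        self.objects[uri] = data
        return sha256_hex(data)

    def withdraw(self, client, uri, old_hash):
        self._check_uri(client, uri)
        self._check_hash(uri, old_hash)
        del self.objects[uri]


def outcome(request, *args):
    """Run one request and return 'success' or the error_code it produced."""
    try:
        request(*args)
        return "success"
    except PublicationError as err:
        return err.error_code


if __name__ == "__main__":
    # Constructed sample data; the host name and clients are placeholders.
    repo = Repository({"alice": "rsync://repo.example/alice/",
                       "bob": "rsync://repo.example/bob/"})
    uri = "rsync://repo.example/alice/a.cer"
    h1 = repo.publish("alice", uri, b64(b"constructed object v1"))
    print("stored, hash =", h1)
    print("bob withdraws alice's object:", outcome(repo.withdraw, "bob", uri, h1))
    print("truncated hash:", outcome(repo.withdraw, "alice", uri, "01a97a70ac477f06"))
    print("correct hash:", outcome(repo.withdraw, "alice", uri, h1))
```

The hash comparison here guards against acting on a stale view of the repository; it is the URI ownership check, bound to an authenticated client identity, that stops one client from touching another's objects.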


From nobody Fri Jan  6 18:56:35 2017
Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF2B1270B4; Fri,  6 Jan 2017 18:56:33 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Sean Turner <sean@sn3rd.com>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148375779374.17442.8516164323586796119.idtracker@ietfa.amsl.com>
Date: Fri, 06 Jan 2017 18:56:33 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rEhD98v2BW_qLaIwIKoo2ULtqGI>
Cc: insipid@ietf.org, ietf@ietf.org, draft-ietf-insipid-logme-reqs.all@ietf.org
Subject: [secdir] Review of draft-ietf-insipid-logme-reqs-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2017 02:56:34 -0000

Reviewer: Sean Turner
Review result: Has Nits

After getting over my initial reaction that was something like
"srsly!? we're going to standardize the exact opposite of 'do not
track'", I realized that this is a requirements draft for an IETF
approved WG and a chartered work item of that WG :)

0) s3.2: Is the intent to define a protocol mechanism to determine if
the two or domains are part of the same trust domain?  This
requirement could be achieved by saying out-of-band bilateral
agreements are the mechanism to establish the domain.

1) s5.1: REQ1 - Did you mean to say "using SIP standard logging
format"?  Is there another logging format other than SIP CLF?

2) s5.1: Should the must be MUST in the following:

  All log retrieval mechanisms must adhere to
  authorization and privacy protection policies
  set forth by the network administrator.

3) s5.2: REQ3 seems odd to me - Isn't this kind of like a SIP thing? 
I mean if SIP doesn't allow adding new headers then didn't somebody
sink your battleship?  But SIP does allow you to add arbitrary headers
so I think I'm missing something as to why this is needed?

4) s5.2: REQ3 - Reads a bit awkward to me; how about:

  It MUST be possible to mark a SIP request or response for
  logging by inserting a "log me" marker.

i.e., remove "of interest"

5) s5.2: REQ4 - Again this seems like a basic SIP thing - I mean are
there fields that SIP requires be stripped?

6) Is there a missing requirement based on the security considerations
that requires that this marker MUST be removed at the earliest
opportunity if it has been incorrectly inserted?


From nobody Fri Jan  6 21:44:10 2017
Return-Path: <melinda.shore@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5032D129879; Fri,  6 Jan 2017 21:44:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wOuYtWNEncdf; Fri,  6 Jan 2017 21:44:07 -0800 (PST)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6985129416; Fri,  6 Jan 2017 21:44:04 -0800 (PST)
Received: by mail-pf0-x233.google.com with SMTP id d2so98152974pfd.0; Fri, 06 Jan 2017 21:44:04 -0800 (PST)
X-Received: by 10.84.254.15 with SMTP id b15mr22180628plm.114.1483767844206; Fri, 06 Jan 2017 21:44:04 -0800 (PST)
Received: from Melindas-MacBook-Pro.local (63-140-95-105-radius.dynamic.acsalaska.net. [63.140.95.105]) by smtp.googlemail.com with ESMTPSA id u64sm157344505pgc.39.2017.01.06.21.43.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 06 Jan 2017 21:44:03 -0800 (PST)
From: Melinda Shore <melinda.shore@gmail.com>
To: draft-holmberg-dispatch-mcptt-rp-namespace@ietf.org, secdir@ietf.org, iesg@ietf.org
Message-ID: <43a2d0d2-9613-1ee5-4f2d-0b8f72bec5c1@gmail.com>
Date: Fri, 6 Jan 2017 20:43:54 -0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="uOHqqxXrG2TxfvfOLVHH8wguc47fU8GMX"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oczGgfMR6Fma_Iu1lgM0LFM28UE>
Subject: [secdir] secdir review of draft-holmberg-dispatch-mcptt-rp-namespace-03
Precedence: list
X-List-Received-Date: Sat, 07 Jan 2017 05:44:09 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--uOHqqxXrG2TxfvfOLVHH8wguc47fU8GMX
Content-Type: multipart/mixed; boundary="H5ECv2Jnu6et6dDibDvbX80BCi7G6K3rL";
 protected-headers="v1"
From: Melinda Shore <melinda.shore@gmail.com>
To: draft-holmberg-dispatch-mcptt-rp-namespace@ietf.org, secdir@ietf.org,
 iesg@ietf.org
Message-ID: <43a2d0d2-9613-1ee5-4f2d-0b8f72bec5c1@gmail.com>
Subject: secdir review of draft-holmberg-dispatch-mcptt-rp-namespace-03

--H5ECv2Jnu6et6dDibDvbX80BCi7G6K3rL
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: Ready, with issues

This draft defines an additional Session Initiation Protocol (SIP)
Resource-Priority namespace to meet the requirements of the 3GPP
defined Mission Critical Push To Talk, and places this namespace in
the IANA registry.  The "Security Considerations" section is brief,
stating only "[t]his document has the same Security Considerations as
[RFC4412]."  I think that is actually not the case, as the security
considerations for a namespace registry are not the same as the
security considerations for the protocol in which the namespace is
being used.  It would probably be more correct to follow the model in,
say, RFC 6878 ("SIP Priority Field Registry") and say only "This
document does not have any impact on the security of the SIP MCPTT
protocol.  Its purpose is purely administrative in nature."

Otherwise, all's well.

Melinda


--H5ECv2Jnu6et6dDibDvbX80BCi7G6K3rL--


--uOHqqxXrG2TxfvfOLVHH8wguc47fU8GMX--


From nobody Sun Jan  8 12:34:11 2017
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E63D3127ABE; Sun,  8 Jan 2017 12:34:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT5OsNaqHb1P; Sun,  8 Jan 2017 12:34:05 -0800 (PST)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 945DF1298B9; Sun,  8 Jan 2017 12:34:04 -0800 (PST)
X-AuditID: c1b4fb3a-46fff70000005d1c-46-5872a23aa34d
Received: from ESESSHC023.ericsson.se (Unknown_Domain [153.88.183.87]) by  (Symantec Mail Security) with SMTP id 92.A0.23836.A32A2785; Sun,  8 Jan 2017 21:34:02 +0100 (CET)
Received: from ESESSMB209.ericsson.se ([169.254.9.169]) by ESESSHC023.ericsson.se ([153.88.183.87]) with mapi id 14.03.0319.002; Sun, 8 Jan 2017 21:34:44 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Melinda Shore <melinda.shore@gmail.com>, "draft-holmberg-dispatch-mcptt-rp-namespace@ietf.org" <draft-holmberg-dispatch-mcptt-rp-namespace@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: secdir review of draft-holmberg-dispatch-mcptt-rp-namespace-03
Thread-Index: AQHSaKkSg8yUgjsWtEClPr+gVJEw4KEvC2zA
Date: Sun, 8 Jan 2017 20:34:00 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B4BF5DB81@ESESSMB209.ericsson.se>
References: <43a2d0d2-9613-1ee5-4f2d-0b8f72bec5c1@gmail.com>
In-Reply-To: <43a2d0d2-9613-1ee5-4f2d-0b8f72bec5c1@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [153.88.183.154]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mG4KSsRIqDAnG2FtNjIUyssJeKs>
Subject: Re: [secdir] secdir review of draft-holmberg-dispatch-mcptt-rp-namespace-03
Precedence: list
X-List-Received-Date: Sun, 08 Jan 2017 20:34:07 -0000

From nobody Sun Jan  8 16:10:53 2017
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7ABF129A09; Sun,  8 Jan 2017 16:10:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.019
X-Spam-Level: 
X-Spam-Status: No, score=-2.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sveIXeXSDXtB; Sun,  8 Jan 2017 16:10:47 -0800 (PST)
Received: from BLU004-OMC4S30.hotmail.com (blu004-omc4s30.hotmail.com [65.55.111.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90317129A08; Sun,  8 Jan 2017 16:10:47 -0800 (PST)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com ([65.55.111.136]) by BLU004-OMC4S30.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Sun, 8 Jan 2017 16:10:46 -0800
Received: from SN1NAM01FT045.eop-nam01.prod.protection.outlook.com (10.152.64.51) by SN1NAM01HT234.eop-nam01.prod.protection.outlook.com (10.152.65.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.803.8; Mon, 9 Jan 2017 00:10:45 +0000
Received: from CY4PR17MB0997.namprd17.prod.outlook.com (10.152.64.58) by SN1NAM01FT045.mail.protection.outlook.com (10.152.65.226) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.803.8 via Frontend Transport; Mon, 9 Jan 2017 00:10:45 +0000
Received: from CY4PR17MB0997.namprd17.prod.outlook.com ([10.173.181.7]) by CY4PR17MB0997.namprd17.prod.outlook.com ([10.173.181.7]) with mapi id 15.01.0829.013; Mon, 9 Jan 2017 00:10:45 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-lisp-type-iana.all@tools.ietf.org" <draft-ietf-lisp-type-iana.all@tools.ietf.org>, 'The IESG' <iesg@ietf.org>
Thread-Topic: Secdir review of draft-ietf-lisp-type-iana-04
Thread-Index: AQHSagjbiUfYI4y900KEQY8wFG97hg==
Date: Mon, 9 Jan 2017 00:10:45 +0000
Message-ID: <CY4PR17MB09976540F211EFAC84EF3831DF650@CY4PR17MB0997.namprd17.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=outlook.com;
x-incomingtopheadermarker: OriginalChecksum:30BCD05BB94B4850FF157E5980D1E22A3B1238E73855538BC5C18251DF07F007; UpperCasedChecksum:86215B9A83908D609046D393227D559653D6644E8B636B6EDEF2F154DD678169; SizeAsReceived:7652; Count:37
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [bb91tSqbqvCQK81iQ5jp45Dw0bk+DWPH]
x-incomingheadercount: 37
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI; SFV:NSPM; SFS:(10019020)(98900003); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1NAM01HT234; H:CY4PR17MB0997.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; 
x-ms-office365-filtering-correlation-id: bef016b4-fac1-4bdd-3d6a-08d43823f554
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(1601124038)(1603103113)(1603101340)(1601125047)(1701031023); SRVR:SN1NAM01HT234; 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444111334)(444112120)(432015012)(82015046); SRVR:SN1NAM01HT234; BCL:0;  PCL:0; RULEID:; SRVR:SN1NAM01HT234; 
x-forefront-prvs: 0182DBBB05
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR17MB09976540F211EFAC84EF3831DF650CY4PR17MB0997namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jan 2017 00:10:45.6121 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM01HT234
X-OriginalArrivalTime: 09 Jan 2017 00:10:46.0549 (UTC) FILETIME=[D35E4C50:01D26A0C]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/m3jnevfOjB5BsT9U0omHQLjSNEQ>
Subject: [secdir] Secdir review of draft-ietf-lisp-type-iana-04
Precedence: list
X-List-Received-Date: Mon, 09 Jan 2017 00:10:49 -0000

--_000_CY4PR17MB09976540F211EFAC84EF3831DF650CY4PR17MB0997namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is: Ready

No security concerns.


This document proposes creation of two new IANA registries and defines
a new message type within the Locator/ID Separation Protocol
(RFC6830). The first registry should have been created by RFC6830,
which assigned codes to 5 values for a four bit field. This document
proposes creating a registry for holding those 5 values and a sixth
value for the purpose of holding experimental extensions.


Because the 4 bit field can only ever support 16 values and several
independent extensions are already being proposed, the proposal is to
reserve the value 15 for experimental extensions where it has a 12 bit
sub-type field to distinguish those extensions. This document proposes
to create a second IANA registry for holding up to 4096 assigned
values for that field, to be handed out on a first come first served
basis.


While future extensions might have security implications, defining
these new registries does not.


I don't know what IANA's experience has been with first come first
served registries. With no review procedure, they are subject to abuse
and I don't know who gets to exercise judgment as to whether a
particular request is abusive.


The document states that the subtypes of value 15 are reserved for
Experimental Use. My sense is that the intention of the authors is
that should an experimental protocol be promoted to standards track
that it will at that time be assigned one of the 16 values from the
4 bit field. This might be an unfortunate restriction for two reasons:
1) Given that there are only 16 types available and 6 have already
been assigned, it seems possible that this space would eventually be
exhausted; and 2) Requiring that protocols change syntax when they are
promoted from experimental to standards track places a burden on
implementers who often end up supporting both syntaxes indefinitely
(and having interoperability problems if they don't). There's no
reason obvious to me why subtypes could not be kept for standardized
usage later. That is one of the advantages of having an IANA registry
over reserving them for private use.


The intended status of this document is listed as Experimental. This
seems wrong to me. While any future documents defining uses of newly
assigned values might well be experimental, I would expect that this
document would seek the same status as RFC6830 (and this document
should be incorporated into any future revisions of that one).


--Charlie

--_000_CY4PR17MB09976540F211EFAC84EF3831DF650CY4PR17MB0997namp_--
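
The Type / sub-type split described in the review above, as an added
example (not part of the review or of the draft): a receiver-side
classifier that reads the 4-bit Type and, for the value 15, the 12-bit
sub-type, and drops anything truncated or unassigned. It assumes the
Type sits in the top four bits of the first octet with the sub-type
directly after it, takes the five type names from RFC 6830, and uses a
constructed sub-type registry; the accept/drop policy is illustrative.

```python
"""Classify a LISP control message by Type and, for Type 15, sub-type."""
from typing import Dict, NamedTuple, Optional

# The five Type codes RFC 6830 assigned in the 4-bit field.
RFC6830_TYPES: Dict[int, str] = {
    1: "Map-Request",
    2: "Map-Reply",
    3: "Map-Register",
    4: "Map-Notify",
    8: "Encapsulated Control Message",
}
# Sixth value: reserved for experimental extensions that carry a sub-type.
EXTENSION_TYPE = 15
SUB_TYPE_BITS = 12  # 2**12 = 4096 possible registry entries

# Constructed sample of the first-come-first-served sub-type registry.
SAMPLE_SUB_TYPES: Dict[int, str] = {0x02A: "example-extension"}


class LispType(NamedTuple):
    msg_type: int
    sub_type: Optional[int]  # None unless msg_type == EXTENSION_TYPE


def parse_lisp_type(packet: bytes) -> LispType:
    """Extract Type and, for Type 15, the sub-type.

    Assumed layout: Type is the top 4 bits of octet 0; for Type 15 the
    next 12 bits (low nibble of octet 0, then octet 1) are the sub-type.
    """
    if not packet:
        raise ValueError("empty packet")
    msg_type = packet[0] >> 4
    if msg_type != EXTENSION_TYPE:
        return LispType(msg_type, None)
    if len(packet) < 2:
        # One octet is not enough to hold the 12-bit sub-type.
        raise ValueError("type 15 message truncated before sub-type")
    sub_type = ((packet[0] & 0x0F) << 8) | packet[1]
    return LispType(msg_type, sub_type)


def classify(packet: bytes, sub_types: Dict[int, str]) -> str:
    """Return an accept/drop decision; unknown codes are never guessed at."""
    try:
        parsed = parse_lisp_type(packet)
    except ValueError as exc:
        return f"drop: {exc}"
    if parsed.sub_type is None:
        name = RFC6830_TYPES.get(parsed.msg_type)
        if name is None:
            return f"drop: unassigned type {parsed.msg_type}"
        return f"accept: {name}"
    name = sub_types.get(parsed.sub_type)
    if name is None:
        return f"drop: unregistered sub-type {parsed.sub_type}"
    return f"accept: experimental {name}"


if __name__ == "__main__":
    # Constructed first octets of control messages, for illustration only.
    samples = [
        bytes([0x10, 0x00]),  # Type 1
        bytes([0xF0, 0x2A]),  # Type 15, sub-type 0x02A (in sample registry)
        bytes([0xFF, 0xFF]),  # Type 15, sub-type 4095 (not registered)
        bytes([0xF0]),        # Type 15 but cut off before the sub-type
        bytes([0x50, 0x00]),  # Type 5, not assigned by RFC 6830
    ]
    for pkt in samples:
        print(pkt.hex(), "->", classify(pkt, SAMPLE_SUB_TYPES))
```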


From nobody Sun Jan  8 21:08:34 2017
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95388129A8F for <secdir@ietfa.amsl.com>; Sun,  8 Jan 2017 21:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.7
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 86t98C_m0mKP for <secdir@ietfa.amsl.com>; Sun,  8 Jan 2017 21:08:31 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90C621295BA for <secdir@ietf.org>; Sun,  8 Jan 2017 21:08:31 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0958UUL014126 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Jan 2017 05:08:30 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v0958Tq5027321 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 9 Jan 2017 05:08:29 GMT
Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v0958ToL026933; Mon, 9 Jan 2017 05:08:29 GMT
Received: from [10.154.169.77] (/10.154.169.77) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 08 Jan 2017 21:08:29 -0800
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com>
From: Shawn M Emery <shawn.emery@oracle.com>
To: "secdir@ietf.org" <secdir@ietf.org>
X-Forwarded-Message-Id: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com>
Message-ID: <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com>
Date: Sun, 8 Jan 2017 22:11:09 -0700
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1w6dvTa5raGr6CNAika7U3bYbkk>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org
Subject: [secdir] Review of draft-ietf-trill-rfc6439bis-03
Precedence: list
X-List-Received-Date: Mon, 09 Jan 2017 05:08:32 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft updates the Appointed Forwarders mechanism (RFC 6439),
which supports multiple TRILL switches that handle native traffic
to and from end stations on a single link.

The security considerations section does exist and states that this
update does not change the security properties of the TRILL base
protocol.  The section goes on to state that the Port-Shutdown message
SHOULD be secured through the Tunnel Channel protocol (which is in draft
state).  Was this intended to be a normative reference?  The section quickly
finishes with a reference to Authentication TLVs as a way to secure E-LICS
FS-LSPs traffic.  I'm not a TRILL expert and therefore find it difficult to
distinguish between the usage of Tunnel Channels and Authentication TLVs for
securing Port Shutdown messaging.  Could you please clarify?

General comments:

None.

Editorial comments:

s/the need to "inhibition"/the need for "inhibition"/
s/forarding/forwarding/
s/two optimization/two optimizations/
s/messages are build/messages are built/

Shawn.
--


From nobody Mon Jan  9 11:27:23 2017
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A24B129DA5 for <secdir@ietfa.amsl.com>; Mon,  9 Jan 2017 11:27:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.056
X-Spam-Level: 
X-Spam-Status: No, score=-3.056 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9uNQbJusEeO for <secdir@ietfa.amsl.com>; Mon,  9 Jan 2017 11:27:21 -0800 (PST)
Received: from smtp98.iad3a.emailsrvr.com (smtp98.iad3a.emailsrvr.com [173.203.187.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4453B129449 for <secdir@ietf.org>; Mon,  9 Jan 2017 11:27:21 -0800 (PST)
Received: from smtp13.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp13.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 55DA05A8D; Mon,  9 Jan 2017 14:27:18 -0500 (EST)
Received: from app53.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp13.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 3A0BA5ACA; Mon,  9 Jan 2017 14:27:18 -0500 (EST)
X-Sender-Id: scott@hyperthought.com
Received: from app53.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.7.12); Mon, 09 Jan 2017 14:27:18 -0500
Received: from hyperthought.com (localhost [127.0.0.1]) by app53.wa-webapps.iad3a (Postfix) with ESMTP id 2957540123; Mon,  9 Jan 2017 14:27:18 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Mon, 9 Jan 2017 11:27:18 -0800 (PST)
Date: Mon, 9 Jan 2017 11:27:18 -0800 (PST)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-dnsop-edns-key-tag.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Auth-ID: scott@hyperthought.com
Message-ID: <1483990038.1669640@apps.rackspace.com>
X-Mailer: webmail/12.7.1-RC1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SxO4kmS6GFId-yfXIzhzODpahCc>
Subject: [secdir] secdir review of draft-ietf-dnsop-edns-key-tag-03
Precedence: list
X-List-Received-Date: Mon, 09 Jan 2017 19:27:22 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: this draft is ready.

From the introduction,

   This draft sets out to specify a way for validating resolvers to tell
   a server in a DNS query which DNSSEC key(s) they would use to
   validate responses from that zone.  This is done in two ways: using
   an EDNS option for use in the OPT meta-RR [RFC6891] that contains the
   key tags (described in Section 4), and by periodically sending
   special "key tag queries" to a server authoritative for the zone
   (described in Section 5).

That pretty well sums it up. The security and privacy considerations
sections cover all relevant issues. I see no problems with this
document.

Minor editorial comment: section 5.3 ends with this bracketed comment:

 [ Note RFC1035 says NULL
   RRs are not allowed in master files, but I believe that to be
   incorrect ]

I assume this will be resolved prior to publication?

--Scott


From nobody Mon Jan  9 16:55:20 2017
Return-Path: <sra@hactrn.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C45A21299AC; Mon,  9 Jan 2017 16:55:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Level: 
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ac46oZpjxvE; Mon,  9 Jan 2017 16:55:14 -0800 (PST)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BD6A129665; Mon,  9 Jan 2017 16:55:14 -0800 (PST)
Received: from minas-ithil.hactrn.net (c-73-47-197-23.hsd1.ma.comcast.net [73.47.197.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by adrilankha.hactrn.net (Postfix) with ESMTPS id 75BE0B8E6; Tue, 10 Jan 2017 00:55:13 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 78CCA461A613; Mon,  9 Jan 2017 19:55:12 -0500 (EST)
Date: Mon, 09 Jan 2017 19:55:12 -0500
From: Rob Austein <sra@hactrn.net>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1701061709510.3176@bofh.nohats.ca>
References: <alpine.LRH.2.20.1701061709510.3176@bofh.nohats.ca>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20170110005512.78CCA461A613@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xYK6-ppbfCKXL6vtDLrhB8E0EAk>
Cc: draft-ietf-sidr-publication.all@ietf.org, iesg@ietf.org, secdir <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-publication-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 00:55:16 -0000

Hi, Paul.  Thanks for the review!  Sorry about taking so long to get
back to you on it, but there was a bit more to yours than just "fix
these few nits".

I'm not going to attempt to answer point by point, because that would
drive us both nuts.  Instead, I'm going to answer a few specific
points, then let you see if the text changes I made are satisfactory.

Overall, this required a bit more new text than I would have preferred
at the end of Last Call, but I think you identified some missing
background information that needed adding, and none of the new text is
intended to change the protocol itself in any way, so I'm hoping this
will be acceptable to all parties.

To specific points, in no particular order:

* Authentication was covered in the doc, but I added a bit more text
  to make it a bit more obvious.  Authorization is a private matter
  between client and server operators (just as it would be when
  signing up for any application protocol, eg, an IMAP account), but I
  added a bit of text to make that more obvious too.

* See the new ASCII art in the introduction for how this protocol fits
  into the overall picture, and, in particular, why this protocol is
  indeed mostly concerned just with shipping RPKI objects between
  certificate engines and publication servers rather than what the
  RPKI relying parties do with those objects.

  Many thanks to Randy Bush for providing the ASCII art.

* We've been calling this the "RPKI publication protocol" for about
  ten years now, so, with respect, we would prefer not to change that.
  One could quibble about whether the ability to withdraw published
  objects is implied by the ability to publish both new and updated
  objects, but, really, it's a name, and it is what it is.

* Certificate Transparency is an interesting idea, and if somebody had
  raised it a year ago I might have been interested in exploring it,
  but we're dealing with a protocol that should have shipped years
  ago, which is now part of a bundle of other RPKI-related protocols,
  and which is trying to keep its use of CMS compatible with RFC 6492,
  so I'd really rather not go back to the drawing board on this one
  right now.  My preference would be to leave this as a topic for
  future work, to be handled in an updated specification if and when
  somebody gets a chance to look into it properly.

* "PDU" stands for "Protocol Data Unit".  It's an old ITU term which
  entered the IETF lexicon via SNMP, IIRC.  Anyway, it's an
  RFC-Editor-blessed abbreviation, see:

  https://www.rfc-editor.org/materials/abbrev.expansion.txt

* We use [SHS] as the reference for SHA-256 because that's what
  somebody advised us to do, years ago.  I'm fine with changing that
  to RFC-4634 if that's what the IESG wants us to do this year.

* I did not take your recommendation on changing the examples.
  There's a very specific reason why we wrote the examples the way we
  did: because they're syntactically correct XML, we can run them
  through the RelaxNG schema checker to make sure we didn't mess up
  the syntax.  Your preferred form ("hash=<SHA256-Hash>" or whatever)
  would not pass that syntax check, so we'd be back to (error-prone)
  manual checking of the example syntax.  Been there, broke that.

  In an attempt to meet you part way on this, I added XML comments to
  some of the examples, which I hope will suffice to address this.

* The text already said that the various DER blobs are encoded in
  Base64, as does the schema.  Syntax of hash attributes is nailed
  down pretty tightly as hexadecimal in the schema but was not
  explicit in the text (oops): fixed, thanks!

* "<client/>" was an editorial oversight, it was old text that should
  have been removed at the same time as the mechanism to which it was
  referring was taken out (at the WG's request).  Thanks for catching
  that.

* "tags" in this protocol are transaction IDs, modeled roughly on the
  tags in IMAP4.   I added some text making this more explicit.


I have not yet submitted the updated I-D (-10).  Will do so tomorrow
unless I hear loud screaming, as our AD wants an updated I-D this
week.  For the moment, you can see the updated version and a diff at:

https://subvert-ietf.hactrn.net/sidr-publication/draft-ietf-sidr-publication-10.txt
https://subvert-ietf.hactrn.net/sidr-publication/draft-ietf-sidr-publication-10-from-09.diff.html


From nobody Mon Jan  9 19:45:56 2017
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D78C129A48 for <secdir@ietfa.amsl.com>; Mon,  9 Jan 2017 19:45:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.756
X-Spam-Level: 
X-Spam-Status: No, score=-3.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-1.156] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCeap2Mvjagr for <secdir@ietfa.amsl.com>; Mon,  9 Jan 2017 19:45:47 -0800 (PST)
Received: from nm26-vm3.bullet.mail.gq1.yahoo.com (nm26-vm3.bullet.mail.gq1.yahoo.com [98.136.216.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8373612943D for <secdir@ietf.org>; Mon,  9 Jan 2017 19:45:47 -0800 (PST)
Received: from [98.137.12.59] by nm26.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 03:45:47 -0000
Received: from [98.137.12.224] by tm4.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 03:45:47 -0000
Received: from [127.0.0.1] by omp1032.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 03:45:47 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 24836.69817.bm@omp1032.mail.gq1.yahoo.com
Received: from jws300048.mail.gq1.yahoo.com by sendmailws121.mail.gq1.yahoo.com; Tue, 10 Jan 2017 03:45:46 +0000; 1484019946.657
Date: Tue, 10 Jan 2017 03:45:46 +0000 (UTC)
From: <nalini.elkins@insidethestack.com>
To: Tero Kivinen <kivinen@iki.fi>
Message-ID: <970641405.98311.1484019946430@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
References: <970641405.98311.1484019946430.ref@mail.yahoo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/11ZyBJjE1oMAQS1voTqBF3DTajE>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing Attacks
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: nalini.elkins@insidethestack.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 03:45:49 -0000

Tero,

I believe this is the last outstanding issue!  After we reach agreement, I will rewrite the draft to:

1) incorporate the new changes

2) incorporate the changes suggested by the Gen-Art reviewer.

This particular thread relates to timing attacks in the Security section.

nalini.elkins@insidethestack.com writes: 
>>> 8.4 Timing Attacks 
>>> 
>>> The fact that PDM can help in the separation of node processing time 
>>> from network latency brings value to performance monitoring.  Yet, 
>>> it is this very characteristic of PDM which may be misused to make 
>>> certain new type of timing attacks against protocols and 
>>> implementations possible.  Having said that, PDM is more likely to 
>>> be used in response to an attack to find whether there are problems 
>>> in the network or the node rather than its temporary use being 
>>> exploited to mount an attack.  The normal use of PDM is likely to be 
>>> for testing and diagnostics.  So, this is a short-term opportunity 
>>> for an attacker. 
>>> 
>>> Even so, if using PDM, we introduce the concept of user "Consent to 
>>> be Measured" as a pre-requisite for using PDM.  Consent is common in 
>>> enterprises and with some subscription services. So, if with PDM, we 
>>> recommend that the user SHOULD consent to its use. 
> 
> 
> [Tero's comments below] 
> >I think this text might need bit more text about the attacks. I.e. the 
> >nature of these attacks is that they can leak out the long term 
> >credentials of the device. So if attacker is able to make attack, 
> >which causes the enterprise to turn on PDM to diagnose the attack, 
> >then the attacker might use PDM during that debugging time to do 
> >timing attack against the long term keying material used by the crypto 
> >protocol. Immediately when they get the keying material out, they stop 
> >the actual attack, which might then cause the defender to think that 
> >nothing bad happened, and just disable PDM and go on, without realizing 
> >that their long term keying material got stolen during the attack, and 
> >that the visible attack was there only to cause them to turn on PDM... 
> 
> 
> 
>>> Tero, I am a bit reluctant to be completely specific as I think that 
>>> will give people ideas that they might not have had before. 

>Security by obscurity never works. Attackers have much more time to 
>think and plan about attacks than people who are implementing code for 
>something unrelated. If you are too vague, people who are implementing 
>PDM or the crypto protocols, think that those attacks are impossible. 
>It is better to spell them out for those implementing those so they 
>can make needed security measures for those. 

>One of those security measures could for example be that PDM is 
>enabled only for certain ip-addresses, or only for some ports. Another 
>would be to enable it for certain time period (for example for 1 hour), 
>so it can be made sure that PDM is not accidentally left on after 
>debugging has been done etc. 

>> That is, before I say it, few people might think to launch such 
>> attacks but if I spell it out clearly that such attacks can be 
>> launched, then people who might not even have thought that this was 
>> possible, will now think that they can do it. 

>I think it is better to explain the attacks properly to the PDM 
>implementors, so they understand what kind of things they need to 
>think about when implementing PDM. Same thing for the people 
>implementing crypto protocols. They need to understand that with PDM 
>some things that used to be hard will be easy. 

>If you just give general warnings, that means that quite a lot of 
>implementors think that this text is just general text, not really 
>specific for this. So implementors might think it does not concern 
>them, and ignore the issue. 


8.4 Timing Attacks 

The fact that PDM can help in the separation of node processing time 
from network latency brings value to performance monitoring.  Yet, 
it is this very characteristic of PDM which may be misused to make 
certain new type of timing attacks against protocols and 
implementations possible. 

That is, in some cases, depending on the nature of the cryptographic 
protocol used, it may be possible to leak the long term credentials 
of the device.  For example, if an attacker is able to create an attack 
which causes the enterprise to turn on PDM to diagnose the attack, 
then the attacker might use PDM during that debugging time to launch 
a timing attack against the long term keying material used by the 
cryptographic protocol. 

An implementation may want to be sure that PDM is enabled only for 
certain ip addresses, or only for some ports.  Additionally, we 
recommend that the implementation SHOULD require an explicit 
restart of monitoring after a certain time period (for example for 1 hour), 
to make sure that PDM is not accidentally left on after 
debugging has been done etc. 

Even so, if using PDM, we introduce the concept of user "Consent to 
be Measured" as a pre-requisite for using PDM.  Consent is common in 
enterprises and with some subscription services. So, if with PDM, we 
recommend that the user SHOULD consent to its use. 


Thanks,
Nalini
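
The scoping and time limit recommended in the revised 8.4 text above, shown as an added example that is not taken from the draft or from any PDM implementation. The class and method names are hypothetical, and recording "Consent to be Measured" as a boolean plus an audit trail is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PdmGate:
    """Decides whether the PDM option may be attached to a packet.

    Hypothetical policy object: PDM is off by default, is limited to
    listed peers and/or ports, and switches itself off after window_s
    seconds so that it needs an explicit restart.
    """
    prefixes: tuple = ()            # empty = no address restriction
    ports: frozenset = frozenset()  # empty = no port restriction
    window_s: int = 3600            # "for example for 1 hour"
    started_at: Optional[float] = None
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.prefixes = tuple(ipaddress.ip_network(p) for p in self.prefixes)
        self.ports = frozenset(self.ports)

    def start(self, now, operator, consent):
        """Explicit (re)start of monitoring; refused without consent."""
        if not consent:
            self.audit.append((now, operator, "refused: no consent"))
            return False
        self.started_at = now
        self.audit.append((now, operator, "started"))
        return True

    def active(self, now):
        """True while inside the monitoring window; expires fail-closed."""
        if self.started_at is None:
            return False
        if now - self.started_at >= self.window_s:
            # Window elapsed: turn PDM off and leave a trace for review.
            self.audit.append((now, "system", "expired"))
            self.started_at = None
            return False
        return True

    def should_attach(self, peer, port, now):
        """Apply window, address scope and port scope, in that order."""
        if not self.active(now):
            return False
        addr = ipaddress.ip_address(peer)
        if self.prefixes and not any(addr in net for net in self.prefixes):
            return False
        if self.ports and port not in self.ports:
            return False
        return True


if __name__ == "__main__":
    # Constructed sample: documentation prefix, one diagnostic port.
    gate = PdmGate(prefixes=("2001:db8:10::/48",), ports={443})
    gate.start(now=0, operator="alice", consent=True)
    for peer, port, t in [
        ("2001:db8:10::5", 443, 10),    # in scope, inside window
        ("2001:db8:99::5", 443, 10),    # peer outside the allowed prefix
        ("2001:db8:10::5", 22, 10),     # port outside the allowed set
        ("2001:db8:10::5", 443, 3600),  # window elapsed, PDM is off again
    ]:
        print(peer, port, t, gate.should_attach(peer, port, t))
    print(gate.audit)
```

The audit list gives the defender a record of when PDM was switched on and by whom, which is what is needed afterwards to check whether a monitoring window coincided with suspicious traffic.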


From nobody Mon Jan  9 20:49:52 2017
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B671129A8D; Mon,  9 Jan 2017 20:49:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.199
X-Spam-Level: 
X-Spam-Status: No, score=-5.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-3.199] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikfkHkDZryH0; Mon,  9 Jan 2017 20:49:49 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 792991295BF; Mon,  9 Jan 2017 20:49:49 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3tyKLz3ggbz1Ht; Tue, 10 Jan 2017 05:49:47 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id w1Ao05obCQmi; Tue, 10 Jan 2017 05:49:45 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 10 Jan 2017 05:49:45 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 4EE3B717D61; Mon,  9 Jan 2017 23:49:42 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 4EE3B717D61
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 476FC44836E7; Mon,  9 Jan 2017 23:49:42 -0500 (EST)
Date: Mon, 9 Jan 2017 23:49:42 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Rob Austein <sra@hactrn.net>
In-Reply-To: <20170110005512.78CCA461A613@minas-ithil.hactrn.net>
Message-ID: <alpine.LRH.2.20.1701092347320.30084@bofh.nohats.ca>
References: <alpine.LRH.2.20.1701061709510.3176@bofh.nohats.ca> <20170110005512.78CCA461A613@minas-ithil.hactrn.net>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cnJwLmE5_rzj-QkiYezYfKu7V-A>
Cc: draft-ietf-sidr-publication.all@ietf.org, iesg@ietf.org, secdir <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-publication-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 04:49:50 -0000

On Mon, 9 Jan 2017, Rob Austein wrote:

> I'm not going to attempt to answer point by point, because that would
> drive us both nuts.  Instead, I'm going to answer a few specific
> points, then let you see if the text changes I made are satisfactory.
>
> Overall, this required a bit more new text than I would have preferred
> at the end of Last Call, but I think you identified some missing
> background information that needed adding, and none of the new text is
> intended to change the protocol itself in any way, so I'm hoping this
> will be acceptable to all parties.

The text and your email clarified a lot. Thanks!

> I have not yet submitted the updated I-D (-10).  Will do so tomorrow
> unless I hear loud screaming, as our AD wants an updated I-D this
> week.  For the moment, you can see the updated version and a diff at:
>
> https://subvert-ietf.hactrn.net/sidr-publication/draft-ietf-sidr-publication-10.txt
> https://subvert-ietf.hactrn.net/sidr-publication/draft-ietf-sidr-publication-10-from-09.diff.html

I've read the changes. Those along with the clarifications in your email
resolve all my issues. So from a SecDir review point of view, this
document is now Ready.

Thank you,

Paul


From nobody Tue Jan 10 04:05:24 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA782129BCE; Tue, 10 Jan 2017 04:05:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZCtjKq6heZhE; Tue, 10 Jan 2017 04:05:21 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F27CA127077; Tue, 10 Jan 2017 04:05:20 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v0AC5GK0025206 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 10 Jan 2017 14:05:16 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v0AC5FQH004742; Tue, 10 Jan 2017 14:05:15 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22644.52731.787564.284071@fireball.acr.fi>
Date: Tue, 10 Jan 2017 14:05:15 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: <nalini.elkins@insidethestack.com>
In-Reply-To: <970641405.98311.1484019946430@mail.yahoo.com>
References: <970641405.98311.1484019946430.ref@mail.yahoo.com> <970641405.98311.1484019946430@mail.yahoo.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 4 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Bs2EUPhrkgRgMFonZS7e6slQxP8>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing Attacks
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 12:05:22 -0000

nalini.elkins@insidethestack.com writes:
> Tero,
> 
> I believe this is the last outstanding issue!  After we reach
> agreement, I will rewrite the draft to: 
...
> 8.4 Timing Attacks 
> 
> The fact that PDM can help in the separation of node processing time 
> from network latency brings value to performance monitoring.  Yet, 
> it is this very characteristic of PDM which may be misused to make 
> certain new type of timing attacks against protocols and 
> implementations possible. 
> 
> That is, in some cases, depending on the nature of the cryptographic 
> protocol used, it may be possible to leak the long term credentials 
> of the device.  For example, if an attacker is able to create an attack 
> which causes the enterprise to turn on PDM to diagnose the attack, 
> then the attacker might use PDM during that debugging time to launch 
> a timing attack against the long term keying material used by the 
> cryptographic protocol. 
> 
> An implementation may want to be sure that PDM is enabled only for 
> certain ip addresses, or only for some ports.  Additionally, we 
> recommend that the implementation SHOULD require an explicit 
> restart of monitoring after a certain time period (for example for 1 hour), 
> to make sure that PDM is not accidentally left on after 
> debugging has been done etc. 
> 
> Even so, if using PDM, we introduce the concept of user "Consent to 
> be Measured" as a pre-requisite for using PDM.  Consent is common in 
> enterprises and with some subscription services. So, if with PDM, we 
> recommend that the user SHOULD consent to its use. 

This new text looks good.
-- 
kivinen@iki.fi


From nobody Tue Jan 10 04:58:11 2017
Return-Path: <acmorton@att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D07F129C45; Tue, 10 Jan 2017 04:58:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZR_lnLmAGY9; Tue, 10 Jan 2017 04:58:09 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 453D6129898; Tue, 10 Jan 2017 04:58:09 -0800 (PST)
Received: from pps.filterd (m0049459.ppops.net [127.0.0.1]) by m0049459.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id v0ACtbAp048633; Tue, 10 Jan 2017 07:58:08 -0500
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0049459.ppops.net-00191d01. with ESMTP id 27vyk88h5v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 10 Jan 2017 07:58:07 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v0ACw7BF006537; Tue, 10 Jan 2017 07:58:07 -0500
Received: from mlpi409.sfdc.sbc.com (mlpi409.sfdc.sbc.com [130.9.128.241]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v0ACvuhC006438 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 10 Jan 2017 07:57:59 -0500
Received: from clpi183.sldc.sbc.com (clpi183.sldc.sbc.com [135.41.1.46]) by mlpi409.sfdc.sbc.com (RSA Interceptor); Tue, 10 Jan 2017 12:57:40 GMT
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id v0ACveZJ011712; Tue, 10 Jan 2017 06:57:40 -0600
Received: from mail-green.research.att.com (mail-green.research.att.com [135.207.255.15]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id v0ACvOxQ011120; Tue, 10 Jan 2017 06:57:25 -0600
Received: from exchange.research.att.com (njmtcas2.research.att.com [135.207.255.47]) by mail-green.research.att.com (Postfix) with ESMTP id E6F5BE033D; Tue, 10 Jan 2017 07:56:46 -0500 (EST)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njmtcas2.research.att.com ([fe80::d550:ec84:f872:cad9%15]) with mapi id 14.03.0319.002; Tue, 10 Jan 2017 07:57:23 -0500
From: "MORTON, ALFRED C (AL)" <acmorton@att.com>
To: Tero Kivinen <kivinen@iki.fi>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>
Thread-Topic: Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing Attacks
Thread-Index: AQHSavgF3LTCeQELV0WiDyBzECKAhaEx8XyA//+56PA=
Date: Tue, 10 Jan 2017 12:57:22 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF67BF01@njmtexg5.research.att.com>
References: <970641405.98311.1484019946430.ref@mail.yahoo.com> <970641405.98311.1484019946430@mail.yahoo.com> <22644.52731.787564.284071@fireball.acr.fi>
In-Reply-To: <22644.52731.787564.284071@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [156.106.228.67]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-10_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701100188
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NsWqfGYsXI9e8WvzXj9fTHP07EY>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing Attacks
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 12:58:10 -0000

Hi Nalini and Tero,
Allow me to make two editorial suggestions.
(see below)
Al

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Tuesday, January 10, 2017 7:05 AM
> To: nalini.elkins@insidethestack.com
> Cc: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org
> Subject: Re: Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing
> Attacks
>
> nalini.elkins@insidethestack.com writes:
> > Tero,
> >
> > I believe this is the last outstanding issue!  After we reach
> > agreement, I will rewrite the draft to:
> ...
> > 8.4 Timing Attacks
> >
> > The fact that PDM can help in the separation of node processing time
> > from network latency brings value to performance monitoring.  Yet,
> > it is this very characteristic of PDM which may be misused to make
> > certain new type of timing attacks against protocols and
> > implementations possible.
> >
> > That is, in some cases, depending on the nature of the cryptographic
> > protocol used, it may be possible to leak the long term credentials
> > of the device.  For example, if and attacker is able to create an attack
> > which causes the enterprise to turn on PDM to diagnose the attack,
> > then the attacker might use PDM during that debugging time to launch
> > a timing attack against the long term keying material used by the
> > cryptographic protocol.
> >
> > An implementation may want to be sure that PDM is enabled only for
> > certain ip addresses, or only for some ports.  Additionally, we
> > recommend that the implementation SHOULD require an explicit
> > restart of monitoring after a certain timeperiod (for example for 1 hour),
> > to make sure that PDM is not accidently left on after
> > debugging has been done etc.
> >
> > Even so, if using PDM, we introduce the concept of user "Consent to
> > be Measured" as a pre-requisite for using PDM.  Consent is common in
> > enterprises and with some subscription services. So, if with PDM, we
> > recommend that the user SHOULD consent to its use.
>
> This new text looks good.
> --
> kivinen@iki.fi
[ACM]
OLD
> That is, in some cases, depending on the nature of the cryptographic
> protocol used, it may be possible to leak the long term credentials
> of the device.  For example, if and attacker is able to create an attack
NEW
Depending on the nature of the cryptographic
protocol used, it may be possible to leak the long term credentials
of the device.  For example, if an attacker is able to create an attack
                                ^^
...

Thanks for your extensive efforts to resolve these issues!
Al
doc shepherd
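
Added example, not part of the thread or of the draft: one way an implementation could enforce the safeguards in the proposed section 8.4 text quoted above (PDM scoped to certain addresses or ports, an explicit restart after a bounded period, and consent to be measured). The class `PdmGate`, its method names and the sample addresses are assumptions made for illustration.

```python
import ipaddress


class PdmGate:
    """Policy gate deciding whether PDM may be attached to a flow.

    Hypothetical helper: the draft text specifies the policy (scoping,
    explicit restart, consent), not this interface.
    """

    def __init__(self, prefixes, ports=None, max_window_s=3600):
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        # ports=None means "any port"; the draft allows scoping by
        # address or by port, so the port restriction is optional here.
        self.ports = None if ports is None else frozenset(ports)
        self.max_window_s = max_window_s   # "for example for 1 hour"
        self.consented = set()             # peers that gave consent
        self.enabled_until = None          # None means monitoring is off
        self.audit = []                    # (time, actor, event, seconds)

    def record_consent(self, peer):
        self.consented.add(ipaddress.ip_address(peer))

    def start(self, now, operator, duration_s=None):
        """Explicit operator action; the window is capped, never open-ended."""
        if duration_s is None:
            duration_s = self.max_window_s
        duration = min(duration_s, self.max_window_s)
        self.enabled_until = now + duration
        self.audit.append((now, operator, "start", duration))
        return self.enabled_until

    def allows(self, peer, port, now):
        """Return (decision, reason) for one flow at time `now` in seconds."""
        addr = ipaddress.ip_address(peer)
        if self.enabled_until is None:
            return False, "monitoring off"
        if now >= self.enabled_until:
            # Expired: switch off and stay off until start() is called again.
            self.audit.append((now, "system", "expired", 0))
            self.enabled_until = None
            return False, "window expired, explicit restart required"
        if not any(addr in net for net in self.prefixes):
            return False, "address not in scope"
        if self.ports is not None and port not in self.ports:
            return False, "port not in scope"
        if addr not in self.consented:
            return False, "no consent to be measured"
        return True, "ok"


def demo():
    """Constructed scenario: a debugging window on one server prefix."""
    gate = PdmGate(["2001:db8:10::/64"], ports={443})
    gate.record_consent("2001:db8:10::5")
    t0 = 1_000_000
    results = [gate.allows("2001:db8:10::5", 443, t0)]             # not started
    gate.start(t0, operator="alice", duration_s=7200)              # capped to 3600
    results.append(gate.allows("2001:db8:10::5", 443, t0 + 60))    # in scope
    results.append(gate.allows("2001:db8:99::5", 443, t0 + 60))    # wrong prefix
    results.append(gate.allows("2001:db8:10::5", 22, t0 + 60))     # wrong port
    results.append(gate.allows("2001:db8:10::6", 443, t0 + 60))    # no consent
    results.append(gate.allows("2001:db8:10::5", 443, t0 + 3600))  # expired
    results.append(gate.allows("2001:db8:10::5", 443, t0 + 3601))  # still off
    return [ok for ok, _ in results], gate.audit


if __name__ == "__main__":
    decisions, audit = demo()
    print(decisions)
    for entry in audit:
        print(entry)
```

The audit list records who opened each window and when it lapsed, which is the evidence an operator needs to show PDM was not left on after debugging.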


From nobody Tue Jan 10 05:33:41 2017
Return-Path: <sra@hactrn.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4895129FC2; Tue, 10 Jan 2017 05:33:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Level: 
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBlenJtlkze3; Tue, 10 Jan 2017 05:33:39 -0800 (PST)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [147.28.0.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D34B129C7B; Tue, 10 Jan 2017 05:33:39 -0800 (PST)
Received: from minas-ithil.hactrn.net (c-73-47-197-23.hsd1.ma.comcast.net [73.47.197.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by adrilankha.hactrn.net (Postfix) with ESMTPS id 3A841B8F5; Tue, 10 Jan 2017 13:33:38 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 5E497461C934; Tue, 10 Jan 2017 08:33:36 -0500 (EST)
Date: Tue, 10 Jan 2017 08:33:36 -0500
From: Rob Austein <sra@hactrn.net>
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1701092347320.30084@bofh.nohats.ca>
References: <alpine.LRH.2.20.1701061709510.3176@bofh.nohats.ca> <20170110005512.78CCA461A613@minas-ithil.hactrn.net> <alpine.LRH.2.20.1701092347320.30084@bofh.nohats.ca>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20170110133336.5E497461C934@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/nSAm3bKeso6ppIm8Wjuv7bm3pAA>
Cc: draft-ietf-sidr-publication.all@ietf.org, secdir <secdir@ietf.org>, iesg@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-sidr-publication-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 13:33:41 -0000

At Mon, 9 Jan 2017 23:49:42 -0500 (EST), Paul Wouters wrote:
...
> I've read the changes. Those along with the clarifications in your email
> resolve all my issues. So from a SecDir review point of view, this
> document is now Ready.

Cool.  Thanks!


From nobody Tue Jan 10 06:51:29 2017
Return-Path: <Peter.Dawes@vodafone.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39DE1294EE; Tue, 10 Jan 2017 06:51:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.056
X-Spam-Level: 
X-Spam-Status: No, score=-3.056 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xApgLQtx8Hxf; Tue, 10 Jan 2017 06:51:25 -0800 (PST)
Received: from mail1.bemta3.messagelabs.com (mail1.bemta3.messagelabs.com [195.245.230.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22425129422; Tue, 10 Jan 2017 06:51:21 -0800 (PST)
Received: from [195.245.230.51] by server-8.bemta-3.messagelabs.com id 76/E9-31649-8E4F4785; Tue, 10 Jan 2017 14:51:20 +0000
X-Env-Sender: Peter.Dawes@vodafone.com
X-Msg-Ref: server-11.tower-33.messagelabs.com!1484059879!83783586!1
X-Originating-IP: [47.73.108.137]
X-StarScan-Received: 
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 20516 invoked from network); 10 Jan 2017 14:51:19 -0000
Received: from vgdpm11vr.vodafone.com (HELO voxe05hw.internal.vodafone.com) (47.73.108.137) by server-11.tower-33.messagelabs.com with AES256-SHA encrypted SMTP; 10 Jan 2017 14:51:19 -0000
Received: from VOEXH11W.internal.vodafone.com (47.73.211.215) by edge1.vodafone.com (195.232.244.50) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 10 Jan 2017 15:51:11 +0100
Received: from VOEXC01W.internal.vodafone.com (145.230.101.21) by VOEXH11W.internal.vodafone.com (47.73.211.215) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Tue, 10 Jan 2017 15:51:10 +0100
Received: from VOEXM31W.internal.vodafone.com ([169.254.7.53]) by VOEXC01W.internal.vodafone.com ([145.230.101.21]) with mapi id 14.03.0294.000; Tue, 10 Jan 2017 15:51:09 +0100
From: "Dawes, Peter, Vodafone Group" <Peter.Dawes@vodafone.com>
To: Sean Turner <sean@sn3rd.com>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Insipid] Review of draft-ietf-insipid-logme-reqs-11
Thread-Index: AQHSaJGvOGgPjzgqkUKSx9NtoblxqqExzr0A
Date: Tue, 10 Jan 2017 14:51:09 +0000
Message-ID: <4A4F136CBD0E0D44AE1EDE36C4CD9D99C8C4D0D0@VOEXM31W.internal.vodafone.com>
References: <148375779374.17442.8516164323586796119.idtracker@ietfa.amsl.com>
In-Reply-To: <148375779374.17442.8516164323586796119.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/EYJW68h3VXnuD1GmL5aE4JvdLT8>
Cc: "insipid@ietf.org" <insipid@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-insipid-logme-reqs.all@ietf.org" <draft-ietf-insipid-logme-reqs.all@ietf.org>
Subject: Re: [secdir] [Insipid] Review of draft-ietf-insipid-logme-reqs-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 14:51:28 -0000

Hello Sean,
Thanks very much for your review, some proposals and answers from the co-authors inline below to cover the points raised.

Best regards,
Peter

> -----Original Message-----
> From: insipid [mailto:insipid-bounces@ietf.org] On Behalf Of Sean Turner
> Sent: 07 January 2017 02:57
> To: secdir@ietf.org
> Cc: insipid@ietf.org; ietf@ietf.org; draft-ietf-insipid-logme-reqs.all@ietf.org
> Subject: [Insipid] Review of draft-ietf-insipid-logme-reqs-11
>
> Reviewer: Sean Turner
> Review result: Has Nits
>
> After getting over my initial reaction that was something like "srsly!? we're
> going to standardize the exact opposite of 'do not track'", I realized that this
> is a requirements draft for an IETF approved WG and a chartered work item
> of that WG :)
>
> 0) s3.2: Is the intent to define a protocol mechanism to determine if the two
> or domains are part of the same trust domain?  This requirement could be
> achieved by saying out-of-band bilateral agreements are the mechanism to
> establish the domain.

There is no intent to define a protocol mechanism to determine if two or
more domains are part of the same trust domain. s3.2 explains the meaning
of the term "trust domain" as it is used in this draft because the term "trust
domain" does not have a fixed meaning throughout its use in RFCs. RFC 3324
section 2.3 defines "trust domain" for network asserted identity and this
definition is re-used by RFC 7316 for a private network indicator. "Trust
domain" is used without definition in RFC 6404. So we define the term "trust
domain" as it applies to log-me marking.

>
> 1) s5.1: REQ1 - Did you mean to say "using SIP standard logging format"?  Is
> there another logging format other than SIP CLF?

We are not aware of any other SIP logging formats and SIP CLF is expected to be used, but the logging format will be defined in the solutions draft.

>
> 2) s5.1: Should the must be MUST in the following:
>
>   All log retrieval mechanisms must adhere to
>   authorization and privacy protection policies
>   set forth by the network administrator.
>

This "must" was left lower case as retrieval itself is out of scope, but we think
capitalizing MUST would be consistent with the rest of the draft so we
can do that. Although this MUST does not impact interoperability, we
extended the use of MUST beyond interoperability required to satisfy RFC
2119 as a result of a comment from area director Ben Campbell.

> 3) s5.2: REQ3 seems odd to me - Isn't this kind of like a SIP thing?
> I mean if SIP doesn't allow adding new headers then didn't somebody sink
> your battleship?  But SIP does allow you to add arbitrary headers so I think
> I'm missing something as to why this is needed?

The purpose of REQ3 is to make it clear that the solution needs a new
protocol element, i.e. "log me" marking cannot be done using existing SIP.
The text says: "REQ3: It MUST be possible to mark a SIP request or response
as of interest for logging by inserting a "log me" marker.  This is known as "log
me" marking."

>
> 4) s5.2: REQ3 - Reads a bit awkward to me how about:
>=20
>   It MUST be possible to mark a SIP request or response for
>   logging by inserting a "log me" marker.
>
> i.e., remove "of interest"

We can see your point. The purpose of the words "of interest" is to avoid
suggesting that marking requests and responses forces them to be logged.
The decision of whether to honour the log-me marking is largely left to the
admin policy (e.g. s6.2.1 says "The presence of a "log me" marker
might cause some SIP entities to log signaling.") but "log me" marking is not
expected to force logging in all cases.

The following revision of REQ3 would clarify:
REQ3: It MUST be possible to mark a SIP request or response to be considered for logging by inserting a "log me" marker.

>
> 5) s5.2: REQ4 - Again this seems like a basic SIP thing - I mean are there fields
> that SIP requires be stripped?

The purpose of REQ4 (It MUST be possible for a "log me" marker to cross
network boundaries.) is to ensure that the log me marker is not defined in a
way that will very probably cause it to be removed by real-world networks
such as described earlier in the draft in s3.1 ("A network boundary is
significant in this document because manipulation of signaling at the
boundary could prevent end-to-end testing or troubleshooting."). Also,
some protocol elements might change at a network boundary, for example
an outgoing network boundary may obfuscate some fields, or an incoming
network boundary might translate the request URI from a public identity to
one that is private to that network.

>
> 6) Is there a missing requirement based on the security considerations that
> requires the this marker MUST be removed at the earliest opportunity if it
> has been incorrectly inserted?

We can move the text "The presence of a "log me" marker might cause some SIP entities to log signaling.  Therefore, this marker MUST be removed at the earliest opportunity if it has been incorrectly inserted."
from s6.2.1 and add a REQ12 in s5.3.

>
> _______________________________________________
> insipid mailing list
> insipid@ietf.org
> https://www.ietf.org/mailman/listinfo/insipid


From nobody Tue Jan 10 07:35:57 2017
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 483FE129434 for <secdir@ietfa.amsl.com>; Tue, 10 Jan 2017 07:35:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.755
X-Spam-Level: 
X-Spam-Status: No, score=-3.755 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-1.156] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2F1IbCmUqSNg for <secdir@ietfa.amsl.com>; Tue, 10 Jan 2017 07:35:51 -0800 (PST)
Received: from nm24-vm4.bullet.mail.gq1.yahoo.com (nm24-vm4.bullet.mail.gq1.yahoo.com [98.136.217.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A0AE129508 for <secdir@ietf.org>; Tue, 10 Jan 2017 07:35:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1484062550; bh=pD+bi0JXEk83v9xPTrecwfX2X7uij3sLg8DYEKLxhpQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=r/zKta2/G6R6TJiiUQIEvr8aoT+m/3eEXcV2A0RA2k/m5aA25wQnWuJNgXdndmXe26XmC4/7HH+yMeylqlzMo5MkE6JopUPFG1cKY3n1BISpZIS60KeL5AlCjMuUHWrC4tG0q5Hj4b/SpqHjPV2yoTT0rnctLeBcSqX4F2949vPw8pGskmS1uLWlSp90tWCxi6ZRPxpDeRCTViFSjqeITxImfuTpeAi1bOj+ZPPy5JTiMG4SDbo+w+/MpmyAYbFHnGe1FpxLgTh9/iLelL2w9R7m+TaVfNNTq05XUoKigFww4WTjzKXoak19THL9J1Pn9nt2AzNrGwrR57GejEFWTQ==
Received: from [98.137.12.58] by nm24.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 15:35:50 -0000
Received: from [98.137.12.236] by tm3.bullet.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 15:35:50 -0000
Received: from [127.0.0.1] by omp1044.mail.gq1.yahoo.com with NNFMP; 10 Jan 2017 15:35:50 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 217271.49551.bm@omp1044.mail.gq1.yahoo.com
Received: from jws300027.mail.gq1.yahoo.com by sendmailws117.mail.gq1.yahoo.com; Tue, 10 Jan 2017 15:35:49 +0000; 1484062549.802
Date: Tue, 10 Jan 2017 15:35:49 +0000 (UTC)
From: <nalini.elkins@insidethestack.com>
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, Tero Kivinen <kivinen@iki.fi>
Message-ID: <2005125701.562109.1484062549432@mail.yahoo.com>
In-Reply-To: <4D7F4AD313D3FC43A053B309F97543CF67BF01@njmtexg5.research.att.com>
References: <970641405.98311.1484019946430.ref@mail.yahoo.com> <970641405.98311.1484019946430@mail.yahoo.com> <22644.52731.787564.284071@fireball.acr.fi> <4D7F4AD313D3FC43A053B309F97543CF67BF01@njmtexg5.research.att.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_562108_53955821.1484062549430"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IkqwsT4RtV-qcltmOuVhFuSaz8I>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org" <draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing Attacks
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: nalini.elkins@insidethestack.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2017 15:35:53 -0000

------=_Part_562108_53955821.1484062549430
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Thanks, Al!

Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

    On Tuesday, January 10, 2017 4:58 AM, "MORTON, ALFRED C (AL)" <acmorton@att.com> wrote:

Hi Nalini and Tero,
Allow me to make two editorial suggestions.
(see below)
Al

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Tuesday, January 10, 2017 7:05 AM
> To: nalini.elkins@insidethestack.com
> Cc: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-ippm-6man-pdm-option.all@tools.ietf.org
> Subject: Re: Secdir review of draft-ietf-ippm-6man-pdm-option-05: Timing
> Attacks
>
> nalini.elkins@insidethestack.com writes:
> > Tero,
> >
> > I believe this is the last outstanding issue!  After we reach
> > agreement, I will rewrite the draft to:
> ...
> > 8.4 Timing Attacks
> >
> > The fact that PDM can help in the separation of node processing time
> > from network latency brings value to performance monitoring.  Yet,
> > it is this very characteristic of PDM which may be misused to make
> > certain new type of timing attacks against protocols and
> > implementations possible.
> >
> > That is, in some cases, depending on the nature of the cryptographic
> > protocol used, it may be possible to leak the long term credentials
> > of the device.  For example, if and attacker is able to create an attack
> > which causes the enterprise to turn on PDM to diagnose the attack,
> > then the attacker might use PDM during that debugging time to launch
> > a timing attack against the long term keying material used by the
> > cryptographic protocol.
> >
> > An implementation may want to be sure that PDM is enabled only for
> > certain ip addresses, or only for some ports.  Additionally, we
> > recommend that the implementation SHOULD require an explicit
> > restart of monitoring after a certain timeperiod (for example for 1 hour),
> > to make sure that PDM is not accidently left on after
> > debugging has been done etc.
> >
> > Even so, if using PDM, we introduce the concept of user "Consent to
> > be Measured" as a pre-requisite for using PDM.  Consent is common in
> > enterprises and with some subscription services. So, if with PDM, we
> > recommend that the user SHOULD consent to its use.
>
> This new text looks good.
> --
> kivinen@iki.fi
[ACM]
OLD
> That is, in some cases, depending on the nature of the cryptographic
> protocol used, it may be possible to leak the long term credentials
> of the device.  For example, if and attacker is able to create an attack
NEW
Depending on the nature of the cryptographic
protocol used, it may be possible to leak the long term credentials
of the device.  For example, if an attacker is able to create an attack
                                ^^
...

Thanks for your extensive efforts to resolve these issues!
Al
doc shepherd


------=_Part_562108_53955821.1484062549430--


From nobody Tue Jan 10 17:04:17 2017
Return-Path: <d3e3e3@gmail.com>
MIME-Version: 1.0
In-Reply-To: <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 10 Jan 2017 20:03:58 -0500
Message-ID: <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LA-m4q1lAhNPLQ0xUjFAyTWOPXI>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03

Hi Shawn,

Thanks for your comments. See below.

On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This draft updates the Appointed Forwarders mechanism (RFC 6439);
> which supports multiple TRILL switches that handle native traffic
> to and from end stations on a single link.
>
> The security considerations section does exist and states that this
> update does not change the security properties of the TRILL base
> protocol.  The section goes on to state that the Port-Shutdown message
> SHOULD be secured through the Tunnel Channel protocol (which is in draft
> state).  Was this intended to be a normative reference?

That reference is out of date. draft-ietf-trill-channel-tunnel has
issued as RFC 7978. That should be updated and I agree that this
should be a normative reference.

> The section quickly
> finishes with a reference to Authentication TLVs as a way to secure E-LICS
> FS-LSPs traffic.  I'm not a TRILL expert and therefore find it difficult to
> distinguish between the usage of Tunnel Channels and Authentication TLVs for
> securing Port Shutdown messaging.  Could you please clarify?

"Channel Tunnel", although left in the draft name for convenience, was
basically changed to RBridge Header Extension. This is a way to add a
layer of header to RBridge Channel messages (specified in RFC 7178) to
secure their content. The Authentication TLV is an IS-IS TLV and
including that TLV in an IS-IS PDU can be used to secure the content
of the PDU. Some text can be added to clarify this.

> General comments:
>
> None.
>
> Editorial comments:
>
> s/the need to "inhibition"/the need for "inhibition"/
> s/forarding/forwarding/
> s/two optimization/two optimizations/
> s/messages are build/messages are built/

Thanks for spotting those. We'll fix them.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> Shawn.


From nobody Tue Jan 10 21:20:06 2017
Return-Path: <shawn.emery@oracle.com>
To: Donald Eastlake <d3e3e3@gmail.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com> <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com>
From: Shawn M Emery <shawn.emery@oracle.com>
Message-ID: <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com>
Date: Tue, 10 Jan 2017 22:22:40 -0700
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RXk3icaqTrySA2Ouc6EhC1RhKFg>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03

On 01/10/17 06:03 PM, Donald Eastlake wrote:
> Hi Shawn,
>
> Thanks for your comments. See below.
>
> On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors. Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> This draft updates the Appointed Forwarders mechanism (RFC 6439);
>> which supports multiple TRILL switches that handle native traffic
>> to and from end stations on a single link.
>>
>> The security considerations section does exist and states that this
>> update does not change the security properties of the TRILL base
>> protocol.  The section goes on to state that the Port-Shutdown message
>> SHOULD be secured through the Tunnel Channel protocol (which is in draft
>> state).  Was this intended to be a normative reference?
> That reference is out of date. draft-ietf-trill-channel-tunnel has
> issued as RFC 7978. That should be updated and I agree that this
> should be a normative reference.

Thanks.

>> The section quickly
>> finishes with a reference to Authentication TLVs as a way to secure E-LICS
>> FS-LSPs traffic.  I'm not a TRILL expert and therefore find it difficult to
>> distinguish between the usage of Tunnel Channels and Authentication TLVs for
>> securing Port Shutdown messaging.  Could you please clarify?
> "Channel Tunnel", although left in the draft name for convenience, was
> basically changed to RBridge Header Extension. This is a way to add a
> layer of header to RBridge Channel messages (specified in RFC 7178) to
> secure their content. The Authentication TLV is an IS-IS TLV and
> including that TLV in an IS-IS PDU can be used to secure the content
> of the PDU. Some text can be added to clarify this.

Ah, I see.  Yes, clarifying text would be helpful for the nascent reader.

>> General comments:
>>
>> None.
>>
>> Editorial comments:
>>
>> s/the need to "inhibition"/the need for "inhibition"/
>> s/forarding/forwarding/
>> s/two optimization/two optimizations/
>> s/messages are build/messages are built/
> Thanks for spotting those. We'll fix them.

No problem.

Regards,

Shawn.
-- 


From nobody Tue Jan 10 23:38:37 2017
Return-Path: <roni.even@huawei.com>
From: Roni Even <roni.even@huawei.com>
To: Dan Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-clue-rtp-mapping.all@ietf.org" <draft-ietf-clue-rtp-mapping.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-clue-rtp-mapping
Thread-Index: AQHSaGcWUaZbliSvJ0ie2TwNHoJBX6Ey5YmQ
Date: Wed, 11 Jan 2017 07:30:46 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD76C117@DGGEMM506-MBX.china.huawei.com>
References: <80663eab-d5d4-07ae-7aa6-3924a5b7a579@lounge.org>
In-Reply-To: <80663eab-d5d4-07ae-7aa6-3924a5b7a579@lounge.org>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_6E58094ECC8D8344914996DAD28F1CCD76C117DGGEMM506MBXchina_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dbva5bj5Lfb_k0Cw8vwiSK1d4kE>
Subject: Re: [secdir] secdir review of draft-ietf-clue-rtp-mapping

--_000_6E58094ECC8D8344914996DAD28F1CCD76C117DGGEMM506MBXchina_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_6E58094ECC8D8344914996DAD28F1CCD76C117DGGEMM506MBXchina_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_6E58094ECC8D8344914996DAD28F1CCD76C117DGGEMM506MBXchina_--


From nobody Wed Jan 11 09:50:24 2017
Return-Path: <dharkins@lounge.org>
To: Roni Even <roni.even@huawei.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-clue-rtp-mapping.all@ietf.org" <draft-ietf-clue-rtp-mapping.all@ietf.org>
References: <80663eab-d5d4-07ae-7aa6-3924a5b7a579@lounge.org> <6E58094ECC8D8344914996DAD28F1CCD76C117@DGGEMM506-MBX.china.huawei.com>
From: Dan Harkins <dharkins@lounge.org>
Message-ID: <346721a9-b50c-51c5-dbbd-55470091b027@lounge.org>
Date: Wed, 11 Jan 2017 09:50:17 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <6E58094ECC8D8344914996DAD28F1CCD76C117@DGGEMM506-MBX.china.huawei.com>
Content-Type: multipart/alternative; boundary="------------E7457EFEB45235D3F7C79281"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/sZ8YhKGIcadqJJa7_zb-IKnwTSg>
Subject: Re: [secdir] secdir review of draft-ietf-clue-rtp-mapping

This is a multi-part message in MIME format.
--------------E7457EFEB45235D3F7C79281
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit


   Hi Roni,

On 1/10/17 11:30 PM, Roni Even wrote:
>
> Hi Dan,
>
> Thanks for the review
>
> See inline
>
> Roni
>
> *From:*Dan Harkins [mailto:dharkins@lounge.org]
> *Sent:* יום ו 06 ינואר 2017 23:52
> *To:* iesg@ietf.org; secdir@ietf.org; 
> draft-ietf-clue-rtp-mapping.all@ietf.org
> *Subject:* secdir review of draft-ietf-clue-rtp-mapping
>
>
>   Greetings,
>
>    I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>    This draft provides some recommendations and mappings to allow RTP
> to be used in the CLUE protocol.
>    I believe this draft is Ready with the following nits:
> 1) it makes normative reference to 3 other I-Ds. I am not familiar
> with those drafts or their status or whether any of the normative
> behavior this draft relies upon is contentious or not. Somebody
> (not me) should make sure that all ducks are in a row before this
> draft advances.
> */[Roni Even] I assume you are referring to the normative references in 
> general since there all references in the Security section are 
> informational. /*
   I'm referring to the 3 Internet-Drafts referenced in the
section called "Normative References", section 10.1. An I-D
is, as noted, a "work in progress". So you're making a normative
reference to a document in a state of flux. That sounds a bit
alarming to me. What if, as they progress, the things you are
normatively depending on change in a way that makes this
dependency not work anymore?

   I'm just saying someone (not me) has to make sure that that
does not happen. The alternative is to wait for them to be
published and then refer to them as RFCs.
> 2) having RFC 2119 words in the Security Considerations seems OK
> for saying things like "CLUE endpoints MUST support RTP/SAVPF and
> DTLS-SRTP keying [RFC5764]" because it's just saying you need to
> support something else that is providing you security. But I think
> MUST language describing how the protocol needs to behave in order
> to be secure itself belongs outside the Security Considerations.
> I'm referring to: "Inappropriate choice of CNAME values can be a
> privacy concern, since long-term persistent CNAME identifiers can be
> used to track users across multiple calls.  CLUE endpoint MUST
> generate short-term persistent RTCP CNAMES, as specified in RFC7022
> [RFC7022], resulting in untraceable CNAME values that alleviate this
> risk." I suggest placing that in a different section, possibly making
> a new section that describes has all the various recommendations
> being made on CLUE in one place.
> */[Roni Even] I am not sure, both cases are the same. RTP has multiple 
> profiles and for security the secure profile MUST be supported. RTP 
> also has CNAME and the creation of CNAME is specified in another 
> document [RFC 7022],  for security reasons you MUST choose a specific 
> mode to create the CNAMEs. I am not sure that having a section with 
> all the normative language in the document makes much sense since they 
> will be out of context. /*
   RFC 7022 does not place a requirement on CLUE endpoints. It
seems this I-D is placing a requirement on CLUE endpoints, namely
that they MUST generate RTCP CNAMES per RFC 7022. Now maybe I'm
misreading this and there is actually some other RFC that places
this requirement on CLUE endpoints. In which case you should refer
to that document for the requirement. But if it is this document
placing a behavioral requirement on CLUE endpoints, then it is my
personal opinion that such a requirement is not appropriate for
the Security Considerations.

   regards,

   Dan.



--------------E7457EFEB45235D3F7C79281--


From nobody Wed Jan 11 10:56:41 2017
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19E73129D50 for <secdir@ietfa.amsl.com>; Wed, 11 Jan 2017 10:56:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level: 
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkyoSfoTgiS2 for <secdir@ietfa.amsl.com>; Wed, 11 Jan 2017 10:56:38 -0800 (PST)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 881F3129561 for <secdir@ietf.org>; Wed, 11 Jan 2017 10:56:38 -0800 (PST)
Received: by mail-io0-x22c.google.com with SMTP id j18so453907ioe.2 for <secdir@ietf.org>; Wed, 11 Jan 2017 10:56:38 -0800 (PST)
X-Received: by 10.107.141.80 with SMTP id p77mr7208253iod.97.1484160997611; Wed, 11 Jan 2017 10:56:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.41.72 with HTTP; Wed, 11 Jan 2017 10:56:22 -0800 (PST)
In-Reply-To: <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com> <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com> <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 11 Jan 2017 13:56:22 -0500
Message-ID: <CAF4+nEEy6pqri=kA5U5EYYNPmfnMtEW3UKxvni2_wqVyktbZfw@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xS4GLboBHLmSV2qfeNWrt8SuC-4>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2017 18:56:40 -0000

Hi Shawn,

A version -04 has been uploaded with these fixes.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com


On Wed, Jan 11, 2017 at 12:22 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
> On 01/10/17 06:03 PM, Donald Eastlake wrote:
>>
>> Hi Shawn,
>>
>> Thanks for your comments. See below.
>>
>> On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery <shawn.emery@oracle.com>
>> wrote:
>>>
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the IESG.
>>> These comments were written primarily for the benefit of the security
>>> area directors. Document editors and WG chairs should treat these
>>> comments just like any other last call comments.
>>>
>>> This draft updates the Appointed Forwarders mechanism (RFC 6439);
>>> which supports multiple TRILL switches that handle native traffic
>>> to and from end stations on a single link.
>>>
>>> The security considerations section does exist and states that this
>>> update does not change the security properties of the TRILL base
>>> protocol.  The section goes on to state that the Port-Shutdown message
>>> SHOULD be secured through the Tunnel Channel protocol (which is in draft
>>> state).  Was this intended to be a normative reference?
>>
>> That reference is out of date. draft-ietf-trill-channel-tunnel has
>> issued as RFC 7978. That should be updated and I agree that this
>> should be a normative reference.
>
>
> Thanks.
>
>>>
>>> The section quickly finishes with a reference to Authentication TLVs
>>> as a way to secure E-LICS FS-LSPs traffic.  I'm not a TRILL expert and
>>> therefore find it difficult to distinguish between the usage of Tunnel
>>> Channels and Authentication TLVs for securing Port Shutdown messaging.
>>> Could you please clarify?
>>
>> "Channel Tunnel", although left in the draft name for convenience, was
>> basically changed to RBridge Header Extension. This is a way to add a
>> layer of header to RBridge Channel messages (specified in RFC 7178) to
>> secure their content. The Authentication TLV is an IS-IS TLV and
>> including that TLV in an IS-IS PDU can be used to secure the content
>> of the PDU. Some text can be added to clarify this.
>
>
> Ah, I see.  Yes, clarifying text would be helpful for the nascent reader.
>
>>> General comments:
>>>
>>> None.
>>>
>>> Editorial comments:
>>>
>>> s/the need to "inhibition"/the need for "inhibition"/
>>> s/forarding/forwarding/
>>> s/two optimization/two optimizations/
>>> s/messages are build/messages are built/
>>
>> Thanks for spotting those. We'll fix them.
>
>
> No problem.
>
> Regards,
>
> Shawn.
> --


From nobody Wed Jan 11 21:56:33 2017
Return-Path: <roni.even@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B7A812948B; Wed, 11 Jan 2017 21:56:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.409
X-Spam-Level: 
X-Spam-Status: No, score=-7.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vUydIIE8JCPv; Wed, 11 Jan 2017 21:56:29 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CA8412943B; Wed, 11 Jan 2017 21:56:27 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml708-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CYQ67932; Thu, 12 Jan 2017 05:56:26 +0000 (GMT)
Received: from DGGEMM406-HUB.china.huawei.com (10.3.20.214) by lhreml708-cah.china.huawei.com (10.201.5.202) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 12 Jan 2017 05:56:25 +0000
Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.117]) by DGGEMM406-HUB.china.huawei.com ([10.3.20.214]) with mapi id 14.03.0301.000; Thu, 12 Jan 2017 13:56:20 +0800
From: Roni Even <roni.even@huawei.com>
To: Dan Harkins <dharkins@lounge.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-clue-rtp-mapping.all@ietf.org" <draft-ietf-clue-rtp-mapping.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-clue-rtp-mapping
Thread-Index: AQHSbDMyJjETUj3gX0KgDullUhuDFqE0VV4A
Date: Thu, 12 Jan 2017 05:56:20 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD76C67C@DGGEMM506-MBX.china.huawei.com>
References: <80663eab-d5d4-07ae-7aa6-3924a5b7a579@lounge.org> <6E58094ECC8D8344914996DAD28F1CCD76C117@DGGEMM506-MBX.china.huawei.com> <346721a9-b50c-51c5-dbbd-55470091b027@lounge.org>
In-Reply-To: <346721a9-b50c-51c5-dbbd-55470091b027@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.201.119.125]
Content-Type: multipart/alternative; boundary="_000_6E58094ECC8D8344914996DAD28F1CCD76C67CDGGEMM506MBXchina_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.58771A8A.02AC, ss=1, re=0.000, recu=0.000, reip=0.000,  cl=1, cld=1, fgs=0, ip=169.254.3.117, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: d6a2ef53dea3ee7b874a65371b192f0c
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Jz0APDGlAqe--UcQssN5PejI21U>
Subject: Re: [secdir] secdir review of draft-ietf-clue-rtp-mapping
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2017 05:56:31 -0000



From nobody Thu Jan 12 02:48:46 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DAB5120725 for <secdir@ietf.org>; Thu, 12 Jan 2017 02:48:45 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Tero Kivinen" <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148421812555.19403.11322726969137049527.idtracker@ietfa.amsl.com>
Date: Thu, 12 Jan 2017 02:48:45 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/os91OeKj5bI-q0k_IagXYSCYTQU>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2017 10:48:45 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-01-19

Reviewer               LC end     Draft
Derek Atkins           2017-01-06 draft-ietf-6man-rdnss-rfc6106bis-14
Shaun Cooley           2017-01-11 draft-ietf-rtgwg-rlfa-node-protection-10
Daniel Franke          2017-01-09 draft-ietf-trill-directory-assist-mechanisms-10
Hilarie Orman          2017-01-17 draft-ietf-i2rs-yang-l3-topology-08
Hannes Tschofenig      2017-01-16 draft-murchison-webdav-prefer-13
Carl Wallace           2017-01-11 draft-ietf-bfcpbis-bfcp-websocket-13
David Waltermire       2017-01-10 draft-ietf-sidr-rpki-oob-setup-06
Paul Wouters          R2017-01-06 draft-ietf-sidr-publication-10

For telechat 2017-02-02

Reviewer               LC end     Draft
Phillip Hallam-Baker   2016-12-30 draft-ietf-ipsecme-rfc4307bis-15
Steve Hanna            2017-01-12 draft-ietf-softwire-dslite-multicast-14
Christopher Inacio     2017-01-12 draft-ietf-softwire-multicast-prefix-option-11
Leif Johansson         2017-01-17 draft-ietf-teas-p2mp-loose-path-reopt-08
Simon Josefsson        2017-01-17 draft-ietf-teas-gmpls-resource-sharing-proc-06
Benjamin Kaduk         2017-01-17 draft-ietf-mpls-residence-time-12
Stephen Kent           None       draft-ietf-oauth-jwsreq-09
Tero Kivinen           2017-01-24 draft-ietf-geojson-text-sequence-03
Barry Leiba            2017-01-19 draft-ietf-intarea-hostname-practice-03
Matt Lepinski          2017-01-19 draft-ietf-dhc-dhcpv6-failover-protocol-03

Last calls:

Reviewer               LC end     Draft
Alan DeKok             2016-04-30 draft-bradner-rfc3979bis-08
Watson Ladd            2017-01-23 draft-ietf-dime-agent-overload-08
Ben Laurie             2017-01-23 draft-ietf-bmwg-ipv6-nd-04
Matthew Miller         2017-01-13 draft-harkins-owe-05
Sandra Murphy          2016-12-20 draft-ietf-6tisch-minimal-17
Tina Tsou              2017-01-13 draft-ietf-payload-melpe-04

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-cms-for-nts-message-06
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-network-time-security-15
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-using-nts-for-ntp-07
Brian Weis             2016-02-01 draft-ietf-cdni-uri-signing-10

Next in the reviewer rotation:

  Chris Lonvick
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Matthew Miller
  Adam Montville
  Lt. Mundy
  Sandra Murphy
  Yoav Nir
  Magnus Nystrom


From nobody Thu Jan 12 10:33:03 2017
Return-Path: <dwessels@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E8D12945F; Thu, 12 Jan 2017 10:32:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.2
X-Spam-Level: 
X-Spam-Status: No, score=-5.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uj73j_UGGflR; Thu, 12 Jan 2017 10:32:58 -0800 (PST)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D78991294E9; Thu, 12 Jan 2017 10:32:47 -0800 (PST)
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id v0CIWkEQ022101 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 12 Jan 2017 13:32:46 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Thu, 12 Jan 2017 13:32:45 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: "Scott G. Kelly" <scott@hyperthought.com>
Thread-Topic: [EXTERNAL] secdir review of draft-ietf-dnsop-edns-key-tag-03
Thread-Index: AQHSaq5p6bKby0QbAU6Vp0HRlZZooKE1gwAA
Date: Thu, 12 Jan 2017 18:32:45 +0000
Message-ID: <6CC26A67-84B2-4227-8FBD-B01DD78D7C94@verisign.com>
References: <1483990038.1669640@apps.rackspace.com>
In-Reply-To: <1483990038.1669640@apps.rackspace.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <CC5B3280A075FB47B9B8E17F0EBE8B14@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RreGlrYZVbQLHAWrg_rjQlMz7fw>
Cc: "draft-ietf-dnsop-edns-key-tag.all@ietf.org" <draft-ietf-dnsop-edns-key-tag.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-dnsop-edns-key-tag-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2017 18:33:00 -0000

> On Jan 9, 2017, at 2:27 PM, Scott G. Kelly <scott@hyperthought.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Summary: this draft is ready.
>
> From the introduction,
>
>   This draft sets out to specify a way for validating resolvers to tell
>   a server in a DNS query which DNSSEC key(s) they would use to
>   validate responses from that zone.  This is done in two ways: using
>   an EDNS option for use in the OPT meta-RR [RFC6891] that contains the
>   key tags (described in Section 4), and by periodically sending
>   special "key tag queries" to a server authoritative for the zone
>   (described in Section 5).
>
> That pretty well sums it up. The security and privacy considerations
> sections cover all relevant issues. I see no problems with this
> document.
>
> Minor editorial comment: section 5.3 ends with this bracketed comment:
>
> [ Note RFC1035 says NULL
>   RRs are not allowed in master files, but I believe that to be
>   incorrect ]
>
> I assume this will be resolved prior to publication?


Thanks Scott,

Yes, I propose to simply remove that sentence for the next version of
the document.

DW


From nobody Thu Jan 12 11:01:23 2017
Return-Path: <barryleiba@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 197201294E3; Thu, 12 Jan 2017 11:01:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TVzVKJt5jsJX; Thu, 12 Jan 2017 11:01:19 -0800 (PST)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6981512947F; Thu, 12 Jan 2017 11:01:19 -0800 (PST)
Received: by mail-qt0-x230.google.com with SMTP id k15so26967379qtg.3; Thu, 12 Jan 2017 11:01:19 -0800 (PST)
X-Received: by 10.237.44.228 with SMTP id g91mr13861754qtd.184.1484247678404;  Thu, 12 Jan 2017 11:01:18 -0800 (PST)
MIME-Version: 1.0
Sender: barryleiba@gmail.com
Received: by 10.140.19.72 with HTTP; Thu, 12 Jan 2017 11:01:17 -0800 (PST)
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 12 Jan 2017 14:01:17 -0500
X-Google-Sender-Auth: jurKazU58M3cm0OIwTvfqYbRzkU
Message-ID: <CALaySJ+s858iVb6c3ZjyiyOCYa7qO3GejunoqoYOaTQ7wejUaQ@mail.gmail.com>
To: draft-ietf-intarea-hostname-practice.all@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Q3vXZsiHBVJPm3CNSNg6hlHsm-Q>
Cc: IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] SecDir review of draft-ietf-intarea-hostname-practice-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2017 19:01:21 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is ready.

I see no issues with the document, and every reason to approve it as
Informational tout de suite.

Barry


From nobody Thu Jan 12 16:22:17 2017
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2A6212955E for <secdir@ietfa.amsl.com>; Thu, 12 Jan 2017 16:22:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.419
X-Spam-Level: 
X-Spam-Status: No, score=-7.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D_lCG0QroNtn for <secdir@ietfa.amsl.com>; Thu, 12 Jan 2017 16:22:15 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1A11129554 for <secdir@ietf.org>; Thu, 12 Jan 2017 16:22:14 -0800 (PST)
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0D0MB7D020665 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 13 Jan 2017 00:22:12 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0021.oracle.com (8.13.8/8.14.4) with ESMTP id v0D0MB22015466 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 13 Jan 2017 00:22:11 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id v0D0M962005231; Fri, 13 Jan 2017 00:22:10 GMT
Received: from [10.154.98.66] (/10.154.98.66) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 12 Jan 2017 16:22:09 -0800
From: Shawn M Emery <shawn.emery@oracle.com>
To: Donald Eastlake <d3e3e3@gmail.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com> <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com> <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com> <CAF4+nEEy6pqri=kA5U5EYYNPmfnMtEW3UKxvni2_wqVyktbZfw@mail.gmail.com>
Message-ID: <f2e1a301-bc2b-d8bc-6a79-aab83f70c737@oracle.com>
Date: Thu, 12 Jan 2017 17:24:48 -0700
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAF4+nEEy6pqri=kA5U5EYYNPmfnMtEW3UKxvni2_wqVyktbZfw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------A336AD94DB98670C636C415D"
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4C8avaHwIcjqlBe85V7JnzSs2wQ>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 00:22:17 -0000

This is a multi-part message in MIME format.
--------------A336AD94DB98670C636C415D
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

On 01/11/17 11:56 AM, Donald Eastlake wrote:
> Hi Shawn,
>
> A version -04 has been uploaded with these fixes.

I have just one suggested update, provided that the update is an 
accurate statement:

OLD:
As such, they are securable through the addition to those PDUs 
Authentication TLVs [RFC5310] in the same way as Hellos or other IS-IS PDUs.

NEW:
Therefore, they are securable through the addition of Authentication 
TLVs [RFC5310] in the same way as Hellos or other IS-IS PDUs.

and one editorial:

s/It this case/In this case/

The rest of the changes look good to me.

Thanks,

Shawn.
-- 
> On Wed, Jan 11, 2017 at 12:22 AM, Shawn M Emery<shawn.emery@oracle.com>  wrote:
>> On 01/10/17 06:03 PM, Donald Eastlake wrote:
>>> Hi Shawn,
>>>
>>> Thanks for your comments. See below.
>>>
>>> On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery<shawn.emery@oracle.com>
>>> wrote:
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the IESG.
>>>> These comments were written primarily for the benefit of the security
>>>> area directors. Document editors and WG chairs should treat these
>>>> comments just like any other last call comments.
>>>>
>>>> This draft updates the Appointed Forwarders mechanism (RFC 6439);
>>>> which supports multiple TRILL switches that handle native traffic
>>>> to and from end stations on a single link.
>>>>
>>>> The security considerations section does exist and states that this
>>>> update does not change the security properties of the TRILL base
>>>> protocol.  The section goes on to state that the Port-Shutdown message
>>>> SHOULD be secured through the Tunnel Channel protocol (which is in draft
>>>> state).  Was this intended to be a normative reference?
>>> That reference is out of date. draft-ietf-trill-channel-tunnel has
>>> issued as RFC 7978. That should be updated and I agree that this
>>> should be a normative reference.
>> Thanks.
>>
>>>> The section quickly finishes with a reference to Authentication TLVs
>>>> as a way to secure E-LICS FS-LSPs traffic.  I'm not a TRILL expert and
>>>> therefore find it difficult to distinguish between the usage of Tunnel
>>>> Channels and Authentication TLVs for securing Port Shutdown messaging.
>>>> Could you please clarify?
>>> "Channel Tunnel", although left in the draft name for convenience, was
>>> basically changed to RBridge Header Extension. This is a way to add a
>>> layer of header to RBridge Channel messages (specified in RFC 7178) to
>>> secure their content. The Authentication TLV is an IS-IS TLV and
>>> including that TLV in an IS-IS PDU can be used to secure the content
>>> of the PDU. Some text can be added to clarify this.
>> Ah, I see.  Yes, clarifying text would be helpful for the nascent reader.
>>
>>>> General comments:
>>>>
>>>> None.
>>>>
>>>> Editorial comments:
>>>>
>>>> s/the need to "inhibition"/the need for "inhibition"/
>>>> s/forarding/forwarding/
>>>> s/two optimization/two optimizations/
>>>> s/messages are build/messages are built/
>>> Thanks for spotting those. We'll fix them.
>> No problem.
>>
>> Regards,
>>
>> Shawn.
>> --


--------------A336AD94DB98670C636C415D--


From nobody Fri Jan 13 01:39:35 2017
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C894F129461 for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2017 01:39:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.117
X-Spam-Level: 
X-Spam-Status: No, score=-5.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9byLZ0inE2Gh for <secdir@ietfa.amsl.com>; Fri, 13 Jan 2017 01:39:31 -0800 (PST)
Received: from relais-inet.orange.com (mta241.mail.business.static.orange.com [80.12.66.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201D312944F for <secdir@ietf.org>; Fri, 13 Jan 2017 01:39:31 -0800 (PST)
Received: from opfedar06.francetelecom.fr (unknown [xx.xx.xx.8]) by opfedar20.francetelecom.fr (ESMTP service) with ESMTP id 508EC120ACA; Fri, 13 Jan 2017 10:39:29 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.58]) by opfedar06.francetelecom.fr (ESMTP service) with ESMTP id 321C580071; Fri, 13 Jan 2017 10:39:29 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM33.corporate.adroot.infra.ftgroup ([fe80::3881:fc15:b4b2:9017%19]) with mapi id 14.03.0319.002; Fri, 13 Jan 2017 10:39:26 +0100
From: <mohamed.boucadair@orange.com>
To: "Charlie Kaufman (charliekaufman@outlook.com)" <charliekaufman@outlook.com>
Thread-Topic: [secdir] Secdir review of draft-ietf-lisp-type-iana-04
Thread-Index: AdJtfiZacKQ2D09nS9CA4jvIThlj+QAAFaoQ
Date: Fri, 13 Jan 2017 09:39:25 +0000
Message-ID: <b5528dc9-93d3-4863-b7f1-12205687997f@OPEXCLILM33.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B933009DE3CA7@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B933009DE3CA7@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.168.234.5]
Content-Type: multipart/alternative; boundary="_000_b5528dc993d34863b7f112205687997fOPEXCLILM33corporateadr_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2hUD3sXUi5JqITBMZWcmOHNuSJE>
Cc: JACQUENET Christian IMT/OLN <christian.jacquenet@orange.com>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-lisp-type-iana-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 09:39:34 -0000

--_000_b5528dc993d34863b7f112205687997fOPEXCLILM33corporateadr_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Dear Charlie,

Thank you for the review.

Please see inline.

Cheers,
Med

Subject: [secdir] Secdir review of draft-ietf-lisp-type-iana-04

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document is: Ready

[Med] OK, thank you.

No security concerns.


This document proposes creation of two new IANA registries and defines a
new message type within the Locator/ID Separation Protocol (RFC6830).
The first registry should have been created by RFC6830, which assigned
codes to 5 values for a four bit field. This document proposes creating
a registry for holding those 5 values and a sixth value for the purpose
of holding experimental extensions.


Because the 4 bit field can only ever support 16 values and several
independent extensions are already being proposed, the proposal is to
reserve the value 15 for experimental extensions where it has a 12 bit
sub-type field to distinguish those extensions. This document proposes
to create a second IANA registry for holding up to 4096 assigned values
for that field, to be handed out on a first come first served basis.


While future extensions might have security implications, defining these
new registries does not.


I don't know what IANA's experience has been with first come first
served registries. With no review procedure, they are subject to abuse
and I don't know who gets to exercise judgment as to whether a
particular request is abusive.

[Med] FCFS is defined in https://tools.ietf.org/html/rfc5226#section-4.1.
This type of allocation is not specific to this document, but it is in
use by many protocols, e.g.,

*         http://www.iana.org/assignments/bgp-extended-communities/bgp-extended-communities.xhtml

*         http://www.iana.org/assignments/epp-repository-ids/epp-repository-ids.xhtml

*         https://www.iana.org/assignments/service-codes/service-codes.xhtml

*         https://www.iana.org/assignments/imap-list-extended/imap-list-extended.xml

*         http://www.iana.org/assignments/ldp-namespaces/ldp-namespaces.xhtml

*         ...

The document states that the subtypes of value 15 are reserved for
Experimental Use. My sense is that the intention of the authors is that
should an experimental protocol be promoted to standards track that it
will at that time be assigned one of the 16 values from the 4 bit field.
This might be an unfortunate restriction for two reasons: 1) Given that
there are only 16 types available and 6 have already been assigned, it
seems possible that this space would eventually be exhausted; and 2)
Requiring that protocols change syntax when they are promoted from
experimental to standards track places a burden on implementers who
often end up supporting both syntaxes indefinitely (and having
interoperability problems if they don't). There's no reason obvious to
me why subtypes could not be kept for standardized usage later. That is
one of the advantages of having an IANA registry over reserving them for
private use.


The intended status of this document is listed as Experimental. This
seems wrong to me. While any future documents defining uses of newly
assigned values might well be experimental, I would expect that this
document would seek the same status as RFC6830 (and this document should
be incorporated into any future revisions of that one).

[Med] As noted in the write-up, the initial intended status was standard
track. But as an outcome of the rtgdir review, it was agreed to use the
same status as RFC6830 (i.e., Experimental).


--Charlie


--_000_b5528dc993d34863b7f112205687997fOPEXCLILM33corporateadr_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"FR" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt">
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR">While future extens=
ions might have security implications, defining these new registries does n=
ot.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR">I don't know what I=
ANA's experience has been with first come first served registries. With no =
review procedure, they are subject to abuse and
 I don't know who gets to exercise judgment as to whether a particular requ=
est is abusive.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"><o:p>&n=
bsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR">[Med] F=
CFS is defined in
<a href=3D"https://tools.ietf.org/html/rfc5226#section-4.1">https://tools.i=
etf.org/html/rfc5226#section-4.1</a>. This type of allocation is not specif=
ic to this document, but it is in use by many protocols, e.g.,<o:p></o:p></=
span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
><a href=3D"http://www.iana.org/assignments/bgp-extended-communities/bgp-ex=
tended-communities.xhtml">http://www.iana.org/assignments/bgp-extended-comm=
unities/bgp-extended-communities.xhtml</a>
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
><a href=3D"http://www.iana.org/assignments/epp-repository-ids/epp-reposito=
ry-ids.xhtml">http://www.iana.org/assignments/epp-repository-ids/epp-reposi=
tory-ids.xhtml</a>
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
><a href=3D"https://www.iana.org/assignments/service-codes/service-codes.xh=
tml">https://www.iana.org/assignments/service-codes/service-codes.xhtml</a>
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
><a href=3D"https://www.iana.org/assignments/imap-list-extended/imap-list-e=
xtended.xml">https://www.iana.org/assignments/imap-list-extended/imap-list-=
extended.xml</a><o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
><a href=3D"http://www.iana.org/assignments/ldp-namespaces/ldp-namespaces.x=
html">http://www.iana.org/assignments/ldp-namespaces/ldp-namespaces.xhtml</=
a>
<o:p></o:p></span></p>
<p class=3D"MsoListParagraph" style=3D"text-indent:-18.0pt;mso-list:l0 leve=
l1 lfo1"><![if !supportLists]><span lang=3D"EN-US" style=3D"font-size:10.0p=
t;font-family:Symbol;color:black;mso-fareast-language:FR"><span style=3D"ms=
o-list:Ignore">&middot;<span style=3D"font:7.0pt &quot;Times New Roman&quot=
;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></span></span><![endif]><span lang=3D"EN-US" style=3D"font-size:10.0=
pt;font-family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"=
>&#8230; &nbsp;<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR">The document states=
 that the subtypes of value 15 are reserved for Experimental Use. My sense =
is that the intention of the authors is that should
 an experimental protocol be promoted to standards track that it will at th=
at time be assigned on of the 16 values from the 4 bit field. This might be=
 an unfortunate restriction for two reasons: 1) Given that there are only 1=
6 types available and 6 have already
 been assigned, it seems possible that this space would eventually be exhau=
sted; and 2) Requiring that protocols change syntax when they are promoted =
from experimental to standards track places a burden on implementers who of=
ten end up supporting both syntaxes
 indefinitely (and having interoperability problems if they don't). There's=
 no reason obvious to me why subtypes could not be kept for standardized us=
age later. That is one of the advantages of having an IANA registry over re=
serving them for private use.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR">The intended status=
 of this document is listed as Experimental. This seems wrong to me. While =
any future documents defining uses of newly assigned
 values might well be experimental, I would expect that this document would=
 seek the same status as RFC6830 (and this document should be incorporated =
into any future revisions of that one).<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR"><o:p>&n=
bsp;</o:p></span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;color:black;mso-fareast-language:FR">[Med] A=
s noted in the write-up, the initial intended status was standard track. Bu=
t as an outcome of the rtgdir review, it was agreed
 to use the same status as RFC6830 (i.e., Experimental). <o:p></o:p></span>=
</p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US" style=3D"font-size:10.0pt;font-=
family:&quot;Courier New&quot;;mso-fareast-language:FR"><o:p>&nbsp;</o:p></=
span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;;mso-fareast-language:FR">--Charlie<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Co=
urier New&quot;"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
</body>
</html>

--_000_b5528dc993d34863b7f112205687997fOPEXCLILM33corporateadr_--


From nobody Fri Jan 13 07:55:07 2017
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
MIME-Version: 1.0
In-Reply-To: <f2e1a301-bc2b-d8bc-6a79-aab83f70c737@oracle.com>
References: <92774159-d56b-cc7f-b5cd-b8e17d038475@oracle.com> <10ed6c45-a8a7-e62e-78fb-62631442f4b9@oracle.com> <CAF4+nEGv95DatWkjrFnh9H9qhwtc0fz+OOs-TqZhxaLeiGovyw@mail.gmail.com> <4a04ae5b-f30c-303e-e035-aa3819c1f691@oracle.com> <CAF4+nEEy6pqri=kA5U5EYYNPmfnMtEW3UKxvni2_wqVyktbZfw@mail.gmail.com> <f2e1a301-bc2b-d8bc-6a79-aab83f70c737@oracle.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Fri, 13 Jan 2017 10:54:48 -0500
Message-ID: <CAF4+nEFZoHt4Es3jwY-G11tkYDn6apbhd_8-YjyZtL-jWVEg+Q@mail.gmail.com>
To: Shawn M Emery <shawn.emery@oracle.com>
Content-Type: multipart/alternative; boundary=001a114ac2326ae2190545fbdbd7
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dW5GNemcYuJctOeku-KL2p5grPE>
Cc: draft-ietf-trill-rfc6439bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Review of draft-ietf-trill-rfc6439bis-03

--001a114ac2326ae2190545fbdbd7
Content-Type: text/plain; charset=UTF-8

Hi Shawn,

Those fixes look good to me. We should be able to implement them.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

On Thu, Jan 12, 2017 at 7:24 PM, Shawn M Emery <shawn.emery@oracle.com>
wrote:

> On 01/11/17 11:56 AM, Donald Eastlake wrote:
>
>> Hi Shawn,
>>
>> A version -04 has been uploaded with these fixes.
>
> I have just one suggested update, provided that the update is an accurate
> statement:
>
> OLD:
> As such, they are securable through the addition to those PDUs
> Authentication TLVs [RFC5310] in the same way as Hellos or other IS-IS PDUs.
>
> NEW:
> Therefore, they are securable through the addition of Authentication TLVs
> [RFC5310] in the same way as Hellos or other IS-IS PDUs.
>
> and one editorial:
>
> s/It this case/In this case/
>
> The rest of the changes looks good to me.
>
> Thanks,
>
> Shawn.
> --
>
>> On Wed, Jan 11, 2017 at 12:22 AM, Shawn M Emery <shawn.emery@oracle.com> wrote:
>>
>>> On 01/10/17 06:03 PM, Donald Eastlake wrote:
>>>
>>>> Hi Shawn,
>>>>
>>>> Thanks for your comments. See below.
>>>>
>>>> On Mon, Jan 9, 2017 at 12:11 AM, Shawn M Emery <shawn.emery@oracle.com>
>>>> wrote:
>>>>
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the IESG.
>>>>> These comments were written primarily for the benefit of the security
>>>>> area directors. Document editors and WG chairs should treat these
>>>>> comments just like any other last call comments.
>>>>>
>>>>> This draft updates the Appointed Forwarders mechanism (RFC 6439);
>>>>> which supports multiple TRILL switches that handle native traffic
>>>>> to and from end stations on a single link.
>>>>>
>>>>> The security considerations section does exist and states that this
>>>>> update does not change the security properties of the TRILL base
>>>>> protocol.  The section goes on to state that the Port-Shutdown message
>>>>> SHOULD be secured through the Tunnel Channel protocol (which is in draft
>>>>> state).  Was this intended to be a normative reference?
>>>>
>>>> That reference is out of date. draft-ietf-trill-channel-tunnel has
>>>> issued as RFC 7978. That should be updated and I agree that this
>>>> should be a normative reference.
>>>
>>> Thanks.
>>>
>>>>> The section quickly finishes with a reference to Authentication TLVs
>>>>> as a way to secure E-LICS FS-LSPs traffic.  I'm not a TRILL expert and
>>>>> therefore find it difficult to distinguish between the usage of Tunnel
>>>>> Channels and Authentication TLVs for securing Port Shutdown messaging.
>>>>> Could you please clarify?
>>>>
>>>> "Channel Tunnel", although left in the draft name for convenience, was
>>>> basically changed to RBridge Header Extension. This is a way to add a
>>>> layer of header to RBridge Channel messages (specified in RFC 7178) to
>>>> secure their content. The Authentication TLV is an IS-IS TLV and
>>>> including that TLV in an IS-IS PDU can be used to secure the content
>>>> of the PDU. Some text can be added to clarify this.
>>>
>>> Ah, I see.  Yes, clarifying text would be helpful for the nascent reader.
>>>
>>>>> General comments:
>>>>>
>>>>> None.
>>>>>
>>>>> Editorial comments:
>>>>>
>>>>> s/the need to "inhibition"/the need for "inhibition"/
>>>>> s/forarding/forwarding/
>>>>> s/two optimization/two optimizations/
>>>>> s/messages are build/messages are built/
>>>>
>>>> Thanks for spotting those. We'll fix them.
>>>
>>> No problem.
>>>
>>> Regards,
>>>
>>> Shawn.
>>> --

--001a114ac2326ae2190545fbdbd7--


From nobody Sun Jan 15 13:08:20 2017
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Date: Sun, 15 Jan 2017 14:08:03 -0700
Message-Id: <201701152108.v0FL83GA020237@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/llLlKuN52aDfqFRBMQdhoMpQe5A>
Cc: draft-ietf-i2rs-yang-l3-topology-all@tools.ietf.org
Subject: [secdir] Security review of draft-ietf-i2rs-yang-l3-topology-08.txt
Reply-To: Hilarie Orman <hilarie@purplestreak.com>

			  Security review of
	       A YANG Data Model for Layer 3 Topologies
	       draft-ietf-i2rs-yang-l3-topology-08.txt

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The document provides "illustrative examples" of extensions to the
YANG data model for IP unicast networks.  The specific cases covered
in the draft are OSPF and IS-IS.

The security considerations state:

"It is therefore important that the NETCONF access control model is
vigorously applied to prevent topology configuration by unauthorized
clients."

NETCONF (RFC6536) states:

  3.7.3.  Data Model Design Considerations

    Designers need to clearly identify any sensitive data, notifications,
    or protocol operations defined within a YANG module.  For such
    definitions, a "nacm:default-deny-write" or "nacm:default-deny-all"
    statement ought to be present, in addition to a clear description of
    the security risks.

I don't see any guidance or examples of this in the draft under
discussion.  Shouldn't there be some?  Or at least a statement of why
they aren't included?

NITS:

Page 27 typo "The moodel defines a protocol independent YANG ... ".
"moodel" should be "model".

The use of "holistic" and "conceptual" in the opening paragraph caused
me to pause in puzzlement:
"The model allows an application to have a holistic view of the
topology of a Layer 3 network, all contained in a single conceptual
YANG datastore."

I think that "holistic" means "stated in a single data language", and
"conceptual" means "it is not a single datastore but it could be,
conceptually."  Or something like that.  Less new-agey phrasing might
convey the idea more directly.

Hilarie
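
The annotation pattern that the quoted RFC 6536 section 3.7.3 text asks for, shown as an added example that is not part of the review or of draft-ietf-i2rs-yang-l3-topology. The module name, namespace, revision date and every node name below are hypothetical; only the two `nacm:` extensions and the imported modules are real.

```yang
module example-l3-topology-nacm {
  yang-version 1;
  namespace "urn:example:l3-topology-nacm";   // constructed namespace
  prefix ex-l3t;

  // ietf-netconf-acm (RFC 6536) defines the default-deny-* extensions.
  import ietf-netconf-acm {
    prefix nacm;
  }
  import ietf-inet-types {
    prefix inet;
  }

  description
    "Constructed example. Marks a writable topology subtree and a
     more sensitive child as requiring explicit NACM rules.";

  revision 2017-01-15 {
    description
      "Illustrative only; the date is constructed.";
  }

  container l3-topology-attributes {
    // Write access to this subtree is denied unless a NACM rule
    // explicitly permits it, whatever the server's write-default is.
    // Read access still follows the normal NACM rules and read-default.
    nacm:default-deny-write;
    description
      "Hypothetical configurable topology attributes.
       Security risk: an unauthorized write here changes the
       topology that applications act on, so write access must be
       granted by rule, never by default.";

    leaf name {
      type string;
      description
        "Hypothetical topology name.";
    }

    list prefix {
      key "prefix";
      description
        "Hypothetical list of prefixes attached to a node.
         Inherits default-deny-write from the enclosing container.";

      leaf prefix {
        type inet:ip-prefix;
        description
          "The prefix.";
      }
      leaf metric {
        type uint32;
        description
          "Hypothetical metric for the prefix.";
      }
    }

    container operator-notes {
      // Stricter than the parent: every access operation, reads
      // included, is denied unless a NACM rule explicitly permits it.
      nacm:default-deny-all;
      description
        "Hypothetical subtree whose contents should not be readable
         by ordinary clients.
         Security risk: disclosure reveals internal details of the
         network, so read access is also denied by default.";

      leaf text {
        type string;
        description
          "Free-form note.";
      }
    }
  }
}
```

With these statements in the module, a server that implements NACM refuses the marked operations for any client that no rule explicitly authorizes, which is the default the review asks the draft to show or to explain the absence of.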


From nobody Mon Jan 16 12:15:00 2017
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
From: Steve KENT <steve.kent@raytheon.com>
To: "secdir@mit.edu" <secdir@mit.edu>
Thread-Topic: SECDIR review of draft-ietf-oauth-jwsreq-09.txt
Thread-Index: AQHScDTQRIxTn2UcrUufc7jChpMgqA==
Date: Mon, 16 Jan 2017 20:14:23 +0000
Message-ID: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [23.103.8.196]
MIME-Version: 1.0
X-CC: ve7jtb@ve7jtb.com, n-sakimura@nri.co.jp, hannes.tschofenig@gmx.net, derek@ihtfp.com, secdir@mit.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-16_15:, , signatures=0
X-Original-Sender: steve.kent@raytheon.com
X-Original-Recipients: secdir@mit.edu, derek@ihtfp.com, hannes.tschofenig@gmx.net,  n-sakimura@nri.co.jp, ve7jtb@ve7jtb.com
X-Attachments: 
X-DMZ-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701160283
X-DMZ-Spam-Reason: mlx
Authentication-Results: symauth.service.identifier
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: multipart/mixed; boundary="===============8092053268032793993=="
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jw3JwAIbGvM70gr-cr-eJ974XOw>
Cc: "n-sakimura@nri.co.jp" <n-sakimura@nri.co.jp>
Subject: [secdir]  SECDIR review of draft-ietf-oauth-jwsreq-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2017 20:14:58 -0000

--===============8092053268032793993==
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_67adb90acb8c4a23beaeb5d0b39800bfCY1PR0601MB023008fmgd2m_"

--_000_67adb90acb8c4a23beaeb5d0b39800bfCY1PR0601MB023008fmgd2m_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable


I generated this review of this document as part of the security
directorate's ongoing effort to review all IETF documents being
processed by the IESG.  These comments were written with the intent of
improving security requirements and considerations in IETF drafts.
Comments not addressed in last call may be included in AD reviews during
the IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This document proposes a mechanism to enable secure communication of
OAuth 2.0 Authorization Requests using a JSON Web Token (JWT). This
mechanism represents an improvement over the current way that OAuth
Authorization Requests are transmitted, i.e., encoded as an
(unprotected) URI.

The document notes that the current Authorization Request mechanism
fails to provide integrity, authenticity, or confidentiality. JSON is
already used for OAuth responses, so using JWT to protect requests seems
like an appropriate choice. (XML signatures and encryption were rejected
as too complex.)

Section 4 defines the Request Object format and provides examples.

The text here is a bit confusing. It seems to state that only integrity
and authenticity are mandated by this specification; confidentiality is
an optional feature. However, when discussing the use of encryption that
does not provide authentication, the text says that a signature “should”
(not “SHOULD”) be applied. The text then says that “In this case, it
[the token] MUST be signed then encrypted …” This combination of
sentences is confusing and OUGHT :-) to be revised.

Section 6 describes how to validate a received JWT request token.
Section 6.1 appears to not mandate use of a signature for an encrypted
token, suggesting that authentication and integrity need not be provided
if the requestor encrypts the token (and does not employ an
authenticated encryption algorithm).

Section 10 describes Security Considerations in addition to the ones
already described in RFC 6119 (OAuth 2.0). The wording of Section 10.1
is odd: “ …it MUST either be JWS signed with then considered appropriate
algorithm or encrypted using [RFC7516].” Why is there no cite of 7515
for JWS algorithms here, to parallel the cite of JWE?

Section 10.2 indicates that a client and server might agree, a priori,
to use the non-protected parameters transmitted in a request. It does
not indicate how this might have been done (hopefully, in a secure
fashion).

Section 10.3 finally mandates authentication of the request source,
something that was ambiguous in earlier sections of this document. There
are some ambiguous statements here, e.g. “Since Request Object URI can
be replayed, the lifetime of the Request Object URI MUST be short and
preferably one-time use.  The entropy of the Request Object URI MUST be
sufficiently large.” The lack of guidance of what constitutes a “short”
lifetime or a “sufficiently large” amount of entropy (in a short URI) is
worrisome.  In (d) there is a typo: “The same requirements as (b) above
applies.” -> “The same requirements as (b) above apply”.

Section 10.4 includes several typos:

“Although this specification does not require them, researchs such as …”
-> “Although this specification does not require them, research such
as …” This is the beginning of a run-on sentence.

“The endpoints that comes into question …” -> “The endpoints that come
into question …”

The wording in several places is awkward, e.g., missing articles.

This section ends with the statement “An extension specification should
be created.” Presumably the intent here is to suggest that an extension
is needed to remedy the vulnerability resulting from the lack of
explicit endpoint identifiers. This should be more clearly stated.

Section 11 discusses Privacy Considerations, an unusual element of an
RFC. (The authors state that ISO/IEC 29100 is freely accessible. That
seems to be true only if one follows the URL in the Informative
References. A search for this ISO document tends to yield copies
available for a non-trivial fee, i.e., ~ $150 USD.) Since there is
standards language in this section (SHOULD and MUST) I think 29100 needs
to be a Normative (not Informational) reference.

The text here raises some good privacy concerns and suggests some means
by which these concerns might be addressed. However, the wording here
needs to be significantly improved. There are extraneous articles and
missing articles that make the text harder to read. The ambiguous
comment about entropy that appeared in 10.3 appears here as well.

--_000_67adb90acb8c4a23beaeb5d0b39800bfCY1PR0601MB023008fmgd2m_--

--===============8092053268032793993==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir

--===============8092053268032793993==--
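
The replay concern quoted from Section 10.3 in the review above, made concrete as an added example (not part of the message or of the draft): a store that issues Request Object URIs which are unguessable, short-lived and single-use. The 256-bit token, the 60-second lifetime, the `https://client.example/request/` base and all class and function names are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

# Assumed policy values; the draft under review gives no numbers.
TOKEN_BYTES = 32        # 256 bits taken from the OS CSPRNG
LIFETIME_SECONDS = 60   # one possible reading of a "short" lifetime
BASE_URI = "https://client.example/request/"  # hypothetical client endpoint


class RequestUriError(Exception):
    """Raised when a Request Object URI is unknown, expired or already used."""


class RequestUriStore:
    """Issues unguessable, short-lived, single-use Request Object URIs."""

    def __init__(self, lifetime=LIFETIME_SECONDS, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock
        # Maps SHA-256(token) -> (expiry, request object). The raw token is
        # not kept, so a leaked table does not reveal redeemable URIs.
        self._entries = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, request_object):
        """Store a (signed) Request Object and return the URI that names it."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expiry = self._clock() + self._lifetime
        self._entries[self._key(token)] = (expiry, request_object)
        return BASE_URI + token

    def redeem(self, uri):
        """Return the Request Object for uri exactly once, before expiry."""
        if not uri.startswith(BASE_URI):
            raise RequestUriError("unknown URI")
        token = uri[len(BASE_URI):]
        # pop() enforces one-time use: a replayed URI finds no entry, and an
        # expired entry is consumed by the failed attempt as well.
        entry = self._entries.pop(self._key(token), None)
        if entry is None:
            raise RequestUriError("unknown or already used URI")
        expiry, request_object = entry
        if self._clock() >= expiry:
            raise RequestUriError("expired URI")
        return request_object

    def purge_expired(self):
        """Drop entries that were never fetched; returns how many were removed."""
        now = self._clock()
        stale = [k for k, (expiry, _) in self._entries.items() if now >= expiry]
        for k in stale:
            del self._entries[k]
        return len(stale)


def demo():
    """Issue one URI for a constructed Request Object and replay it."""
    store = RequestUriStore()
    uri = store.issue("eyJhbGciOiJSUzI1NiJ9.constructed-payload.constructed-sig")
    first = store.redeem(uri)
    try:
        store.redeem(uri)
        replay_rejected = False
    except RequestUriError:
        replay_rejected = True
    return first, replay_rejected


if __name__ == "__main__":
    print(demo())
```
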


From nobody Mon Jan 16 12:18:21 2017
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC49612963D for <secdir@ietfa.amsl.com>; Mon, 16 Jan 2017 12:18:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.36
X-Spam-Level: 
X-Spam-Status: No, score=-6.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13OAUr3ZUD1M for <secdir@ietfa.amsl.com>; Mon, 16 Jan 2017 12:18:16 -0800 (PST)
Received: from PCH.mit.edu (pch.mit.edu [18.7.21.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24D6F129535 for <secdir@ietf.org>; Mon, 16 Jan 2017 12:18:16 -0800 (PST)
Received: from pch.mit.edu (localhost.localdomain [127.0.0.1]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0GKIFiY020834 for <secdir@ietf.org>; Mon, 16 Jan 2017 15:18:15 -0500
Received: from mailhub-dmz-3.mit.edu (mailhub-dmz-3.mit.edu [18.9.21.42]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0GKIDLU020826 for <secdir@mailman.mit.edu>; Mon, 16 Jan 2017 15:18:13 -0500
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) by mailhub-dmz-3.mit.edu (8.13.8/8.9.2) with ESMTP id v0GKI7Yi009164 for <secdir@mit.edu>; Mon, 16 Jan 2017 15:18:13 -0500
X-AuditID: 1209190f-67fff70000006f3d-1d-587d2a83dca6
Received: from mail-qt0-f171.google.com (mail-qt0-f171.google.com [209.85.216.171]) (using TLS with cipher AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 0F.9E.28477.48A2D785; Mon, 16 Jan 2017 15:18:12 -0500 (EST)
Received: by mail-qt0-f171.google.com with SMTP id k15so120052381qtg.3 for <secdir@mit.edu>; Mon, 16 Jan 2017 12:18:12 -0800 (PST)
X-Received: by 10.55.215.129 with SMTP id t1mr30288901qkt.274.1484597891629; Mon, 16 Jan 2017 12:18:11 -0800 (PST)
Received: from [192.168.86.130] ([191.115.145.126]) by smtp.gmail.com with ESMTPSA id u29sm17026625qki.4.2017.01.16.12.18.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Jan 2017 12:18:10 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <A2049174-1AC4-40F2-9114-20D3BBF83BC4@ve7jtb.com>
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 16 Jan 2017 17:18:01 -0300
In-Reply-To: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>
To: Steve KENT <steve.kent@raytheon.com>
References: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>
X-Mailer: Apple Mail (2.3259)
Authentication-Results: symauth.service.identifier
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: multipart/mixed; boundary="===============7137822468120896674=="
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YxfjnkpYl1QpmvKcevm1rAUXDOg>
Cc: "secdir@mit.edu" <secdir@mit.edu>, Nat Sakimura <n-sakimura@nri.co.jp>
Subject: Re: [secdir] SECDIR review of draft-ietf-oauth-jwsreq-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2017 20:18:19 -0000

--===============7137822468120896674==
Content-Type: multipart/signed;
	boundary="Apple-Mail=_419F07FF-66B3-4DB5-81DC-DD7B7BB932CA";
	protocol="application/pkcs7-signature"; micalg=sha1


--Apple-Mail=_419F07FF-66B3-4DB5-81DC-DD7B7BB932CA
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2ABF0B4A-9802-4B55-BF67-6D74B831605F"


--Apple-Mail=_2ABF0B4A-9802-4B55-BF67-6D74B831605F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Thanks for the review.

Nat and I will review and address your comments.

Regards
John B.

> On Jan 16, 2017, at 5:14 PM, Steve KENT <steve.kent@raytheon.com> wrote:
>
>
> I generated this review of this document as part of the security
> directorate's ongoing effort to review all IETF documents being
> processed by the IESG.  These comments were written with the intent of
> improving security requirements and considerations in IETF drafts.
> Comments not addressed in last call may be included in AD reviews
> during the IESG review.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document proposes a mechanism to enable secure communication of
> OAuth 2.0 Authorization Requests using a JSON Web Token (JWT). This
> mechanism represents an improvement over the current way that OAuth
> Authorization Requests are transmitted, i.e., encoded as an
> (unprotected) URI.
>
> The document notes that the current Authorization Request mechanism
> fails to provide integrity, authenticity, or confidentiality. JSON is
> already used for OAuth responses, so using JWT to protect requests
> seems like an appropriate choice. (XML signatures and encryption were
> rejected as too complex.)
>
> Section 4 defines the Request Object format and provides examples.
> The text here is a bit confusing. It seems to state that only
> integrity and authenticity are mandated by this specification;
> confidentiality is an optional feature. However, when discussing the
> use of encryption that does not provide authentication, the text says
> that a signature “should” (not “SHOULD”) be applied. The text then
> says that “In this case, it [the token] MUST be signed then
> encrypted …” This combination of sentences is confusing and
> OUGHT :-) to be revised.
>
> Section 6 describes how to validate a received JWT request token.
> Section 6.1 appears to not mandate use of a signature for an encrypted
> token, suggesting that authentication and integrity need not be
> provided if the requestor encrypts the token (and does not employ an
> authenticated encryption algorithm).
>
>
> Section 10 describes Security Considerations in addition to the ones
> already described in RFC 6119 (OAuth 2.0). The wording of Section 10.1
> is odd: “ …it MUST either be JWS signed with then considered
> appropriate algorithm or encrypted using [RFC7516].” Why is there no
> cite of 7515 for JWS algorithms here, to parallel the cite of JWE?
>
> Section 10.2 indicates that a client and server might agree, a priori,
> to use the non-protected parameters transmitted in a request. It does
> not indicate how this might have been done (hopefully, in a secure
> fashion).
>
> Section 10.3 finally mandates authentication of the request source,
> something that was ambiguous in earlier sections of this document.
> There are some ambiguous statements here, e.g. “Since Request Object
> URI can be replayed, the lifetime of the Request Object URI MUST be
> short and preferably one-time use.  The entropy of the Request Object
> URI MUST be sufficiently large.” The lack of guidance of what
> constitutes a “short” lifetime or a “sufficiently large” amount of
> entropy (in a short URI) is worrisome.  In (d) there is a typo: “The
> same requirements as (b) above applies.” -> “The same requirements as
> (b) above apply”.
>
> Section 10.4 includes several typos:
>
> “Although this specification does not require them, researchs such
> as …” -> “Although this specification does not require them, research
> such as …” This is the beginning of a run-on sentence.
>
> “The endpoints that comes into question …” -> “The endpoints that come
> into question …”
>
> The wording in several places is awkward, e.g., missing articles.
>
> This section ends with the statement “An extension specification
> should be created.” Presumably the intent here is to suggest that an
> extension is needed to remedy the vulnerability resulting from the
> lack of explicit endpoint identifiers. This should be more clearly
> stated.
>
> Section 11 discusses Privacy Considerations, an unusual element of an
> RFC. (The authors state that ISO/IEC 29100 is freely accessible. That
> seems to be true only if one follows the URL in the Informative
> References. A search for this ISO document tends to yield copies
> available for a non-trivial fee, i.e., ~ $150 USD.) Since there is
> standards language in this section (SHOULD and MUST) I think 29100
> needs to be a Normative (not Informational) reference.
>
> The text here raises some good privacy concerns and suggests some =
means by which these concerns might be addressed. However, the wording =
here needs to be significantly improved. There are extraneous articles =
and missing articles that make the text harder to read. The ambiguous =
comment about entropy that appeared in 10.3 appears here as well.


--Apple-Mail=_2ABF0B4A-9802-4B55-BF67-6D74B831605F--

--Apple-Mail=_419F07FF-66B3-4DB5-81DC-DD7B7BB932CA--

--===============7137822468120896674==--
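
The replay concern quoted from Section 10.3 in the message above, as an added example that is not part of the thread or of the draft: a store for whichever party hosts Request Objects, issuing Request Object URIs that are random, short-lived and redeemable once. The 60-second lifetime, the 256-bit handle, the class and function names and the example.org URL are assumptions made here, since the quoted text gives no figures.

```python
import hashlib
import secrets
import time

# Assumed policy values; the quoted draft text gives no figures for either.
REQUEST_URI_TTL_SECONDS = 60   # assumed "short" lifetime
HANDLE_ENTROPY_BYTES = 32      # assumed "sufficiently large": 256 random bits
BASE_URI = "https://client.example.org/request/"  # constructed, hypothetical host


class FakeClock:
    """Settable clock so expiry can be exercised without sleeping."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class RequestObjectStore:
    """Hypothetical store mapping one-time Request Object URIs to Request Objects."""

    def __init__(self, ttl=REQUEST_URI_TTL_SECONDS, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        # Keyed by SHA-256 of the handle, so a dump of the store does not
        # reveal any URI that is still redeemable.
        self.entries = {}

    @staticmethod
    def digest(handle):
        return hashlib.sha256(handle.encode("utf-8")).hexdigest()

    def register(self, request_object):
        """Store a Request Object and return a fresh, unguessable URI for it."""
        handle = secrets.token_urlsafe(HANDLE_ENTROPY_BYTES)
        expires_at = self.clock() + self.ttl
        self.entries[self.digest(handle)] = (expires_at, request_object)
        return BASE_URI + handle

    def redeem(self, request_uri):
        """Return (request_object, reason); the object is None unless reason is 'ok'."""
        if not request_uri.startswith(BASE_URI):
            return None, "unknown_or_replayed"
        handle = request_uri[len(BASE_URI):]
        # pop() removes the entry on first presentation, so a second
        # presentation of the same URI finds nothing: one-time use.
        entry = self.entries.pop(self.digest(handle), None)
        if entry is None:
            return None, "unknown_or_replayed"
        expires_at, request_object = entry
        if self.clock() >= expires_at:
            return None, "expired"
        return request_object, "ok"

    def purge_expired(self):
        """Drop entries that were never redeemed; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (expires_at, _) in self.entries.items() if now >= expires_at]
        for key in stale:
            del self.entries[key]
        return len(stale)


def demo():
    """Run first use, replay and late use against a constructed Request Object."""
    clock = FakeClock()
    store = RequestObjectStore(clock=clock)
    sample = "constructed.request.object"  # stands in for a signed JWT

    uri = store.register(sample)
    first = store.redeem(uri)[1]      # first presentation succeeds
    replay = store.redeem(uri)[1]     # same URI again is refused

    late_uri = store.register(sample)
    clock.now += REQUEST_URI_TTL_SECONDS + 1
    late = store.redeem(late_uri)[1]  # presented after the lifetime ended
    return [first, replay, late]


if __name__ == "__main__":
    print(demo())
```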


From nobody Tue Jan 17 09:52:32 2017
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B5591293D8; Tue, 17 Jan 2017 09:52:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzjQaMMgQavH; Tue, 17 Jan 2017 09:52:26 -0800 (PST)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F256A127077; Tue, 17 Jan 2017 09:52:25 -0800 (PST)
Received: by mail-qt0-x229.google.com with SMTP id v23so169970053qtb.0; Tue, 17 Jan 2017 09:52:25 -0800 (PST)
X-Received: by 10.237.53.162 with SMTP id c31mr37548355qte.55.1484675545096; Tue, 17 Jan 2017 09:52:25 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.157.206 with HTTP; Tue, 17 Jan 2017 09:52:24 -0800 (PST)
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 17 Jan 2017 12:52:24 -0500
Message-ID: <CAJm83bCdcDHomk3EJKEnbmdW6U22GGN5cyHPrdJC1H967v5OGw@mail.gmail.com>
To: iesg@ietf.org, secdir@ietf.org,  draft-ietf-trill-directory-assist-mechanisms-all@tools.ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jY9zGWR-wHMetdUjQkwR5bYapgw>
Subject: [secdir] SECDIR review of draft-ietf-trill-directory-assist-mechanisms
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 17:52:27 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I believe this document is READY WITH NITS. I'm satisfied with its
normative content but the Security Considerations section could use
a bit of elaboration.

I had never heard of TRILL prior to being assigned this review and
the tree of normative references is a bit daunting, so these comments
will necessarily be based only on an extremely high-level view of
the system.

draft-ietf-trill-directory-assist-mechanisms proposes to augment
TRILL by adding directory servers which cache information about network
topology, allowing RBridges to sometimes shortcut the usual learning
algorithm that they would use to discover this information.

Here are the fundamental points which the Security Considerations
section either addresses or ought to address:

1. There are three relevant security goals:

   a. Availability: packets should reach their intended destination

   b. Confidentiality: packets should not reach unintended destinations

   c. Privacy: metadata concerning network presence should not be
      shared more widely than necessary

2. Access control to directory servers can be enforced using
   pre-existing cryptographic mechanisms specified in RFCs 5304, 5310,
   and 7978.

3. Principals authorized (duly or otherwise) to read directory data
   can violate privacy.

4. Principals authorized to modify directory data can violate
   availability and confidentiality.

5. Directory servers must therefore take care to implement and enforce
   access control policies which are not overly permissive.

The current text of the Security Considerations section directly
addresses points 1a, 1b, 2, and 4. The paragraph added in version 11 of
the draft obliquely implies points 1c and 3 but I wish they'd be
stated more explicitly. But the major omission is point 5: what does
a correct authorization predicate look like? What sort of access must
necessarily be authorized in order for protocol execution to succeed?
What sort of access generally ought *not* be authorized?


From nobody Tue Jan 17 12:51:31 2017
Return-Path: <derek@ihtfp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C65712946E; Tue, 17 Jan 2017 12:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PKLNKnee9xLy; Tue, 17 Jan 2017 12:51:25 -0800 (PST)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1661293E4; Tue, 17 Jan 2017 12:43:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id A0A66E2045; Tue, 17 Jan 2017 15:43:26 -0500 (EST)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 10938-03; Tue, 17 Jan 2017 15:43:25 -0500 (EST)
Received: from securerf.ihtfp.org (unknown [IPv6:2001:470:e448:2:ea2a:eaff:fe7d:235]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id 1BA83E2044; Tue, 17 Jan 2017 15:43:25 -0500 (EST)
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id v0HKhMJm019004; Tue, 17 Jan 2017 15:43:22 -0500
From: Derek Atkins <derek@ihtfp.com>
To: iesg@ietf.org, secdir@ietf.org
Date: Tue, 17 Jan 2017 15:43:22 -0500
Message-ID: <sjmvatdmn85.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1kvve_A9qIw5gBfDVXOXVTcci-4>
Cc: luc.beloeil@orange-ftgroup.com, pauljeong@skku.edu, soohong.park@samsung.com, smadanapalli@gmail.com, 6man-chairs@ietf.org
Subject: [secdir] sec-dir review of draft-ietf-6man-rdnss-rfc6106bis-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 20:51:26 -0000

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments
not addressed in last call may be included in AD reviews during the
IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

Summary:

Ready to publish.

Details:

I found no issues with this document.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Tue Jan 17 14:50:24 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F25AA12941D; Tue, 17 Jan 2017 14:50:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.157
X-Spam-Level: 
X-Spam-Status: No, score=-3.157 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAzcGWqQiP_T; Tue, 17 Jan 2017 14:50:19 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0102.outbound.protection.outlook.com [104.47.38.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 214501294F5; Tue, 17 Jan 2017 14:50:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dIYXw9oTPBOMSauMPQF4P1KUXjC4i72c4o6PrqMmXl4=; b=eVJt8nS7/nL/MOU3ZvvpH4y4Bg0HDX7MSinb1PPFx4K82MGDvET5YmR/Sg2prIRFHwXuiz4Bt6cKx8R3f++ezOYdT0EktQqy7/7bYlGb4Z6T6qPjffJtWGoE0c3CP/4x3/1b/M7DS7lg9axGhX5IaJeb8kG3w0zghAmjhYJeqLw=
Received: from BN3PR03MB2355.namprd03.prod.outlook.com (10.166.74.150) by BN3PR03MB2353.namprd03.prod.outlook.com (10.166.74.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.845.12; Tue, 17 Jan 2017 22:50:17 +0000
Received: from BN3PR03MB2355.namprd03.prod.outlook.com ([10.166.74.150]) by BN3PR03MB2355.namprd03.prod.outlook.com ([10.166.74.150]) with mapi id 15.01.0845.013; Tue, 17 Jan 2017 22:50:17 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-oauth-amr-values.all@ietf.org" <draft-ietf-oauth-amr-values.all@ietf.org>
Thread-Topic: SECDIR Review of draft-ietf-oauth-amr-values-04
Thread-Index: AQHSS+6/fStzUgjJAUCCQXTQjbD7cqE9hgsA
Date: Tue, 17 Jan 2017 22:50:17 +0000
Message-ID: <BN3PR03MB23557BC12F4423468C7E1B23F57C0@BN3PR03MB2355.namprd03.prod.outlook.com>
References: <ABB46E70-4015-43B0-9364-0F32FD8FC9AB@nrl.navy.mil>
In-Reply-To: <ABB46E70-4015-43B0-9364-0F32FD8FC9AB@nrl.navy.mil>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
x-originating-ip: [2001:4898:80e8:3::7c0]
x-ms-office365-filtering-correlation-id: a954c551-aee7-4d9f-5172-08d43f2b352a
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:BN3PR03MB2353;
x-microsoft-exchange-diagnostics: 1; BN3PR03MB2353; 7:s3Sxw85Ah3g9t5nZMEfIQ4zlJ6VuAxE5inbsHc8V0F6uQbDMw+YuO9CwKpY09h7bCJSZp1W08CPCaGINTWpG/Vb6grbhCDZSEAp/TwYsuzheyKAiZFU/6wL0t2vxbhR7K55fJXWxP+TJABKyE6xv80g4N5A6nRv3HjmIZ09SWEP27kEfi4l2O4XtdEQC1Ui571sWAZP0dO/iuSxlEz/qbSu4XnpQRfxsbaWKXPRy2KB3wPhZ2x6j6lXXE27D5xxtFpTfn7JBnkZsKOznMkW7af5pXYNZQY+W3hWL+RSnSEA3NFRvSDJZGhQyTmdAOYfoYIVCy5/4uiXcMxHU2Y+afmATw7W+iXrOo/lwlBT2LkHqL0PuDJkiK3t1M0MxHksL1JTgjskm+nBx9h3RV9n1ON/HFl0vtfiivlbz/w/Lne5v0w6BsdAhyxf/LlSLNbskKqjmoEkfyVQYBcoJdZmPAkoZyCEZxsHjomuf9bMMado=
x-microsoft-antispam-prvs: <BN3PR03MB23530B999CF39CE29D4D0697F57C0@BN3PR03MB2353.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705)(21748063052155)(4659246709749); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123555025)(20161123562025)(20161123564025)(20161123560025)(6072148)(6047074); SRVR:BN3PR03MB2353; BCL:0; PCL:0; RULEID:; SRVR:BN3PR03MB2353; 
x-forefront-prvs: 01901B3451
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39840400002)(39410400002)(39850400002)(39860400002)(39450400003)(377454003)(252514010)(51444003)(189002)(199003)(3660700001)(189998001)(229853002)(92566002)(86362001)(2201001)(86612001)(2900100001)(6116002)(101416001)(38730400001)(106356001)(2950100002)(33656002)(53936002)(2501003)(105586002)(7736002)(790700001)(102836003)(106116001)(5660300001)(76176999)(54356999)(122556002)(6506006)(8936002)(8990500004)(68736007)(81156014)(8676002)(2906002)(236005)(9686003)(55016002)(7696004)(97736004)(54896002)(6436002)(10090500001)(77096006)(99286003)(5001770100001)(74316002)(10290500002)(25786008)(50986999)(345774005)(6306002)(230783001)(81166006)(5005710100001)(19609705001)(3280700002)(107886002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR03MB2353; H:BN3PR03MB2355.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR03MB23557BC12F4423468C7E1B23F57C0BN3PR03MB2355namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jan 2017 22:50:17.1910 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB2353
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/sH9T2gAW6GWGO3otuq811ZSR_pI>
Subject: Re: [secdir] SECDIR Review of draft-ietf-oauth-amr-values-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2017 22:50:21 -0000

--_000_BN3PR03MB23557BC12F4423468C7E1B23F57C0BN3PR03MB2355namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_BN3PR03MB23557BC12F4423468C7E1B23F57C0BN3PR03MB2355namp_--


From nobody Tue Jan 17 18:24:59 2017
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C49A1289B0; Tue, 17 Jan 2017 18:24:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level: 
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tuCg7ZW46afG; Tue, 17 Jan 2017 18:24:57 -0800 (PST)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14CF112961D; Tue, 17 Jan 2017 18:24:54 -0800 (PST)
Received: by mail-wm0-x22a.google.com with SMTP id c85so225914314wmi.1; Tue, 17 Jan 2017 18:24:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:sender:from:date:message-id:subject:to; bh=gWW+ORhv5pfWRrTld1jhk5mQwdiRsr1s9nvLWFEq2mQ=; b=YJvcTCW65v+opS72tu7+uVfv9yLuczjkh5zmQt2LClArgJwsgpkJ8DipU09DBGPFJ2 LhGdN1ki4VqMFVjM3dJ65t4WHKHIC/55V5M6vf2i7PrmmCGe2AF4L8u/IEO9Y/MhYfPF j0LLqInpn7e3KFStU6FMEmcH6YiYr7w7INu99RknH/zKscE8nBGIjMdmxfOjiKwwuu3n g3iSR2UML0rw5Cr7Tzv9ODIVsjgmip4F3UuifNtlVCDGqXLnsqg03PAGb74Ter8df8re Dz39SRJ5sY2xHyUKFLKXLGu3VwJFYhC1WjGmZFiAdkYK7BPjBxLlfyeDYLap3/C/khGF k8XQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=gWW+ORhv5pfWRrTld1jhk5mQwdiRsr1s9nvLWFEq2mQ=; b=oYZ9q47hMn1wVw48Kiy4F+5cPK4Ta88Cue+d4zqj4ZludKdPqvLEsGFOA2MAVDtLHl CMamMOtckSJk8mNouFxOOktljD4jD2lPVq32jq4xPXKBRkXc3t3N1l9kEuzT5VAsT5q9 EwHVatgJCiGpsC7vI9VJ857Ja3MvYVtXmRDJlkhYQ9MdgeX0+wCfrT8Iyzq3fHrfy4F0 ZUkYK6iizHO8KOlHGD54axnEXPq1FpFDUEaZaVXwyJP74pbyR5j+WxWud7OrftFRzFHv tGfgkI+uJNEDXZhceczHPhb5s2f1Z6cesfNSwMokBbm9eBWfaNAp5IEsU6qjsrxG7X2l oRBQ==
X-Gm-Message-State: AIkVDXIyuZ31SO84sXShtcNqemD4L6+zgl5tbeOzINNgbCJtrFckC0qaOWcdZK+q6ChAnRCwEjuuv+qzWlNJRw==
X-Received: by 10.28.211.200 with SMTP id k191mr705546wmg.137.1484706292391; Tue, 17 Jan 2017 18:24:52 -0800 (PST)
MIME-Version: 1.0
Sender: hallam@gmail.com
Received: by 10.194.221.6 with HTTP; Tue, 17 Jan 2017 18:24:51 -0800 (PST)
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 17 Jan 2017 21:24:51 -0500
X-Google-Sender-Auth: d5i-OefvSymdxrZy5AWLU2a1IeI
Message-ID: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com>
To: draft-ietf-ipsecme-rfc4307bis.all@ietf.org,  "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary=001a1147437427660c0546551fd5
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/i9J6qks-brOQ7UybA3EHO1oy2F4>
Subject: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 02:24:58 -0000

--001a1147437427660c0546551fd5
Content-Type: text/plain; charset=UTF-8

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

STATUS: Ready with one minor typo.


My personal taste would be to reduce the number of algorithms by half. But
that is not practical given the history so this is the best we can do in
the circumstances.



Typos

 Sec 3.4

   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
   are not safe-primes.  The seeds for these groups have not been


--001a1147437427660c0546551fd5--


From nobody Tue Jan 17 19:31:13 2017
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67C46129671; Tue, 17 Jan 2017 19:31:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.356
X-Spam-Level: 
X-Spam-Status: No, score=-5.356 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.156, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id amuWps5yynNL; Tue, 17 Jan 2017 19:31:10 -0800 (PST)
Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DE15129667; Tue, 17 Jan 2017 19:31:09 -0800 (PST)
X-AuditID: c618062d-aa3ff70000007359-73-587ee82ce1dd
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by  (Symantec Mail Security) with SMTP id FF.83.29529.C28EE785; Wed, 18 Jan 2017 04:59:42 +0100 (CET)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.03.0319.002; Tue, 17 Jan 2017 22:31:07 -0500
From: Daniel Migault <daniel.migault@ericsson.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, "draft-ietf-ipsecme-rfc4307bis.all@ietf.org" <draft-ietf-ipsecme-rfc4307bis.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
Thread-Index: AQHScTITQ6RpQiOoUUSWM42jvxKGBaE9kcMg
Date: Wed, 18 Jan 2017 03:31:06 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C11800730D@eusaamb107.ericsson.se>
References: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com>
In-Reply-To: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.11]
Content-Type: multipart/alternative; boundary="_000_2DD56D786E600F45AC6BDE7DA4E8A8C11800730Deusaamb107erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrPLMWRmVeSWpSXmKPExsUyuXRPrK7ei7oIg7frxC1mv3rEZDHxw2xG iw8LH7I4MHtcWP2VyWPJkp9MAUxRXDYpqTmZZalF+nYJXBmfTuxhLriVVLH34mqWBsaGhC5G Tg4JAROJpv8r2LsYuTiEBNYzSvQc62QESQgJLGeUWHeQHcRmEzCSaDvUD2aLCGxjlPjeawBi CwvYSfy808EEEbeXmPtqPZRtJLH05VkWEJtFQFXi7ISjYDN5BXwltp97xAYxP0Di/ZTzYHFO gUCJKRe+g8UZBcQkvp9aAzaHWUBc4taT+UwQhwpILNlznhnCFpV4+fgfK4StJPHx93x2iPp8 iVdbPkDtEpQ4OfMJywRG4VlIRs1CUjYLSdksRg6guKbE+l36ECWKElO6H7JD2BoSrXPmsiOL L2BkX8XIUVpckJObbmSwiREYLcck2HR3MN6f7nmIUYCDUYmHt8CwLkKINbGsuDL3EKMEB7OS CG/PfaAQb0piZVVqUX58UWlOavEhRmkOFiVx3rjV98OFBNITS1KzU1MLUotgskwcnFINjPyJ EY0BWS+sTc7ZHvn+vl/qwrbFFm1XdUr9uC2/P17cunmzXNrNQy3JNY4Xpi/Wd/teJnrmdY/G 9An1kq5/C2p++l0Ud9l5rH7HrkczYvRt9tZIrxGuWNtcLucS3nDnQ3C7mEpM6tkgkRU8ZyLu H/m773nrlr3vJIxXz5p2q3qf95608s6Dj5RYijMSDbWYi4oTAUvygM2SAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/C_o1xfIDshzqcSI5ixLHyU4tEEs>
Subject: Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 03:31:11 -0000

--_000_2DD56D786E600F45AC6BDE7DA4E8A8C11800730Deusaamb107erics_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_2DD56D786E600F45AC6BDE7DA4E8A8C11800730Deusaamb107erics_--


From nobody Tue Jan 17 22:00:44 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982C8129508; Tue, 17 Jan 2017 22:00:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.4
X-Spam-Level: 
X-Spam-Status: No, score=-7.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGclZclb4FN1; Tue, 17 Jan 2017 22:00:42 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B72E3129682; Tue, 17 Jan 2017 22:00:41 -0800 (PST)
X-AuditID: 1209190c-a0bff70000004c61-82-587f0486b062
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id D3.83.19553.6840F785; Wed, 18 Jan 2017 01:00:40 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v0I60bHS007138; Wed, 18 Jan 2017 01:00:37 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v0I60QRd024305 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jan 2017 01:00:36 -0500
Date: Wed, 18 Jan 2017 00:00:26 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-mpls-residence-time.all@ietf.org
Message-ID: <20170118060025.GN8460@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KaiVCjdJVovCj049ksWXoot6B98>
Subject: [secdir] secdir review of draft-ietf-mpls-residence-time-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 06:00:43 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document is Almost Ready.

This document describes a mechanism for recording the residence time of
timing packets along a network path, so that time protocols (NTP, PTP) can obtain
more accurate estimates of transit time.  (Well, the document just claims
to record the residence time and I am inferring the bit about more accurate
estimates; maybe there should be an explicit mention.)  It is limited (at
present) to MPLS networks established using RSVP-TE, to the exclusion of
LSPs established via LDP and non-MPLS networks.  The residence time measurement
is performed in a Generic Associated Channel, and several new data structures
(and sub-data structures) and corresponding type values (and sub-type values)
are established to carry the needed information.

I almost marked this document as Ready with Issues (discussion below), but
ended up changing to Almost Ready, since I think the document structure
needs some more work in order to clearly describe what an interoperable
implementation would need and how the pieces fit together, as is required
for Standards-Track documents.

The security considerations section incorporates that section from
RFC 5586 by reference, but 5586's security considerations are basically
just pointers to those considerations in RFCs 4385 and 5085.
This document also mentions RFC 7384, whose entirety is security requirements
of time protocols, which probably contains more detail than this document would
need if discussion was inline.  However, the security considerations of
draft-ietf-mpls-residence-time-12 also contains discussion about how
PTP-aware nodes on the path are required to modify the messages, and the
needed trust model involves these nodes being trusted to perform those modifications.
That seems true and is probably fine for a protocol that is running on
"trusted infrastructure", but the claim is also made that the messages modified
by intermediate nodes "cannot be authenticated".  This is only somewhat
true, as one can create complex crypto schemes that involve giving key
material to intermediate nodes that can let them make authenticated
(but detectable) modifications.  Such schemes seem far too complex for the
topic at hand, though, as they are likely to increase the processing delay
for the time packets, and it seems fine to defer investigating them in the
same way that it is fine to defer investigating authenticating/encrypting
the RTM data that does not need to be modified by intermediate nodes, which
is explicitly noted in the security considerations.

I do think there are some relevant security considerations that are not
mentioned, though -- for the two-step flow, an RTM-capable node is
required to wait for the follow-up RTM message and make the corresponding
residence time update.  This requirement is unbounded and could lead to
a resource leak if that follow-up packet fails to arrive, for an implementation
that blindly follows the spec without resorting to practical engineering
knowledge.  I do not expect there to be any such implementations, but this
document should probably indicate that timing out is okay within
"reasonable" bounds, or whatever similar workaround is best practice in this
domain.

In terms of other security/privacy considerations that are new in this
document, there is some information exposure about nodes along the path
that could potentially be used for fingerprinting, but since the timing
packets carry destination addresses already, and the LSP setup appears
to involve declaring the path anyway, this doesn't seem to merit any concern.

The other main issue I have with this document is arguably not an issue
at all, but it relates to the plethora of TLVs and sub-TLVs and TLVs
in other registries, with an IANA considerations section that sometimes
does not clearly indicate what registry is to be updated.  As per the
checklist at https://www.ietf.org/iesg/template/doc-writeup-essay-style.html,
the IANA considerations should refer to registries by their exact names,
which probably means the name of the sub-registry and the overarching
parent registry should be clearly written out.  It might also be nice
to have more descriptive names, so I do not have to keep track that there
are RTM G-ACh packets whose values are sometimes sub-TLVs in the PTP case;
RTM Capability (or is it Capabilities?) sub-TLVs that can be contained
in any of OSPFv2, IS-IS, and maybe OSPFv3 data structures; an RTM_SET
TLV whose presence is indicated as an Attribute Flag from some registry that does
not seem to be named; sub-TLVs within those RTM_SET messages; and also
the RTM sub-TLVs that get a registry created for them in section 8.3
and I apparently missed when paging through the document to create this list.
The names used to refer to these structures have me flipping back and
forth to figure out which is which, whereas a name like "RTM_SET
address identifier" (viz. section 8.6) would help the reader a lot.
In a similar vein, it would be nice to have some test vectors that show
the encoding of these structures and their encapsulation in the parent
data structures, to make sure that the implementor gets all the right
layers of T+L wrapping in place.  Alternately (or additionally!), more
clear text that the T+L in the figures here are included in the encoded
data that is the contents of a specific, named, parent data structure
would be useful.


Some other more nit-level things:

In the example in section 4.6, when F is updating the correction field
of the PTP message, I assume that F should also use its measurement of
the residence time on F in addition to the value received in the scratch
pad field, but the example seems to not indicate that.

A couple paragraphs later, "[a]n ingress node that is configured to
perform RTM [...] verifies that the selected egress [node supports RTM]";
should that be a MUST-level requirement that the verification is done?

On page 12, last paragraph, we have some text "If no RTM_SET TLV has been
found, then the LSP setup MUST fail [...]".  Is this only in the case
when the RTM_SET flag is set?  If so, that should probably be made more
clear in the text, as on my first reading I was surprised, since
the RTM_SET generally goes in the LSP_ATTRIBUTES and not the
LSP_REQUIRED_ATTRIBUTES, and as such would not be globally mandatory.

Section 5 makes an offhand note that a 4.6 nanosecond error would
probably be ignorable, which leads to the question: what is the
actual measurement precision that is needed for this scheme to be useful?
The scratch pad uses an IEEE double to count nanoseconds, so potentially
sub-nanosecond values are in-scope, but as someone not well-versed in
PTP I really have no idea how good things can/need to be.

The "A" and "B" subcases mentioned in section 7 get multiple paragraphs
each; it might be more clear to make them subsections instead.

I'm also left puzzled by the last paragraph of section 7; it seems to say
that the *last* RTM(-capable) node of the LSP will generate the follow-up
message, but I thought it was generally an earlier node that would be
setting the S bit and generating the follow-up message.

This document uses several abbreviations/acronyms without introduction
that do not appear on the RFC Editor's abbreviations list
(https://www.rfc-editor.org/materials/abbrev.expansion.txt) as not
needing expansion: G-ACh (also appears in the abstract; the RFC Editor
will likely want to not use the acronym at all in the abstract),
RSVP-TE, and PW are ones I noted.
(LDP is also used without expansion, but does appear on the list as
"well-known".)


There are also a lot of grammar nits (including very many missing
instances of the definite article), but it does not seem worth enumerating
them here.  I will try to send a diff to the authors later this week,
but time is a bit short at the moment.

-Ben
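
The review above notes that waiting without bound for the follow-up message in the two-step flow could leak state. The sketch below is an added example, not part of the original message or of the draft: it bounds that state with a per-entry timeout and a hard cap on entries. The class and field names, the (LSP, sequence number) key, and the timeout and cap values are all assumptions made for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Pending:
    residence_ns: float  # residence time measured for the original timing packet
    deadline: float      # monotonic time after which the entry is discarded


class FollowUpTable:
    """Holds measured residence times until the matching follow-up arrives.

    Two bounds stop the leak: every entry expires after timeout_s, and the
    table never holds more than max_entries. Both values are assumptions,
    not taken from the draft. Callers must pass a non-decreasing `now`
    (for example time.monotonic()).
    """

    def __init__(self, timeout_s=2.0, max_entries=1024):
        self.timeout_s = timeout_s
        self.max_entries = max_entries
        # With a constant timeout, insertion order equals deadline order,
        # so the oldest entry is always first.
        self._pending = OrderedDict()
        self.expired = 0    # entries dropped because no follow-up arrived in time
        self.evicted = 0    # entries dropped because the table was full
        self.unmatched = 0  # follow-ups that found no stored measurement

    def _expire(self, now):
        while self._pending:
            key, entry = next(iter(self._pending.items()))
            if entry.deadline > now:
                break
            del self._pending[key]
            self.expired += 1

    def record(self, key, residence_ns, now):
        """Store the measurement taken when the first packet was forwarded."""
        self._expire(now)
        if key in self._pending:
            del self._pending[key]             # re-insert to keep deadline order
        elif len(self._pending) >= self.max_entries:
            self._pending.popitem(last=False)  # evict the oldest entry
            self.evicted += 1
        self._pending[key] = Pending(residence_ns, now + self.timeout_s)

    def on_follow_up(self, key, scratch_pad_ns, now):
        """Return the updated scratch pad value, or None if state is gone."""
        self._expire(now)
        entry = self._pending.pop(key, None)
        if entry is None:
            self.unmatched += 1
            return None
        return scratch_pad_ns + entry.residence_ns

    def __len__(self):
        return len(self._pending)


def demo():
    """Run constructed events: one match, one late follow-up, one burst."""
    table = FollowUpTable(timeout_s=2.0, max_entries=3)
    table.record(("lsp-1", 100), 850.0, now=0.0)
    table.record(("lsp-1", 101), 900.0, now=0.5)
    # Follow-up arrives in time: stored residence time is added.
    updated = table.on_follow_up(("lsp-1", 100), 1200.0, now=1.0)
    # Follow-up arrives after the deadline (0.5 + 2.0): state already freed.
    late = table.on_follow_up(("lsp-1", 101), 1200.0, now=3.0)
    # Ten timing packets whose follow-ups never arrive: the cap holds.
    for seq in range(200, 210):
        table.record(("lsp-2", seq), 700.0, now=3.0)
    return updated, late, len(table), table.expired, table.evicted, table.unmatched


if __name__ == "__main__":
    print(demo())
```

What a node does with a follow-up that finds no stored measurement is left to the caller here; the counters give an operator something to alert on when follow-ups are being lost.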


From nobody Wed Jan 18 04:42:31 2017
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CAEA1295A3 for <secdir@ietfa.amsl.com>; Wed, 18 Jan 2017 04:42:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.2
X-Spam-Level: 
X-Spam-Status: No, score=-5.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lwDUHnFVun6B for <secdir@ietfa.amsl.com>; Wed, 18 Jan 2017 04:42:28 -0800 (PST)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B88C312940C for <secdir@ietf.org>; Wed, 18 Jan 2017 04:42:28 -0800 (PST)
Received: by mail-ua0-x233.google.com with SMTP id y9so8337038uae.2 for <secdir@ietf.org>; Wed, 18 Jan 2017 04:42:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+VXIv+P7iDbZiniQ2dBNswcR8vVuWyn4rgvUXB90Eyg=; b=pgI0Ays0t3GaC96+xrTx0/HJ6yG3d2HiY49MDZayDVpdd3ECmJ2F/PWA3fhSAwrqkG OPTQCYIFUJK3Lpq9j0aqXfnsrJRt2nRLdhrADty4Xe0CJlAjoHgjsV9fNTq4bkkXI1ci 01xpHrq7RUoDxKVATcdw8IxXEbSoDs7DKKqU0lZC6HHAQhLETSv8wW5/l4seOIN+EBDe wB4E1t3w4IJ5zleikbtQDRaIBMMiUpYvK/i/bJR0KBwyvK4JPr1gsf6F7GDd9QJfrFHp MoH8k70d3eqw8WaaYsskqVrEMZng+IA+pGNBmacdg0rrpR+e/8jEXAbGEuTqXcGiLj0B Bepw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+VXIv+P7iDbZiniQ2dBNswcR8vVuWyn4rgvUXB90Eyg=; b=ElNpEl08907vIqyjZV3uYEB53nUfiRIFGnsFujyoj5n1a6kNKvoVxJ0HVmQTxUs71d JbRmCi2tEewaejHg1dnAzlCllBWtF/ZGfzOHtmVLE07Z0vwuvcL/BuqDcrKNperT0eHi PuF9f0N/kUAk7zbSicO0d9THH83pAHd3fqj2hjnq+Z5xdgHqe8P9D3oCoYkzjZvcY6vI DRaok1AWVJVVHU3cEUx3dqex/9tEYjEqbLscf38PB9CqN2tQs7nfyL2gNASBzCBXwMr0 HTEYFJ54lcbwNKJh4sFeOnb/rTEaeC8h3Hszc7PDMUO69sAS7sK54rMgCeX1PTY8myPW 6+yA==
X-Gm-Message-State: AIkVDXJKlahftC1g6XMnt4NBm3jx9inj/MKHm0xNnKfxOAgecZEB1+CjIjoxQ1+yKSF+JSkgjI1xDJXkCmRYoz21
X-Received: by 10.176.65.198 with SMTP id 64mr1676610uap.40.1484743347734; Wed, 18 Jan 2017 04:42:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.130.199 with HTTP; Wed, 18 Jan 2017 04:42:27 -0800 (PST)
In-Reply-To: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com>
References: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
Date: Wed, 18 Jan 2017 12:42:27 +0000
Message-ID: <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/EFLT4W3Hb9O06vSd4awkrrM0uR8>
Cc: draft-ietf-ipsecme-rfc4307bis.all@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 12:42:30 -0000

Aren't we supposed to be deprecating 5114 primes?

On 18 January 2017 at 02:24, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> STATUS: Ready with one minor typo.
>
>
> My personal taste would be to reduce the number of algorithms by half. But
> that is not practical given the history so this is the best we can do in the
> circumstances.
>
>
>
> Typos
>
>  Sec 3.4
>
>    Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
>    are not safe-primes.  The seeds for these groups have not been
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>


From nobody Wed Jan 18 07:03:45 2017
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CAA9129476; Wed, 18 Jan 2017 07:03:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K9Sue-7kkq4K; Wed, 18 Jan 2017 07:03:42 -0800 (PST)
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06A32126D73; Wed, 18 Jan 2017 07:03:42 -0800 (PST)
Received: by mail-wm0-x244.google.com with SMTP id r144so4714147wme.0; Wed, 18 Jan 2017 07:03:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=DmFaAfU1wxcbLOC0X4FpbmO5+CJODKPfdnDzfDSRtBc=; b=eFEiWaYwWd1ex6AXQYfRTTAuN2way58zp5zjsWr/IvIbQltQDvPKEcBuqyDnDBztTV 7C5wzp1VjasSHOUck1rPxUjtinbJ+1PVP504lHZSSAAwNZqsmMppjH0PJrZDcdx9eMMA 9rnBGXBy09nHAWpgcRwbCMeYlyaL6dp6pMJYrbdH2bex9mOhK3QTj4ONqn7v8vPzrmbu hunAmCJ2u0MM+GpU1IOsVQHrNDjdHbHwABIX37xfWnvSVIioa9qPQA1wLTwWz5iHCKMY LEmG0eCpo6/G/GJSBimQNkm/2Tr8VeK6hTcXzxWPmEgG0+ZbTTkkNxEx+4xs8sm8yadc GTHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=DmFaAfU1wxcbLOC0X4FpbmO5+CJODKPfdnDzfDSRtBc=; b=sw2tqL2USoZ+XxCDSj2hnNFzxeD3ok06f6gZKxMtUmlqPf93hK6f2ou+LvCFGzhR4j MEJxSlp07UnueUNl9nhpWfiiKLMN49BHItzz1aZPIF0CDjY0gSNoElv7kjZAQs90v5Ca 5Tz1kCfm1tIKzA5nv6d54SGmMKPKeaNdqWe+PLJ6rx4gPnm4D0qC7/hiR9cZhYrPaauw +pCvWj+/ByC+uSBA3J+Fv/7QO86BNpXjXr056WBd2FiMJhPhOJuw9ZpZJabOrox0fpLh 705A8lb07Gk1DO9JVNu4zd9c0MfKF+aLZx1pWi0hPwqZ00UJOmER2CR4cqXZUwGiEJEQ de9A==
X-Gm-Message-State: AIkVDXJgKC+6C2E4ZuTGg3Ue9qcS91toKrYIg+CqY0ELlGFt1kTRloIUuxtSGDI73vUhig==
X-Received: by 10.28.217.83 with SMTP id q80mr12074830wmg.58.1484751820468; Wed, 18 Jan 2017 07:03:40 -0800 (PST)
Received: from [172.24.250.243] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id k11sm5446545wmb.18.2017.01.18.07.03.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jan 2017 07:03:39 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <2E57FFB8-20ED-410D-A5E4-21ED72270BA8@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A9F9750D-F8FA-4333-A777-303EAE8453B7"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 18 Jan 2017 17:03:34 +0200
In-Reply-To: <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com>
To: Ben Laurie <benl@google.com>
References: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com> <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/z34afvZX4PrBQdsdlOVa7eq8Z3A>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, draft-ietf-ipsecme-rfc4307bis.all@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 15:03:44 -0000

--Apple-Mail=_A9F9750D-F8FA-4333-A777-303EAE8453B7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


> On 18 Jan 2017, at 14:42, Ben Laurie <benl@google.com> wrote:
>
> Aren't we supposed to be deprecating 5114 primes?

Sure:

   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
   are not safe-primes.  The seeds for these groups have not been
   publicly released, resulting in reduced trust in these groups.  These
   groups were proposed as alternatives for group 2 and 14 but never saw
   wide deployment.  It has been shown that Group 22 with 1024-bit MODP
   is too weak and academia have the resources to generate malicious
   values at this size.  This has resulted in Group 22 to be demoted to
   MUST NOT.  Group 23 and 24 have been demoted to SHOULD NOT and are
   expected to be further downgraded in the near future to MUST NOT.

This is what deprecation looks like

Yoav


>
> On 18 January 2017 at 02:24, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> STATUS: Ready with one minor typo.
>>
>>
>> My personal taste would be to reduce the number of algorithms by half. But
>> that is not practical given the history so this is the best we can do in the
>> circumstances.
>>
>>
>>
>> Typos
>>
>> Sec 3.4
>>
>>   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
>>   are not safe-primes.  The seeds for these groups have not been
>>
>>
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>>



--Apple-Mail=_A9F9750D-F8FA-4333-A777-303EAE8453B7--


From nobody Wed Jan 18 14:22:09 2017
Return-Path: <asmirnov@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB899129504; Wed, 18 Jan 2017 14:22:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level: 
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDWdhXFvIikt; Wed, 18 Jan 2017 14:22:06 -0800 (PST)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45153129416; Wed, 18 Jan 2017 14:22:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5732; q=dns/txt; s=iport; t=1484778125; x=1485987725; h=subject:to:references:from:message-id:date:mime-version: in-reply-to; bh=fZu3IwRnPxufOTdyPpa4ttgNn7/doMeknwzc71Vw+0g=; b=aNGavKPjDRqdSz9kvRmCDRvxwX94ktzXgA5PKQISC8BGeDIz0rrof6Kr ye25tG6hRvtquFdXCJpv3nUo+WCk2Nbqfp/4IZGkcYxpIxMg6ArSj8NzT P5Tp2Zg8lpglh3wA2nRzwYCbw9TkP06Y+jqXNzf7eWLr2vmNyIFCms+pt w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BDAQDv6X9Y/xbLJq1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBBwEBAQEBgm9KAQEBAQGBKYQwighykRCQAYUrgguGIgKCQxgBAgEBAQEBAQF?= =?us-ascii?q?jKIRqAQUjZgsYKgICVwYBDAgBAReIaLAsgiUrihQBAQEBAQEBAQIBAQEBAQEBA?= =?us-ascii?q?QEfhkuCBYJph0+CXgWbQZFiii+GPo5chBMfOE9GEggVFYZuPYk2AQEB?=
X-IronPort-AV: E=Sophos;i="5.33,250,1477958400";  d="scan'208,217";a="651760105"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jan 2017 22:22:03 +0000
Received: from [10.55.206.135] (ams-asmirnov-nitro6.cisco.com [10.55.206.135]) (authenticated bits=0) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v0IMM2S2001589 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 18 Jan 2017 22:22:03 GMT
To: Radia Perlman <radiaperlman@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-lisp-ddt.all@tools.ietf.org
References: <CAFOuuo6CDMNBib+QOg1hVE5kOwYt_d0rZ66L3nuzUUHmbJKa3g@mail.gmail.com>
From: Anton Smirnov <asmirnov@cisco.com>
Organization: Cisco Systems
Message-ID: <d2822ee3-f3e3-140a-51d2-8b6bfee40438@cisco.com>
Date: Wed, 18 Jan 2017 23:22:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CAFOuuo6CDMNBib+QOg1hVE5kOwYt_d0rZ66L3nuzUUHmbJKa3g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5125F32A8E1A176DF262D21B"
X-Authenticated-User: asmirnov
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oBcohZsThO9HlmS9tE-CjPCd_OA>
Subject: Re: [secdir] secdir review of draft-ietf-lisp-ddt-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 22:22:07 -0000

This is a multi-part message in MIME format.
--------------5125F32A8E1A176DF262D21B
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

    Hello Radia,

    The authors of the draft have just published the -09 revision. As part
of the editorial changes we expanded/rearranged the Introduction text, so
now it hopefully better explains the positioning of DDT in the whole LISP
solution and refers to relevant previous RFCs.

---
Anton

On Friday 14 October 2016 08:07, Radia Perlman wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document describes a hierarchical distributed database that helps 
> a router find a mapping between what LISP calls an "endpoint 
> identifier" and "routing locator".
>
> I have not been following LISP, and am not completely convinced that 
> it solves a problem that can't be solved in other ways, but 
> hierarchical distributed databases do seem like the right solution for 
> lots of problems (like DNS).
>
> I do not recommend trying to dive into LISP starting with this 
> document.  Alia Atlas helpfully pointed me at the document "An 
> architectural Introduction to the Locator/ID Separation Protocol".  It 
> would have been nice if this document referenced it, though it's not 
> an RFC...it's an internet draft.
>
> Anyway, from a security point of view, it seems fine, mostly because 
> it's pretty much copied all the security mechanisms from DNSSEC. I do 
> wonder why a whole separate infrastructure would be necessary, and why 
> this information couldn't simply be in DNS.
>
> Radia
>


--------------5125F32A8E1A176DF262D21B--


From nobody Wed Jan 18 17:21:07 2017
Return-Path: <watsonbladd@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6AF41295A6 for <secdir@ietfa.amsl.com>; Wed, 18 Jan 2017 17:21:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgvFk69h9ohQ for <secdir@ietfa.amsl.com>; Wed, 18 Jan 2017 17:21:04 -0800 (PST)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F8601293E9 for <secdir@ietf.org>; Wed, 18 Jan 2017 17:21:04 -0800 (PST)
Received: by mail-yw0-x230.google.com with SMTP id l19so21270363ywc.2 for <secdir@ietf.org>; Wed, 18 Jan 2017 17:21:04 -0800 (PST)
X-Received: by 10.13.240.7 with SMTP id z7mr4671344ywe.37.1484788863422; Wed, 18 Jan 2017 17:21:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.235.136 with HTTP; Wed, 18 Jan 2017 17:21:03 -0800 (PST)
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 18 Jan 2017 17:21:03 -0800
Message-ID: <CACsn0cntjB4OXpFm0YF6iotG73zi-2yfOf5pLq_kyx-BJZo15Q@mail.gmail.com>
To: draft-ietf-dime-agent-overload.all@tools.ietf.org, secdir@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/F0844wnzyNFKbYzhDszyrlqXts4>
Subject: [secdir] SECDIR review of draft-ietf-dime-agent-overload-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 01:21:06 -0000

I have reviewed this as part of the SECDIR effort to review all
documents. I believe it is ready with nits.

I am concerned that this document doesn't adequately address the
consequences of malicious insertion of overload reports. While I am
not an expert on Diameter (and in particular what kinds of
authentication are used), merely noting that a malicious report can
have negative consequences is not enough. Mechanisms should be defined
to prevent this, such as authenticating all connections and ensuring
that reports only apply to the nodes that send them. The fact that
Diameter connections are authenticated may or may not be enough.

Sincerely,
Watson Ladd


From nobody Thu Jan 19 02:14:07 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98BF2129428; Thu, 19 Jan 2017 02:14:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ljBgU7jOaIQG; Thu, 19 Jan 2017 02:14:04 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DACA6128B37; Thu, 19 Jan 2017 02:14:00 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v0JADtIl005480 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 19 Jan 2017 12:13:55 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v0JADtL0018738; Thu, 19 Jan 2017 12:13:55 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22656.37219.134711.16896@fireball.acr.fi>
Date: Thu, 19 Jan 2017 12:13:55 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-geojson-text-sequence.all@ietf.org
X-Edit-Time: 11 min
X-Total-Time: 5 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VYWPk-x35KWTKhQmlkgFhnOmaEU>
Subject: [secdir] Secdir review of draft-ietf-geojson-text-sequence-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 10:14:05 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: This draft is ready.

This draft specifies how text sequences in JSON can be used for
geographic data. Text sequences are a way of splitting JSON into pieces
so they can be parsed in smaller increments, without requiring either
reading a large JSON text in and parsing it as one block, or using a
streaming parser for JSON. The Security Considerations section refers to
the security considerations of JSON text sequences and the GeoJSON format.

I can see this helping security, as writing a streaming JSON parser is
much harder than writing a normal JSON parser, and this allows a normal
JSON parser (which might have a fixed maximum size for the input JSON it
accepts) to be used even when processing very large datasets.
-- 
kivinen@iki.fi
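
Added example, not part of the review above or of the draft: a bounded-memory reader for RS-delimited JSON text sequences (RFC 7464), the framing the reviewed draft applies to GeoJSON, using only the ordinary `json` parser with a per-record size cap. The function names, the default 64 KiB cap and the sample bytes are assumptions constructed for this illustration.

```python
import io
import json

RS = b"\x1e"  # record separator that precedes every JSON text (RFC 7464)
LF = b"\n"    # line feed that ends every complete JSON text


def classify_record(record, max_record_bytes):
    """Parse one record with the ordinary json module; return (status, value)."""
    if len(record) > max_record_bytes:
        return ("oversize", None)
    try:
        obj = json.loads(record)
    except (ValueError, RecursionError):
        # A record without the trailing LF was most likely cut off mid-write.
        return ("invalid" if record.endswith(LF) else "truncated", None)
    if not (isinstance(obj, dict) and isinstance(obj.get("type"), str)):
        return ("invalid", None)  # every GeoJSON text is an object with "type"
    return ("ok", obj)


def iter_geojson_seq(stream, max_record_bytes=64 * 1024, chunk_size=4096):
    """Yield (status, value) per record; status is ok/oversize/truncated/invalid.

    At most max_record_bytes + chunk_size bytes are buffered, however large
    the whole sequence is, and a bad record never stops the iteration.
    """
    buf = bytearray()
    first = True       # only an RS may precede the first record
    skipping = False   # discarding the rest of an already reported oversize record
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        while (idx := buf.find(RS)) >= 0:
            record = bytes(buf[:idx])
            del buf[:idx + 1]
            was_first, first = first, False
            if skipping:
                skipping = False
            elif was_first:
                if record.strip():
                    yield ("invalid", None)  # bytes before the first RS
            elif record.strip():             # consecutive RS octets are ignored
                yield classify_record(record, max_record_bytes)
        # buf now holds only the unfinished current record
        if len(buf) > max_record_bytes and not skipping:
            yield ("oversize", None)
            skipping = True
        if skipping:
            buf.clear()
        if not chunk:
            break
    if buf.strip() and not skipping:
        if first:
            yield ("invalid", None)          # no RS anywhere in the input
        else:
            yield classify_record(bytes(buf), max_record_bytes)


def make_feature(name, coords):
    """Build one constructed GeoJSON Feature as UTF-8 bytes."""
    return json.dumps({
        "type": "Feature",
        "properties": {"name": name},
        "geometry": {"type": "LineString", "coordinates": coords},
    }).encode()


# Constructed sample sequence covering the failure modes handled above.
SAMPLE = (
    RS + make_feature("a", [[0, 0], [1, 1]]) + LF
    + RS                                           # stray extra RS, ignored
    + RS + make_feature("big", [[0, 0]] * 500) + LF  # exceeds a 256-byte cap
    + RS + b'{"type": "Feature", "geo'             # writer stopped mid-record
    + RS + b"[1, 2]" + LF                          # valid JSON, not GeoJSON
    + RS + make_feature("b", [[2, 2], [3, 3]]) + LF
)


def sample_statuses(max_record_bytes=256, chunk_size=64):
    """Run the reader over SAMPLE and return the status of each record."""
    reader = iter_geojson_seq(io.BytesIO(SAMPLE), max_record_bytes, chunk_size)
    return [status for status, _ in reader]


if __name__ == "__main__":
    for status, value in iter_geojson_seq(io.BytesIO(SAMPLE), 256, 64):
        name = value["properties"]["name"] if value else "-"
        print(f"{status:9} {name}")
```

The oversize and truncated records are reported and skipped, and parsing resumes at the next RS, so one bad record does not cost the rest of the dataset.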


From nobody Thu Jan 19 03:43:33 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 987A2129411 for <secdir@ietf.org>; Thu, 19 Jan 2017 03:43:32 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Tero Kivinen" <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.40.3
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148482621260.10426.4210589397025318406.idtracker@ietfa.amsl.com>
Date: Thu, 19 Jan 2017 03:43:32 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pDsAjPB4yFbDjpvaZa5m3Kz5ko4>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 11:43:32 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-01-19

Reviewer               LC end     Draft
Shaun Cooley           2017-01-11 draft-ietf-rtgwg-rlfa-node-protection-10
Hannes Tschofenig      2017-01-16 draft-murchison-webdav-prefer-14
Carl Wallace           2017-01-11 draft-ietf-bfcpbis-bfcp-websocket-14
David Waltermire       2017-01-10 draft-ietf-sidr-rpki-oob-setup-06

For telechat 2017-02-02

Reviewer               LC end     Draft
Steve Hanna            2017-01-12 draft-ietf-softwire-dslite-multicast-16
Christopher Inacio     2017-01-12 draft-ietf-softwire-multicast-prefix-option-12
Leif Johansson         2017-01-17 draft-ietf-teas-p2mp-loose-path-reopt-08
Simon Josefsson        2017-01-17 draft-ietf-teas-gmpls-resource-sharing-proc-07
Matt Lepinski          2017-01-19 draft-ietf-dhc-dhcpv6-failover-protocol-03

For telechat 2017-02-16

Reviewer               LC end     Draft
David Mandelberg       2017-01-31 draft-ietf-sidr-delta-protocol-05
Catherine Meadows      2017-01-31 draft-ietf-ccamp-flexible-grid-ospf-ext-07
Matthew Miller         2017-01-30 draft-ietf-sidr-rpki-rtr-rfc6810-bis-08

Last calls:

Reviewer               LC end     Draft
Alan DeKok             2017-02-15 draft-bradner-rfc3979bis-10
Ben Laurie             2017-01-23 draft-ietf-bmwg-ipv6-nd-04
Chris Lonvick          2017-02-14 draft-freytag-lager-variant-rules-02
Adam Montville         2017-01-30 draft-ietf-lamps-eai-addresses-05
Lt. Mundy              2017-01-26 draft-ietf-mpls-tp-linear-protection-mib-11
Sandra Murphy          2017-01-26 draft-ietf-mmusic-4572-update-11
Sandra Murphy          2016-12-20 draft-ietf-6tisch-minimal-17
Tina Tsou              2017-01-13 draft-ietf-payload-melpe-04

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-cms-for-nts-message-06
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-network-time-security-15
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-using-nts-for-ntp-07
Brian Weis             2016-02-01 draft-ietf-cdni-uri-signing-10

Next in the reviewer rotation:

  Yoav Nir
  Magnus Nystrom
  Hilarie Orman
  Eric Osterweil
  Radia Perlman
  Vincent Roca
  Joseph Salowey
  Rich Salz
  Yaron Sheffer
  Rifaat Shekh-Yusef


From nobody Thu Jan 19 04:40:14 2017
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B258129499; Thu, 19 Jan 2017 04:40:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.911
X-Spam-Level: 
X-Spam-Status: No, score=-2.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jcnB-Tgk3lG; Thu, 19 Jan 2017 04:40:10 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0089.outbound.protection.outlook.com [104.47.0.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5371D129478; Thu, 19 Jan 2017 04:40:10 -0800 (PST)
Received: from HE1PR0802MB2475.eurprd08.prod.outlook.com (10.175.34.148) by HE1PR0802MB2476.eurprd08.prod.outlook.com (10.175.34.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Thu, 19 Jan 2017 12:40:07 +0000
Received: from HE1PR0802MB2475.eurprd08.prod.outlook.com ([10.175.34.148]) by HE1PR0802MB2475.eurprd08.prod.outlook.com ([10.175.34.148]) with mapi id 15.01.0817.020; Thu, 19 Jan 2017 12:40:07 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "'secdir@ietf.org'" <secdir@ietf.org>, "'secdir@ietf.org'" <secdir@ietf.org>, "'draft-murchison-webdav-prefer@ietf.org'" <draft-murchison-webdav-prefer@ietf.org>
Thread-Topic: Secdir review of draft-murchison-webdav-prefer-14
Thread-Index: AdJyUMEio00ZkfmaSJaZaPU0A9io3g==
Date: Thu, 19 Jan 2017 12:40:07 +0000
Message-ID: <HE1PR0802MB24753ADDDF08A9D87EB27087FA7E0@HE1PR0802MB2475.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-originating-ip: [80.92.115.159]
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_HE1PR0802MB24753ADDDF08A9D87EB27087FA7E0HE1PR0802MB2475_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2017 12:40:07.7406 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0802MB2476
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cX1mufBL_YyPC5ES6FOPILxD8E8>
Subject: [secdir] Secdir review of draft-murchison-webdav-prefer-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 12:40:13 -0000

--_000_HE1PR0802MB24753ADDDF08A9D87EB27087FA7E0HE1PR0802MB2475_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document defines an update to the HTTP Prefer header field to
specify how it can be used by a WebDAV client.

This document is Ready.

The security consideration section of this document refers to the
security consideration section of RFC 7240. RFC 7240 actually does not
say much. While this is a bit funny I couldn't find any negative
security implications caused by draft-murchison-webdav-prefer-14.

--_000_HE1PR0802MB24753ADDDF08A9D87EB27087FA7E0HE1PR0802MB2475_--


From nobody Thu Jan 19 07:06:15 2017
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8784129463 for <secdir@ietfa.amsl.com>; Thu, 19 Jan 2017 07:06:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggtsgZrXb3LH for <secdir@ietfa.amsl.com>; Thu, 19 Jan 2017 07:06:10 -0800 (PST)
Received: from mail-vk0-x22a.google.com (mail-vk0-x22a.google.com [IPv6:2607:f8b0:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65FA01293F2 for <secdir@ietf.org>; Thu, 19 Jan 2017 07:06:10 -0800 (PST)
Received: by mail-vk0-x22a.google.com with SMTP id t8so31992822vke.3 for <secdir@ietf.org>; Thu, 19 Jan 2017 07:06:10 -0800 (PST)
X-Received: by 10.31.10.213 with SMTP id 204mr4713947vkk.5.1484838369406; Thu, 19 Jan 2017 07:06:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.130.199 with HTTP; Thu, 19 Jan 2017 07:06:08 -0800 (PST)
From: Ben Laurie <benl@google.com>
Date: Thu, 19 Jan 2017 15:06:08 +0000
Message-ID: <CABrd9SR8jMFmRaefy1RguzmOBefpe7Jek6cFp7O_avTxcs1E=A@mail.gmail.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-bmwg-ipv6-nd.all@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vh2iooH8Ol4psMPGhivm5RqI1XI>
Subject: [secdir] Security review of draft-ietf-bmwg-ipv6-nd-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 15:06:12 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Status: ready.

Since this I-D is about benchmarking an unmodified device in an
isolated network, it seems it doesn't introduce any security
considerations of its own.


From nobody Thu Jan 19 10:15:43 2017
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFCD91294BE for <secdir@ietfa.amsl.com>; Thu, 19 Jan 2017 10:15:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1NcXkvZxD1Z0 for <secdir@ietfa.amsl.com>; Thu, 19 Jan 2017 10:15:32 -0800 (PST)
Received: from mail-vk0-x232.google.com (mail-vk0-x232.google.com [IPv6:2607:f8b0:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23266129499 for <secdir@ietf.org>; Thu, 19 Jan 2017 10:15:32 -0800 (PST)
Received: by mail-vk0-x232.google.com with SMTP id t8so36032294vke.3 for <secdir@ietf.org>; Thu, 19 Jan 2017 10:15:32 -0800 (PST)
X-Received: by 10.31.50.84 with SMTP id y81mr4180415vky.103.1484849730819; Thu, 19 Jan 2017 10:15:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.130.199 with HTTP; Thu, 19 Jan 2017 10:15:30 -0800 (PST)
In-Reply-To: <2E57FFB8-20ED-410D-A5E4-21ED72270BA8@gmail.com>
References: <CAMm+Lwi7EnH0tMPS5+CX_-xZMKEr08vtN0207biWxMik4V-XZw@mail.gmail.com> <CABrd9SSCB6FszYp=PkGY6EnjYzjBKeEDbaqs4_Yb5R1eMmy6Sw@mail.gmail.com> <2E57FFB8-20ED-410D-A5E4-21ED72270BA8@gmail.com>
From: Ben Laurie <benl@google.com>
Date: Thu, 19 Jan 2017 18:15:30 +0000
Message-ID: <CABrd9STKAfWMkeuqSrzhMj28gKEtZVgK2CLZhkkh5OXqxhLXLw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oi4K6qKvflMi_y_dyVbFa98cixg>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, draft-ietf-ipsecme-rfc4307bis.all@ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-ipsecme-rfc4307bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 18:15:34 -0000

On 18 January 2017 at 15:03, Yoav Nir <ynir.ietf@gmail.com> wrote:
>
> On 18 Jan 2017, at 14:42, Ben Laurie <benl@google.com> wrote:
>
> Aren't we supposed to be deprecating 5114 primes?
>
>
> Sure:
>
>    Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
>    are not safe-primes.  The seeds for these groups have not been
>    publicly released, resulting in reduced trust in these groups.  These
>    groups were proposed as alternatives for group 2 and 14 but never saw
>    wide deployment.  It has been shown that Group 22 with 1024-bit MODP
>    is too weak and academia have the resources to generate malicious
>    values at this size.  This has resulted in Group 22 to be demoted to
>    MUST NOT.  Group 23 and 24 have been demoted to SHOULD NOT and are
>    expected to be further downgraded in the near future to MUST NOT.
>
>
> This is what deprecation looks like

Apologies. I did not read carefully enough. I blame jetlag. :-)

>
> Yoav
>
>
>
> On 18 January 2017 at 02:24, Phillip Hallam-Baker <phill@hallambaker.com>
> wrote:
>
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> STATUS: Ready with one minor typo.
>
>
> My personal taste would be to reduce the number of algorithms by half. But
> that is not practical given the history so this is the best we can do in the
> circumstances.
>
>
>
> Typos
>
> Sec 3.4
>
>   Group 22, 23 and 24 are MODP Groups with Prime Order Subgroups thater
>   are not safe-primes.  The seeds for these groups have not been
>


From nobody Thu Jan 19 15:24:38 2017
Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 424301295BC; Thu, 19 Jan 2017 15:24:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.1
X-Spam-Level: 
X-Spam-Status: No, score=-5.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBP7Ng1UWrTo; Thu, 19 Jan 2017 15:24:34 -0800 (PST)
Received: from ccs.nrl.navy.mil (mx0.ccs.nrl.navy.mil [IPv6:2001:480:20:118:118::211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E66129688; Thu, 19 Jan 2017 15:24:33 -0800 (PST)
Received: from ashurbanipal.fw5540.net (fw5540.nrl.navy.mil [132.250.196.100]) by ccs.nrl.navy.mil (8.14.4/8.14.4) with ESMTP id v0JNOV8B011476 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 19 Jan 2017 18:24:32 -0500
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C28807D6-41B5-4E11-8D30-360A9F593982"
Date: Thu, 19 Jan 2017 18:24:31 -0500
Message-Id: <898B3216-8D9F-47F8-971C-1CD7CC61A4CE@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-ccamp-flexible-grid-ospf-ext.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
X-CCS-MailScanner: No viruses found.
X-CCS-MailScanner-Info: See: http://www.nrl.navy.mil/ccs/support/email
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jWA7m3hgZTVt698dNSx_bpi8f3g>
Subject: [secdir] Secdir review of draft-ietf-ccamp-flexible-grid-ospf-ext-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 23:24:37 -0000

--Apple-Mail=_C28807D6-41B5-4E11-8D30-360A9F593982
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes extensions to the Open Shortest Path First
(OSPF) Traffic-Engineering (TE) protocol to support GMPLS control of
networks that include devices that use the new flexible optical grid
introduced by the International Telecommunication Union
Telecommunications Standardization Sector (ITU-T). It defines GMPLS
OSPF-TE extensions that support advertising available frequency ranges
for flex-grid links.

In the Security Considerations section, the authors point out that this
document extends RFCs [RFC3630] and [RFC7580] to carry flex-grid
specific information in OSPF Opaque LSAs.  Thus this document does not
introduce any new security considerations beyond previous RFCs
specifying these LSAs, and the security mechanisms described in
[RFC2328] applying to these mechanisms still apply.

I think this is a valid point, and well expressed.  However, when I
looked through the document (using both manual and automatic search
methods) I was surprised to find no explicit mention of OSPF Opaque
LSAs other than in the Security Considerations section.  It would be
helpful to have a specific mention of them in the body of the document,
and a brief discussion of how they are used to implement the
extensions.  This would give the reader a better understanding of how
the Security Considerations section relates to the rest of the document.

Other than that, I think the document is ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil


--Apple-Mail=_C28807D6-41B5-4E11-8D30-360A9F593982--


From nobody Fri Jan 20 17:47:12 2017
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5D4112962D; Fri, 20 Jan 2017 17:47:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.559
X-Spam-Level: 
X-Spam-Status: No, score=0.559 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=1.157, SPF_PASS=-0.001, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SSkfTkjhKh2Y; Fri, 20 Jan 2017 17:47:03 -0800 (PST)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A0F12961D; Fri, 20 Jan 2017 17:47:02 -0800 (PST)
Received: by mail-ot0-x22f.google.com with SMTP id 65so68136050otq.2; Fri, 20 Jan 2017 17:47:02 -0800 (PST)
X-Received: by 10.157.3.22 with SMTP id 22mr9778039otv.118.1484963221771; Fri, 20 Jan 2017 17:47:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.1.103 with HTTP; Fri, 20 Jan 2017 17:47:00 -0800 (PST)
In-Reply-To: <20170118060025.GN8460@kduck.kaduk.org>
References: <20170118060025.GN8460@kduck.kaduk.org>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Fri, 20 Jan 2017 17:47:00 -0800
Message-ID: <CA+RyBmVfOCJQ2eA49mi6Ye4AfSCRS5gcio+aO3AgbO_nGDuyiQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/mixed; boundary=94eb2c04308856df94054690f1d3
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YD4T1sqRs2w644CTOPb2jLZh4IA>
Cc: draft-ietf-mpls-residence-time.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-mpls-residence-time-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jan 2017 01:47:09 -0000

--94eb2c04308856df94054690f1d3
Content-Type: multipart/alternative; boundary=94eb2c04308856df8f054690f1d1

--94eb2c04308856df8f054690f1d1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Ben,
thank you for the careful review and the most helpful comments and
suggestions. We're working on the new version to address GEN-ART, OPS and
Security comments. I've attached the diff and current working version of
the draft. Please find my responses to your comments in-lined and tagged
GIM>>.

Regards,
Greg


On Tue, Jan 17, 2017 at 10:00 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document is Almost Ready.
>
> This document describes a mechanism for recording the residence time of
> timing packets along a network path, so that time protocols (NTP, PTP) can
> obtain more accurate estimates of transit time.  (Well, the document just
> claims to record the residence time and I am inferring the bit about more
> accurate estimates; maybe there should be an explicit mention.)  It is
> limited (at present) to MPLS networks established using RSVP-TE, to the
> exclusion of LSPs established via LDP and non-MPLS networks.  The residence
> time measurement is performed in a Generic Associated Channel, and several
> new data structures (and sub-data structures) and corresponding type values
> (and sub-type values) are established to carry the needed information.
>
> I almost marked this document as Ready with Issues (discussion below), but
> ended up changing to Almost Ready, since I think the document structure
> needs some more work in order to clearly describe what an interoperable
> implementation would need and how the pieces fit together, as is required
> for Standards-Track documents.
>
> The security considerations section incorporates that section from
> RFC 5586 by reference, but 5586's security considerations are basically
> just pointers to those considerations in RFCs 4385 and 5085.
>
 GIM>> Will reference RFC 4385 and RFC 5085 directly.


> This document also mentions RFC 7384, whose entirety is security
> requirements of time protocols, which probably contains more detail than
> this document would need if discussion was inline.  However, the security
> considerations of draft-ietf-mpls-residence-time-12 also contains
> discussion about how PTP-aware nodes on the path are required to modify the
> messages, and the needed trust model involves these nodes being trusted to
> perform those modifications.
> That seems true and is probably fine for a protocol that is running on
> "trusted infrastructure", but the claim is also made that the messages
> modified by intermediate nodes "cannot be authenticated".  This is only
> somewhat true, as one can create complex crypto schemes that involve giving
> key material to intermediate nodes that can let them make authenticated
> (but detectable) modifications.  Such schemes seem far too complex for the
> topic at hand, though, as they are likely to increase the processing delay
> for the time packets, and it seems fine to defer investigating them in the
> same way that it is fine to defer investigating authenticating/encrypting
> the RTM data that does not need to be modified by intermediate nodes, which
> is explicitly noted in the security considerations.
>
GIM>> I agree with your suggestion. Would the following change address your
comment:

---

OLD TEXT:

   As a result, the content of the PTP-related data in RTM messages that
   will be modified by intermediate nodes cannot be authenticated, and
   the additional information that must be accessible for proper
   operation of PTP 1-step and 2-step modes MUST be accessible to
   intermediate nodes (i.e. - MUST NOT be encrypted in a manner that
   makes this data inaccessible).

...

   The ability for potentially authenticating and/or encrypting RTM and
   PTP data that is not needed by intermediate RTM/PTP-capable nodes is
   for further study.

NEW TEXT:

   That likely to require some complex crypto schemes that involve giving
   key material to intermediate RTM/PTP-capable nodes that can let them
   make authenticated (but detectable) modifications to the additional
   information in RTM messages.

   The ability for potentially authenticating and/or encrypting RTM and
   PTP data for scenarios both with and without participation of
   intermediate RTM/PTP-capable nodes is for further study.

-------

>
> I do think there are some relevant security considerations that are not
> mentioned, though -- for the two-step flow, an RTM-capable node is
> required to wait for the follow-up RTM message and make the corresponding
> residence time update.  This requirement is unbounded and could lead to
> a resource leak if that follow-up packet fails to arrive, for an
> implementation that blindly follows the spec without resorting to practical
> engineering knowledge.  I do not expect there to be any such
> implementations, but this document should probably indicate that timing out
> is okay within "reasonable" bounds, or whatever similar workaround is best
> practice in this domain.
>
GIM>> Indeed, we've implicitly relied on good engineering practice and left
out discussion of the timer associated with two-step RTM.

I agree with your observation and propose the following update to text
in section One-step Clock and two-step Clock Modes (added sentence
underlined):

If the S bit is already set, then the RTM capable node MUST wait for the
RTM message with the PTP type of follow-up and matching originator and
sequence number to make the corresponding residence time update to the
Scratch Pad field.
*The wait period MUST be reasonably bound.*



>
> In terms of other security/privacy considerations that are new in this
> document, there is some information exposure about nodes along the path
> that could potentially be used for fingerprinting, but since the timing
> packets carry destination addresses already, and the LSP setup appears
> to involve declaring the path anyway, this doesn't seem to merit any
> concern.
>
> The other main issue I have with this document is arguably not an issue
> at all, but it relates to the plethora of TLVs and sub-TLVs and TLVs
> in other registries, with an IANA considerations section that sometimes
> does not clearly indicate what registry is to be updated.  As per the
> checklist at
> https://www.ietf.org/iesg/template/doc-writeup-essay-style.html,
> the IANA considerations should refer to registries by their exact names,
> which probably means the name of the sub-registry and the overarching
> parent registry should be clearly written out.  It might also be nice
> to have more descriptive names, so I do not have to keep track that there
> are RTM G-ACh packets whose values are sometimes sub-TLVs in the PTP case;
> RTM Capability (or is it Capabilities?) sub-TLVs that can be contained
> in any of OSPFv2, IS-IS, and maybe OSPFv3 data structures; an RTM_SET
> TLV whose presence is indicated as an Attribute Flag from some registry
> that does not seem to be named;

GIM>> There is one registry for Attribute Flags in LSP_ATTRIBUTES Class
Types or C-Types - 197 LSP_ATTRIBUTES

> sub-TLVs within those RTM_SET messages; and also
> the RTM sub-TLVs that get a registry created for them in section 8.3
> and I apparently missed when paging through the document to create this
> list.
> forth to figure out which is which, whereas a name like "RTM_SET
> address identifier" (viz. section 8.6) would help the reader a lot.
> In a similar vein, it would be nice to have some test vectors that show
> the encoding of these structures and their encapsulation in the parent
> data structures, to make sure that the implementor gets all the right
> layers of T+L wrapping in place.  Alternately (or additionally!), more
> clear text that the T+L in the figures here are included in the encoded
> data that is the contents of a specific, named, parent data structure
> would be useful.
>
>
> Some other more nit-level things:
>
> In the example in section 4.6, when F is updating the correction field
> of the PTP message, I assume that F should also use its measurement of
> the residence time on F in addition to the value received in the scratch
> pad field, but the example seems to not indicate that.
>
GIM>> Yes, node F should add its residence time to correctionField in PTP
message. The proposed new text:

   o  F is the egress LER and the last RTM capable node.  It removes the
      RTM ACH encapsulation and processes the timing packet carried in
      the Value field using the value in the Scratch Pad field.  In
      particular, the value in the Scratch Pad field of the RTM ACH is
      used in updating the Correction field of the PTP message(s).  The
      LER should also include its own residence time before creating the
      outgoing PTP packets.  The details of this process depend on
      whether or not the node F is itself operating as one-step or two-
      step clock.


> A couple paragraphs later, "[a]n ingress node that is configured to
> perform RTM [...] verifies that the selected egress [node supports RTM]";
> should that be a MUST-level requirement that the verification is done?
>
GIM>> Agree. Will use s/verifies/MUST verify/

>
> On page 12, last paragraph, we have some text "If no RTM_SET TLV has been
> found, then the LSP setup MUST fail [...]".  Is this only in the case
> when the RTM_SET flag is set?  If so, that should probably be made more
> clear in the text, as on my first reading I was surprised, since
> the RTM_SET generally goes in the LSP_ATTRIBUTES and not the
> LSP_REQUIRED_ATTRIBUTES, and as such would not be globally mandatory.
>
GIM>> Earlier, in the same paragraph, we've said

"If the RTM_SET flag set, the node MUST inspect the LSP_ATTRIBUTES object
for presence of RTM_SET TLV." ("Node" is used in place of "RTM-capable
node")
Thus nodes that are not RTM-capable would not act on RTM_SET Attribute
Flag, would not be checking for presence of RTM_SET TLV.

>
> Section 5 makes an offhand note that a 4.6 nanosecond error would
> probably be ignorable, which leads to the question: what is the
> actual measurement precision that is needed for this scheme to be useful?
> The scratch pad uses an IEEE double to count nanoseconds, so potentially
> sub-nanosecond values are in-scope, but as someone not well-versed in
> PTP I really have no idea how good things can/need to be.
>
GIM>> Adding informational reference to

   [ITU-T.G.8271]
              "Packet over Transport aspects - Synchronization, quality
              and availability targets", ITU-T Recommendation
              G.8271/Y.1366, July 2016.

 and the text to follow:

This may be acceptable for applications where the target accuracy is in the
order of hundreds of ns. As an example several applications being
considered in the area of wireless applications are satisfied with an
accuracy of 1.5 microseconds [ITU-T.G.8271].

>
> The "A" and "B" subcases mentioned in section 7 get multiple paragraphs
> each; it might be more clear to make them subsections instead.
>
> I'm also left puzzled by the last paragraph of section 7; it seems to say
> that the *last* RTM(-capable) node of the LSP will generate the follow-up
> message, but I thought it was generally an earlier node that would be
> setting the S bit and generating the follow-up message.
>
GIM>> Updated text as the following:

   The egress RTM-capable node of the LSP will be removing RTM
   encapsulation and, in case of two-step clock mode being indicated,
   will generate PTP messages as appropriate (according to the
   [IEEE.1588.2008]).  In this case, the common header of the PTP packet
   carrying the synchronization message would have to be modified in the
   twoStepFlag field indicating that there is now a follow up message
   associated to that.


> This document uses several abbreviations/acronyms without introduction
> that do not appear on the RFC Editor's abbreviations list
> (https://www.rfc-editor.org/materials/abbrev.expansion.txt) as not
> needing expansion: G-ACh (also appears in the abstract; the RFC Editor
> will likely want to not use the acronym at all in the abstract),
> RSVP-TE, and PW are ones I noted.
> (LDP is also used without expansion, but does appear on the list as
> "well-known".)
>
GIM>> Expanded all acronyms in the Abstract.

>
>
> There are also a lot of grammar nits (including very many missing
> instances of the definite article), but it does not seem worth enumerating
> them here.  I will try to send a diff to the authors later this week,
> but time is a bit short at the moment.
>
GIM>> Many thanks and greatly appreciate your kind help.

>
> -Ben
>

--94eb2c04308856df8f054690f1d1--

--94eb2c04308856df94054690f1d3
Content-Type: text/plain; charset=US-ASCII; name="draft-ietf-mpls-residence-time-13.txt"
Content-Disposition: attachment; 
	filename="draft-ietf-mpls-residence-time-13.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_iy6kqht41
--94eb2c04308856df94054690f1d3
Content-Type: text/html; charset=US-ASCII; 
	name="Diff_ draft-ietf-mpls-residence-time-12.txt - draft-ietf-mpls-residence-time-13.txt.html"
Content-Disposition: attachment; 
	filename="Diff_ draft-ietf-mpls-residence-time-12.txt - draft-ietf-mpls-residence-time-13.txt.html"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_iy6kqhsi0

ZS0xPHNwYW4gY2xhc3M9Imluc2VydCI+Mzwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPkFic3RyYWN0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+QWJzdHJhY3Q8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAwNiI+PC9hPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+ICAgVGhpcyBkb2N1bWVudCBzcGVjaWZpZXMgPHNwYW4gY2xhc3M9
ImRlbGV0ZSI+Ry1BQ2ggYmFzZWQ8L3NwYW4+IFJlc2lkZW5jZSBUaW1lIE1lYXN1cmVtZW50IGFu
ZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBUaGlzIGRvY3VtZW50IHNwZWNp
ZmllcyA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5uZXcgR2VuZXJpYyBBc3NvY2lhdGVkIENoYW5uZWwg
Zm9yPC9zcGFuPiBSZXNpZGVuY2U8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBob3cgaXQgY2FuIGJlIHVzZWQgYnkgdGltZSBzeW5jaHJv
bml6YXRpb24gcHJvdG9jb2xzIGJlaW5nPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si
PiAgIFRpbWUgTWVhc3VyZW1lbnQgYW5kIGhvdyBpdCBjYW4gYmUgdXNlZCBieSB0aW1lIHN5bmNo
cm9uaXphdGlvbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsYmxvY2siPiAgIHRyYW5zcG9ydGVkIG92ZXIgTVBMUyBkb21haW4uPC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyYmxvY2siPiAgIHByb3RvY29scyBiZWluZyB0cmFuc3BvcnRlZCBvdmVyIE1Q
TFMgZG9tYWluLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgUmVzaWRlbmNlIHRpbWUg
aXMgdGhlIHZhcmlhYmxlIHBhcnQgb2YgcHJvcGFnYXRpb24gZGVsYXkgb2YgdGltaW5nPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgUmVzaWRlbmNlIHRpbWUgaXMgdGhlIHZhcmlh
YmxlIHBhcnQgb2YgcHJvcGFnYXRpb24gZGVsYXkgb2YgdGltaW5nPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGFuZCBzeW5jaHJvbml6YXRp
b24gbWVzc2FnZXMgYW5kIGtub3dpbmcgd2hhdCB0aGlzIGRlbGF5IGlzIGZvciBlYWNoPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYW5kIHN5bmNocm9uaXphdGlvbiBtZXNzYWdl
cyBhbmQga25vd2luZyB3aGF0IHRoaXMgZGVsYXkgaXMgZm9yIGVhY2g8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgbWVzc2FnZSBhbGxvd3Mg
Zm9yIGEgbW9yZSBhY2N1cmF0ZSBkZXRlcm1pbmF0aW9uIG9mIHRoZSBkZWxheSB0byBiZTwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG1lc3NhZ2UgYWxsb3dzIGZvciBhIG1vcmUg
YWNjdXJhdGUgZGV0ZXJtaW5hdGlvbiBvZiB0aGUgZGVsYXkgdG8gYmU8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRp
ZmYwMDA3Ij48L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICB0YWtlbiBpbnRvIGFjY291bnQgaW4g
YXBwbHlpbmcgdGhlIHZhbHVlIGluY2x1ZGVkIGluIGEgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+UFRQ
PC9zcGFuPiBldmVudDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICB0YWtlbiBp
bnRvIGFjY291bnQgaW4gYXBwbHlpbmcgdGhlIHZhbHVlIGluY2x1ZGVkIGluIGEgPHNwYW4gY2xh
c3M9Imluc2VydCI+UHJlY2lzaW9uIFRpbWU8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgbWVzc2FnZS48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgUHJvdG9jb2w8L3Nw
YW4+IGV2ZW50IG1lc3NhZ2UuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij5TdGF0dXMgb2Yg
VGhpcyBNZW1vPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+U3RhdHVzIG9mIFRoaXMg
TWVtbzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhpcyBJbnRlcm5ldC1EcmFmdCBp
cyBzdWJtaXR0ZWQgaW4gZnVsbCBjb25mb3JtYW5jZSB3aXRoIHRoZTwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIFRoaXMgSW50ZXJuZXQtRHJhZnQgaXMgc3VibWl0dGVkIGluIGZ1
bGwgY29uZm9ybWFuY2Ugd2l0aCB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcHJvdmlzaW9ucyBvZiBCQ1AgNzggYW5kIEJDUCA3OS48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwcm92aXNpb25zIG9mIEJDUCA3OCBh
bmQgQkNQIDc5LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgSW50ZXJuZXQtRHJhZnRz
IGFyZSB3b3JraW5nIGRvY3VtZW50cyBvZiB0aGUgSW50ZXJuZXQgRW5naW5lZXJpbmc8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBJbnRlcm5ldC1EcmFmdHMgYXJlIHdvcmtpbmcg
ZG9jdW1lbnRzIG9mIHRoZSBJbnRlcm5ldCBFbmdpbmVlcmluZzwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUYXNrIEZvcmNlIChJRVRGKS4g
IE5vdGUgdGhhdCBvdGhlciBncm91cHMgbWF5IGFsc28gZGlzdHJpYnV0ZTwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRhc2sgRm9yY2UgKElFVEYpLiAgTm90ZSB0aGF0IG90aGVy
IGdyb3VwcyBtYXkgYWxzbyBkaXN0cmlidXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHdvcmtpbmcgZG9jdW1lbnRzIGFzIEludGVybmV0
LURyYWZ0cy4gIFRoZSBsaXN0IG9mIGN1cnJlbnQgSW50ZXJuZXQtPC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+ICAgd29ya2luZyBkb2N1bWVudHMgYXMgSW50ZXJuZXQtRHJhZnRzLiAg
VGhlIGxpc3Qgb2YgY3VycmVudCBJbnRlcm5ldC08L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgRHJhZnRzIGlzIGF0IGh0dHA6Ly9kYXRhdHJh
Y2tlci5pZXRmLm9yZy9kcmFmdHMvY3VycmVudC8uPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgRHJhZnRzIGlzIGF0IGh0dHA6Ly9kYXRhdHJhY2tlci5pZXRmLm9yZy9kcmFmdHMv
Y3VycmVudC8uPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJbnRlcm5ldC1EcmFmdHMg
YXJlIGRyYWZ0IGRvY3VtZW50cyB2YWxpZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCBtb250aHM8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBJbnRlcm5ldC1EcmFmdHMgYXJlIGRyYWZ0
IGRvY3VtZW50cyB2YWxpZCBmb3IgYSBtYXhpbXVtIG9mIHNpeCBtb250aHM8L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYW5kIG1heSBiZSB1
cGRhdGVkLCByZXBsYWNlZCwgb3Igb2Jzb2xldGVkIGJ5IG90aGVyIGRvY3VtZW50cyBhdCBhbnk8
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBhbmQgbWF5IGJlIHVwZGF0ZWQsIHJl
cGxhY2VkLCBvciBvYnNvbGV0ZWQgYnkgb3RoZXIgZG9jdW1lbnRzIGF0IGFueTwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aW1lLiAgSXQg
aXMgaW5hcHByb3ByaWF0ZSB0byB1c2UgSW50ZXJuZXQtRHJhZnRzIGFzIHJlZmVyZW5jZTwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRpbWUuICBJdCBpcyBpbmFwcHJvcHJpYXRl
IHRvIHVzZSBJbnRlcm5ldC1EcmFmdHMgYXMgcmVmZXJlbmNlPC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG1hdGVyaWFsIG9yIHRvIGNpdGUg
dGhlbSBvdGhlciB0aGFuIGFzICJ3b3JrIGluIHByb2dyZXNzLiI8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBtYXRlcmlhbCBvciB0byBjaXRlIHRoZW0gb3RoZXIgdGhhbiBhcyAi
d29yayBpbiBwcm9ncmVzcy4iPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEg
bmFtZT0iZGlmZjAwMDgiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIFRoaXMgSW50ZXJuZXQt
RHJhZnQgd2lsbCBleHBpcmUgb24gSnU8c3BhbiBjbGFzcz0iZGVsZXRlIj5uZSAxNjwvc3Bhbj4s
IDIwMTcuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIFRoaXMgSW50ZXJuZXQt
RHJhZnQgd2lsbCBleHBpcmUgb24gSnU8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5seSAyMjwvc3Bhbj4s
IDIwMTcuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij5Db3B5cmlnaHQgTm90aWNlPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+Q29weXJpZ2h0IE5vdGljZTwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDA5Ij48L2E+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGJsb2NrIj4gICBDb3B5cmlnaHQgKGMpIDIwMTxzcGFuIGNsYXNzPSJkZWxldGUiPjY8L3NwYW4+
IElFVEYgVHJ1c3QgYW5kIHRoZSBwZXJzb25zIGlkZW50aWZpZWQgYXMgdGhlPC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIENvcHlyaWdodCAoYykgMjAxPHNwYW4gY2xhc3M9Imlu
c2VydCI+Nzwvc3Bhbj4gSUVURiBUcnVzdCBhbmQgdGhlIHBlcnNvbnMgaWRlbnRpZmllZCBhcyB0
aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgZG9jdW1lbnQgYXV0aG9ycy4gIEFsbCByaWdodHMgcmVzZXJ2ZWQuPC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+ICAgZG9jdW1lbnQgYXV0aG9ycy4gIEFsbCByaWdodHMgcmVzZXJ2
ZWQuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGlzIGRvY3VtZW50IGlzIHN1Ympl
Y3QgdG8gQkNQIDc4IGFuZCB0aGUgSUVURiBUcnVzdCdzIExlZ2FsPC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+ICAgVGhpcyBkb2N1bWVudCBpcyBzdWJqZWN0IHRvIEJDUCA3OCBhbmQg
dGhlIElFVEYgVHJ1c3QncyBMZWdhbDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBQcm92aXNpb25zIFJlbGF0aW5nIHRvIElFVEYgRG9jdW1l
bnRzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgUHJvdmlzaW9ucyBSZWxhdGlu
ZyB0byBJRVRGIERvY3VtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsZWZ0Ij4gICAoaHR0cDovL3RydXN0ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZv
KSBpbiBlZmZlY3Qgb24gdGhlIGRhdGUgb2Y8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICAoaHR0cDovL3RydXN0ZWUuaWV0Zi5vcmcvbGljZW5zZS1pbmZvKSBpbiBlZmZlY3Qgb24g
dGhlIGRhdGUgb2Y8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgcHVibGljYXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcg
dGhlc2UgZG9jdW1lbnRzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgcHVibGlj
YXRpb24gb2YgdGhpcyBkb2N1bWVudC4gIFBsZWFzZSByZXZpZXcgdGhlc2UgZG9jdW1lbnRzPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGNh
cmVmdWxseSwgYXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0cyBhbmQgcmVzdHJpY3Rpb25zIHdp
dGggcmVzcGVjdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGNhcmVmdWxseSwg
YXMgdGhleSBkZXNjcmliZSB5b3VyIHJpZ2h0cyBhbmQgcmVzdHJpY3Rpb25zIHdpdGggcmVzcGVj
dDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICB0byB0aGlzIGRvY3VtZW50LiAgQ29kZSBDb21wb25lbnRzIGV4dHJhY3RlZCBmcm9tIHRoaXMg
ZG9jdW1lbnQgbXVzdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRvIHRoaXMg
ZG9jdW1lbnQuICBDb2RlIENvbXBvbmVudHMgZXh0cmFjdGVkIGZyb20gdGhpcyBkb2N1bWVudCBt
dXN0PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIGluY2x1ZGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0IGFzIGRlc2NyaWJlZCBpbiBT
ZWN0aW9uIDQuZSBvZjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGluY2x1ZGUg
U2ltcGxpZmllZCBCU0QgTGljZW5zZSB0ZXh0IGFzIGRlc2NyaWJlZCBpbiBTZWN0aW9uIDQuZSBv
ZjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICB0aGUgVHJ1c3QgTGVnYWwgUHJvdmlzaW9ucyBhbmQgYXJlIHByb3ZpZGVkIHdpdGhvdXQgd2Fy
cmFudHkgYXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0aGUgVHJ1c3QgTGVn
YWwgUHJvdmlzaW9ucyBhbmQgYXJlIHByb3ZpZGVkIHdpdGhvdXQgd2FycmFudHkgYXM8L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZGVzY3Jp
YmVkIGluIHRoZSBTaW1wbGlmaWVkIEJTRCBMaWNlbnNlLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIGRlc2NyaWJlZCBpbiB0aGUgU2ltcGxpZmllZCBCU0QgTGljZW5zZS48L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPlRhYmxlIG9mIENvbnRlbnRzPC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+VGFibGUgb2YgQ29udGVudHM8L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPiAgIDEuICBJbnRyb2R1Y3Rpb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuICAgMzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
IDEuICBJbnRyb2R1Y3Rpb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuICAgMzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICAgIDEuMS4gIENvbnZlbnRpb25zIHVzZWQgaW4gdGhpcyBkb2N1bWVudCAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICAgIDEuMS4gIENvbnZlbnRpb25zIHVzZWQgaW4gdGhpcyBkb2N1bWVudCAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgIDM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgICAgIDEuMS4xLiAgVGVybWlub2xvZ3kgLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gICAzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgICAgIDEuMS4xLiAgVGVybWlub2xvZ3kgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gICAzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAxLjEuMi4gIFJlcXVpcmVtZW50cyBMYW5ndWFnZSAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgICAgICAxLjEuMi4gIFJlcXVpcmVtZW50cyBMYW5ndWFnZSAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAgNDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAyLiAgUmVzaWRlbmNlIFRpbWUgTWVhc3VyZW1lbnQg
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDQ8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICAyLiAgUmVzaWRlbmNlIFRpbWUgTWVhc3VyZW1lbnQgIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDEwIj48L2E+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAzLiAgRy1BQ2ggZm9yIFJlc2lkZW5jZSBUaW1lIE1lYXN1
cmVtZW50ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjU8
L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9
Imluc2VydCI+Mi4xLiAgT25lLXN0ZXAgQ2xvY2sgYW5kIHR3by1zdGVwIENsb2NrIE1vZGVzIC4g
LiAuIC4gLiAuIC4gLiAuICAgNTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDMuMS4gIFBUUCBQYWNrZXQgU3ViLVRMViAg
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxl
dGUiPjY8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDMuICBHLUFD
aCBmb3IgUmVzaWRlbmNlIFRpbWUgTWVhc3VyZW1lbnQgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
ICAgPHNwYW4gY2xhc3M9Imluc2VydCI+Nzwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA0LiAgQ29udHJvbCBQbGFuZSBUaGVv
cnkgb2YgT3BlcmF0aW9uIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNz
PSJkZWxldGUiPjc8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAg
My4xLiAgUFRQIFBhY2tldCBTdWItVExWICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuICAgPHNwYW4gY2xhc3M9Imluc2VydCI+OTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDQuMS4gIFJUTSBDYXBh
YmlsaXR5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgIDxzcGFu
IGNsYXNzPSJkZWxldGUiPjc8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si
PiAgIDQuICBDb250cm9sIFBsYW5lIFRoZW9yeSBvZiBPcGVyYXRpb24gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xMDwvc3Bhbj48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDQuMi4gIFJU
TSBDYXBhYmlsaXR5IFN1Yi1UTFYgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAg
IDxzcGFuIGNsYXNzPSJkZWxldGUiPjg8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
YmxvY2siPiAgICAgNC4xLiAgUlRNIENhcGFiaWxpdHkgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xMDwvc3Bhbj48L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDQu
My4gIFJUTSBDYXBhYmlsaXR5IEFkdmVydGlzZW1lbnQgaW4gT1NQRnYyICAuIC4gLiAuIC4gLiAu
IC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjk8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPiAgICAgNC4yLiAgUlRNIENhcGFiaWxpdHkgU3ViLVRMViAgLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xMTwvc3Bhbj48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g
ICAgIDQuNC4gIFJUTSBDYXBhYmlsaXR5IEFkdmVydGlzZW1lbnQgaW4gT1NQRnYzICAuIC4gLiAu
IC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjk8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgNC4zLiAgUlRNIENhcGFiaWxpdHkgQWR2ZXJ0aXNlbWVu
dCBpbiBPU1BGdjIgIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xMjwv
c3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJs
b2NrIj4gICAgIDQuNS4gIFJUTSBDYXBhYmlsaXR5IEFkdmVydGlzZW1lbnQgaW4gSVMtSVMgLiAu
IC4gLiAuIC4gLiAuIC4gLiAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjk8L3NwYW4+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgNC40LiAgUlRNIENhcGFiaWxpdHkgQWR2ZXJ0
aXNlbWVudCBpbiBPU1BGdjMgIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0
Ij4xMjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj4gICAgIDQuNi4gIFJTVlAtVEUgQ29udHJvbCBQbGFuZSBPcGVyYXRpb24gdG8g
U3VwcG9ydCBSVE0gIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+MTA8L3NwYW4+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgNC41LiAgUlRNIENhcGFiaWxpdHkg
QWR2ZXJ0aXNlbWVudCBpbiBJUy1JUyAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0i
aW5zZXJ0Ij4xMjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGJsb2NrIj4gICAgIDQuNy4gIFJUTV9TRVQgVExWIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+MTE8L3Nw
YW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgNC42LiAgUlNWUC1URSBD
b250cm9sIFBsYW5lIE9wZXJhdGlvbiB0byBTdXBwb3J0IFJUTSAgLiAuIC4gLiAuICA8c3BhbiBj
bGFzcz0iaW5zZXJ0Ij4xMzwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAgICAgNC43LjEuICBSVE1fU0VUIFN1Yi1UTFZzICAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+
MTM8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgNC43LiAgUlRN
X1NFVCBUTFYgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8
c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xNDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA1LiAgRGF0YSBQbGFuZSBUaGVvcnkgb2Yg
T3BlcmF0aW9uICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRl
bGV0ZSI+MTY8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgICA0
LjcuMS4gIFJUTV9TRVQgU3ViLVRMVnMgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xNjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA2LiAgQXBwbGljYWJsZSBQVFAg
U2NlbmFyaW9zICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xh
c3M9ImRlbGV0ZSI+MTY8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAg
IDUuICBEYXRhIFBsYW5lIFRoZW9yeSBvZiBPcGVyYXRpb24gIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xODwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICA3LiAgPHNwYW4gY2xh
c3M9ImRlbGV0ZSI+T25lLXN0ZXAgQ2xvY2sgYW5kIFR3by1zdGVwIENsb2NrIE1vZGVzIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAgMTc8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv
Y2siPiAgIDYuICBBcHBsaWNhYmxlIFBUUCBTY2VuYXJpb3MgIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4xOTwvc3Bhbj48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFz
cz0iZGVsZXRlIj4gICA4Ljwvc3Bhbj4gIElBTkEgQ29uc2lkZXJhdGlvbnMgLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDE5PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyYmxvY2siPiAgIDcuICBJQU5BIENvbnNpZGVyYXRpb25zIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxOTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+OC4xLjwv
c3Bhbj4gIE5ldyBSVE0gRy1BQ2ggLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAgMTk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICA8c3BhbiBj
bGFzcz0iaW5zZXJ0Ij43LjEuPC9zcGFuPiAgTmV3IFJUTSBHLUFDaCAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICAxOTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+
OC4yLjwvc3Bhbj4gIE5ldyBSVE0gVExWIFJlZ2lzdHJ5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+MTk8L3NwYW4+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9Imluc2VydCI+Ny4yLjwvc3Bh
bj4gIE5ldyBSVE0gVExWIFJlZ2lzdHJ5ICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAgPHNwYW4gY2xhc3M9Imluc2VydCI+MjA8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+
ICAgICA4LjMuPC9zcGFuPiAgTmV3IFJUTSBTdWItVExWIFJlZ2lzdHJ5ICAuIC4gLiAuIC4gLiAu
IC4gLiAuIC4gLiAuIC4gLiAuICAyMDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48
c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICAgIDcuMy48L3NwYW4+ICBOZXcgUlRNIFN1Yi1UTFYgUmVn
aXN0cnkgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDIwPC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICA8c3BhbiBjbGFz
cz0iZGVsZXRlIj44LjQuPC9zcGFuPiAgUlRNIENhcGFiaWxpdHkgc3ViLVRMViBpbiBPU1BGdjIg
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iZGVsZXRlIj4yMDwvc3Bhbj48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgICA8c3BhbiBjbGFzcz0iaW5zZXJ0
Ij43LjQuPC9zcGFuPiAgUlRNIENhcGFiaWxpdHkgc3ViLVRMViBpbiBPU1BGdjIgIC4gLiAuIC4g
LiAuIC4gLiAuIC4gLiAuICA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4yMTwvc3Bhbj48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFz
cz0iZGVsZXRlIj4gICAgIDguNS48L3NwYW4+ICBJUy1JUyBSVE0gQXBwbGljYXRpb24gSUQgIC4g
LiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDIxPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgICAgNy41Ljwvc3Bhbj4gIElTLUlTIFJU
TSBBcHBsaWNhdGlvbiBJRCAgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAgMjE8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICAg
IDxzcGFuIGNsYXNzPSJkZWxldGUiPjguNi48L3NwYW4+ICBSVE1fU0VUIFN1Yi1vYmplY3QgUlNW
UCBUeXBlIGFuZCBzdWItVExWcyAuIC4gLiAuIC4gLiAuIC4gIDIxPC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9Imluc2VydCI+Ny42Ljwvc3Bhbj4gIFJU
TV9TRVQgU3ViLW9iamVjdCBSU1ZQIFR5cGUgYW5kIHN1Yi1UTFZzIC4gLiAuIC4gLiAuIC4gLiAg
MjE8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr
Ij4gICAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjguNy48L3NwYW4+ICBSVE1fU0VUIEF0dHJpYnV0
ZSBGbGFnICAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDIyPC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgICAgPHNwYW4gY2xhc3M9Imluc2VydCI+Ny43Ljwvc3Bh
bj4gIFJUTV9TRVQgQXR0cmlidXRlIEZsYWcgIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAu
IC4gLiAgMjI8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGJsb2NrIj4gICAgIDxzcGFuIGNsYXNzPSJkZWxldGUiPjguOC48L3NwYW4+ICBOZXcgRXJyb3Ig
Q29kZXMgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNs
YXNzPSJkZWxldGUiPjIyPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4g
ICAgIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjcuOC48L3NwYW4+ICBOZXcgRXJyb3IgQ29kZXMgLiAu
IC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gIDxzcGFuIGNsYXNzPSJpbnNl
cnQiPjIzPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHRvIGFuIGVh
cmxpZXIgcGFja2V0LCBhbHNvIGNvbnRhaW5zIGluZm9ybWF0aW9uIGlkZW50aWZ5aW5nIHRoYXQ8
L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNl
cnQiPiAgIGVhcmxpZXIgcGFja2V0Ljwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi
bG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBGb3IgY29tcGF0aWJpbGl0eSB3aXRo
IFBUUCwgUlRNICh3aGVuIHVzZWQgZm9yIFBUUCBwYWNrZXRzKSBtdXN0PC9zcGFuPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBiZWhhdmUg
aW4gYSBzaW1pbGFyIGZhc2hpb24uICBUbyBkbyB0aGlzLCBhIHR3by1zdGVwIFJUTSBjYXBhYmxl
PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
YmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5z
ZXJ0Ij4gICBlZ3Jlc3MgaW50ZXJmYWNlIHdpbGwgbmVlZCB0byBleGFtaW5lIHRoZSBTLWJpdCBp
biB0aGUgRmxhZ3MgZmllbGQgb2Y8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv
Y2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHRoZSBQVFAgc3ViLVRMViAoZm9yIFJUTSBtZXNz
YWdlcyB0aGF0IGluZGljYXRlIHRoZXkgYXJlIGZvciBQVFApIGFuZDwvc3Bhbj48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgLSBpZiBpdCBp
cyBjbGVhciAoc2V0IHRvIHplcm8pLCBpdCBNVVNUIHNldCBpdCBhbmQgY3JlYXRlIGEgZm9sbG93
LXVwPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0i
aW5zZXJ0Ij4gICBQVFAgVHlwZSBSVE0gbWVzc2FnZS4gIElmIHRoZSBTIGJpdCBpcyBhbHJlYWR5
IHNldCwgdGhlbiB0aGUgUlRNPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr
Ij48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBjYXBhYmxlIG5vZGUgTVVTVCB3YWl0IGZvciB0aGUg
UlRNIG1lc3NhZ2Ugd2l0aCB0aGUgUFRQIHR5cGUgb2Y8L3NwYW4+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGZvbGxvdy11cCBhbmQgbWF0
Y2hpbmcgb3JpZ2luYXRvciBhbmQgc2VxdWVuY2UgbnVtYmVyIHRvIG1ha2UgdGhlPC9zcGFuPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBj
b3JyZXNwb25kaW5nIHJlc2lkZW5jZSB0aW1lIHVwZGF0ZSB0byB0aGUgU2NyYXRjaCBQYWQgZmll
bGQuICBUaGU8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNs
YXNzPSJpbnNlcnQiPiAgIHdhaXQgcGVyaW9kIE1VU1QgYmUgcmVhc29uYWJseSBib3VuZC48L3Nw
YW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j
ayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQi
Pjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imlu
c2VydCI+ICAgSW4gcHJhY3RpY2UgYW4gUlRNIG9wZXJhdGluZyBhY2NvcmRpbmcgdG8gdHdvLXN0
ZXAgY2xvY2sgYmVoYXZlcyBsaWtlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJs
b2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBhIHR3by1zdGVwcyB0cmFuc3BhcmVudCBjbG9j
ay48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJp
bnNlcnQiPjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xh
c3M9Imluc2VydCI+ICAgQSBvbmUtc3RlcCBjYXBhYmxlIFJUTSBub2RlIE1BWSBlbGVjdCB0byBv
cGVyYXRlIGluIGVpdGhlciBvbmUtc3RlcDwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9
InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgbW9kZSAoYnkgbWFraW5nIGFuIHVwZGF0
ZSB0byB0aGUgU2NyYXRjaCBQYWQgZmllbGQgb2YgdGhlIFJUTSBtZXNzYWdlPC9zcGFuPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBjb250
YWluaW5nIHRoZSBQVFAgZXZlbnQgbWVzc2FnZSksIG9yIGluIHR3by1zdGVwIG1vZGUgKGJ5IG1h
a2luZyBhbjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xh
c3M9Imluc2VydCI+ICAgdXBkYXRlIHRvIHRoZSBTY3JhdGNoIFBhZCBvZiBhIGZvbGxvdy11cCBt
ZXNzYWdlIHdoZW4gaXRzIHByZXNlbmNlIGlzPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBpbmRpY2F0ZWQpLCBidXQgTVVTVCBO
T1QgZG8gYm90aC48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFu
IGNsYXNzPSJpbnNlcnQiPjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+
PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgVHdvIG1haW4gc3ViY2FzZXMgY2FuIGJlIGlkZW50aWZp
ZWQgZm9yIGFuIFJUTSBub2RlIG9wZXJhdGluZyBhcyBhPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICB0d28tc3RlcCBjbG9jazo8
L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNl
cnQiPjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9
Imluc2VydCI+ICAgQSkgSWYgYW55IG9mIHRoZSBwcmV2aW91cyBSVE0gY2FwYWJsZSBub2RlIG9y
IHRoZSBwcmV2aW91cyBQVFAgY2xvY2s8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
YmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIChlLmcuIHRoZSBCQyBjb25uZWN0ZWQgdG8g
dGhlIGZpcnN0IG5vZGUpLCBpcyBhIHR3by1zdGVwIGNsb2NrLCB0aGU8L3NwYW4+PC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHJlc2lkZW5j
ZSB0aW1lIGlzIGFkZGVkIHRvIHRoZSBSVE0gcGFja2V0IHRoYXQgaGFzIGJlZW4gY3JlYXRlZCB0
bzwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imlu
c2VydCI+ICAgaW5jbHVkZSB0aGUgYXNzb2NpYXRlZCBQVFAgcGFja2V0IChpLmUuIGZvbGxvdy11
cCBtZXNzYWdlIGluIHRoZTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+
PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgZG93bnN0cmVhbSBkaXJlY3Rpb24pLCBpZiB0aGUgbG9j
YWwgUlRNLWNhcGFibGUgbm9kZSBpcyBhbHNvPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBvcGVyYXRpbmcgYXMgYSB0d28tc3Rl
cCBjbG9jay4gIFRoaXMgUlRNIHBhY2tldCBjYXJyaWVzIHRoZSByZWxhdGVkPC9zcGFuPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBhY2N1
bXVsYXRlZCByZXNpZGVuY2UgdGltZSBhbmQgdGhlIGFwcHJvcHJpYXRlIHZhbHVlcyBvZiB0aGUg
U2VxdWVuY2U8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNs
YXNzPSJpbnNlcnQiPiAgIElkIGFuZCBQb3J0IElkICh0aGUgc2FtZSBpZGVudGlmaWVycyBjYXJy
aWVkIGluIHRoZSBwYWNrZXQgcHJvY2Vzc2VkKTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgYW5kIHRoZSBUd28tc3RlcCBGbGFn
IHNldCB0byAxLjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4g
Y2xhc3M9Imluc2VydCI+PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48
c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBOb3RlIHRoYXQgdGhlIGZhY3QgdGhhdCBhbiB1cHN0cmVh
bSBSVE0tY2FwYWJsZSBub2RlIG9wZXJhdGluZyBpbiB0aGU8L3NwYW4+PC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHR3by1zdGVwIG1vZGUg
aGFzIGNyZWF0ZWQgYSBmb2xsb3ctdXAgbWVzc2FnZSBkb2VzIG5vdCByZXF1aXJlIGFueTwvc3Bh
bj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr
Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+
ICAgc3Vic2VxdWVudCBSVE0gY2FwYWJsZSBub2RlIHRvIGFsc28gb3BlcmF0ZSBpbiB0aGUgdHdv
LXN0ZXAgbW9kZSwgYXM8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxz
cGFuIGNsYXNzPSJpbnNlcnQiPiAgIGxvbmcgYXMgdGhhdCBSVE0tY2FwYWJsZSBub2RlIGZvcndh
cmRzIHRoZSBmb2xsb3ctdXAgbWVzc2FnZSBvbiB0aGU8L3NwYW4+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHNhbWUgTFNQIG9uIHdoaWNo
IGl0IGZvcndhcmRzIHRoZSBjb3JyZXNwb25kaW5nIHByZXZpb3VzIG1lc3NhZ2UuPC9zcGFuPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij48L3Nw
YW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j
ayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQi
PiAgIEEgb25lLXN0ZXAgY2FwYWJsZSBSVE0gbm9kZSBNQVkgZWxlY3QgdG8gdXBkYXRlIHRoZSBS
VE0gZm9sbG93LXVwPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3Bh
biBjbGFzcz0iaW5zZXJ0Ij4gICBtZXNzYWdlIGFzIGlmIGl0IHdlcmUgb3BlcmF0aW5nIGluIHR3
by1zdGVwIG1vZGUsIGhvd2V2ZXIsIGl0IE1VU1Q8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIE5PVCB1cGRhdGUgYm90aCBtZXNz
YWdlcy48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNz
PSJpbnNlcnQiPjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4g
Y2xhc3M9Imluc2VydCI+ICAgQSBQVFAgZXZlbnQgcGFja2V0IChzeW5jKSBpcyBjYXJyaWVkIGlu
IHRoZSBSVE0gcGFja2V0IGluIG9yZGVyIGZvcjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgYW4gUlRNIG5vZGUgdG8gaWRlbnRp
ZnkgdGhhdCByZXNpZGVuY2UgdGltZSBtZWFzdXJlbWVudCBtdXN0IGJlPC9zcGFuPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBwZXJmb3Jt
ZWQgb24gdGhhdCBzcGVjaWZpYyBwYWNrZXQuPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij48L3NwYW4+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIFRvIGhhbmRsZSB0aGUgcmVz
aWRlbmNlIHRpbWUgb2YgdGhlIERlbGF5IHJlcXVlc3QgbWVzc2FnZSBvbiB0aGU8L3NwYW4+PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHVw
c3RyZWFtIGRpcmVjdGlvbiwgYW4gUlRNIHBhY2tldCBtdXN0IGJlIGNyZWF0ZWQgdG8gY2Fycnkg
dGhlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0i
aW5zZXJ0Ij4gICByZXNpZGVuY2UgdGltZSBvbiB0aGUgYXNzb2NpYXRlZCBkb3duc3RyZWFtIERl
bGF5IFJlc3AgbWVzc2FnZS48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2si
PjxzcGFuIGNsYXNzPSJpbnNlcnQiPjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi
bG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgVGhlIGxhc3QgUlRNIG5vZGUgb2YgdGhlIE1Q
TFMgbmV0d29yayBpbiBhZGRpdGlvbiB0byB1cGRhdGUgdGhlPC9zcGFuPjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBjb3JyZWN0aW9uRmll
bGQgb2YgdGhlIGFzc29jaWF0ZWQgUFRQIHBhY2tldCwgbXVzdCBhbHNvIHByb3Blcmx5PC9zcGFu
PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si
PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4g
ICBoYW5kbGUgdGhlIHR3by1zdGVwIGZsYWcgb2YgdGhlIFBUUCBwYWNrZXRzLjwvc3Bhbj48L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+PC9zcGFu
PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si
PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4g
ICBCKSBXaGVuIHRoZSBQVFAgbmV0d29yayBjb25uZWN0ZWQgdG8gdGhlIE1QTFMgYW5kIFJUTSBu
b2RlLCBvcGVyYXRlczwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNw
YW4gY2xhc3M9Imluc2VydCI+ICAgaW4gb25lLXN0ZXAgY2xvY2sgbW9kZSwgdGhlIGFzc29jaWF0
ZWQgUlRNIHBhY2tldCBtdXN0IGJlIGNyZWF0ZWQgYnk8L3NwYW4+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIHRoZSBSVE0gbm9kZSBpdHNl
bGYuICBUaGUgYXNzb2NpYXRlZCBSVE0gcGFja2V0IGluY2x1ZGluZyB0aGUgUFRQPC9zcGFuPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBl
dmVudCBwYWNrZXQgbmVlZHMgbm93IHRvIGluZGljYXRlIHRoYXQgYSBmb2xsb3cgdXAgbWVzc2Fn
ZSB3aWxsIGJlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBj
bGFzcz0iaW5zZXJ0Ij4gICBjb21pbmcuPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIFRoZSBlZ3Jlc3MgUlRNLWNhcGFi
bGUgbm9kZSBvZiB0aGUgTFNQIHdpbGwgYmUgcmVtb3ZpbmcgUlRNPC9zcGFuPjwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBlbmNhcHN1bGF0
aW9uIGFuZCwgaW4gY2FzZSBvZiB0d28tc3RlcCBjbG9jayBtb2RlIGJlaW5nIGluZGljYXRlZCw8
L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNl
cnQiPiAgIHdpbGwgZ2VuZXJhdGUgUFRQIG1lc3NhZ2VzIGFzIGFwcHJvcHJpYXRlIChhY2NvcmRp
bmcgdG8gdGhlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBj
bGFzcz0iaW5zZXJ0Ij4gICBbSUVFRS4xNTg4LjIwMDhdKS4gIEluIHRoaXMgY2FzZSwgdGhlIGNv
bW1vbiBoZWFkZXIgb2YgdGhlIFBUUCBwYWNrZXQ8L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGNhcnJ5aW5nIHRoZSBzeW5jaHJv
bml6YXRpb24gbWVzc2FnZSB3b3VsZCBoYXZlIHRvIGJlIG1vZGlmaWVkIGluIHRoZTwvc3Bhbj48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAg
dHdvU3RlcEZsYWcgZmllbGQgaW5kaWNhdGluZyB0aGF0IHRoZXJlIGlzIG5vdyBhIGZvbGxvdyB1
cCBtZXNzYWdlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBj
bGFzcz0iaW5zZXJ0Ij4gICBhc3NvY2lhdGVkIHRvIHRoYXQuPC9zcGFuPjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+My4gIEctQUNoIGZvciBSZXNpZGVuY2UgVGltZSBNZWFzdXJlbWVudDwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjMuICBHLUFDaCBmb3IgUmVzaWRlbmNlIFRp
bWUgTWVhc3VyZW1lbnQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFJGQyA1NTg2IFtS
RkM1NTg2XSBhbmQgUkZDIDY0MjMgW1JGQzY0MjNdIGRlZmluZSB0aGUgRy1BQ2ggdG8gZXh0ZW5k
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgUkZDIDU1ODYgW1JGQzU1ODZdIGFu
ZCBSRkMgNjQyMyBbUkZDNjQyM10gZGVmaW5lIHRoZSBHLUFDaCB0byBleHRlbmQ8L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIGFwcGxp
Y2FiaWxpdHkgb2YgdGhlIFBXIEFzc29jaWF0ZWQgQ2hhbm5lbCAoQUNIKSBbUkZDNTA4NV0gdG88
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0aGUgYXBwbGljYWJpbGl0eSBvZiB0
aGUgUFcgQXNzb2NpYXRlZCBDaGFubmVsIChBQ0gpIFtSRkM1MDg1XSB0bzwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBMU1BzLiAgRy1BQ2gg
cHJvdmlkZXMgYSBtZWNoYW5pc20gdG8gdHJhbnNwb3J0IE9BTSBhbmQgb3RoZXIgY29udHJvbDwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIExTUHMuICBHLUFDaCBwcm92aWRlcyBh
IG1lY2hhbmlzbSB0byB0cmFuc3BvcnQgT0FNIGFuZCBvdGhlciBjb250cm9sPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG1lc3NhZ2VzIG92
ZXIgYW4gTFNQLiAgUHJvY2Vzc2luZyBvZiB0aGVzZSBtZXNzYWdlcyBieSBzZWxlY3RlZDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIG1lc3NhZ2VzIG92ZXIgYW4gTFNQLiAgUHJv
Y2Vzc2luZyBvZiB0aGVzZSBtZXNzYWdlcyBieSBzZWxlY3RlZDwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0cmFuc2l0IG5vZGVzIGlzIGNv
bnRyb2xsZWQgYnkgdGhlIHVzZSBvZiB0aGUgVGltZS10by1MaXZlIChUVEwpPC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdHJhbnNpdCBub2RlcyBpcyBjb250cm9sbGVkIGJ5IHRo
ZSB1c2Ugb2YgdGhlIFRpbWUtdG8tTGl2ZSAoVFRMKTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB2YWx1ZSBpbiB0aGUgTVBMUyBoZWFkZXIg
b2YgdGhlc2UgbWVzc2FnZXMuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdmFs
dWUgaW4gdGhlIE1QTFMgaGVhZGVyIG9mIHRoZXNlIG1lc3NhZ2VzLjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDE1Ij48L2E+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJs
b2NrIj4gICBUaGUgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+cGFja2V0PC9zcGFuPiBmb3JtYXQgZm9y
IFJlc2lkZW5jZSBUaW1lIE1lYXN1cmVtZW50IChSVE0pIGlzIHByZXNlbnRlZDwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBUaGUgPHNwYW4gY2xhc3M9Imluc2VydCI+bWVzc2Fn
ZTwvc3Bhbj4gZm9ybWF0IGZvciBSZXNpZGVuY2UgVGltZSBNZWFzdXJlbWVudCAoUlRNKSBpcyBw
cmVzZW50ZWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgaW4gRmlndXJlIDE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBp
biBGaWd1cmUgMTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwMTYiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si
PjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L3NwYW4+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgIDAgICAgICAgICAgICAgICAgICAgMSAgICAgICAgICAg
ICAgICAgICAyICAgICAgICAgICAgICAgICAgIDM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICAgIDAgICAgICAgICAgICAgICAgICAgMSAgICAgICAgICAgICAgICAgICAyICAgICAg
ICAgICAgICAgICAgIDM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+ICAgICAwIDEgMiAzIDQgNSA2IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkg
MCAxIDIgMyA0IDUgNiA3IDggOSAwIDE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g
ICAgIDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDggOSAwIDEgMiAzIDQgNSA2
IDcgOCA5IDAgMTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICAgKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSs8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAg
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSs8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgIHwwIDAgMCAxfFZlcnNpb258ICAgUmVzZXJ2ZWQgICAgfCAgICAgICAgICAgUlRN
IEctQUNoICAgICAgICAgICB8PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgIHww
IDAgMCAxfFZlcnNpb258ICAgUmVzZXJ2ZWQgICAgfCAgICAgICAgICAgUlRNIEctQUNoICAgICAg
ICAgICB8PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgICArLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICArLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
bnNlcnQiPnR3by1zdGVwPC9zcGFuPiBub2RlIGFuZCBhIDxzcGFuIGNsYXNzPSJpbnNlcnQiPmZv
bGxvdy08L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxibG9jayI+ICAgICAgbWVzc2FnZSBpcyBmb3J0aGNvbWluZy48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgICAgdXA8L3NwYW4+IG1l
c3NhZ2UgaXMgZm9ydGhjb21pbmcuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvICBU
aGUgUFRQVHlwZSBpbmRpY2F0ZXMgdGhlIHR5cGUgb2YgUFRQIHBhY2tldCBjYXJyaWVkIGluIHRo
ZSBUTFYuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgbyAgVGhlIFBUUFR5cGUg
aW5kaWNhdGVzIHRoZSB0eXBlIG9mIFBUUCBwYWNrZXQgY2FycmllZCBpbiB0aGUgVExWLjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICBQ
VFBUeXBlIGlzIHRoZSBtZXNzYWdlVHlwZSBmaWVsZCBvZiB0aGUgUFRQdjIgcGFja2V0IHdob3Nl
IHZhbHVlczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIFBUUFR5cGUgaXMg
dGhlIG1lc3NhZ2VUeXBlIGZpZWxkIG9mIHRoZSBQVFB2MiBwYWNrZXQgd2hvc2UgdmFsdWVzPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZD48YSBuYW1lPSJkaWZmMDAyNiI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgICAgYXJlIGRl
ZmluZWQgaW4gPHNwYW4gY2xhc3M9ImRlbGV0ZSI+dGhlIFRhYmxlIDE5PC9zcGFuPiBbSUVFRS4x
NTg4LjIwMDhdLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICAgICBhcmUgZGVm
aW5lZCBpbiA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5UYWJsZSAxOSBvZjwvc3Bhbj4gW0lFRUUuMTU4
OC4yMDA4XS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG8gIFRoZSAxMCBvY3RldHMg
bG9uZyBQb3J0IElEIGZpZWxkIGNvbnRhaW5zIHRoZSBpZGVudGl0eSBvZiB0aGU8L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvICBUaGUgMTAgb2N0ZXRzIGxvbmcgUG9ydCBJRCBm
aWVsZCBjb250YWlucyB0aGUgaWRlbnRpdHkgb2YgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgIHNvdXJjZSBwb3J0LjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIHNvdXJjZSBwb3J0LjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgbyAgVGhlIFNlcXVlbmNlIElEIGlzIHRoZSBzZXF1ZW5jZSBJRCBv
ZiB0aGUgUFRQIG1lc3NhZ2UgY2FycmllZCBpbjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgIG8gIFRoZSBTZXF1ZW5jZSBJRCBpcyB0aGUgc2VxdWVuY2UgSUQgb2YgdGhlIFBUUCBt
ZXNzYWdlIGNhcnJpZWQgaW48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgICAgdGhlIFZhbHVlIGZpZWxkIG9mIHRoZSBtZXNzYWdlLjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgIHRoZSBWYWx1ZSBmaWVsZCBvZiB0aGUg
bWVzc2FnZS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjQuICBDb250cm9sIFBsYW5lIFRo
ZW9yeSBvZiBPcGVyYXRpb248L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij40LiAgQ29u
dHJvbCBQbGFuZSBUaGVvcnkgb2YgT3BlcmF0aW9uPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij4gICBUaGUgb3BlcmF0aW9uIG9mIFJUTSBkZXBlbmRzIHVwb24gVFRMIGV4cGlyeSB0byBkZWxp
dmVyIGFuIFJUTSBwYWNrZXQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGUg
b3BlcmF0aW9uIG9mIFJUTSBkZXBlbmRzIHVwb24gVFRMIGV4cGlyeSB0byBkZWxpdmVyIGFuIFJU
TSBwYWNrZXQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwv
dHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0icGFydC1s
NSI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDgsIGxpbmUg
NTwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48YSBuYW1lPSJwYXJ0LXI1Ij48c21hbGw+c2tp
cHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgMTAsIGxpbmUgMzU8L2VtPjwvYT48
L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvZiBhbiBSVE0gcGFja2V0IGF0IHRoZSBuZXh0
IG5vZGUgd2l0aCBSVE0gY2FwYWJsZSBpbnRlcmZhY2VzLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIG9mIGFuIFJUTSBwYWNrZXQgYXQgdGhlIG5leHQgbm9kZSB3aXRoIFJUTSBj
YXBhYmxlIGludGVyZmFjZXMuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij40LjEuICBSVE0g
Q2FwYWJpbGl0eTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjQuMS4gIFJUTSBDYXBh
YmlsaXR5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBOb3RlIHRoYXQgdGhlIFJUTSBj
YXBhYmlsaXR5IG9mIGEgbm9kZSBpcyB3aXRoIHJlc3BlY3QgdG8gdGhlIHBhaXIgb2Y8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBOb3RlIHRoYXQgdGhlIFJUTSBjYXBhYmlsaXR5
IG9mIGEgbm9kZSBpcyB3aXRoIHJlc3BlY3QgdG8gdGhlIHBhaXIgb2Y8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW50ZXJmYWNlcyB0aGF0
IHdpbGwgYmUgdXNlZCB0byBmb3J3YXJkIGFuIFJUTSBwYWNrZXQuICBJbiBnZW5lcmFsLDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGludGVyZmFjZXMgdGhhdCB3aWxsIGJlIHVz
ZWQgdG8gZm9yd2FyZCBhbiBSVE0gcGFja2V0LiAgSW4gZ2VuZXJhbCw8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIGluZ3Jlc3MgaW50
ZXJmYWNlIG9mIHRoaXMgcGFpciBtdXN0IGJlIGFibGUgdG8gY2FwdHVyZSB0aGU8L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0aGUgaW5ncmVzcyBpbnRlcmZhY2Ugb2YgdGhpcyBw
YWlyIG11c3QgYmUgYWJsZSB0byBjYXB0dXJlIHRoZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBhcnJpdmFsIHRpbWUgb2YgdGhlIHBhY2tl
dCBhbmQgZW5jb2RlIGl0IGluIHNvbWUgd2F5IHN1Y2ggdGhhdCB0aGlzPC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+ICAgYXJyaXZhbCB0aW1lIG9mIHRoZSBwYWNrZXQgYW5kIGVuY29k
ZSBpdCBpbiBzb21lIHdheSBzdWNoIHRoYXQgdGhpczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpbmZvcm1hdGlvbiB3aWxsIGJlIGF2YWls
YWJsZSB0byB0aGUgZWdyZXNzIGludGVyZmFjZS48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICBpbmZvcm1hdGlvbiB3aWxsIGJlIGF2YWlsYWJsZSB0byB0aGUgZWdyZXNzIGludGVy
ZmFjZS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAy
NyI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgVGhlIHN1cHBvcnRlZCBtb2RlcyAoPHNwYW4g
Y2xhc3M9ImRlbGV0ZSI+MS1zdGVwIHZlcnNlcyAyPC9zcGFuPi1zdGVwKSBvZiBhbnkgcGFpciBv
ZiBpbnRlcmZhY2VzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIFRoZSBzdXBw
b3J0ZWQgbW9kZXMgKDxzcGFuIGNsYXNzPSJpbnNlcnQiPm9uZS1zdGVwIG9yIHR3bzwvc3Bhbj4t
c3RlcCkgb2YgYW55IHBhaXIgb2YgaW50ZXJmYWNlczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpcyB0aGVuIGRldGVybWluZWQgYnkgdGhl
IGNhcGFiaWxpdHkgb2YgdGhlIGVncmVzcyBpbnRlcmZhY2UuICBGb3I8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICBpcyB0aGVuIGRldGVybWluZWQgYnkgdGhlIGNhcGFiaWxpdHkg
b2YgdGhlIGVncmVzcyBpbnRlcmZhY2UuICBGb3I8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYm90aCBtb2RlcywgdGhlIGVncmVzcyBpbnRl
cmZhY2UgaW1wbGVtZW50YXRpb24gTVVTVCBiZSBhYmxlIHRvPC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+ICAgYm90aCBtb2RlcywgdGhlIGVncmVzcyBpbnRlcmZhY2UgaW1wbGVtZW50
YXRpb24gTVVTVCBiZSBhYmxlIHRvPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGRldGVybWluZSB0aGUgcHJlY2lzZSBkZXBhcnR1cmUgdGlt
ZSBvZiB0aGUgc2FtZSBwYWNrZXQgYW5kIGRldGVybWluZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIGRldGVybWluZSB0aGUgcHJlY2lzZSBkZXBhcnR1cmUgdGltZSBvZiB0aGUg
c2FtZSBwYWNrZXQgYW5kIGRldGVybWluZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBmcm9tIHRoaXMsIGFuZCB0aGUgYXJyaXZhbCB0aW1l
IGluZm9ybWF0aW9uIGZyb20gdGhlIGNvcnJlc3BvbmRpbmc8L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJpZ2h0Ij4gICBmcm9tIHRoaXMsIGFuZCB0aGUgYXJyaXZhbCB0aW1lIGluZm9ybWF0aW9u
IGZyb20gdGhlIGNvcnJlc3BvbmRpbmc8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW5ncmVzcyBpbnRlcmZhY2UsIHRoZSBkaWZmZXJlbmNl
IHJlcHJlc2VudGluZyB0aGUgcmVzaWRlbmNlIHRpbWUgZm9yPC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+ICAgaW5ncmVzcyBpbnRlcmZhY2UsIHRoZSBkaWZmZXJlbmNlIHJlcHJlc2Vu
dGluZyB0aGUgcmVzaWRlbmNlIHRpbWUgZm9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHRoZSBwYWNrZXQuPC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+ICAgdGhlIHBhY2tldC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIEFuIGludGVyZmFjZSB3aXRoIHRoZSBhYmlsaXR5IHRvIGRvIHRoaXMgYW5kIHVwZGF0ZSB0
aGUgYXNzb2NpYXRlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEFuIGludGVy
ZmFjZSB3aXRoIHRoZSBhYmlsaXR5IHRvIGRvIHRoaXMgYW5kIHVwZGF0ZSB0aGUgYXNzb2NpYXRl
ZDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBTY3JhdGNoIFBhZCBpbiByZWFsLXRpbWUgKGkuZS4gd2hpbGUgdGhlIHBhY2tldCBpcyBiZWlu
ZyBmb3J3YXJkZWQpPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgU2NyYXRjaCBQ
YWQgaW4gcmVhbC10aW1lIChpLmUuIHdoaWxlIHRoZSBwYWNrZXQgaXMgYmVpbmcgZm9yd2FyZGVk
KTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQ+PGEgbmFtZT0iZGlmZjAwMjgiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIGlzIHNh
aWQgdG8gYmUgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+MTwvc3Bhbj4tc3RlcCBjYXBhYmxlLjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBpcyBzYWlkIHRvIGJlIDxzcGFuIGNsYXNz
PSJpbnNlcnQiPm9uZTwvc3Bhbj4tc3RlcCBjYXBhYmxlLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9
InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgSGVuY2Ugd2hpbGUgYm90aCBpbmdyZXNzIGFuZCBlZ3Jlc3MgaW50ZXJmYWNlcyBh
cmUgcmVxdWlyZWQgdG88L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBIZW5jZSB3
aGlsZSBib3RoIGluZ3Jlc3MgYW5kIGVncmVzcyBpbnRlcmZhY2VzIGFyZSByZXF1aXJlZCB0bzwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBz
dXBwb3J0IFJUTSBmb3IgdGhlIHBhaXIgdG8gYmUgUlRNLWNhcGFibGUsIGl0IGlzIHRoZSBlZ3Jl
c3M8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBzdXBwb3J0IFJUTSBmb3IgdGhl
IHBhaXIgdG8gYmUgUlRNLWNhcGFibGUsIGl0IGlzIHRoZSBlZ3Jlc3M8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRp
ZmYwMDI5Ij48L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBpbnRlcmZhY2UgdGhhdCBkZXRlcm1p
bmVzIHdoZXRoZXIgb3Igbm90IHRoZSBub2RlIGlzIDxzcGFuIGNsYXNzPSJkZWxldGUiPjEtc3Rl
cDwvc3Bhbj4gb3IgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+Mi1zdGVwPC9zcGFuPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBpbnRlcmZhY2UgdGhhdCBkZXRlcm1pbmVzIHdoZXRo
ZXIgb3Igbm90IHRoZSBub2RlIGlzIDxzcGFuIGNsYXNzPSJpbnNlcnQiPm9uZS1zdGVwPC9zcGFu
PiBvciA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij50d28tPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIGNhcGFibGUgd2l0aCByZXNw
ZWN0IHRvIHRoZSBpbnRlcmZhY2UtcGFpci48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j
ayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgc3RlcDwvc3Bhbj4gY2FwYWJsZSB3aXRoIHJlc3Bl
Y3QgdG8gdGhlIGludGVyZmFjZS1wYWlyLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
VGhlIFJUTSBjYXBhYmlsaXR5IHVzZWQgaW4gdGhlIHN1Yi1UTFYgc2hvd24gaW4gRmlndXJlIDQg
aXMgdGh1czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBSVE0gY2FwYWJp
bGl0eSB1c2VkIGluIHRoZSBzdWItVExWIHNob3duIGluIEZpZ3VyZSA0IGlzIHRodXM8L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYXNzb2Np
YXRlZCB3aXRoIHRoZSBlZ3Jlc3MgcG9ydCBvZiB0aGUgbm9kZSBtYWtpbmcgdGhlIGFkdmVydGlz
ZW1lbnQsPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYXNzb2NpYXRlZCB3aXRo
IHRoZSBlZ3Jlc3MgcG9ydCBvZiB0aGUgbm9kZSBtYWtpbmcgdGhlIGFkdmVydGlzZW1lbnQsPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHdo
aWxlIHRoZSBhYmlsaXR5IG9mIGFueSBwYWlyIG9mIGludGVyZmFjZXMgdGhhdCBpbmNsdWRlcyB0
aGlzIGVncmVzczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHdoaWxlIHRoZSBh
YmlsaXR5IG9mIGFueSBwYWlyIG9mIGludGVyZmFjZXMgdGhhdCBpbmNsdWRlcyB0aGlzIGVncmVz
czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBpbnRlcmZhY2UgdG8gc3VwcG9ydCBhbnkgbW9kZSBvZiBSVE0gZGVwZW5kcyBvbiB0aGUgYWJp
bGl0eSBvZiB0aGF0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgaW50ZXJmYWNl
IHRvIHN1cHBvcnQgYW55IG1vZGUgb2YgUlRNIGRlcGVuZHMgb24gdGhlIGFiaWxpdHkgb2YgdGhh
dDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBpbnRlcmZhY2UgdG8gcmVjb3JkIHBhY2tldCBhcnJpdmFsIHRpbWUgaW4gc29tZSB3YXkgdGhh
dCBjYW4gYmU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBpbnRlcmZhY2UgdG8g
cmVjb3JkIHBhY2tldCBhcnJpdmFsIHRpbWUgaW4gc29tZSB3YXkgdGhhdCBjYW4gYmU8L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29udmV5
ZWQgdG8gYW5kIHVzZWQgYnkgdGhhdCBlZ3Jlc3MgaW50ZXJmYWNlLjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIGNvbnZleWVkIHRvIGFuZCB1c2VkIGJ5IHRoYXQgZWdyZXNzIGlu
dGVyZmFjZS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFdoZW4gYSBub2RlIHVzZXMg
YW4gSUdQIHRvIGNhcnJ5IHRoZSBSVE0gY2FwYWJpbGl0eSBzdWItVExWLCB0aGUgc3ViLTwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFdoZW4gYSBub2RlIHVzZXMgYW4gSUdQIHRv
IGNhcnJ5IHRoZSBSVE0gY2FwYWJpbGl0eSBzdWItVExWLCB0aGUgc3ViLTwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0i
ZGlmZjAwMzAiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIFRMViBNVVNUIHJlZmxlY3QgdGhl
IFJUTSBjYXBhYmlsaXR5ICg8c3BhbiBjbGFzcz0iZGVsZXRlIj4xLXN0ZXAgb3IgMjwvc3Bhbj4t
c3RlcCkgYXNzb2NpYXRlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBUTFYg
TVVTVCByZWZsZWN0IHRoZSBSVE0gY2FwYWJpbGl0eSAoPHNwYW4gY2xhc3M9Imluc2VydCI+b25l
LXN0ZXAgb3IgdHdvPC9zcGFuPi1zdGVwKSBhc3NvY2lhdGVkPC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHdpdGggZWdyZXNzIGludGVyZmFj
ZXMuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgd2l0aCBlZ3Jlc3MgaW50ZXJm
YWNlcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjQuMi4gIFJUTSBDYXBhYmlsaXR5IFN1
Yi1UTFY8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij40LjIuICBSVE0gQ2FwYWJpbGl0
eSBTdWItVExWPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBUaGUgZm9ybWF0IGZvciB0
aGUgUlRNIENhcGFiaWxpdGllcyBzdWItVExWIGlzIHByZXNlbnRlZCBpbiBGaWd1cmUgNDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBmb3JtYXQgZm9yIHRoZSBSVE0gQ2Fw
YWJpbGl0aWVzIHN1Yi1UTFYgaXMgcHJlc2VudGVkIGluIEZpZ3VyZSA0PC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsZWZ0Ij4gICAgIDAgICAgICAgICAgICAgICAgICAgMSAgICAgICAgICAgICAgICAg
ICAyICAgICAgICAgICAgICAgICAgIDM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g
ICAgIDAgICAgICAgICAgICAgICAgICAgMSAgICAgICAgICAgICAgICAgICAyICAgICAgICAgICAg
ICAgICAgIDM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgICAwIDEgMiAzIDQgNSA2IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIg
MyA0IDUgNiA3IDggOSAwIDE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgIDAg
MSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDggOSAwIDEgMiAzIDQgNSA2IDcgOCA5
IDAgMTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij4gICAgKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSs8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSs8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgIHwgICAgICAgICAgICAgIFR5cGUgICAgICAgICAgICAgfCAgICAgICAgICAgICBMZW5ndGgg
ICAgICAgICAgICB8PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgIHwgICAgICAg
ICAgICAgIFR5cGUgICAgICAgICAgICAgfCAgICAgICAgICAgICBMZW5ndGggICAgICAgICAgICB8
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAg
ICArLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICArLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKzwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAg
fCBSVE0gfCAgICAgICAgICAgICAgICAgICAgICAgUmVzZXJ2ZWQgICAgICAgICAgICAgICAgICAg
ICAgICAgIHw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgfCBSVE0gfCAgICAg
ICAgICAgICAgICAgICAgICAgUmVzZXJ2ZWQgICAgICAgICAgICAgICAgICAgICAgICAgIHw8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICstKy0rLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rPC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgICAgICAgICBGaWd1cmUgNDogUlRN
IENhcGFiaWxpdHkgc3ViLVRMVjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAg
ICAgICAgICAgICAgICAgIEZpZ3VyZSA0OiBSVE0gQ2FwYWJpbGl0eSBzdWItVExWPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvICBUeXBlIHZhbHVlIChUQkEyKSB3aWxsIGJlIGFzc2ln
bmVkIGJ5IElBTkEgZnJvbSBhcHByb3ByaWF0ZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgIG8gIFR5cGUgdmFsdWUgKFRCQTIpIHdpbGwgYmUgYXNzaWduZWQgYnkgSUFOQSBmcm9t
IGFwcHJvcHJpYXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAzMSI+PC9hPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j
ayI+ICAgICAgcmVnaXN0cnkgZm9yIE9TUEZ2Mi48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJi
bG9jayI+ICAgICAgcmVnaXN0cnkgZm9yIE9TUEZ2MjxzcGFuIGNsYXNzPSJpbnNlcnQiPiBTZWN0
aW9uIDcuNDwvc3Bhbj4uPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvICBMZW5ndGgg
TVVTVCBiZSBzZXQgdG8gNC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvICBM
ZW5ndGggTVVTVCBiZSBzZXQgdG8gNC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG8g
IFJUTSAoY2FwYWJpbGl0eSkgLSBpcyBhIHRocmVlLWJpdCBsb25nIGJpdC1tYXAgZmllbGQgd2l0
aCB2YWx1ZXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvICBSVE0gKGNhcGFi
aWxpdHkpIC0gaXMgYSB0aHJlZS1iaXQgbG9uZyBiaXQtbWFwIGZpZWxkIHdpdGggdmFsdWVzPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAg
IGRlZmluZWQgYXMgZm9sbG93czo8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAg
ICBkZWZpbmVkIGFzIGZvbGxvd3M6PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAq
ICAwYjAwMSAtIG9uZS1zdGVwIFJUTSBzdXBwb3J0ZWQ7PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyaWdodCI+ICAgICAgKiAgMGIwMDEgLSBvbmUtc3RlcCBSVE0gc3VwcG9ydGVkOzwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgKiAgMGIwMTAgLSB0d28tc3RlcCBSVE0gc3VwcG9y
dGVkOzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICogIDBiMDEwIC0gdHdv
LXN0ZXAgUlRNIHN1cHBvcnRlZDs8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48L3RyPgogICAgICA8dHIg
Ymdjb2xvcj0iZ3JheSI+PHRkPjwvdGQ+PHRoPjxhIG5hbWU9InBhcnQtbDYiPjxzbWFsbD5za2lw
cGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSA5LCBsaW5lIDI3PC9lbT48L2E+PC90
aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9InBhcnQtcjYiPjxzbWFsbD5za2lwcGluZyB0byBjaGFu
Z2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxMiwgbGluZSA5PC9lbT48L2E+PC90aD48dGQ+PC90ZD48
L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBj
bGFzcz0ibGVmdCI+ICAgW1JGQzQyMDJdIGV4cGxhaW5zIHRoYXQgdGhlIEludGVyZmFjZSBTd2l0
Y2hpbmcgQ2FwYWJpbGl0eSBEZXNjcmlwdG9yPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+ICAgW1JGQzQyMDJdIGV4cGxhaW5zIHRoYXQgdGhlIEludGVyZmFjZSBTd2l0Y2hpbmcgQ2Fw
YWJpbGl0eSBEZXNjcmlwdG9yPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgIGRlc2NyaWJlcyBzd2l0Y2hpbmcgY2FwYWJpbGl0eSBvZiBhbiBp
bnRlcmZhY2UuICBGb3IgYmktZGlyZWN0aW9uYWw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICBkZXNjcmliZXMgc3dpdGNoaW5nIGNhcGFiaWxpdHkgb2YgYW4gaW50ZXJmYWNlLiAg
Rm9yIGJpLWRpcmVjdGlvbmFsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgIGxpbmtzLCB0aGUgc3dpdGNoaW5nIGNhcGFiaWxpdGllcyBvZiBh
biBpbnRlcmZhY2UgYXJlIGRlZmluZWQgdG8gYmU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICBsaW5rcywgdGhlIHN3aXRjaGluZyBjYXBhYmlsaXRpZXMgb2YgYW4gaW50ZXJmYWNl
IGFyZSBkZWZpbmVkIHRvIGJlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgIHRoZSBzYW1lIGluIGVpdGhlciBkaXJlY3Rpb24uICBJLmUuLCBm
b3IgZGF0YSBlbnRlcmluZyB0aGUgbm9kZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgIHRoZSBzYW1lIGluIGVpdGhlciBkaXJlY3Rpb24uICBJLmUuLCBmb3IgZGF0YSBlbnRlcmlu
ZyB0aGUgbm9kZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
ICAgICAgICAgICAgICAgICAgICAgfjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
ICB+ICAgICAgICAgICAgICAgICAgICAgICAgICAgICBWYWx1ZSAgICAgICAgICAgICAgICAgICAg
ICAgICAgIH48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgIHwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgfDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICB8ICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
IHw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
ICAgICstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICArLSstKy0rLSst
Ky0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSs8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgICAgICAgICAgRmlndXJlIDY6
IFJUTV9TRVQgVExWIGZvcm1hdDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAg
ICAgICAgICAgICAgICAgICAgRmlndXJlIDY6IFJUTV9TRVQgVExWIGZvcm1hdDwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgVHlwZSB2YWx1ZSAoVEJBNCkgd2lsbCBiZSBhc3NpZ25lZCBi
eSBJQU5BIGZyb20gaXRzIEF0dHJpYnV0ZXMgVExWPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgVHlwZSB2YWx1ZSAoVEJBNCkgd2lsbCBiZSBhc3NpZ25lZCBieSBJQU5BIGZyb20g
aXRzIEF0dHJpYnV0ZXMgVExWPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDAzOCI+PC9hPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxibG9jayI+ICAgU3BhY2Ugc3ViLXJlZ2lzdHJ5LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmJsb2NrIj4gICBTcGFjZSBzdWItcmVnaXN0cnk8c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gU2VjdGlv
biA3LjY8L3NwYW4+LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgVGhlIExlbmd0aCBj
b250YWlucyB0aGUgdG90YWwgbGVuZ3RoIG9mIHRoZSBzdWItb2JqZWN0IGluIGJ5dGVzLDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFRoZSBMZW5ndGggY29udGFpbnMgdGhlIHRv
dGFsIGxlbmd0aCBvZiB0aGUgc3ViLW9iamVjdCBpbiBieXRlcyw8L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaW5jbHVkaW5nIHRoZSBUeXBl
IGFuZCBMZW5ndGggZmllbGRzLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGlu
Y2x1ZGluZyB0aGUgVHlwZSBhbmQgTGVuZ3RoIGZpZWxkcy48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPiAgIFRoZSBJIGJpdCBmbGFnIGluZGljYXRlcyB3aGV0aGVyIHRoZSBkb3duc3RyZWFt
IFJUTSBjYXBhYmxlIG5vZGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGUg
SSBiaXQgZmxhZyBpbmRpY2F0ZXMgd2hldGhlciB0aGUgZG93bnN0cmVhbSBSVE0gY2FwYWJsZSBu
b2RlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIGFsb25nIHRoZSBMU1AgaXMgcHJlc2VudCBpbiB0aGUgUlJPLjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIGFsb25nIHRoZSBMU1AgaXMgcHJlc2VudCBpbiB0aGUgUlJPLjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgUmVzZXJ2ZWQgZmllbGQgbXVzdCBiZSB6ZXJv
ZWQgb24gaW5pdGlhdGlvbiBhbmQgaWdub3JlZCBvbiByZWNlaXB0LjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgIFJlc2VydmVkIGZpZWxkIG11c3QgYmUgemVyb2VkIG9uIGluaXRp
YXRpb24gYW5kIGlnbm9yZWQgb24gcmVjZWlwdC48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdo
dCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIFRoZSBjb250ZW50IG9mIGFuIFJUTV9TRVQgVExWIGlzIGEgc2VyaWVzIG9mIHZhcmlhYmxl
LWxlbmd0aCBzdWItPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVGhlIGNvbnRl
bnQgb2YgYW4gUlRNX1NFVCBUTFYgaXMgYSBzZXJpZXMgb2YgdmFyaWFibGUtbGVuZ3RoIHN1Yi08
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
VExWcy4gIE9ubHkgYSBzaW5nbGUgUlRNX1NFVCBjYW4gYmUgcHJlc2VudCBpbiB0aGUgTFNQX0FU
VFJJQlVURVM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUTFZzLiAgT25seSBh
IHNpbmdsZSBSVE1fU0VUIGNhbiBiZSBwcmVzZW50IGluIHRoZSBMU1BfQVRUUklCVVRFUzwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBvYmpl
Y3QuICBUaGUgc3ViLVRMVnMgYXJlIGRlZmluZWQgaW4gU2VjdGlvbiA0LjcuMSBiZWxvdy48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBvYmplY3QuICBUaGUgc3ViLVRMVnMgYXJl
IGRlZmluZWQgaW4gU2VjdGlvbiA0LjcuMSBiZWxvdy48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIFRoZSBmb2xsb3dpbmcgcHJvY2Vzc2luZyBwcm9jZWR1cmVzIGFwcGx5IHRvIGV2ZXJ5
IFJUTSBjYXBhYmxlIG5vZGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBUaGUg
Zm9sbG93aW5nIHByb2Nlc3NpbmcgcHJvY2VkdXJlcyBhcHBseSB0byBldmVyeSBSVE0gY2FwYWJs
ZSBub2RlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIGFsb25nIHRoZSBMU1AgdGhhdCBpbiB0aGlzIHBhcmFncmFwaCBpcyByZWZlcnJlZCBh
cyBub2RlIGZvciBzYWtlIG9mPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWxv
bmcgdGhlIExTUCB0aGF0IGluIHRoaXMgcGFyYWdyYXBoIGlzIHJlZmVycmVkIGFzIG5vZGUgZm9y
IHNha2Ugb2Y8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgYnJldml0eS4gIEVhY2ggbm9kZSBNVVNUIGV4YW1pbmUgUmVzdiBtZXNzYWdlIHdo
ZXRoZXIgUlRNX1NFVDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGJyZXZpdHku
ICBFYWNoIG5vZGUgTVVTVCBleGFtaW5lIFJlc3YgbWVzc2FnZSB3aGV0aGVyIFJUTV9TRVQ8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgQXR0
cmlidXRlIEZsYWcgaW4gdGhlIExTUF9BVFRSSUJVVEVTIG9iamVjdCBpcyBzZXQuICBJZiB0aGUg
UlRNX1NFVDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEF0dHJpYnV0ZSBGbGFn
IGluIHRoZSBMU1BfQVRUUklCVVRFUyBvYmplY3QgaXMgc2V0LiAgSWYgdGhlIFJUTV9TRVQ8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZmxh
ZyBzZXQsIHRoZSBub2RlIE1VU1QgaW5zcGVjdCB0aGUgTFNQX0FUVFJJQlVURVMgb2JqZWN0IGZv
cjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGZsYWcgc2V0LCB0aGUgbm9kZSBN
VVNUIGluc3BlY3QgdGhlIExTUF9BVFRSSUJVVEVTIG9iamVjdCBmb3I8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgcHJlc2VuY2Ugb2YgUlRN
X1NFVCBUTFYuICBJZiBtb3JlIHRoYW4gb25lIGZvdW5kLCB0aGVuIHRoZSBMU1Agc2V0dXA8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwcmVzZW5jZSBvZiBSVE1fU0VUIFRMVi4g
IElmIG1vcmUgdGhhbiBvbmUgZm91bmQsIHRoZW4gdGhlIExTUCBzZXR1cDwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBNVVNUIGZhaWwgd2l0
aCBnZW5lcmF0aW9uIG9mIHRoZSBSZXN2RXJyIG1lc3NhZ2Ugd2l0aCBFcnJvciBDb2RlPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgTVVTVCBmYWlsIHdpdGggZ2VuZXJhdGlvbiBv
ZiB0aGUgUmVzdkVyciBtZXNzYWdlIHdpdGggRXJyb3IgQ29kZTwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAw
MzkiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIER1cGxpY2F0ZSBUTFYgU2VjdGlvbiA8c3Bh
biBjbGFzcz0iZGVsZXRlIj44PC9zcGFuPi44IGFuZCBFcnJvciBWYWx1ZSB0aGF0IGNvbnRhaW5z
IFR5cGUgdmFsdWUgaW48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgRHVwbGlj
YXRlIFRMViBTZWN0aW9uIDxzcGFuIGNsYXNzPSJpbnNlcnQiPjc8L3NwYW4+LjggYW5kIEVycm9y
IFZhbHVlIHRoYXQgY29udGFpbnMgVHlwZSB2YWx1ZSBpbjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpdHMgOCBsZWFzdCBzaWduaWZpY2Fu
dCBiaXRzLiAgSWYgbm8gUlRNX1NFVCBUTFYgaGFzIGJlZW4gZm91bmQsIHRoZW48L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBpdHMgOCBsZWFzdCBzaWduaWZpY2FudCBiaXRzLiAg
SWYgbm8gUlRNX1NFVCBUTFYgaGFzIGJlZW4gZm91bmQsIHRoZW48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgdGhlIExTUCBzZXR1cCBNVVNU
IGZhaWwgd2l0aCBnZW5lcmF0aW9uIG9mIHRoZSBSZXN2RXJyIG1lc3NhZ2Ugd2l0aDwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRoZSBMU1Agc2V0dXAgTVVTVCBmYWlsIHdpdGgg
Z2VuZXJhdGlvbiBvZiB0aGUgUmVzdkVyciBtZXNzYWdlIHdpdGg8L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYw
MDQwIj48L2E+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4gICBFcnJvciBDb2RlIFJUTV9TRVQgVExWIEFi
c2VudCBTZWN0aW9uIDxzcGFuIGNsYXNzPSJkZWxldGUiPjg8L3NwYW4+LjguICBJZiBvbmUgUlRN
X1NFVCBUTFYgaGFzPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIEVycm9yIENv
ZGUgUlRNX1NFVCBUTFYgQWJzZW50IFNlY3Rpb24gPHNwYW4gY2xhc3M9Imluc2VydCI+Nzwvc3Bh
bj4uOC4gIElmIG9uZSBSVE1fU0VUIFRMViBoYXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYmVlbiBmb3VuZCB0aGUgbm9kZSB3aWxsIHVz
ZSB0aGUgSUQgb2YgdGhlIGZpcnN0IG5vZGUgaW4gdGhlIFJUTV9TRVQ8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICBiZWVuIGZvdW5kIHRoZSBub2RlIHdpbGwgdXNlIHRoZSBJRCBv
ZiB0aGUgZmlyc3Qgbm9kZSBpbiB0aGUgUlRNX1NFVDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpbiBjb25qdW5jdGlvbiB3aXRoIHRoZSBS
Uk8gdG8gY29tcHV0ZSB0aGUgaG9wIGNvdW50IHRvIGl0czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIGluIGNvbmp1bmN0aW9uIHdpdGggdGhlIFJSTyB0byBjb21wdXRlIHRoZSBo
b3AgY291bnQgdG8gaXRzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPiAgIGRvd25zdHJlYW0gbm9kZSB3aXRoIHJlYWNoYWJsZSBSVE0gY2FwYWJs
ZSBpbnRlcmZhY2UuICBJZiB0aGUgbm9kZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgIGRvd25zdHJlYW0gbm9kZSB3aXRoIHJlYWNoYWJsZSBSVE0gY2FwYWJsZSBpbnRlcmZhY2Uu
ICBJZiB0aGUgbm9kZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICBjYW5ub3QgZmluZCBtYXRjaGluZyBJRCBpbiBSUk8sIHRoZW4gaXQgTVVT
VCB0cnkgdG8gdXNlIElEIG9mIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
IGNhbm5vdCBmaW5kIG1hdGNoaW5nIElEIGluIFJSTywgdGhlbiBpdCBNVVNUIHRyeSB0byB1c2Ug
SUQgb2YgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPiAgIG5leHQgbm9kZSBpbiB0aGUgUlRNX1NFVCB1bnRpbCBpdCBmaW5kcyB0aGUgbWF0
Y2ggb3IgcmVhY2hlcyB0aGUgZW5kPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
bmV4dCBub2RlIGluIHRoZSBSVE1fU0VUIHVudGlsIGl0IGZpbmRzIHRoZSBtYXRjaCBvciByZWFj
aGVzIHRoZSBlbmQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgb2YgUlRNX1NFVCBUTFYuICBJZiBtYXRjaCBoYXMgYmVlbiBmb3VuZCwgdGhl
IGNhbGN1bGF0ZWQgdmFsdWUgaXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBv
ZiBSVE1fU0VUIFRMVi4gIElmIG1hdGNoIGhhcyBiZWVuIGZvdW5kLCB0aGUgY2FsY3VsYXRlZCB2
YWx1ZSBpczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICB1c2VkIGJ5IHRoZSBub2RlIGFzIFRUTCB2YWx1ZSBpbiBvdXRnb2luZyBsYWJlbCB0
byByZWFjaCB0aGUgbmV4dCBSVE08L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB1
c2VkIGJ5IHRoZSBub2RlIGFzIFRUTCB2YWx1ZSBpbiBvdXRnb2luZyBsYWJlbCB0byByZWFjaCB0
aGUgbmV4dCBSVE08L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgY2FwYWJsZSBub2RlIG9uIHRoZSBMU1AuICBPdGhlcndpc2UsIHRoZSBUVEwg
dmFsdWUgTVVTVCBiZSBzZXQgdG88L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBj
YXBhYmxlIG5vZGUgb24gdGhlIExTUC4gIE90aGVyd2lzZSwgdGhlIFRUTCB2YWx1ZSBNVVNUIGJl
IHNldCB0bzwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICAyNTUuICBUaGUgbm9kZSBNVVNUIGFkZCBSVE1fU0VUIHN1Yi1UTFYgd2l0aCB0aGUg
c2FtZSBhZGRyZXNzIGl0IHVzZWQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAy
NTUuICBUaGUgbm9kZSBNVVNUIGFkZCBSVE1fU0VUIHN1Yi1UTFYgd2l0aCB0aGUgc2FtZSBhZGRy
ZXNzIGl0IHVzZWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgaW4gUlJPIHN1Yi1vYmplY3QgYXQgdGhlIGJlZ2lubmluZyBvZiB0aGUgUlRN
X1NFVCBUTFYgaW4gYXNzb2NpYXRlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
IGluIFJSTyBzdWItb2JqZWN0IGF0IHRoZSBiZWdpbm5pbmcgb2YgdGhlIFJUTV9TRVQgVExWIGlu
IGFzc29jaWF0ZWQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3Rk
PjwvdHI+CiAgICAgIDx0ciBiZ2NvbG9yPSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0icGFy
dC1sMTAiPjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxMywg
bGluZSA0MTwvZW0+PC9hPjwvdGg+PHRoPiA8L3RoPjx0aD48YSBuYW1lPSJwYXJ0LXIxMCI+PHNt
YWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDE2LCBsaW5lIDI1PC9l
bT48L2E+PC90aD48dGQ+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYW5kIExlbmd0aCBmaWVsZHMuICBU
aGUgTGVuZ3RoIE1VU1QgYWx3YXlzIGJlIGEgbXVsdGlwbGUgb2YgNCwgYW5kIGF0PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYW5kIExlbmd0aCBmaWVsZHMuICBUaGUgTGVuZ3Ro
IE1VU1QgYWx3YXlzIGJlIGEgbXVsdGlwbGUgb2YgNCwgYW5kIGF0PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGxlYXN0IDggKHNtYWxsZXN0
IElQdjQgc3ViLW9iamVjdCkuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgbGVh
c3QgOCAoc21hbGxlc3QgSVB2NCBzdWItb2JqZWN0KS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIFN1Yi1UTFZzIGFyZSBvcmdhbml6ZWQgYXMgYSBsYXN0LWluLWZpcnN0LW91dCBzdGFj
ay4gIFRoZSBmaXJzdCAtb3V0PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgU3Vi
LVRMVnMgYXJlIG9yZ2FuaXplZCBhcyBhIGxhc3QtaW4tZmlyc3Qtb3V0IHN0YWNrLiAgVGhlIGZp
cnN0IC1vdXQ8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgc3ViLVRMViByZWxhdGl2ZSB0byB0aGUgYmVnaW5uaW5nIG9mIFJUTV9TRVQgVExW
IGlzIGNvbnNpZGVyZWQgdGhlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgc3Vi
LVRMViByZWxhdGl2ZSB0byB0aGUgYmVnaW5uaW5nIG9mIFJUTV9TRVQgVExWIGlzIGNvbnNpZGVy
ZWQgdGhlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIHRvcC4gIFRoZSBsYXN0LW91dCBzdWItVExWIGlzIGNvbnNpZGVyZWQgdGhlIGJvdHRv
bS4gIFdoZW4gYSBuZXcgc3ViLTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHRv
cC4gIFRoZSBsYXN0LW91dCBzdWItVExWIGlzIGNvbnNpZGVyZWQgdGhlIGJvdHRvbS4gIFdoZW4g
YSBuZXcgc3ViLTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBUTFYgaXMgYWRkZWQsIGl0IGlzIGFsd2F5cyBhZGRlZCB0byB0aGUgdG9wLiAg
T25seSBhIHNpbmdsZSBSVE1fU0VUPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
VExWIGlzIGFkZGVkLCBpdCBpcyBhbHdheXMgYWRkZWQgdG8gdGhlIHRvcC4gIE9ubHkgYSBzaW5n
bGUgUlRNX1NFVDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICBzdWItVExWIHdpdGggdGhlIGdpdmVuIFZhbHVlIGZpZWxkIE1VU1QgYmUgcHJl
c2VudCBpbiB0aGUgUlRNX1NFVDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHN1
Yi1UTFYgd2l0aCB0aGUgZ2l2ZW4gVmFsdWUgZmllbGQgTVVTVCBiZSBwcmVzZW50IGluIHRoZSBS
VE1fU0VUPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIFRMVi4gIElmIG1vcmUgdGhhbiBvbmUgc3ViLVRMViBpcyBmb3VuZCB0aGUgTFNQIHNl
dHVwIE1VU1QgZmFpbCB3aXRoPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgVExW
LiAgSWYgbW9yZSB0aGFuIG9uZSBzdWItVExWIGlzIGZvdW5kIHRoZSBMU1Agc2V0dXAgTVVTVCBm
YWlsIHdpdGg8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgdGhlIGdlbmVyYXRpb24gb2YgYSBSZXN2RXJyIG1lc3NhZ2Ugd2l0aCB0aGUgRXJy
b3IgQ29kZSAiRHVwbGljYXRlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdGhl
IGdlbmVyYXRpb24gb2YgYSBSZXN2RXJyIG1lc3NhZ2Ugd2l0aCB0aGUgRXJyb3IgQ29kZSAiRHVw
bGljYXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA0MSI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAg
c3ViLVRMViIgU2VjdGlvbiA8c3BhbiBjbGFzcz0iZGVsZXRlIj44PC9zcGFuPi44IGFuZCBFcnJv
ciBWYWx1ZSBjb250YWlucyAxNi1iaXQgdmFsdWUgY29tcG9zZWQ8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJibG9jayI+ICAgc3ViLVRMViIgU2VjdGlvbiA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij43
PC9zcGFuPi44IGFuZCBFcnJvciBWYWx1ZSBjb250YWlucyAxNi1iaXQgdmFsdWUgY29tcG9zZWQ8
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
b2YgKFR5cGUgb2YgVExWLCBUeXBlIG9mIHN1Yi1UTFYpLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgIG9mIChUeXBlIG9mIFRMViwgVHlwZSBvZiBzdWItVExWKS48L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFRocmVlIGtpbmRzIG9mIHN1Yi1UTFZzIGZvciBSVE1fU0VU
IGFyZSBjdXJyZW50bHkgZGVmaW5lZC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4g
ICBUaHJlZSBraW5kcyBvZiBzdWItVExWcyBmb3IgUlRNX1NFVCBhcmUgY3VycmVudGx5IGRlZmlu
ZWQuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij40LjcuMS4xLiAgSVB2NCBTdWItVExWPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+NC43LjEuMS4gIElQdjQgU3ViLVRMVjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+
PGEgbmFtZT0iZGlmZjAwNDIiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
PC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICAgMCAgICAgICAgICAgICAgICAgICAxICAgICAgICAgICAgICAgICAgIDIgICAgICAg
ICAgICAgICAgICAgMzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAwICAgICAg
ICAgICAgICAgICAgIDEgICAgICAgICAgICAgICAgICAgMiAgICAgICAgICAgICAgICAgICAzPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAw
IDEgMiAzIDQgNSA2IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxIDIgMyA0IDUgNiA3IDgg
OSAwIDE8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgMCAxIDIgMyA0IDUgNiA3
IDggOSAwIDEgMiAzIDQgNSA2IDcgOCA5IDAgMSAyIDMgNCA1IDYgNyA4IDkgMCAxPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICArLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSs8
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rPC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICB8ICAgIFR5cGUgICAg
IHwgICAgIExlbmd0aCAgICB8ICAgICAgICAgICBSZXNlcnZlZCAgICAgICAgICAgIHw8L3RkPjx0
ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgfCAgICBUeXBlICAgICB8ICAgICBMZW5ndGgg
ICAgfCAgICAgICAgICAgUmVzZXJ2ZWQgICAgICAgICAgICB8PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICArLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSs8L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICB8ICAgICAgICAgICAgICAgICAgICAgICBJ
UHY0IGFkZHJlc3MgICAgICAgICAgICAgICAgICAgICAgICAgIHw8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICAgfCAgICAgICAgICAgICAgICAgICAgICAgSVB2NCBhZGRyZXNzICAg
ICAgICAgICAgICAgICAgICAgICAgICB8PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICArLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSs8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9
InJpZ2h0Ij4gICAgKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0rLSstKy0r
LSstKy0rLSstKy0rLSstKy0rPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAg
ICAgICAgICAgICAgIEZpZ3VyZSA3OiBJUHY0IHN1Yi1UTFYgZm9ybWF0PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICAgICAgICAgICBGaWd1cmUgNzogSVB2NCBz
dWItVExWIGZvcm1hdDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjwvdHI+CiAgICAgIDx0ciBiZ2NvbG9y
PSJncmF5Ij48dGQ+PC90ZD48dGg+PGEgbmFtZT0icGFydC1sMTEiPjxzbWFsbD5za2lwcGluZyB0
byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAxNiwgbGluZSAxNzwvZW0+PC9hPjwvdGg+PHRo
PiA8L3RoPjx0aD48YSBuYW1lPSJwYXJ0LXIxMSI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBh
dDwvc21hbGw+PGVtPiBwYWdlIDE4LCBsaW5lIDUxPC9lbT48L2E+PC90aD48dGQ+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgQWZ0ZXIgaW5zdGFudGlhdGluZyBhbiBMU1AgZm9yIGEgcGF0aCB1c2luZyBS
U1ZQLVRFIFtSRkMzMjA5XSBhczwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEFm
dGVyIGluc3RhbnRpYXRpbmcgYW4gTFNQIGZvciBhIHBhdGggdXNpbmcgUlNWUC1URSBbUkZDMzIw
OV0gYXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+ICAgZGVzY3JpYmVkIGluIFNlY3Rpb24gNC42LCBpbmdyZXNzIG5vZGUgTUFZIGJlZ2luIHNl
bmRpbmcgUlRNIHBhY2tldHM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBkZXNj
cmliZWQgaW4gU2VjdGlvbiA0LjYsIGluZ3Jlc3Mgbm9kZSBNQVkgYmVnaW4gc2VuZGluZyBSVE0g
cGFja2V0czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICB0byB0aGUgZmlyc3QgZG93bnN0cmVhbSBSVE0gY2FwYWJsZSBub2RlIG9uIHRoYXQg
cGF0aC4gIEVhY2ggUlRNPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgdG8gdGhl
IGZpcnN0IGRvd25zdHJlYW0gUlRNIGNhcGFibGUgbm9kZSBvbiB0aGF0IHBhdGguICBFYWNoIFJU
TTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICBwYWNrZXQgaGFzIGl0cyBTY3JhdGNoIFBhZCBmaWVsZCBpbml0aWFsaXplZCBhbmQgaXRzIFRU
TCBzZXQgdG88L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwYWNrZXQgaGFzIGl0
cyBTY3JhdGNoIFBhZCBmaWVsZCBpbml0aWFsaXplZCBhbmQgaXRzIFRUTCBzZXQgdG88L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZXhwaXJl
IG9uIHRoZSBuZXh0IGRvd25zdHJlYW0gUlRNLWNhcGFibGUgbm9kZS4gIEVhY2ggUlRNLWNhcGFi
bGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBleHBpcmUgb24gdGhlIG5leHQg
ZG93bnN0cmVhbSBSVE0tY2FwYWJsZSBub2RlLiAgRWFjaCBSVE0tY2FwYWJsZTwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBub2RlIG9uIHRo
ZSBleHBsaWNpdCBwYXRoIHJlY2VpdmVzIGFuIFJUTSBwYWNrZXQgYW5kIHJlY29yZHMgdGhlIHRp
bWU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBub2RlIG9uIHRoZSBleHBsaWNp
dCBwYXRoIHJlY2VpdmVzIGFuIFJUTSBwYWNrZXQgYW5kIHJlY29yZHMgdGhlIHRpbWU8L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYXQgd2hp
Y2ggaXQgcmVjZWl2ZXMgdGhhdCBwYWNrZXQgYXQgaXRzIGluZ3Jlc3MgaW50ZXJmYWNlIGFzIHdl
bGwgYXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBhdCB3aGljaCBpdCByZWNl
aXZlcyB0aGF0IHBhY2tldCBhdCBpdHMgaW5ncmVzcyBpbnRlcmZhY2UgYXMgd2VsbCBhczwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICB0aGUg
dGltZSBhdCB3aGljaCBpdCB0cmFuc21pdHMgdGhhdCBwYWNrZXQgZnJvbSBpdHMgZWdyZXNzIGlu
dGVyZmFjZTs8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICB0aGUgdGltZSBhdCB3
aGljaCBpdCB0cmFuc21pdHMgdGhhdCBwYWNrZXQgZnJvbSBpdHMgZWdyZXNzIGludGVyZmFjZTs8
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAg
dGhpcyBzaG91bGQgYmUgZG9uZSBhcyBjbG9zZSB0byB0aGUgcGh5c2ljYWwgbGF5ZXIgYXMgcG9z
cz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBpbmNsdWRlIHRoZSBhc3NvY2lhdGVk
IFBUUCBwYWNrZXQgKGkuZS4gZm9sbG93LXVwIG1lc3NhZ2UgaW4gdGhlPC9zcGFuPjwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBkb3duc3Ry
ZWFtIGRpcmVjdGlvbiksIGlmIHRoZSBsb2NhbCBSVE0tY2FwYWJsZSBub2RlIGlzIGFsc288L3Nw
YW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUi
PiAgIG9wZXJhdGluZyBhcyBhIHR3by1zdGVwIGNsb2NrLiAgVGhpcyBSVE0gcGFja2V0IGNhcnJp
ZXMgdGhlIHJlbGF0ZWQ8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxz
cGFuIGNsYXNzPSJkZWxldGUiPiAgIGFjY3VtdWxhdGVkIHJlc2lkZW5jZSB0aW1lIGFuZCB0aGUg
YXBwcm9wcmlhdGUgdmFsdWVzIG9mIHRoZSBTZXF1ZW5jZTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgSWQgYW5kIFBvcnQgSWQg
KHRoZSBzYW1lIGlkZW50aWZpZXJzIGNhcnJpZWQgaW4gdGhlIHBhY2tldCBwcm9jZXNzZWQpPC9z
cGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRl
Ij4gICBhbmQgdGhlIFR3by1zdGVwIEZsYWcgc2V0IHRvIDEuPC9zcGFuPjwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj48L3NwYW4+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIE5vdGUgdGhh
dCB0aGUgZmFjdCB0aGF0IGFuIHVwc3RyZWFtIFJUTS1jYXBhYmxlIG5vZGUgb3BlcmF0aW5nIGlu
IHRoZTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9
ImRlbGV0ZSI+ICAgdHdvLXN0ZXAgbW9kZSBoYXMgY3JlYXRlZCBhIGZvbGxvdy11cCBtZXNzYWdl
IGRvZXMgbm90IHJlcXVpcmUgYW55PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJs
b2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJs
b2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBzdWJzZXF1ZW50IFJUTSBjYXBhYmxlIG5vZGUg
dG8gYWxzbyBvcGVyYXRlIGluIHRoZSAyLXN0ZXAgbW9kZSwgYXM8L3NwYW4+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIGxvbmcgYXMgdGhh
dCBSVE0tY2FwYWJsZSBub2RlIGZvcndhcmRzIHRoZSBmb2xsb3ctdXAgbWVzc2FnZSBvbiB0aGU8
L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxl
dGUiPiAgIHNhbWUgTFNQIG9uIHdoaWNoIGl0IGZvcndhcmRzIHRoZSBjb3JyZXNwb25kaW5nIHBy
ZXZpb3VzIG1lc3NhZ2UuPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48
c3BhbiBjbGFzcz0iZGVsZXRlIj48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxv
Y2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxv
Y2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIEEgb25lLXN0ZXAgY2FwYWJsZSBSVE0gbm9kZSBN
QVkgZWxlY3QgdG8gdXBkYXRlIHRoZSBSVE0gZm9sbG93LXVwPC9zcGFuPjwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBtZXNzYWdlIGFzIGlm
IGl0IHdlcmUgb3BlcmF0aW5nIGluIHR3by1zdGVwIG1vZGUsIGhvd2V2ZXIsIGl0IE1VU1Q8L3Nw
YW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUi
PiAgIE5PVCB1cGRhdGUgYm90aCBtZXNzYWdlcy48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgQSBQVFAgZXZlbnQgcGFj
a2V0IChzeW5jKSBpcyBjYXJyaWVkIGluIHRoZSBSVE0gcGFja2V0IGluIG9yZGVyIGZvcjwvc3Bh
bj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+
ICAgYW4gUlRNIG5vZGUgdG8gaWRlbnRpZnkgdGhhdCByZXNpZGVuY2UgdGltZSBtZWFzdXJlbWVu
dCBtdXN0IGJlPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBj
bGFzcz0iZGVsZXRlIj4gICBwZXJmb3JtZWQgb24gdGhhdCBzcGVjaWZpYyBwYWNrZXQuPC9zcGFu
PjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj48
L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxl
dGUiPiAgIFRvIGhhbmRsZSB0aGUgcmVzaWRlbmNlIHRpbWUgb2YgdGhlIERlbGF5IHJlcXVlc3Qg
bWVzc2FnZSBvbiB0aGU8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwv
dGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxz
cGFuIGNsYXNzPSJkZWxldGUiPiAgIHVwc3RyZWFtIGRpcmVjdGlvbiwgYW4gUlRNIHBhY2tldCBt
dXN0IGJlIGNyZWF0ZWQgdG8gY2FycnkgdGhlPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICByZXNpZGVuY2UgdGltZSBvbiB0aGUg
YXNzb2NpYXRlZCBkb3duc3RyZWFtIERlbGF5IFJlc3AgbWVzc2FnZS48L3NwYW4+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPjwvc3Bhbj48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgVGhl
IGxhc3QgUlRNIG5vZGUgb2YgdGhlIE1QTFMgbmV0d29yayBpbiBhZGRpdGlvbiB0byB1cGRhdGUg
dGhlPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0i
ZGVsZXRlIj4gICBjb3JyZWN0aW9uRmllbGQgb2YgdGhlIGFzc29jaWF0ZWQgUFRQIHBhY2tldCwg
bXVzdCBhbHNvIHByb3Blcmx5PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr
Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr
Ij48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBoYW5kbGUgdGhlIHR3by1zdGVwIGZsYWcgb2YgdGhl
IFBUUCBwYWNrZXRzLjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNw
YW4gY2xhc3M9ImRlbGV0ZSI+PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr
Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8
dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2Nr
Ij48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBCKSBXaGVuIHRoZSBQVFAgbmV0d29yayBjb25uZWN0
ZWQgdG8gdGhlIE1QTFMgYW5kIFJUTSBub2RlLCBvcGVyYXRlczwvc3Bhbj48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgaW4gb25lLXN0ZXAg
Y2xvY2sgbW9kZSwgdGhlIGFzc29jaWF0ZWQgUlRNIHBhY2tldCBtdXN0IGJlIGNyZWF0ZWQgYnk8
L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxl
dGUiPiAgIHRoZSBSVE0gbm9kZSBpdHNlbGYuICBUaGUgYXNzb2NpYXRlZCBSVE0gcGFja2V0IGlu
Y2x1ZGluZyB0aGUgUFRQPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48
L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48
c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBldmVudCBwYWNrZXQgbmVlZHMgbm93IHRvIGluZGljYXRl
IHRoYXQgYSBmb2xsb3cgdXAgbWVzc2FnZSB3aWxsIGJlPC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBjb21pbmcuPC9zcGFuPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj48L3Nw
YW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUi
PiAgIFRoZSBsYXN0IFJUTSBub2RlIG9mIHRoZSBMU1AsIGlmIGl0IHJlY2VpdmVzIGFuIFJUTSBt
ZXNzYWdlIHdpdGggYTwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNw
YW4gY2xhc3M9ImRlbGV0ZSI+ICAgUFRQIHBheWxvYWQgaW5kaWNhdGluZyBhIGZvbGxvdy11cCBt
ZXNzYWdlIHdpbGwgYmUgZm9ydGhjb21pbmcsIG11c3Q8L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
PjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRk
IGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIGdlbmVyYXRlIGEgZm9sbG93
LXVwIG1lc3NhZ2UgYW5kIHByb3Blcmx5IHNldCB0aGUgdHdvLXN0ZXAgZmxhZyBvZjwvc3Bhbj48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAg
dGhlIFBUUCBwYWNrZXRzLjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+
PHNwYW4gY2xhc3M9ImRlbGV0ZSI+PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJs
b2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJs
b2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj44Ljwvc3Bhbj4gIElBTkEgQ29uc2lkZXJhdGlvbnM8
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwNDgiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxz
cGFuIGNsYXNzPSJkZWxldGUiPjg8L3NwYW4+LjEuICBOZXcgUlRNIEctQUNoPC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPjc8L3NwYW4+LjEuICBO
ZXcgUlRNIEctQUNoPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJQU5BIGlzIHJlcXVl
c3RlZCB0byByZXNlcnZlIGEgbmV3IEctQUNoIGFzIGZvbGxvd3M6PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+ICAgSUFOQSBpcyByZXF1ZXN0ZWQgdG8gcmVzZXJ2ZSBhIG5ldyBHLUFD
aCBhcyBmb2xsb3dzOjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICstLS0t
LS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tKzwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICArLS0tLS0tLSstLS0tLS0tLS0tLS0t
LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLSs8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgIHwgVmFsdWUgfCAgICAgICAg
RGVzY3JpcHRpb24gICAgICAgICB8IFJlZmVyZW5jZSAgICAgfDwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPiAgICAgICAgICB8IFZhbHVlIHwgICAgICAgIERlc2NyaXB0aW9uICAgICAg
ICAgfCBSZWZlcmVuY2UgICAgIHw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICstLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tKzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgICAgICAgICArLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t
LS0tLS0tLSs8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgICAgICAgIHwgVEJBMSAgfCBSZXNpZGVuY2UgVGltZSBNZWFzdXJlbWVudCB8IFRo
aXMgZG9jdW1lbnQgfDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICB8
IFRCQTEgIHwgUmVzaWRlbmNlIFRpbWUgTWVhc3VyZW1lbnQgfCBUaGlzIGRvY3VtZW50IHw8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAg
ICAgICstLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0t
KzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICArLS0tLS0tLSstLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLSs8L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQg
Y2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgICAgIFRhYmxlIDE6IE5ldyBSZXNpZGVuY2UgVGlt
ZSBNZWFzdXJlbWVudDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAg
ICAgICAgIFRhYmxlIDE6IE5ldyBSZXNpZGVuY2UgVGltZSBNZWFzdXJlbWVudDwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDQ5Ij48L2E+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj44PC9zcGFuPi4yLiAgTmV3IFJUTSBUTFYg
UmVnaXN0cnk8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imlu
c2VydCI+Nzwvc3Bhbj4uMi4gIE5ldyBSVE0gVExWIFJlZ2lzdHJ5PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICBJQU5BIGlzIHJlcXVlc3RlZCB0byBjcmVhdGUgc3ViLXJlZ2lzdHJ5IGlu
IEdlbmVyaWMgQXNzb2NpYXRlZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIElB
TkEgaXMgcmVxdWVzdGVkIHRvIGNyZWF0ZSBzdWItcmVnaXN0cnkgaW4gR2VuZXJpYyBBc3NvY2lh
dGVkPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIENoYW5uZWwgKEctQUNoKSBQYXJhbWV0ZXJzIFJlZ2lzdHJ5IGNhbGxlZCAiTVBMUyBSVE0g
VExWIFJlZ2lzdHJ5Ii48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBDaGFubmVs
IChHLUFDaCkgUGFyYW1ldGVycyBSZWdpc3RyeSBjYWxsZWQgIk1QTFMgUlRNIFRMViBSZWdpc3Ry
eSIuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIEFsbCBjb2RlIHBvaW50cyBpbiB0aGUgcmFuZ2UgMCB0aHJvdWdoIDEyNyBpbiB0aGlzIHJl
Z2lzdHJ5IHNoYWxsIGJlPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgQWxsIGNv
ZGUgcG9pbnRzIGluIHRoZSByYW5nZSAwIHRocm91Z2ggMTI3IGluIHRoaXMgcmVnaXN0cnkgc2hh
bGwgYmU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAg
ICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVm
dCI+ICAgYWxsb2NhdGVkIGFjY29yZGluZyB0byB0aGUgIklFVEYgUmV2aWV3IiBwcm9jZWR1cmUg
YXMgc3BlY2lmaWVkIGluPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgYWxsb2Nh
dGVkIGFjY29yZGluZyB0byB0aGUgIklFVEYgUmV2aWV3IiBwcm9jZWR1cmUgYXMgc3BlY2lmaWVk
IGluPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIFtSRkM1MjI2XSAuIENvZGUgcG9pbnRzIGluIHRoZSByYW5nZSAxMjggdGhyb3VnaCAxOTEg
aW4gdGhpcyByZWdpc3RyeTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtSRkM1
MjI2XSAuIENvZGUgcG9pbnRzIGluIHRoZSByYW5nZSAxMjggdGhyb3VnaCAxOTEgaW4gdGhpcyBy
ZWdpc3RyeTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij4gICBzaGFsbCBiZSBhbGxvY2F0ZWQgYWNjb3JkaW5nIHRvIHRoZSAiRmlyc3QgQ29tZSBG
aXJzdCBTZXJ2ZWQiPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgc2hhbGwgYmUg
YWxsb2NhdGVkIGFjY29yZGluZyB0byB0aGUgIkZpcnN0IENvbWUgRmlyc3QgU2VydmVkIjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBwcm9j
ZWR1cmUgYXMgc3BlY2lmaWVkIGluIFtSRkM1MjI2XS4gIFRoaXMgZG9jdW1lbnQgZGVmaW5lcyB0
aGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBwcm9jZWR1cmUgYXMgc3BlY2lm
aWVkIGluIFtSRkM1MjI2XS4gIFRoaXMgZG9jdW1lbnQgZGVmaW5lcyB0aGU8L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgZm9sbG93aW5nIG5l
dyB2YWx1ZXMgUlRNIFRMViB0eXBlIHM6PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+
ICAgZm9sbG93aW5nIG5ldyB2YWx1ZXMgUlRNIFRMViB0eXBlIHM6PC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBj
bGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iPjwv
dGQ+PC90cj4KICAgICAgPHRyIGJnY29sb3I9ImdyYXkiPjx0ZD48L3RkPjx0aD48YSBuYW1lPSJw
YXJ0LWwxMiI+PHNtYWxsPnNraXBwaW5nIHRvIGNoYW5nZSBhdDwvc21hbGw+PGVtPiBwYWdlIDIw
LCBsaW5lIDIyPC9lbT48L2E+PC90aD48dGg+IDwvdGg+PHRoPjxhIG5hbWU9InBhcnQtcjEyIj48
c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2UgMjAsIGxpbmUgNDE8
L2VtPjwvYT48L3RoPjx0ZD48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgfCA0ICAgICAgICAgfCAg
IFBUUHYyLCBJUHY2IEVuY2Fwc3VsYXRpb24gICB8IFRoaXMgZG9jdW1lbnQgfDwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICB8IDQgICAgICAgICB8ICAgUFRQdjIsIElQdjYg
RW5jYXBzdWxhdGlvbiAgIHwgVGhpcyBkb2N1bWVudCB8PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICB8IDUgICAgICAgICB8ICAgICAg
ICAgICAgICBOVFAgICAgICAgICAgICAgIHwgVGhpcyBkb2N1bWVudCB8PC90ZD48dGQ+IDwvdGQ+
PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgIHwgNSAgICAgICAgIHwgICAgICAgICAgICAgIE5UUCAg
ICAgICAgICAgICAgfCBUaGlzIGRvY3VtZW50IHw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgIHwgNi0xMjcgICAgIHwgICAgICAgICAg
IFVuYXNzaWduZWQgICAgICAgICAgfCAgICAgICAgICAgICAgIHw8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICAgICAgfCA2LTEyNyAgICAgfCAgICAgICAgICAgVW5hc3NpZ25lZCAg
ICAgICAgICB8ICAgICAgICAgICAgICAgfDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgfCAxMjggLSAxOTEgfCAgICAgICAgICAgVW5h
c3NpZ25lZCAgICAgICAgICB8ICAgICAgICAgICAgICAgfDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmlnaHQiPiAgICAgICB8IDEyOCAtIDE5MSB8ICAgICAgICAgICBVbmFzc2lnbmVkICAgICAg
ICAgIHwgICAgICAgICAgICAgICB8PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICB8IDE5MiAtIDI1NCB8ICAgICAgICAgIFByaXZhdGUg
VXNlICAgICAgICAgIHwgVGhpcyBkb2N1bWVudCB8PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgICAgIHwgMTkyIC0gMjU0IHwgICAgICAgICAgUHJpdmF0ZSBVc2UgICAgICAgICAg
fCBUaGlzIGRvY3VtZW50IHw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgICAgIHwgMjU1ICAgICAgIHwgICAgICAgICAgICBSZXNlcnZlZCAg
ICAgICAgICAgfCBUaGlzIGRvY3VtZW50IHw8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0
Ij4gICAgICAgfCAyNTUgICAgICAgfCAgICAgICAgICAgIFJlc2VydmVkICAgICAgICAgICB8IFRo
aXMgZG9jdW1lbnQgfDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsZWZ0Ij4gICAgICAgKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tLS0rLS0tLS0tLS0tLS0tLS0tKzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAg
ICAgICArLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0t
LS0tLS0tLS0rPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9
ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgICAgICAg
ICAgICAgICBUYWJsZSAyOiBSVE0gVExWIFR5cGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJp
Z2h0Ij4gICAgICAgICAgICAgICAgICAgICAgICAgICBUYWJsZSAyOiBSVE0gVExWIFR5cGU8L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA1MCI+PC9hPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ODwvc3Bhbj4uMy4gIE5ldyBS
VE0gU3ViLVRMViBSZWdpc3RyeTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3Bh
biBjbGFzcz0iaW5zZXJ0Ij43PC9zcGFuPi4zLiAgTmV3IFJUTSBTdWItVExWIFJlZ2lzdHJ5PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBJQU5BIGlzIHJlcXVlc3RlZCB0byBjcmVhdGUg
c3ViLXJlZ2lzdHJ5IGluIE1QTFMgUlRNIFRMViBSZWdpc3RyeSw8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBJQU5BIGlzIHJlcXVlc3RlZCB0byBjcmVhdGUgc3ViLXJlZ2lzdHJ5
IGluIE1QTFMgUlRNIFRMViBSZWdpc3RyeSw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDUxIj48L2E+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGJsb2NrIj4gICByZXF1ZXN0ZWQgaW4gU2VjdGlvbiA8c3BhbiBjbGFzcz0iZGVs
ZXRlIj44PC9zcGFuPi4yLCBjYWxsZWQgIk1QTFMgUlRNIFN1Yi1UTFYgUmVnaXN0cnkiLiAgQWxs
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIHJlcXVlc3RlZCBpbiBTZWN0aW9u
IDxzcGFuIGNsYXNzPSJpbnNlcnQiPjc8L3NwYW4+LjIsIGNhbGxlZCAiTVBMUyBSVE0gU3ViLVRM
ViBSZWdpc3RyeSIuICBBbGw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0
ZCBjbGFzcz0ibGVmdCI+ICAgY29kZSBwb2ludHMgaW4gdGhlIHJhbmdlIDAgdGhyb3VnaCAxMjcg
aW4gdGhpcyByZWdpc3RyeSBzaGFsbCBiZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQi
PiAgIGNvZGUgcG9pbnRzIGluIHRoZSByYW5nZSAwIHRocm91Z2ggMTI3IGluIHRoaXMgcmVnaXN0
cnkgc2hhbGwgYmU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgYWxsb2NhdGVkIGFjY29yZGluZyB0byB0aGUgIklFVEYgUmV2aWV3IiBwcm9j
ZWR1cmUgYXMgc3BlY2lmaWVkIGluPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAg
YWxsb2NhdGVkIGFjY29yZGluZyB0byB0aGUgIklFVEYgUmV2aWV3IiBwcm9jZWR1cmUgYXMgc3Bl
Y2lmaWVkIGluPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4K
ICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA1MiI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+
ICAgW1JGQzUyMjZdPHNwYW4gY2xhc3M9ImRlbGV0ZSI+IC48L3NwYW4+IENvZGUgcG9pbnRzIGlu
IHRoZSByYW5nZSAxMjggdGhyb3VnaCAxOTEgaW4gdGhpcyByZWdpc3RyeTwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj4gICBbUkZDNTIyNl08c3BhbiBjbGFzcz0iaW5zZXJ0Ij4uIDwv
c3Bhbj4gQ29kZSBwb2ludHMgaW4gdGhlIHJhbmdlIDEyOCB0aHJvdWdoIDE5MSBpbiB0aGlzIHJl
Z2lzdHJ5PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxl
ZnQiPiAgIHNoYWxsIGJlIGFsbG9jYXRlZCBhY2NvcmRpbmcgdG8gdGhlICJGaXJzdCBDb21lIEZp
cnN0IFNlcnZlZCI8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBzaGFsbCBiZSBh
bGxvY2F0ZWQgYWNjb3JkaW5nIHRvIHRoZSAiRmlyc3QgQ29tZSBGaXJzdCBTZXJ2ZWQiPC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZD48
YSBuYW1lPSJkaWZmMDA1MyI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgcHJvY2VkdXJlIGFz
IHNwZWNpZmllZCBpbiBbUkZDNTIyNl0uICA8c3BhbiBjbGFzcz0iZGVsZXRlIj4uICA8L3NwYW4+
VGhpcyBkb2N1bWVudCBkZWZpbmVzIHRoZTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2Nr
Ij4gICBwcm9jZWR1cmUgYXMgc3BlY2lmaWVkIGluIFtSRkM1MjI2XS4gIFRoaXMgZG9jdW1lbnQg
ZGVmaW5lcyB0aGU8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgZm9sbG93aW5nIG5ldyB2YWx1ZXMgUlRNIHN1Yi1UTFYgdHlwZXM6PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZm9sbG93aW5nIG5ldyB2YWx1ZXMgUlRNIHN1
Yi1UTFYgdHlwZXM6PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBpcyBhIHByZXN1
bWVkIHRydXN0IG1vZGVsIHRoYXQgZGVwZW5kcyBvbiB0aGUgZXhpc3RlbmNlIG9mIGEgdHJ1c3Rl
ZDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGlzIGEgcHJlc3VtZWQgdHJ1c3Qg
bW9kZWwgdGhhdCBkZXBlbmRzIG9uIHRoZSBleGlzdGVuY2Ugb2YgYSB0cnVzdGVkPC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIHJlbGF0aW9u
c2hpcCBvZiBhdCBsZWFzdCBhbGwgUFRQLWF3YXJlIG5vZGVzIG9uIHRoZSBwYXRoIHRyYXZlcnNl
ZCBieTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIHJlbGF0aW9uc2hpcCBvZiBh
dCBsZWFzdCBhbGwgUFRQLWF3YXJlIG5vZGVzIG9uIHRoZSBwYXRoIHRyYXZlcnNlZCBieTwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBQVFAg
bWVzc2FnZXMuICBUaGlzIGlzIG5lY2Vzc2FyeSBhcyB0aGVzZSBub2RlcyBhcmUgZXhwZWN0ZWQg
dG88L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBQVFAgbWVzc2FnZXMuICBUaGlz
IGlzIG5lY2Vzc2FyeSBhcyB0aGVzZSBub2RlcyBhcmUgZXhwZWN0ZWQgdG88L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgY29ycmVjdGx5IG1v
ZGlmeSBzcGVjaWZpYyBjb250ZW50IG9mIHRoZSBkYXRhIGluIFBUUCBtZXNzYWdlcyBhbmQ8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBjb3JyZWN0bHkgbW9kaWZ5IHNwZWNpZmlj
IGNvbnRlbnQgb2YgdGhlIGRhdGEgaW4gUFRQIG1lc3NhZ2VzIGFuZDwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlm
ZjAwNjIiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPiAgIHByb3BlciBvcGVyYXRpb24gb2YgdGhl
IHByb3RvY29sIGRlcGVuZHMgb24gdGhpcyBhYmlsaXR5LjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFz
cz0icmJsb2NrIj4gICBwcm9wZXIgb3BlcmF0aW9uIG9mIHRoZSBwcm90b2NvbCBkZXBlbmRzIG9u
IHRoaXMgYWJpbGl0eS4gIDxzcGFuIGNsYXNzPSJpbnNlcnQiPlRoYXQ8L3NwYW4+PC90ZD48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+
IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPjxzcGFuIGNsYXNzPSJpbnNlcnQiPiAgIGxpa2VseSB0
byByZXF1aXJlIHNvbWUgY29tcGxleCBjcnlwdG8gc2NoZW1lcyB0aGF0IGludm9sdmUgZ2l2aW5n
IGtleTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9
Imluc2VydCI+ICAgbWF0ZXJpYWwgdG8gaW50ZXJtZWRpYXRlIFJUTS9QVFAtY2FwYWJsZSBub2Rl
cyB0aGF0IGNhbiBsZXQgdGhlbSBtYWtlPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0i
cmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICBhdXRoZW50aWNhdGVkIChidXQgZGV0ZWN0
YWJsZSkgbW9kaWZpY2F0aW9ucyB0byB0aGUgYWRkaXRpb25hbDwvc3Bhbj48L3RkPjx0ZCBjbGFz
cz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90
ZD48dGQgY2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgaW5mb3JtYXRpb24g
aW4gUlRNIG1lc3NhZ2VzLjwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZD48YSBuYW1lPSJkaWZmMDA2MyI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgPHNwYW4gY2xh
c3M9ImRlbGV0ZSI+QXMgYSByZXN1bHQsIHRoZSBjb250ZW50IG9mIHRoZSBQVFAtcmVsYXRlZCBk
YXRhIGluPC9zcGFuPiBSVE0gPHNwYW4gY2xhc3M9ImRlbGV0ZSI+bWVzc2FnZXMgdGhhdDwvc3Bh
bj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgPHNwYW4gY2xhc3M9Imluc2Vy
dCI+VGhlIGFiaWxpdHkgZm9yIHBvdGVudGlhbGx5IGF1dGhlbnRpY2F0aW5nIGFuZC9vciBlbmNy
eXB0aW5nPC9zcGFuPiBSVE0gYW5kPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxibG9jayI+PHNwYW4gY2xhc3M9ImRlbGV0ZSI+ICAgd2lsbCBiZSBtb2Rp
ZmllZCBieSBpbnRlcm1lZGlhdGUgbm9kZXMgY2Fubm90IGJlIGF1dGhlbnRpY2F0ZWQsPC9zcGFu
PiBhbmQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+ICAgUFRQIDxzcGFuIGNsYXNz
PSJpbnNlcnQiPmRhdGEgZm9yIHNjZW5hcmlvcyBib3RoIHdpdGg8L3NwYW4+IGFuZCA8c3BhbiBj
bGFzcz0iaW5zZXJ0Ij53aXRob3V0IHBhcnRpY2lwYXRpb24gb2Y8L3NwYW4+PC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+ICAgPHNwYW4gY2xh
c3M9ImRlbGV0ZSI+dGhlIGFkZGl0aW9uYWwgaW5mb3JtYXRpb24gdGhhdCBtdXN0IGJlIGFjY2Vz
c2libGUgZm9yIHByb3Blcjwvc3Bhbj48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9jayI+
ICAgaW50ZXJtZWRpYXRlIDxzcGFuIGNsYXNzPSJpbnNlcnQiPlJUTS9QVFAtY2FwYWJsZTwvc3Bh
bj4gbm9kZXMgPHNwYW4gY2xhc3M9Imluc2VydCI+aXMgZm9yIGZ1cnRoZXIgc3R1ZHkuPC9zcGFu
PjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2si
PjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIG9wZXJhdGlvbiBvZjwvc3Bhbj4gUFRQIDxzcGFuIGNs
YXNzPSJkZWxldGUiPjEtc3RlcDwvc3Bhbj4gYW5kIDxzcGFuIGNsYXNzPSJkZWxldGUiPjItc3Rl
cCBtb2RlcyBNVVNUIGJlIGFjY2Vzc2libGUgdG88L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwv
dHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNs
YXNzPSJsYmxvY2siPiAgIGludGVybWVkaWF0ZSBub2RlcyA8c3BhbiBjbGFzcz0iZGVsZXRlIj4o
aS5lLiAtIE1VU1QgTk9UIGJlIGVuY3J5cHRlZCBpbiBhIG1hbm5lciB0aGF0PC9zcGFuPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0i
dG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVsZXRlIj4gICBtYWtl
cyB0aGlzIGRhdGEgaW5hY2Nlc3NpYmxlKS48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgV2hpbGUgaXQgaXMgcG9z
c2libGUgZm9yIGEgc3VwcG9zZWQgY29tcHJvbWlzZWQgbm9kZSB0byBpbnRlcmNlcHQgYW5kPC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgV2hpbGUgaXQgaXMgcG9zc2libGUgZm9y
IGEgc3VwcG9zZWQgY29tcHJvbWlzZWQgbm9kZSB0byBpbnRlcmNlcHQgYW5kPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIG1vZGlmeSB0aGUg
Ry1BQ2ggY29udGVudCwgdGhpcyBpcyBhbiBpc3N1ZSB0aGF0IGV4aXN0cyBmb3Igbm9kZXMgaW48
L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBtb2RpZnkgdGhlIEctQUNoIGNvbnRl
bnQsIHRoaXMgaXMgYW4gaXNzdWUgdGhhdCBleGlzdHMgZm9yIG5vZGVzIGluPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIGdlbmVyYWwgLSBm
b3IgYW55IGFuZCBhbGwgZGF0YSB0aGF0IG1heSBiZSBjYXJyaWVkIG92ZXIgYW4gTFNQIC0gYW5k
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgZ2VuZXJhbCAtIGZvciBhbnkgYW5k
IGFsbCBkYXRhIHRoYXQgbWF5IGJlIGNhcnJpZWQgb3ZlciBhbiBMU1AgLSBhbmQ8L3RkPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgaXMgdGhlcmVm
b3JlIHRoZSBiYXNpcyBmb3IgYW4gYWRkaXRpb25hbCBwcmVzdW1lZCB0cnVzdCBtb2RlbDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGlzIHRoZXJlZm9yZSB0aGUgYmFzaXMgZm9y
IGFuIGFkZGl0aW9uYWwgcHJlc3VtZWQgdHJ1c3QgbW9kZWw8L3RkPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgYXNzb2NpYXRlZCB3aXRoIGV4aXN0
aW5nIExTUHMgYW5kIG5vZGVzLjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIGFz
c29jaWF0ZWQgd2l0aCBleGlzdGluZyBMU1BzIGFuZCBub2Rlcy48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA2NCI+PC9hPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9j
ayI+ICAgPHNwYW4gY2xhc3M9ImRlbGV0ZSI+VGhlIGFiaWxpdHkgZm9yIHBvdGVudGlhbGx5IGF1
dGhlbnRpY2F0aW5nIGFuZC9vciBlbmNyeXB0aW5nIFJUTSBhbmQ8L3NwYW4+PC90ZD48dGQ+IDwv
dGQ+PHRkIGNsYXNzPSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPiAgIFBUUCBkYXRhIHRo
YXQgaXMgbm90IG5lZWRlZCBieSBpbnRlcm1lZGlhdGUgUlRNL1BUUC1jYXBhYmxlIG5vZGVzIGlz
PC9zcGFuPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48c3BhbiBjbGFzcz0iZGVs
ZXRlIj4gICBmb3IgZnVydGhlciBzdHVkeS48L3NwYW4+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyYmxvY2siPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsYmxvY2siPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJibG9j
ayI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAg
PHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQi
PiAgIFNlY3VyaXR5IHJlcXVpcmVtZW50cyBvZiB0aW1lIHByb3RvY29scyBhcmUgcHJvdmlkZWQg
aW4gUkZDIDczODQ8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBTZWN1cml0eSBy
ZXF1aXJlbWVudHMgb2YgdGltZSBwcm90b2NvbHMgYXJlIHByb3ZpZGVkIGluIFJGQyA3Mzg0PC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtS
RkM3Mzg0XS48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNzM4NF0uPC90
ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0iZGlmZjAwNjUiPjwvYT48
L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsYmxvY2siPjxzcGFuIGNsYXNzPSJkZWxldGUiPjEwPC9zcGFuPi4gIEFja25v
d2xlZGdtZW50czwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0i
aW5zZXJ0Ij45PC9zcGFuPi4gIEFja25vd2xlZGdtZW50czwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9
InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0i
bGVmdCI+ICAgQXV0aG9ycyB3YW50IHRvIHRoYW5rIExvYSBBbmRlcnNzb24sIExvdSBCZXJnZXIg
YW5kIEFjZWUgTGluZGVtIGZvcjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIEF1
dGhvcnMgd2FudCB0byB0aGFuayBMb2EgQW5kZXJzc29uLCBMb3UgQmVyZ2VyIGFuZCBBY2VlIExp
bmRlbSBmb3I8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgog
ICAgICA8dHI+PHRkPjxhIG5hbWU9ImRpZmYwMDY2Ij48L2E+PC90ZD48L3RyPgogICAgICA8dHI+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj4g
ICB0aGVpciB0aG9yb3VnaCByZXZpZXdzLCB0aG91Z2h0ZnVsIGNvbW1lbnRzIGFuZCwgbW9zdCA8
c3BhbiBjbGFzcz0iZGVsZXRlIj5vZiw8L3NwYW4+IHBhdGllbmNlLjwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmJsb2NrIj4gICB0aGVpciB0aG9yb3VnaCByZXZpZXdzLCB0aG91Z2h0ZnVsIGNv
bW1lbnRzIGFuZCwgbW9zdCA8c3BhbiBjbGFzcz0iaW5zZXJ0Ij5vZiBhbGwsPC9zcGFuPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQg
Y2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4gICBwYXRpZW5jZS48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA2NyI+PC9hPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9Imxi
bG9jayI+MTxzcGFuIGNsYXNzPSJkZWxldGUiPjE8L3NwYW4+LiAgUmVmZXJlbmNlczwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj4xPHNwYW4gY2xhc3M9Imluc2VydCI+MDwvc3Bhbj4u
ICBSZWZlcmVuY2VzPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90
cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xh
c3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNz
PSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+PGEgbmFtZT0i
ZGlmZjAwNjgiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjE8c3BhbiBjbGFzcz0iZGVsZXRlIj4x
PC9zcGFuPi4xLiAgTm9ybWF0aXZlIFJlZmVyZW5jZXM8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9
InJibG9jayI+MTxzcGFuIGNsYXNzPSJpbnNlcnQiPjA8L3NwYW4+LjEuICBOb3JtYXRpdmUgUmVm
ZXJlbmNlczwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAg
ICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJs
ZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW0lFRUUuMTU4OC4yMDA4XTwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtJRUVFLjE1ODguMjAwOF08L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAg
ICAgICAiU3RhbmRhcmQgZm9yIGEgUHJlY2lzaW9uIENsb2NrIFN5bmNocm9uaXphdGlvbiBQcm90
b2NvbDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgIlN0YW5k
YXJkIGZvciBhIFByZWNpc2lvbiBDbG9jayBTeW5jaHJvbml6YXRpb24gUHJvdG9jb2w8L3RkPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAg
ICAgICBmb3IgTmV0d29ya2VkIE1lYXN1cmVtZW50IGFuZCBDb250cm9sIFN5c3RlbXMiLDwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgZm9yIE5ldHdvcmtlZCBN
ZWFzdXJlbWVudCBhbmQgQ29udHJvbCBTeXN0ZW1zIiw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBJRUVFIFN0YW5kYXJk
IDE1ODgsIEp1bHkgMjAwOC48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAg
ICAgICAgIElFRUUgU3RhbmRhcmQgMTU4OCwgSnVseSAyMDA4LjwvdGQ+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3Ry
PgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFz
cz0ibGVmdCI+ICAgW1JGQzIxMTldICBCcmFkbmVyLCBTLiwgIktleSB3b3JkcyBmb3IgdXNlIGlu
IFJGQ3MgdG8gSW5kaWNhdGU8L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZD
MjExOV0gIEJyYWRuZXIsIFMuLCAiS2V5IHdvcmRzIGZvciB1c2UgaW4gUkZDcyB0byBJbmRpY2F0
ZTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICAgICAgICAgICAgIFJlcXVpcmVtZW50IExldmVscyIsIEJDUCAxNCwgUkZDIDIxMTksPC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAgICAgICAgICBSZXF1aXJlbWVudCBMZXZl
bHMiLCBCQ1AgMTQsIFJGQyAyMTE5LDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgIERPSSAxMC4xNzQ4Ny9SRkMyMTE5LCBN
YXJjaCAxOTk3LDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAg
RE9JIDEwLjE3NDg3L1JGQzIxMTksIE1hcmNoIDE5OTcsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgJmx0O2h0dHA6Ly93
d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmMyMTE5Jmd0Oy48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJpZ2h0Ij4gICAgICAgICAgICAgICZsdDtodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL2lu
Zm8vcmZjMjExOSZndDsuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+
PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyI+
PC90ZD48L3RyPgogICAgICA8dHIgYmdjb2xvcj0iZ3JheSI+PHRkPjwvdGQ+PHRoPjxhIG5hbWU9
InBhcnQtbDE1Ij48c21hbGw+c2tpcHBpbmcgdG8gY2hhbmdlIGF0PC9zbWFsbD48ZW0+IHBhZ2Ug
MjUsIGxpbmUgMTU8L2VtPjwvYT48L3RoPjx0aD4gPC90aD48dGg+PGEgbmFtZT0icGFydC1yMTUi
PjxzbWFsbD5za2lwcGluZyB0byBjaGFuZ2UgYXQ8L3NtYWxsPjxlbT4gcGFnZSAyNSwgbGluZSAz
NzwvZW0+PC9hPjwvdGg+PHRkPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtSRkM2ODIzXSAgR2luc2Jl
cmcsIEwuLCBQcmV2aWRpLCBTLiwgYW5kIE0uIFNoYW5kLCAiQWR2ZXJ0aXNpbmc8L3RkPjx0ZD4g
PC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICBbUkZDNjgyM10gIEdpbnNiZXJnLCBMLiwgUHJldmlk
aSwgUy4sIGFuZCBNLiBTaGFuZCwgIkFkdmVydGlzaW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgR2VuZXJpYyBJbmZv
cm1hdGlvbiBpbiBJUy1JUyIsIFJGQyA2ODIzLDwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgICAgICAgICAgICAgR2VuZXJpYyBJbmZvcm1hdGlvbiBpbiBJUy1JUyIsIFJGQyA2ODIz
LDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0
cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4g
ICAgICAgICAgICAgIERPSSAxMC4xNzQ4Ny9SRkM2ODIzLCBEZWNlbWJlciAyMDEyLDwvdGQ+PHRk
PiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgRE9JIDEwLjE3NDg3L1JGQzY4
MjMsIERlY2VtYmVyIDIwMTIsPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwv
dGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48
dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgJmx0O2h0dHA6Ly93d3cucmZjLWVkaXRvci5v
cmcvaW5mby9yZmM2ODIzJmd0Oy48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAg
ICAgICAgICAgICZsdDtodHRwOi8vd3d3LnJmYy1lZGl0b3Iub3JnL2luZm8vcmZjNjgyMyZndDsu
PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRy
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPjwv
dGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZh
bGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICBbUkZDNzY4NF0gIFBzZW5haywgUC4sIEdy
ZWRsZXIsIEguLCBTaGFraXIsIFIuLCBIZW5kZXJpY2t4LCBXLiw8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICBbUkZDNzY4NF0gIFBzZW5haywgUC4sIEdyZWRsZXIsIEguLCBTaGFr
aXIsIFIuLCBIZW5kZXJpY2t4LCBXLiw8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBUYW50c3VyYSwgSi4sIGFuZCBBLiBM
aW5kZW0sICJPU1BGdjIgUHJlZml4L0xpbmsgQXR0cmlidXRlPC90ZD48dGQ+IDwvdGQ+PHRkIGNs
YXNzPSJyaWdodCI+ICAgICAgICAgICAgICBUYW50c3VyYSwgSi4sIGFuZCBBLiBMaW5kZW0sICJP
U1BGdjIgUHJlZml4L0xpbmsgQXR0cmlidXRlPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgQWR2ZXJ0aXNlbWVudCIsIFJG
QyA3Njg0LCBET0kgMTAuMTc0ODcvUkZDNzY4NCwgTm92ZW1iZXI8L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIEFkdmVydGlzZW1lbnQiLCBSRkMgNzY4NCwgRE9J
IDEwLjE3NDg3L1JGQzc2ODQsIE5vdmVtYmVyPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgMjAxNSwgJmx0O2h0dHA6Ly93
d3cucmZjLWVkaXRvci5vcmcvaW5mby9yZmM3Njg0Jmd0Oy48L3RkPjx0ZD4gPC90ZD48dGQgY2xh
c3M9InJpZ2h0Ij4gICAgICAgICAgICAgIDIwMTUsICZsdDtodHRwOi8vd3d3LnJmYy1lZGl0b3Iu
b3JnL2luZm8vcmZjNzY4NCZndDsuPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3Ai
PjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90
ZD48dGQgY2xhc3M9ImxlZnQiPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPjwvdGQ+
PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQ+
PGEgbmFtZT0iZGlmZjAwNjkiPjwvYT48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjE8c3BhbiBjbGFzcz0i
ZGVsZXRlIj4xPC9zcGFuPi4yLiAgSW5mb3JtYXRpdmUgUmVmZXJlbmNlczwvdGQ+PHRkPiA8L3Rk
Pjx0ZCBjbGFzcz0icmJsb2NrIj4xPHNwYW4gY2xhc3M9Imluc2VydCI+MDwvc3Bhbj4uMi4gIElu
Zm9ybWF0aXZlIFJlZmVyZW5jZXM8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+
PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3Rk
Pjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48
dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBj
bGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtJLUQu
aWV0Zi1vc3BmLW9zcGZ2My1sc2EtZXh0ZW5kXTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmln
aHQiPiAgIFtJLUQuaWV0Zi1vc3BmLW9zcGZ2My1sc2EtZXh0ZW5kXTwvdGQ+PHRkIGNsYXNzPSJs
aW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVu
byIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgIExpbmRl
bSwgQS4sIE1pcnRvcmFiaSwgUy4sIFJveSwgQS4sIGFuZCBGLiBCYWtlciwgIk9TUEZ2MzwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgTGluZGVtLCBBLiwgTWly
dG9yYWJpLCBTLiwgUm95LCBBLiwgYW5kIEYuIEJha2VyLCAiT1NQRnYzPC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgTFNB
IEV4dGVuZGliaWxpdHkiLCBkcmFmdC1pZXRmLW9zcGYtb3NwZnYzLWxzYS1leHRlbmQtMTM8L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIExTQSBFeHRlbmRpYmls
aXR5IiwgZHJhZnQtaWV0Zi1vc3BmLW9zcGZ2My1sc2EtZXh0ZW5kLTEzPC90ZD48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgKHdv
cmsgaW4gcHJvZ3Jlc3MpLCBPY3RvYmVyIDIwMTYuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgICAgICAgICAgICAod29yayBpbiBwcm9ncmVzcyksIE9jdG9iZXIgMjAxNi48L3Rk
Pjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRk
IGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48
dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWdu
PSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRv
cCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgIFtJLUQuaWV0Zi10aWN0b2MtMTU4OG92ZXJtcGxz
XTwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtJLUQuaWV0Zi10aWN0b2MtMTU4
OG92ZXJtcGxzXTwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij4gICAgICAgICAgICAgIERhdmFyaSwgUy4sIE9yZW4sIEEuLCBCaGF0aWEsIE0uLCBS
b2JlcnRzLCBQLiwgYW5kIEwuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAg
ICAgICAgICBEYXZhcmksIFMuLCBPcmVuLCBBLiwgQmhhdGlhLCBNLiwgUm9iZXJ0cywgUC4sIGFu
ZCBMLjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAg
IDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0
Ij4gICAgICAgICAgICAgIE1vbnRpbmksICJUcmFuc3BvcnRpbmcgVGltaW5nIG1lc3NhZ2VzIG92
ZXIgTVBMUzwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgTW9u
dGluaSwgIlRyYW5zcG9ydGluZyBUaW1pbmcgbWVzc2FnZXMgb3ZlciBNUExTPC90ZD48dGQgY2xh
c3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAg
TmV0d29ya3MiLCBkcmFmdC1pZXRmLXRpY3RvYy0xNTg4b3Zlcm1wbHMtMDcgKHdvcmsgaW48L3Rk
Pjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIE5ldHdvcmtzIiwgZHJh
ZnQtaWV0Zi10aWN0b2MtMTU4OG92ZXJtcGxzLTA3ICh3b3JrIGluPC90ZD48dGQgY2xhc3M9Imxp
bmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5v
IiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgcHJvZ3Jl
c3MpLCBPY3RvYmVyIDIwMTUuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyaWdodCI+ICAgICAg
ICAgICAgICBwcm9ncmVzcyksIE9jdG9iZXIgMjAxNS48L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2
YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAg
ICAgPHRyPjx0ZD48YSBuYW1lPSJkaWZmMDA3MCI+PC9hPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0
ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90
ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJyYmxvY2siPiAgIDxzcGFuIGNsYXNzPSJpbnNlcnQiPltJ
VFUtVC5HLjgyNzFdPC9zcGFuPjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48
L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+
PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3Bh
biBjbGFzcz0iaW5zZXJ0Ij4gICAgICAgICAgICAgICJQYWNrZXQgb3ZlciBUcmFuc3BvcnQgYXNw
ZWN0cyAtIFN5bmNocm9uaXphdGlvbiwgcXVhbGl0eTwvc3Bhbj48L3RkPjx0ZCBjbGFzcz0ibGlu
ZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8i
IHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGJsb2NrIj48L3RkPjx0ZD4gPC90ZD48dGQg
Y2xhc3M9InJibG9jayI+PHNwYW4gY2xhc3M9Imluc2VydCI+ICAgICAgICAgICAgICBhbmQgYXZh
aWxhYmlsaXR5IHRhcmdldHMiLCBJVFUtVCBSZWNvbWVuZGF0aW9uPC9zcGFuPjwvdGQ+PHRkIGNs
YXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9
ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNzPSJsYmxvY2siPjwvdGQ+PHRkPiA8
L3RkPjx0ZCBjbGFzcz0icmJsb2NrIj48c3BhbiBjbGFzcz0iaW5zZXJ0Ij4gICAgICAgICAgICAg
IEcuODI3MS9ZLjEzNjYsIEp1bHkgMjAxNi48L3NwYW4+PC90ZD48dGQgY2xhc3M9ImxpbmVubyIg
dmFsaWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxp
Z249InRvcCI+PC90ZD48dGQgY2xhc3M9ImxibG9jayI+PC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNz
PSJyYmxvY2siPiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICA8L3RkPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9w
Ij48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzQyMDJdICBLb21wZWxsYSwgSy4sIEVkLiBh
bmQgWS4gUmVraHRlciwgRWQuLCAiUm91dGluZyBFeHRlbnNpb25zPC90ZD48dGQ+IDwvdGQ+PHRk
IGNsYXNzPSJyaWdodCI+ICAgW1JGQzQyMDJdICBLb21wZWxsYSwgSy4sIEVkLiBhbmQgWS4gUmVr
aHRlciwgRWQuLCAiUm91dGluZyBFeHRlbnNpb25zPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgaW4gU3VwcG9ydCBvZiBH
ZW5lcmFsaXplZCBNdWx0aS1Qcm90b2NvbCBMYWJlbCBTd2l0Y2hpbmc8L3RkPjx0ZD4gPC90ZD48
dGQgY2xhc3M9InJpZ2h0Ij4gICAgICAgICAgICAgIGluIFN1cHBvcnQgb2YgR2VuZXJhbGl6ZWQg
TXVsdGktUHJvdG9jb2wgTGFiZWwgU3dpdGNoaW5nPC90ZD48dGQgY2xhc3M9ImxpbmVubyIgdmFs
aWduPSJ0b3AiPjwvdGQ+PC90cj4KICAgICAgPHRyPjx0ZCBjbGFzcz0ibGluZW5vIiB2YWxpZ249
InRvcCI+PC90ZD48dGQgY2xhc3M9ImxlZnQiPiAgICAgICAgICAgICAgKEdNUExTKSIsIFJGQyA0
MjAyLCBET0kgMTAuMTc0ODcvUkZDNDIwMiwgT2N0b2JlciAyMDA1LDwvdGQ+PHRkPiA8L3RkPjx0
ZCBjbGFzcz0icmlnaHQiPiAgICAgICAgICAgICAgKEdNUExTKSIsIFJGQyA0MjAyLCBET0kgMTAu
MTc0ODcvUkZDNDIwMiwgT2N0b2JlciAyMDA1LDwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGln
bj0idG9wIj48L3RkPjwvdHI+CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0
b3AiPjwvdGQ+PHRkIGNsYXNzPSJsZWZ0Ij4gICAgICAgICAgICAgICZsdDtodHRwOi8vd3d3LnJm
Yy1lZGl0b3Iub3JnL2luZm8vcmZjNDIwMiZndDsuPC90ZD48dGQ+IDwvdGQ+PHRkIGNsYXNzPSJy
aWdodCI+ICAgICAgICAgICAgICAmbHQ7aHR0cDovL3d3dy5yZmMtZWRpdG9yLm9yZy9pbmZvL3Jm
YzQyMDImZ3Q7LjwvdGQ+PHRkIGNsYXNzPSJsaW5lbm8iIHZhbGlnbj0idG9wIj48L3RkPjwvdHI+
CiAgICAgIDx0cj48dGQgY2xhc3M9ImxpbmVubyIgdmFsaWduPSJ0b3AiPjwvdGQ+PHRkIGNsYXNz
PSJsZWZ0Ij48L3RkPjx0ZD4gPC90ZD48dGQgY2xhc3M9InJpZ2h0Ij48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgW1JGQzUyMjZdICBOYXJ0
ZW4sIFQuIGFuZCBILiBBbHZlc3RyYW5kLCAiR3VpZGVsaW5lcyBmb3IgV3JpdGluZyBhbjwvdGQ+
PHRkPiA8L3RkPjx0ZCBjbGFzcz0icmlnaHQiPiAgIFtSRkM1MjI2XSAgTmFydGVuLCBULiBhbmQg
SC4gQWx2ZXN0cmFuZCwgIkd1aWRlbGluZXMgZm9yIFdyaXRpbmcgYW48L3RkPjx0ZCBjbGFzcz0i
bGluZW5vIiB2YWxpZ249InRvcCI+PC90ZD48L3RyPgogICAgICA8dHI+PHRkIGNsYXNzPSJsaW5l
bm8iIHZhbGlnbj0idG9wIj48L3RkPjx0ZCBjbGFzcz0ibGVmdCI+ICAgICAgICAgICAgICBJQU5B
--94eb2c04308856df94054690f1d3--


From nobody Tue Jan 24 21:57:42 2017
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DADA1297EA; Tue, 24 Jan 2017 21:57:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.4
X-Spam-Level: 
X-Spam-Status: No, score=-7.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLnACuuHSXyG; Tue, 24 Jan 2017 21:57:39 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAC3A1297E8; Tue, 24 Jan 2017 21:57:38 -0800 (PST)
X-AuditID: 1209190c-cc7ff700000045a6-53-58883e4f3ef5
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id D9.24.17830.F4E38885; Wed, 25 Jan 2017 00:57:36 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v0P5vYOs023176; Wed, 25 Jan 2017 00:57:34 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v0P5vURP005856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 25 Jan 2017 00:57:33 -0500
Date: Tue, 24 Jan 2017 23:57:31 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Mirsky <gregimirsky@gmail.com>
Message-ID: <20170125055730.GK8460@kduck.kaduk.org>
References: <20170118060025.GN8460@kduck.kaduk.org> <CA+RyBmVfOCJQ2eA49mi6Ye4AfSCRS5gcio+aO3AgbO_nGDuyiQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+RyBmVfOCJQ2eA49mi6Ye4AfSCRS5gcio+aO3AgbO_nGDuyiQ@mail.gmail.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GVnY5Msd3_94IbZ9JgAqJ0_NYB8>
Cc: draft-ietf-mpls-residence-time.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-mpls-residence-time-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 05:57:40 -0000

On Fri, Jan 20, 2017 at 05:47:00PM -0800, Greg Mirsky wrote:
> Hi Ben,
> thank you for the careful review and the most helpful comments and
> suggestions. We're working on the new version to address GEN-ART, OPS and
> Security comments. I've attached the diff and current working version of
> the draft. Please find my responses to your comments in-lined and tagged
> GIM>>.

Thanks!
Most of the changes are helpful; the only thing I would note about the
new text is in the security considerations, where the discussion of
"complex crypto schemes" seems like it should come after the mention
of "for further study", not before.

I as a new reader to the field would still benefit from some discussion
and/or examples of how the new data structures interact with each other
and the parent containers, but I should defer to the experts as to what
is actually needed.

I will trim the parts of the message that sound good and I have no
further comment on.

> 
> On Tue, Jan 17, 2017 at 10:00 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> > This document also mentions RFC 7384, whose entirety is security
> > requirements of time protocols, which probably contains more detail
> > than this document would need if discussion was inline.  However, the
> > security considerations of draft-ietf-mpls-residence-time-12 also
> > contains discussion about how PTP-aware nodes on the path are required
> > to modify the messages, and the needed trust model involves these nodes
> > being trusted to perform those modifications.
> > That seems true and is probably fine for a protocol that is running on
> > "trusted infrastructure", but the claim is also made that the messages
> > modified by intermediate nodes "cannot be authenticated".  This is only
> > somewhat true, as one can create complex crypto schemes that involve
> > giving key material to intermediate nodes that can let them make
> > authenticated (but detectable) modifications.  Such schemes seem far
> > too complex for the topic at hand, though, as they are likely to
> > increase the processing delay for the time packets, and it seems fine
> > to defer investigating them in the same way that it is fine to defer
> > investigating authenticating/encrypting the RTM data that does not need
> > to be modified by intermediate nodes, which is explicitly noted in the
> > security considerations.
> >
> GIM>> I agree with your suggestion. Would the following change address your
> comment:
> 
> ---
> 
> OLD TEXT:
>
>    As a result, the content of the PTP-related data in RTM messages that
>    will be modified by intermediate nodes cannot be authenticated, and
>    the additional information that must be accessible for proper
>    operation of PTP 1-step and 2-step modes MUST be accessible to
>    intermediate nodes (i.e. - MUST NOT be encrypted in a manner that
>    makes this data inaccessible).
>
> ...
>
>    The ability for potentially authenticating and/or encrypting RTM and
>    PTP data that is not needed by intermediate RTM/PTP-capable nodes is
>    for further study.
>
> NEW TEXT:
>
>    That likely to require some complex crypto schemes that involve giving key
>    material to intermediate RTM/PTP-capable nodes that can let them make
>    authenticated (but detectable) modifications to the additional
>    information in RTM messages.
>
>    The ability for potentially authenticating and/or encrypting RTM and
>    PTP data for scenarios both with and without participation of
>    intermediate RTM/PTP-capable nodes is for further study.

I think this should be reordered to be more useful, something like
(with a few more tweaks):

   In addition - particularly as applied to use related to PTP - there
   is a presumed trust model that depends on the existence of a trusted
   relationship of at least all PTP-aware nodes on the path traversed by
   PTP messages.  This is necessary as these nodes are expected to
   correctly modify specific content of the data in PTP messages and
   proper operation of the protocol depends on this ability.  In practice,
   this means that those portions of the messages cannot be covered by
   either confidentiality or integrity protection.  Though there are
   methods that make it possible in theory to provide either or both such
   protections and still allow for intermediate nodes to make
   detectable but authenticated modifications, such methods do not seem
   practical at present, particularly for timing protocols that are
   sensitive to latency.

   The ability for potentially authenticating and/or encrypting RTM and
   PTP data for scenarios both with and without participation of
   intermediate RTM/PTP-capable nodes is left for further study.


> -------
> 
> >
> > I do think there are some relevant security considerations that are not
> > mentioned, though -- for the two-step flow, an RTM-capable node is
> > required to wait for the follow-up RTM message and make the corresponding
> > residence time update.  This requirement is unbounded and could lead to
> > a resource leak if that follow-up packet fails to arrive, for an
> > implementation that blindly follows the spec without resorting to
> > practical engineering knowledge.  I do not expect there to be any such
> > implementations, but this document should probably indicate that timing
> > out is okay within "reasonable" bounds, or whatever similar workaround
> > is best practice in this domain.
> >
> GIM>> Indeed, we've implicitly relied on good engineering practice and left
> out discussion of the timer associated with two-step RTM.
> 
> I agree with your observation and propose the following update to text
> in section One-step Clock and two-step Clock Modes (added sentence
> underlined):
>
> If the S bit is already set, then the RTM capable node MUST wait for the
> RTM message with the PTP type of follow-up and matching
> originator and sequence number to make the corresponding residence time
> update to the Scratch Pad field.
>
> *The wait period MUST be reasonably bound.*


Sounds good.


> 
> >
> > On page 12, last paragraph, we have some text "If no RTM_SET TLV has been
> > found, then the LSP setup MUST fail [...]".  Is this only in the case
> > when the RTM_SET flag is set?  If so, that should probably be made more
> > clear in the text, as on my first reading I was surprised, since
> > the RTM_SET generally goes in the LSP_ATTRIBUTES and not the
> > LSP_REQUIRED_ATTRIBUTES, and as such would not be globally mandatory.
> >
> GIM>> Earlier, in the same paragraph, we've said
> 
> "If the RTM_SET flag set, the node MUST inspect the LSP_ATTRIBUTES object
> for presence of RTM_SET TLV." ("Node" is used in place of "RTM-capable
> node")
> Thus nodes that are not RTM-capable would not act on RTM_SET Attribute
> Flag, would not be checking for presence of RTM_SET TLV.


Okay.


> > I'm also left puzzled by the last paragraph of section 7; it seems to say
> > that the *last* RTM(-capable) node of the LSP will generate the follow-up
> > message, but I thought it was generally an earlier node that would be
> > setting the S bit and generating the follow-up message.
> >
> GIM>> Updated text as the following:
> 
>    The egress RTM-capable node of the LSP will be removing RTM
>    encapsulation and, in case of two-step clock mode being indicated,
>    will generate PTP messages as appropriate (according to the
>    [IEEE.1588.2008]).  In this case, the common header of the PTP packet
>    carrying the synchronization message would have to be modified in the
>    twoStepFlag field indicating that there is now a follow up message
>    associated to that.

Ah, maybe I have un-confused myself.  This is about the case where the
underlying PTP is a one-step clock, but the RTM path includes two-step
nodes, so the node that removes the RTM wrapper has to synthesize a
follow-up PTP message to contain the correction?

Making (A) and (B) fully fledged subsections would let them have
indicative titles, like "Two-step RTM with two-step upstream" and
"Two-step RTM with one-step upstream".

In any case, I would suggest being more explicit than "the associated RTM
packet must be created" means, explicitly describing what type of RTM packet
is being created (i.e., the follow-up one?).


> > There are also a lot of grammar nits (including very many missing
> > instances of the definite article), but it does not seem worth enumerating
> > them here.  I will try to send a diff to the authors later this week,
> > but time is a bit short at the moment.
> >
> GIM>> Many thanks and greatly appreciate your kind help.

I guess it is lucky that I did not have time last week, since there is
an updated version that I could be basing changes onto.  (Things are still
busy for me, so no guarantees of anything.)

-Ben
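
An added example, not taken from the draft or from either correspondent, of the bounded wait discussed above for two-step RTM: state keyed on originator and sequence number is discarded after a timeout and the table is capped, so a follow-up that never arrives cannot leak memory. The class name, the 2-second timeout, the entry cap, the evict-oldest policy and the modelling of the Scratch Pad update as an addition are assumptions.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Pending:
    residence_ns: int   # residence time measured for the first message
    deadline: float     # monotonic time after which the state is discarded


class FollowUpWaitTable:
    """State a two-step node holds between a message and its follow-up.

    Hypothetical helper: max_wait_s and max_entries are example values.
    The thread only asks that the wait be "reasonably bound".
    """

    def __init__(self, max_wait_s=2.0, max_entries=1024):
        self.max_wait_s = max_wait_s
        self.max_entries = max_entries
        self._pending = OrderedDict()  # (originator, seq) -> Pending, oldest first
        self.expired = 0               # waits that timed out with no follow-up
        self.evicted = 0               # entries dropped because the table was full

    def _expire(self, now):
        # Every entry gets the same max_wait_s and is appended at the end, so
        # with a monotonic clock the earliest deadline is always at the front.
        while self._pending:
            key, entry = next(iter(self._pending.items()))
            if entry.deadline > now:
                break
            del self._pending[key]
            self.expired += 1

    def start_wait(self, originator, seq, residence_ns, now):
        """Record that a follow-up for (originator, seq) is expected."""
        self._expire(now)
        key = (originator, seq)
        self._pending.pop(key, None)           # a repeat restarts the wait
        if len(self._pending) >= self.max_entries:
            # Assumed policy: evict the oldest wait. Rejecting the new one
            # instead is the other option; either keeps memory bounded.
            self._pending.popitem(last=False)
            self.evicted += 1
        self._pending[key] = Pending(residence_ns, now + self.max_wait_s)

    def on_follow_up(self, originator, seq, scratch_pad_ns, now):
        """Return the updated Scratch Pad value, or None if no wait matches."""
        self._expire(now)
        entry = self._pending.pop((originator, seq), None)
        if entry is None:
            return None                        # late, unknown or evicted
        return scratch_pad_ns + entry.residence_ns

    def __len__(self):
        return len(self._pending)


def demo():
    """Constructed traffic: one normal pair, one lost follow-up, one burst."""
    table = FollowUpWaitTable(max_wait_s=2.0, max_entries=3)

    # Follow-up arrives inside the wait period: Scratch Pad is updated.
    table.start_wait("clockA", 1, 1500, now=0.0)
    matched = table.on_follow_up("clockA", 1, 4000, now=0.5)

    # Follow-up arrives after the wait period: state is already gone.
    table.start_wait("clockA", 2, 1200, now=1.0)
    late = table.on_follow_up("clockA", 2, 4000, now=3.5)

    # Burst of messages whose follow-ups never come: the cap holds.
    for seq in range(100, 110):
        table.start_wait("clockB", seq, 1000, now=4.0)

    return {
        "matched": matched,
        "late": late,
        "expired": table.expired,
        "evicted": table.evicted,
        "pending": len(table),
    }


if __name__ == "__main__":
    print(demo())
```

In a forwarding path `now` would come from `time.monotonic()`; the `expired` and `evicted` counters are the values to export for monitoring, since a rising count means follow-ups are being lost or the table is under pressure.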


From nobody Wed Jan 25 11:34:23 2017
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73E6B129B3F; Wed, 25 Jan 2017 11:34:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JaHEFlIUaj-y; Wed, 25 Jan 2017 11:34:08 -0800 (PST)
Received: from mail-ot0-x231.google.com (mail-ot0-x231.google.com [IPv6:2607:f8b0:4003:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2378A129B4B; Wed, 25 Jan 2017 11:34:08 -0800 (PST)
Received: by mail-ot0-x231.google.com with SMTP id f9so159638369otd.1; Wed, 25 Jan 2017 11:34:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FD5tHuh5iOVhqNzvf5B3mg8XqYopK82RKDUowgMNsDI=; b=UY/qsNwVem8sZRr9AkGAPvsUkx51PabTbJNJy15n3kn+lvBmuboEaRe2B6a+brfmgq tmiB1/Pfy7y07j15GTwagzzVT9+lYzHuAiFl6hqDg3NupRwrH38w+1AywRtd23lDNCMk N0y3GbOGJSiueFZ7XV7jr++owN5mpSDRTE07Yasr7skHIhxgx8LwgZDHLnfEevxrv4wW Ik/goL8IQbzT7s7yGmNrDdKYpp0xJL0Y4yIVbPNN74CX0TRKQ9+ayBCDzOnGBoMWpjMY +YpSbouAe0lO6GJwmNSaVUJhltICsrp3eX8TE9J4pxnfYHeQfLFCRCNsLNYbJkIh0P1f Fj+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FD5tHuh5iOVhqNzvf5B3mg8XqYopK82RKDUowgMNsDI=; b=ZqhCIXsPOh2buEYqgGqyw9jKD3Ut4PYUmQPEjOUrBO32srHyWnj8c+BuDj7ii+Sdb3 Yba/c0TGd7XDrEieEsOCHEMKHfnL1gaKfHmNQe3Oc+JpitMGY73NIo1SQNXqdRfCI3s9 9AsXuPVJ6MOu7Y1l++Nuua5z/l7p4OIyD8IPgaIA4xNuSZa5dclsHxg4gHQhyi1DzjyG 8uDJXjGPlfJ4S/311EmgDsnqTwNy8TqKb+fDsd+cirNMDDlvAArHYAzJtsZjIqt8J4GV txYqybHBSDwrRMBRkYchNTMXTzW0lZ2CjgHlDpd952D02sJmNoltXEqiACxsrB5+n04Y hr+Q==
X-Gm-Message-State: AIkVDXI4Gc4wkH7+PSH7wGZylLWUZbK5mIhRJIJ3frtO+jebm0RbZH1l//4l+QLlu+W9lThVEjunjIISnpA8rw==
X-Received: by 10.157.32.135 with SMTP id x7mr18793858ota.35.1485372847481; Wed, 25 Jan 2017 11:34:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.1.103 with HTTP; Wed, 25 Jan 2017 11:34:06 -0800 (PST)
In-Reply-To: <20170125055730.GK8460@kduck.kaduk.org>
References: <20170118060025.GN8460@kduck.kaduk.org> <CA+RyBmVfOCJQ2eA49mi6Ye4AfSCRS5gcio+aO3AgbO_nGDuyiQ@mail.gmail.com> <20170125055730.GK8460@kduck.kaduk.org>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 25 Jan 2017 11:34:06 -0800
Message-ID: <CA+RyBmWFmH-a-aSEVH5juVU8EVVL7x-xf8A4i9GB_U5jLf3AyQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary=94eb2c033074eee9b40546f050ab
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NjxEWXEGPoCARhMl-KaWcjRTzuM>
Cc: Loa Andersson <loa@pi.nu>, draft-ietf-mpls-residence-time.all@ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "BRUNGARD, DEBORAH A \(ATTLABS\)" <db3546@att.com>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-mpls-residence-time-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 19:34:11 -0000

--94eb2c033074eee9b40546f050ab
Content-Type: text/plain; charset=UTF-8

Hi Ben,
many thanks for taking time to review the proposed updates and share your
comments, much obliged.
My next steps:

   - Will use your text in the Security Considerations section, thank you.
   - Will place cases A and B as sub-sections, per your suggestion.
   - Will share the update by end of the week.

Kind regards,
Greg


On Tue, Jan 24, 2017 at 9:57 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Fri, Jan 20, 2017 at 05:47:00PM -0800, Greg Mirsky wrote:
> > Hi Ben,
> > thank you for the careful review and the most helpful comments and
> > suggestions. We're working on the new version to address GEN-ART, OPS and
> > Security comments. I've attached the diff and current working version of
> > the draft. Please find my responses to your comments in-lined and tagged
> > GIM>>.
>
> Thanks!
> Most of the changes are helpful; the only thing I would note about the
> new text is in the security considerations, where the discussion of
> "complex crypto schemes" seems like it should come after the mention
> of "for further study", not before.
>
> I as a new reader to the field would still benefit from some discussion
> and/or examples of how the new data structures interact with each other
> and the parent containers, but I should defer to the experts as to what
> is actually needed.
>
> I will trim the parts of the message that sound good and I have no
> further comment on.
>
> >
> > On Tue, Jan 17, 2017 at 10:00 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > This document also mentions RFC 7384, whose entirety is security
> > > requirements of time protocols, which probably contains more detail
> > > than this document would need if discussion was inline.  However, the
> > > security considerations of draft-ietf-mpls-residence-time-12 also
> > > contains discussion about how PTP-aware nodes on the path are required
> > > to modify the messages, and the needed trust model involves these
> > > nodes being trusted to perform those modifications.
> > > That seems true and is probably fine for a protocol that is running on
> > > "trusted infrastructure", but the claim is also made that the messages
> > > modified by intermediate nodes "cannot be authenticated".  This is only
> > > somewhat true, as one can create complex crypto schemes that involve
> > > giving key material to intermediate nodes that can let them make
> > > authenticated (but detectable) modifications.  Such schemes seem far
> > > too complex for the topic at hand, though, as they are likely to
> > > increase the processing delay for the time packets, and it seems fine
> > > to defer investigating them in the same way that it is fine to defer
> > > investigating authenticating/encrypting the RTM data that does not
> > > need to be modified by intermediate nodes, which is explicitly noted
> > > in the security considerations.
> > >
> > GIM>> I agree with your suggestion. Would the following change address
> > your comment:
> >
> > ---
> >
> > OLD TEXT:
> >
> >    As a result, the content of the PTP-related data in RTM messages that
> >    will be modified by intermediate nodes cannot be authenticated, and
> >    the additional information that must be accessible for proper
> >    operation of PTP 1-step and 2-step modes MUST be accessible to
> >    intermediate nodes (i.e. - MUST NOT be encrypted in a manner that
> >    makes this data inaccessible).
> >
> > ...
> >
> >    The ability for potentially authenticating and/or encrypting RTM and
> >    PTP data that is not needed by intermediate RTM/PTP-capable nodes is
> >    for further study.
> >
> > NEW TEXT:
> >
> >    That likely to require some complex crypto schemes that involve giving
> >    key material to intermediate RTM/PTP-capable nodes that can let them
> >    make authenticated (but detectable) modifications to the additional
> >    information in RTM messages.
> >
> >    The ability for potentially authenticating and/or encrypting RTM and
> >    PTP data for scenarios both with and without participation of
> >    intermediate RTM/PTP-capable nodes is for further study.
>
> I think this should be reordered to be more useful, something like
> (with a few more tweaks):
>
>    In addition - particularly as applied to use related to PTP - there
>    is a presumed trust model that depends on the existence of a trusted
>    relationship of at least all PTP-aware nodes on the path traversed by
>    PTP messages.  This is necessary as these nodes are expected to
>    correctly modify specific content of the data in PTP messages and
>    proper operation of the protocol depends on this ability.  In practice,
>    this means that those portions of the messages cannot be covered by
>    either confidentiality or integrity protection.  Though there are
>    methods that make it possible in theory to provide either or both such
>    protections and still allow for intermediate nodes to make
>    detectable but authenticated modifications, such methods do not seem
>    practical at present, particularly for timing protocols that are
>    sensitive to latency.
>
>    The ability for potentially authenticating and/or encrypting RTM and
>    PTP data for scenarios both with and without participation of
>    intermediate RTM/PTP-capable nodes is left for further study.
>
>
> > -------
> >
> > >
> > > I do think there are some relevant security considerations that are not
> > > mentioned, though -- for the two-step flow, an RTM-capable node is
> > > required to wait for the follow-up RTM message and make the
> > > corresponding residence time update.  This requirement is unbounded and
> > > could lead to a resource leak if that follow-up packet fails to arrive,
> > > for an implementation that blindly follows the spec without resorting
> > > to practical engineering knowledge.  I do not expect there to be any
> > > such implementations, but this document should probably indicate that
> > > timing out is okay within "reasonable" bounds, or whatever similar
> > > workaround is best practice in this domain.
> > >
> > GIM>> Indeed, we've implicitly relied on good engineering practice and
> > left out discussion of the timer associated with two-step RTM.
> >
> > I agree with your observation and propose the following update to text
> > in section One-step Clock and two-step Clock Modes (added sentence
> > underlined):
> >
> > If the S bit is already set, then the RTM capable node MUST wait for the
> > RTM message with the PTP type of follow-up and matching originator and
> > sequence number to make the corresponding residence time update to the
> > Scratch Pad field.
> >
> > *The wait period MUST be reasonably bound.*
>
>
> Sounds good.
>
>
> >
> > >
> > > On page 12, last paragraph, we have some text "If no RTM_SET TLV has
> > > been found, then the LSP setup MUST fail [...]".  Is this only in the case
> > > when the RTM_SET flag is set?  If so, that should probably be made more
> > > clear in the text, as on my first reading I was surprised, since
> > > the RTM_SET generally goes in the LSP_ATTRIBUTES and not the
> > > LSP_REQUIRED_ATTRIBUTES, and as such would not be globally mandatory.
> > >
> > GIM>> Earlier, in the same paragraph, we've said
> >
> > "If the RTM_SET flag set, the node MUST inspect the LSP_ATTRIBUTES object
> > for presence of RTM_SET TLV." ("Node" is used in place of "RTM-capable
> > node")
> > Thus nodes that are not RTM-capable would not act on RTM_SET Attribute
> > Flag, would not be checking for presence of RTM_SET TLV.
>
>
> Okay.
>
>
> > > I'm also left puzzled by the last paragraph of section 7; it seems to
> > > say that the *last* RTM(-capable) node of the LSP will generate the
> > > follow-up message, but I thought it was generally an earlier node that
> > > would be setting the S bit and generating the follow-up message.
> > >
> > GIM>> Updated text as the following:
> >
> >    The egress RTM-capable node of the LSP will be removing RTM
> >    encapsulation and, in case of two-step clock mode being indicated,
> >    will generate PTP messages as appropriate (according to the
> >    [IEEE.1588.2008]).  In this case, the common header of the PTP packet
> >    carrying the synchronization message would have to be modified in the
> >    twoStepFlag field indicating that there is now a follow up message
> >    associated to that.
>
> Ah, maybe I have un-confused myself.  This is about the case where the
> underlying PTP is a one-step clock, but the RTM path includes two-step
> nodes, so the node that removes the RTM wrapper has to synthesize a
> follow-up PTP message to contain the correction?
>
> Making (A) and (B) fully fledged subsections would let them have
> indicative titles, like "Two-step RTM with two-step upstream" and
> "Two-step RTM with one-step upstream".
>
> In any case, I would suggest being more explicit than "the associated RTM
> packet must be created" means, explicitly describing what type of RTM
> packet is being created (i.e., the follow-up one?).
>
>
> > > There are also a lot of grammar nits (including very many missing
> > > instances of the definite article), but it does not seem worth
> > > enumerating them here.  I will try to send a diff to the authors later
> > > this week, but time is a bit short at the moment.
> > >
> > GIM>> Many thanks and greatly appreciate your kind help.
>
> I guess it is lucky that I did not have time last week, since there is
> an updated version that I could be basing changes onto.  (Things are still
> busy for me, so no guarantees of anything.)
>
> -Ben
>

--94eb2c033074eee9b40546f050ab--
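
The bounded wait for the two-step RTM follow-up discussed in the thread above, as an added example that is not part of the original messages or of the draft. The 2-second wait, the 1024-entry cap, the evict-oldest policy and the "no update for a late follow-up" behaviour are assumptions chosen for illustration; the thread only asks that the wait be reasonably bounded.

```python
"""Bounded wait for two-step RTM follow-up messages (added illustration)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]  # (originator identity, sequence number)


@dataclass
class Pending:
    residence_ns: int  # residence time measured for the S-bit message
    deadline: float    # time (seconds) after which the node stops waiting


class FollowUpTable:
    """State an RTM-capable node keeps while waiting for a follow-up."""

    def __init__(self, max_wait_s: float = 2.0, max_entries: int = 1024):
        # Both limits are assumptions; the draft text quoted in the thread
        # only says the wait period must be bounded.
        self.max_wait_s = max_wait_s
        self.max_entries = max_entries
        self._pending: Dict[Key, Pending] = {}  # dict keeps insertion order
        self.expired = 0   # entries dropped because the follow-up never came
        self.evicted = 0   # entries dropped because the table was full

    def __len__(self) -> int:
        return len(self._pending)

    def expire(self, now: float) -> int:
        """Drop every entry whose deadline has passed; return how many."""
        stale = [k for k, p in self._pending.items() if p.deadline <= now]
        for key in stale:
            del self._pending[key]
        self.expired += len(stale)
        return len(stale)

    def on_two_step_message(self, originator: str, seq: int,
                            residence_ns: int, now: float) -> None:
        """Record the residence time of a message that has the S bit set."""
        self.expire(now)
        key = (originator, seq)
        self._pending.pop(key, None)  # a retransmission replaces old state
        if len(self._pending) >= self.max_entries:
            # Hard cap: memory stays bounded even if follow-ups are withheld
            # faster than the timer can reclaim entries.
            oldest = next(iter(self._pending))
            del self._pending[oldest]
            self.evicted += 1
        self._pending[key] = Pending(residence_ns, now + self.max_wait_s)

    def on_follow_up(self, originator: str, seq: int,
                     scratch_pad_ns: int, now: float) -> Optional[int]:
        """Return the updated Scratch Pad value, or None if nothing matches.

        None covers both an unsolicited follow-up and one that arrived after
        the wait expired; the caller then makes no residence time update.
        """
        self.expire(now)
        entry = self._pending.pop((originator, seq), None)
        if entry is None:
            return None
        return scratch_pad_ns + entry.residence_ns


def demo():
    """Constructed event sequence: one timely follow-up, one late one."""
    table = FollowUpTable(max_wait_s=1.0, max_entries=2)
    table.on_two_step_message("clock-A", 7, 1500, now=0.0)
    in_time = table.on_follow_up("clock-A", 7, 4000, now=0.5)
    table.on_two_step_message("clock-A", 8, 900, now=1.0)
    too_late = table.on_follow_up("clock-A", 8, 0, now=2.5)
    return in_time, too_late, table.expired, len(table)


if __name__ == "__main__":
    print(demo())
```

The two counters give an operator something to alert on: a steadily rising `expired` or `evicted` count means follow-ups are being lost or withheld upstream.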


From nobody Thu Jan 26 04:39:16 2017
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC63612956B; Thu, 26 Jan 2017 04:39:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sge3APAYMa4K; Thu, 26 Jan 2017 04:39:09 -0800 (PST)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6C7912956A; Thu, 26 Jan 2017 04:39:06 -0800 (PST)
Received: by mail-oi0-x22c.google.com with SMTP id u143so136564310oif.3; Thu, 26 Jan 2017 04:39:06 -0800 (PST)
X-Received: by 10.202.74.213 with SMTP id x204mr1714772oia.51.1485434345737; Thu, 26 Jan 2017 04:39:05 -0800 (PST)
MIME-Version: 1.0
From: Adam Montville <adam.w.montville@gmail.com>
Date: Thu, 26 Jan 2017 12:38:55 +0000
Message-ID: <CACknUNUO024gXRqyhW81+7BRtAzKo=a60Zpoeu=ssfBQeAgF+w@mail.gmail.com>
To: iesg@ietf.org, secdir@ietf.org,  draft-ietf-lamps-eai-addresses.all@ietf.org
Content-Type: multipart/alternative; boundary=001a1134fbc083d4a20546fea2ee
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/F9v3ulqhfSQChH1oUwRpZRJ21TY>
Subject: [secdir] secdir Review of draft-ietf-lamps-eai-addresses
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 12:39:11 -0000

--001a1134fbc083d4a20546fea2ee
Content-Type: text/plain; charset=UTF-8

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document is ready with nits.

In Security Considerations, I recommend: s/but further/but is further/.
Then, I would change the second to last sentence in Security Considerations
as follows:

This complication, as mentioned in Section 4.4 of [RFC5890] and in Section
4 of [RFC6532], is that use of Unicode introduces the risk of visually
similar characters which can be exploited to deceive the recipient.

Kind regards,

Adam

--001a1134fbc083d4a20546fea2ee--


From nobody Thu Jan 26 08:44:14 2017
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 519AC129881 for <secdir@ietf.org>; Thu, 26 Jan 2017 08:44:13 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: "Tero Kivinen" <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.41.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <148544905332.26862.8039335588114737289.idtracker@ietfa.amsl.com>
Date: Thu, 26 Jan 2017 08:44:13 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HyYfngPwcc4LqL7SFBo2ScgnV10>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 16:44:13 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2017-02-02

Reviewer               LC end     Draft
Steve Hanna            2017-01-12 draft-ietf-softwire-dslite-multicast-16
Christopher Inacio     2017-01-12 draft-ietf-softwire-multicast-prefix-option-12
Leif Johansson         2017-01-17 draft-ietf-teas-p2mp-loose-path-reopt-08
Simon Josefsson        2017-01-17 draft-ietf-teas-gmpls-resource-sharing-proc-08
Matt Lepinski          2017-01-19 draft-ietf-dhc-dhcpv6-failover-protocol-04
Tina Tsou              2017-01-13 draft-ietf-payload-melpe-05

For telechat 2017-02-16

Reviewer               LC end     Draft
David Mandelberg       2017-01-31 draft-ietf-sidr-delta-protocol-05
Matthew Miller         2017-01-30 draft-ietf-sidr-rpki-rtr-rfc6810-bis-08
Sandra Murphy          2016-12-20 draft-ietf-6tisch-minimal-19
Magnus Nystrom         None       draft-kivinen-802-15-ie-04
Hilarie Orman          2017-02-09 draft-ietf-dhc-dhcpv6-prefix-length-hint-issue-05
Joseph Salowey         2017-02-07 draft-ietf-dmm-4283mnids-04

Last calls:

Reviewer               LC end     Draft
Alan DeKok             2017-02-15 draft-bradner-rfc3979bis-11
Chris Lonvick          2017-02-14 draft-freytag-lager-variant-rules-03
Lt. Mundy              2017-01-26 draft-ietf-mpls-tp-linear-protection-mib-11
Sandra Murphy          2017-01-26 draft-ietf-mmusic-4572-update-12
Yoav Nir               2017-02-21 draft-hardie-privsec-metadata-insertion-05
Radia Perlman          2017-02-07 draft-ietf-nfsv4-rpcrdma-bidirection-06
Vincent Roca           2017-02-07 draft-ietf-nfsv4-rfc5666bis-09

Early review requests:

Reviewer               Due        Draft
Daniel Gillmor         2016-02-01 draft-ietf-rtcweb-security-08
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-cms-for-nts-message-06
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-network-time-security-15
Hannes Tschofenig      2016-03-18 draft-ietf-ntp-using-nts-for-ntp-07
Brian Weis             2016-02-01 draft-ietf-cdni-uri-signing-10

Next in the reviewer rotation:

  Rich Salz
  Yaron Sheffer
  Rifaat Shekh-Yusef
  Melinda Shore
  Robert Sparks
  Takeshi Takahashi
  Hannes Tschofenig
  Tina Tsou
  Sean Turner
  Carl Wallace


From nobody Thu Jan 26 19:41:51 2017
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0554312940E for <secdir@ietfa.amsl.com>; Thu, 26 Jan 2017 19:41:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crdCElxcZ2BR for <secdir@ietfa.amsl.com>; Thu, 26 Jan 2017 19:41:49 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C83871289B0 for <secdir@ietf.org>; Thu, 26 Jan 2017 19:41:49 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id v200so8079869ywc.3; Thu, 26 Jan 2017 19:41:49 -0800 (PST)
X-Received: by 10.129.175.5 with SMTP id n5mr4838831ywh.209.1485488508925; Thu, 26 Jan 2017 19:41:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.195.1 with HTTP; Thu, 26 Jan 2017 19:41:48 -0800 (PST)
From: =?UTF-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
Date: Thu, 26 Jan 2017 19:41:48 -0800
Message-ID: <CADajj4ZAE_LnB_i_=6Dh2dVUGHEQguqn2n_awmTZaKAGjeupnw@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, draft-kivinen-802-15-ie-04@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TkwCZqx0UCKRBU6yVAKfUqzKUvQ>
Subject: [secdir] Secdir review of draft-kivinen-802-15-ie-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jan 2017 03:41:51 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document constitutes a request for the Assigned Numbers Authority
(ANA) to allocate an IEEE Std 802.15.4 Information Element number for
an IETF Information Element, and describes how the IETF Information
Element is formatted.

I have no concerns with this document.
-- Magnus


From nobody Sat Jan 28 13:30:04 2017
Return-Path: <david@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A19129DC5 for <secdir@ietfa.amsl.com>; Sat, 28 Jan 2017 13:29:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8LHRCiQHdt8 for <secdir@ietfa.amsl.com>; Sat, 28 Jan 2017 13:29:58 -0800 (PST)
Received: from nm6-vm1.access.bullet.mail.bf1.yahoo.com (nm6-vm1.access.bullet.mail.bf1.yahoo.com [216.109.114.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA1E129DC8 for <secdir@ietf.org>; Sat, 28 Jan 2017 13:29:58 -0800 (PST)
Received: from [66.196.81.159] by nm6.access.bullet.mail.bf1.yahoo.com with NNFMP; 28 Jan 2017 21:29:56 -0000
Received: from [98.138.104.98] by tm5.access.bullet.mail.bf1.yahoo.com with NNFMP; 28 Jan 2017 21:29:56 -0000
Received: from [127.0.0.1] by smtp118.sbc.mail.ne1.yahoo.com with NNFMP; 28 Jan 2017 21:29:56 -0000
X-Yahoo-Newman-Id: 92631.60093.bm@smtp118.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 9AA4F1C602E; Sat, 28 Jan 2017 16:29:54 -0500 (EST)
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-sidr-delta-protocol.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <8bee5b64-8b54-99f4-3e86-f6450f664fd6@mandelberg.org>
Date: Sat, 28 Jan 2017 16:29:50 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1Gwcx7Rlc96pit44mfgtPwVrSiETRhUBi"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0k-eBFbrxE6D84dU8l2ri_8QKGY>
Subject: [secdir] secdir review of draft-ietf-sidr-delta-protocol-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jan 2017 21:29:59 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--1Gwcx7Rlc96pit44mfgtPwVrSiETRhUBi
Content-Type: multipart/mixed; boundary="3RGkq6xm9ckxUXPUMFHOhK8MwQoQC1gDv"
From: David Mandelberg <david@mandelberg.org>
To: iesg@ietf.org, secdir@ietf.org,
 draft-ietf-sidr-delta-protocol.all@ietf.org
Message-ID: <8bee5b64-8b54-99f4-3e86-f6450f664fd6@mandelberg.org>
Subject: secdir review of draft-ietf-sidr-delta-protocol-05

--3RGkq6xm9ckxUXPUMFHOhK8MwQoQC1gDv
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document provides a new way for RPKI Relying Parties to download
RPKI objects. As mentioned in the Security Considerations, those objects
are already cryptographically signed. The RRDP protocol provides some
additional security to the download process, with no changes to the
security properties of the RPKI objects themselves.

I think this document is Ready with nits.


3.3.2: It seems strange to me that you use MUST when talking about the
timing/performance of the repository server. Is this relevant to
security? Or is there another reason for a MUST?

3.4.2: I think "update its last processed serial number to the serial
number of this snapshot file" should say "delta file" instead.

3.4.5: I'd recommend changing "in case of network issues" to "in case of
network issues, or temporary failures of the repository server(s) or
caching infrastructure".

3.5.1.2: I think the last paragraph might make it harder for the server
to recover from a temporary overload, since it can't tell clients to
wait longer than 1 minute before re-fetching. It seems to me that
letting the clients get a few minutes out of date until the server
operator can provision more capacity is better than accidentally DoSing
the server.

3.5.4: Why is serial not an xsd:positiveInteger? Section 3.3.1 says that
serials start at 1.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/


--3RGkq6xm9ckxUXPUMFHOhK8MwQoQC1gDv--

--1Gwcx7Rlc96pit44mfgtPwVrSiETRhUBi--
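
The two serial-number comments in the review above (3.4.2 and 3.5.4), sketched as Relying Party logic. This is an added example, not part of the review or of the draft; the notification-file layout, the namespace URI and all function names are assumptions, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed RRDP notification namespace (not quoted from the draft under review).
NS = "{http://www.ripe.net/rpki/rrdp}"

# Constructed sample notification file; URIs and hashes are placeholders.
SAMPLE = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="5">
  <snapshot uri="https://rrdp.example/snapshot-5.xml" hash="PLACEHOLDER"/>
  <delta serial="5" uri="https://rrdp.example/delta-5.xml" hash="PLACEHOLDER"/>
  <delta serial="4" uri="https://rrdp.example/delta-4.xml" hash="PLACEHOLDER"/>
  <delta serial="3" uri="https://rrdp.example/delta-3.xml" hash="PLACEHOLDER"/>
</notification>"""


def positive_serial(text):
    """Accept only ASCII digits with value >= 1, the value range of
    xsd:positiveInteger (the 3.5.4 comment: serials start at 1)."""
    if not text or not text.isascii() or not text.isdigit() or int(text) < 1:
        raise ValueError(f"invalid serial {text!r}")
    return int(text)


def plan_update(notification_xml, session_id, last_serial):
    """Decide what to fetch: ("noop", []), ("deltas", [serials]) or ("snapshot", []).

    A production Relying Party would parse with a hardened XML parser; the
    standard-library parser is used here only to keep the example offline.
    """
    root = ET.fromstring(notification_xml)
    current = positive_serial(root.get("serial"))
    # New session, or local state ahead of the server: start from the snapshot.
    if root.get("session_id") != session_id or last_serial > current:
        return ("snapshot", [])
    if last_serial == current:
        return ("noop", [])
    available = {positive_serial(d.get("serial")) for d in root.iter(NS + "delta")}
    needed = list(range(last_serial + 1, current + 1))
    if not all(s in available for s in needed):
        return ("snapshot", [])  # gap in the delta chain
    return ("deltas", needed)


def apply_deltas(needed, last_serial, apply_one):
    """Apply deltas in ascending order. After each one, the last processed
    serial becomes the serial of that delta file (the 3.4.2 comment)."""
    for serial in needed:
        if serial != last_serial + 1:
            raise ValueError("delta out of sequence")
        apply_one(serial)
        last_serial = serial
    return last_serial
```
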


From nobody Sun Jan 29 18:46:29 2017
Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA904127ABE; Sun, 29 Jan 2017 18:46:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-3_4K631T5a; Sun, 29 Jan 2017 18:46:26 -0800 (PST)
Received: from mail-ot0-x244.google.com (mail-ot0-x244.google.com [IPv6:2607:f8b0:4003:c0f::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10AE3126CD8; Sun, 29 Jan 2017 18:46:25 -0800 (PST)
Received: by mail-ot0-x244.google.com with SMTP id 36so37004243otx.3; Sun, 29 Jan 2017 18:46:25 -0800 (PST)
X-Received: by 10.157.49.70 with SMTP id v6mr8772742otd.38.1485744385172; Sun, 29 Jan 2017 18:46:25 -0800 (PST)
Received: from Chriss-Air.attlocal.net ([2602:306:838b:1c40:dde6:73af:35be:b173]) by smtp.googlemail.com with ESMTPSA id t130sm6434149oie.5.2017.01.29.18.46.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 29 Jan 2017 18:46:24 -0800 (PST)
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-freytag-lager-variant-rules.all@ietf.org
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <588EA8FF.5030105@gmail.com>
Date: Sun, 29 Jan 2017 20:46:23 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------090305000302070302010104"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qdRbIp7p0AQ83uHRWJg1eUVpn5A>
Subject: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2017 02:46:28 -0000

This is a multi-part message in MIME format.
--------------090305000302070302010104
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

I consider this draft to be ready with issues.

The document is well written and thorough but has no content in the 
Security Considerations section. The guidance provided in this 
INFORMATIONAL document appears to be sound but it should still provide a 
statement of how this work attempts to address the security concerns of 
RFC 7948. For perspective, the title of section 12.1 of the Security 
Considerations section is "LGRs Are Only a Partial Remedy for Problem 
Space".

My recommendation is that a Security Considerations section for this 
document incorporate the Security Considerations section of RFC 7948, 
along with statements of how the document addresses the obtainable 
remediations, and what implementers should continue to be concerned about.

Thanks,
Chris

--------------090305000302070302010104--


From nobody Sun Jan 29 19:11:10 2017
Return-Path: <radiaperlman@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD3E0127735; Sun, 29 Jan 2017 19:11:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mwX8QhGPQBUV; Sun, 29 Jan 2017 19:11:08 -0800 (PST)
Received: from mail-ot0-x233.google.com (mail-ot0-x233.google.com [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E196126CD8; Sun, 29 Jan 2017 19:11:08 -0800 (PST)
Received: by mail-ot0-x233.google.com with SMTP id 32so75654374oth.3; Sun, 29 Jan 2017 19:11:08 -0800 (PST)
X-Received: by 10.157.15.144 with SMTP id d16mr8502680otd.169.1485745867738; Sun, 29 Jan 2017 19:11:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.217.72 with HTTP; Sun, 29 Jan 2017 19:11:07 -0800 (PST)
From: Radia Perlman <radiaperlman@gmail.com>
Date: Sun, 29 Jan 2017 19:11:07 -0800
Message-ID: <CAFOuuo72ASH2f_n4dpanWDDtoyAH7gP-ckkW-sP6KTJdtjs=mA@mail.gmail.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  draft-ietf-nfsv4-rpcrdma-bidirection.all@tools.ietf.org
Content-Type: multipart/alternative; boundary=001a113db17eac57080547472a93
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/a44yj8Tu4Dc9cDNgzUUSONaHPsc>
Subject: [secdir] SECDIR review of draft-ietf-nfsv4-rpcrdma-bidirection
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2017 03:11:10 -0000

--001a113db17eac57080547472a93
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This draft concerns running NFS over RDMA (memory to memory access), and in
particular running RPC requests “in both directions” (client to server –
called forward direction – and callbacks from server to client called
reverse direction). The RFC claims to describe current practice rather than
to prescribe future practice, but it is intended to be Standards track,
which is a little odd, but I guess documenting what is current practice and
standardizing on it for the future is fine.



In any case, RDMA is a high performance protected channel considered to be
secure by its nature. If an RDMA protocol were run over a network tunnel,
it would be the responsibility of the tunnel to implement authentication
and encryption. And access rights of particular nodes and/or users is
defined in higher layers of NFS, and so is unaffected by the fact that this
is running over RDMA.



Bottom line is there are no security considerations. The security
considerations section refers readers to RFC5666bis (which is about NFS
over RDMA generally rather than the specific issue of callbacks). This
seems appropriate.


If I were to make one comment it's that I don't like the terminology
"backwards".  I might have used "reverse".  "Backwards" has a somewhat
negative connotation, and it's slightly confusing when discussing "Backward
Credits". I'd think a "backwards credit" would be taking away credits from
someone. "Reverse credits" would be just as bad, but perhaps
"reverse-direction credits" might be clear.


Radia

--001a113db17eac57080547472a93--


From nobody Mon Jan 30 00:49:00 2017
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6B9F126B6D for <secdir@ietfa.amsl.com>; Mon, 30 Jan 2017 00:48:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.969
X-Spam-Level: 
X-Spam-Status: No, score=-6.969 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id odHhJLqoDoiT for <secdir@ietfa.amsl.com>; Mon, 30 Jan 2017 00:48:57 -0800 (PST)
Received: from PCH.mit.edu (pch.mit.edu [18.7.21.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C13EE1293EC for <secdir@ietf.org>; Mon, 30 Jan 2017 00:48:56 -0800 (PST)
Received: from pch.mit.edu (localhost.localdomain [127.0.0.1]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0U8mthW011664 for <secdir@ietf.org>; Mon, 30 Jan 2017 03:48:55 -0500
Received: from mailhub-dmz-2.mit.edu (mailhub-dmz-2.mit.edu [18.7.62.37]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0U8mpte011661 for <secdir@mailman.mit.edu>; Mon, 30 Jan 2017 03:48:52 -0500
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id v0U8mV9Y008955 for <secdir@mit.edu>; Mon, 30 Jan 2017 03:48:51 -0500
X-AuditID: 1209190c-2afff70000006de5-44-588efdef1d4b
Received: from nrifs02.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by  (Symantec Messaging Gateway) with SMTP id 42.26.28133.0FDFE885; Mon, 30 Jan 2017 03:48:50 -0500 (EST)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs02.index.or.jp (Postfix) with ESMTP id 211061968E0; Mon, 30 Jan 2017 17:48:47 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id 8489F4E0046; Mon, 30 Jan 2017 17:48:46 +0900 (JST)
Received: from nriea05.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id v0U8mkEu029636; Mon, 30 Jan 2017 17:48:46 +0900
Received: from nrims00b.nri.co.jp ([192.50.135.12]) by nriea05.index.or.jp with ESMTP id v0U8mjaI029630; Mon, 30 Jan 2017 17:48:46 +0900
Received: from nrims00b.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v0U8mjwN001716; Mon, 30 Jan 2017 17:48:45 +0900
Received: (from mailnull@localhost) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id v0U8mjDA001715; Mon, 30 Jan 2017 17:48:45 +0900
X-Authentication-Warning: nrims00b.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf12.index.or.jp ([172.100.25.21]) by nrims00b.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v0U8mjS1001712; Mon, 30 Jan 2017 17:48:45 +0900
From: "Nat Sakimura" <n-sakimura@nri.co.jp>
To: "'Steve KENT'" <steve.kent@raytheon.com>, <secdir@mit.edu>
References: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>
In-Reply-To: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>
Date: Mon, 30 Jan 2017 17:48:45 +0900
Message-ID: <001201d27ad5$aa82d790$ff8886b0$@nri.co.jp>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJOm09WvX4P5pGJ5FM9qeQSqgTlmaBQaMUw
Content-Language: ja
X-MailAdviser: 20141126
Authentication-Results: symauth.service.identifier
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: multipart/mixed; boundary="===============3145403237061402658=="
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BhBVCoBCDQ6ElRxQv3phiQwWpvU>
Subject: Re: [secdir] SECDIR review of draft-ietf-oauth-jwsreq-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2017 08:48:59 -0000

This is a multipart message in MIME format.

--===============3145403237061402658==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0013_01D27B21.1A6DB3E0"
Content-Language: ja

This is a multipart message in MIME format.

------=_NextPart_000_0013_01D27B21.1A6DB3E0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello.

Sorry to have taken more than a week to reply.

I have pushed -10 which hopefully has addressed all the issues raised.

I have recorded all your comments into the issue tracker [1] of my working
repository and was recording the changes so you can see how I tried to
resolve them there as well.

[1] https://bitbucket.org/Nat/oauth-jwsreq/issues?q=SECDIR

Best,

Nat Sakimura

--
PLEASE READ: This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.

From: Steve KENT [mailto:steve.kent@raytheon.com] 
Sent: Tuesday, January 17, 2017 5:14 AM
To: secdir@mit.edu
Cc: ve7jtb@ve7jtb.com; n-sakimura@nri.co.jp; Hannes.Tschofenig@gmx.net;
derek@ihtfp.com
Subject: SECDIR review of draft-ietf-oauth-jwsreq-09.txt

 

 

I generated this review of this document as part of the security
directorate's ongoing effort to review all IETF documents being processed by
the IESG.  These comments were written with the intent of improving security
requirements and considerations in IETF drafts.  Comments not addressed in
last call may be included in AD reviews during the IESG review.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

 

This document proposes a mechanism to enable secure communication of OAuth
2.0 Authorization Requests using a JSON Web Token (JWT). This mechanism
represents an improvement over the current way that OAuth Authorization
Requests are transmitted, i.e., encoded as an (unprotected) URI. 

 

The document notes that the current Authorization Request mechanism fails to
provide integrity, authenticity, or confidentiality. JSON is already used for
OAuth responses, so using JWT to protect requests seems like an appropriate
choice. (XML signatures and encryption were rejected as too complex.)

 

Section 4 defines the Request Object format and provides examples.

The text here is a bit confusing. It seems to state that only integrity and
authenticity are mandated by this specification; confidentiality is an
optional feature. However, when discussing the use of encryption that does
not provide authentication, the text says that a signature "should" (not
"SHOULD") be applied. The text then says that "In this case, it [the token]
MUST be signed then encrypted ..." This combination of sentences is confusing
and OUGHT :) to be revised.

 

Section 6 describes how to validate a received JWT request token. Section
6.1 appears to not mandate use of a signature for an encrypted token,
suggesting that authentication and integrity need not be provided if the
requestor encrypts the token (and does not employ an authenticated
encryption algorithm). 

 

 

Section 10 describes Security Considerations in addition to the ones already
described in RFC 6119 (OAuth 2.0). The wording of Section 10.1 is odd: "... it
MUST either be JWS signed with then considered appropriate algorithm or
encrypted using [RFC7516]." Why is there no cite of 7515 for JWS algorithms
here, to parallel the cite of JWE?

 

Section 10.2 indicates that a client and server might agree, a priori, to
use the non-protected parameters transmitted in a request. It does not
indicate how this might have been done (hopefully, in a secure fashion). 

 

Section 10.3 finally mandates authentication of the request source,
something that was ambiguous in earlier sections of this document. There are
some ambiguous statements here, e.g. "Since Request Object URI can be
replayed, the lifetime of the Request Object URI MUST be short and
preferably one-time use.  The entropy of the Request Object URI MUST be
sufficiently large." The lack of guidance of what constitutes a "short"
lifetime or a "sufficiently large" amount of entropy (in a short URI) is
worrisome.  In (d) there is a typo: "The same requirements as (b) above
applies." -> "The same requirements as (b) above apply".

 

Section 10.4 includes several typos:

 

"Although this specification does not require them, researchs such as ..." ->
"Although this specification does not require them, research such as ..." This
is the beginning of a run-on sentence.

"The endpoints that comes into question ..." -> "The endpoints that come into
question ..."

 

The wording in several places is awkward, e.g., missing articles.

 

This section ends with the statement "An extension specification should be
created." Presumably the intent here is to suggest that an extension is
needed to remedy the vulnerability resulting from the lack of explicit
endpoint identifiers. This should be more clearly stated.

 

Section 11 discusses Privacy Considerations, an unusual element of an RFC.
(The authors state that ISO/IEC 29100 is freely accessible. That seems to be
true only if one follows the URL in the Informative References. A search for
this ISO document tends to yield copies available for a non-trivial fee,
i.e., ~ $150 USD.) Since there is standards language in this section (SHOULD
and MUST) I think 29100 needs to be a Normative (not Informational)
reference.

 

The text here raises some good privacy concerns and suggests some means by
which these concerns might be addressed. However, the wording here needs to
be significantly improved. There are extraneous articles and missing
articles that make the text harder to read. The ambiguous comment about
entropy that appeared in 10.3 appears here as well.

 


------=_NextPart_000_0013_01D27B21.1A6DB3E0--


--===============3145403237061402658==--


From nobody Mon Jan 30 08:19:38 2017
Return-Path: <chuck.lever@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E51FC12953B; Mon, 30 Jan 2017 08:19:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.419
X-Spam-Level: 
X-Spam-Status: No, score=-7.419 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oF_clJJjwtkE; Mon, 30 Jan 2017 08:19:34 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6E6212955D; Mon, 30 Jan 2017 08:19:03 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0UGJ0bW031517 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Jan 2017 16:19:01 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v0UGJ0w9032147 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Jan 2017 16:19:00 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v0UGIvu5019904; Mon, 30 Jan 2017 16:18:58 GMT
Received: from anon-dhcp-171.1015granger.net (/68.46.169.226) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 30 Jan 2017 08:18:57 -0800
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <CAFOuuo72ASH2f_n4dpanWDDtoyAH7gP-ckkW-sP6KTJdtjs=mA@mail.gmail.com>
Date: Mon, 30 Jan 2017 11:18:56 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <09B9253D-6C00-4584-B420-AD17202CC48B@oracle.com>
References: <CAFOuuo72ASH2f_n4dpanWDDtoyAH7gP-ckkW-sP6KTJdtjs=mA@mail.gmail.com>
To: Radia Perlman <radiaperlman@gmail.com>
X-Mailer: Apple Mail (2.3124)
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7lU35s_aQ5nmMlqnteEwIKB4JRc>
Cc: The IESG <iesg@ietf.org>, draft-ietf-nfsv4-rpcrdma-bidirection.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SECDIR review of draft-ietf-nfsv4-rpcrdma-bidirection
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2017 16:19:37 -0000

> On Jan 29, 2017, at 10:11 PM, Radia Perlman <radiaperlman@gmail.com> wrote:
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This draft concerns running NFS over RDMA (memory to memory access),
> and in particular running RPC requests “in both directions” (client to
> server – called forward direction – and callbacks from server to client
> called reverse direction). The RFC claims to describe current practice
> rather than to prescribe future practice, but it is intended to be
> Standards track, which is a little odd, but I guess documenting what is
> current practice and standardizing on it for the future is fine.
>
> In any case, RDMA is a high performance protected channel considered to
> be secure by its nature. If an RDMA protocol were run over a network
> tunnel, it would be the responsibility of the tunnel to implement
> authentication and encryption. And access rights of particular nodes
> and/or users are defined in higher layers of NFS, and so are unaffected
> by the fact that this is running over RDMA.
>
> Bottom line is there are no security considerations. The security
> considerations section refers readers to RFC5666bis (which is about NFS
> over RDMA generally rather than the specific issue of callbacks). This
> seems appropriate.
>
> If I were to make one comment it's that I don't like the terminology
> "backwards".  I might have used "reverse".  "Backwards" has a somewhat
> negative connotation, and it's slightly confusing when discussing
> "Backward Credits".  I'd think a "backwards credit" would be taking away
> credits from someone.  "Reverse credits" would be just as bad, but
> perhaps "reverse-direction credits" might be clear.

At first blush, this suggestion seems like an improvement to me. I'll need to
revisit the document to ensure that "reverse" and "reverse-direction" do not
introduce any specific issues. I'll consider this change for the next revision
if I don't hear objections.


--
Chuck Lever




From nobody Mon Jan 30 10:48:23 2017
Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2DC2129A93; Mon, 30 Jan 2017 10:48:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.188
X-Spam-Level: 
X-Spam-Status: No, score=-5.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EHEmU6ryN6rI; Mon, 30 Jan 2017 10:48:20 -0800 (PST)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 619BC129A91; Mon, 30 Jan 2017 10:48:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10000; q=dns/txt; s=VRSN; t=1485802100; h=from:to:date:message-id:references:in-reply-to: mime-version; bh=5QKxFvfNA6q//WnxDCRva/5Ej96ghotvyAr9pG3AKiI=; b=PvxHWXscAj+JArZl6i2KWc95Wl9EYHqPX6asBJgK6ryCg95RqleaxUdw wMEVE9WW6rkC6VCmg4GXliK1JH+yjSXqDUhADvHu+sC1S/UwZ+mlZRXq5 FSdncQZCikXR4uc2FfCVR72zumM/KP4clFBQjzlHN5qLlZt2ojUwZJWSS atSY7tzJ+8uhyYNdSgT+ydYgKtuDEJUluA9FQModra2xzN2rt93w+G60i ibrgwgHNoMMxagxmYSzToTFq9D2jS/TE3vMe8YZycB+0UsMM8mVnZsDW2 Quia9G/wMPHuw+VLdgBZKlpnwzwNqYKW5nPzwOtsmUpmlzRL5cegCe3YJ Q==;
X-IronPort-AV: E=Sophos;i="5.33,312,1477958400"; d="scan'208,217";a="1369314"
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id v0UImI47003632 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 30 Jan 2017 13:48:19 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Mon, 30 Jan 2017 13:48:18 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "lonvick.ietf@gmail.com" <lonvick.ietf@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-freytag-lager-variant-rules.all@ietf.org" <draft-freytag-lager-variant-rules.all@ietf.org>
Thread-Topic: [EXTERNAL] SECDIR review of draft-freytag-lager-variant-rules-03
Thread-Index: AQHSeqMPzJaBp6juTk+su1Vkfal3hKFRW0Zg
Date: Mon, 30 Jan 2017 18:48:17 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A52AA1D@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
References: <588EA8FF.5030105@gmail.com>
In-Reply-To: <588EA8FF.5030105@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_831693C2CDA2E849A7D7A712B24E257F4A52AA1DBRN1WNEXMBX01vc_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-xkT2lMOyWxOqz6xTxBVtlfRGik>
Subject: Re: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jan 2017 18:48:22 -0000

--_000_831693C2CDA2E849A7D7A712B24E257F4A52AA1DBRN1WNEXMBX01vc_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_831693C2CDA2E849A7D7A712B24E257F4A52AA1DBRN1WNEXMBX01vc_--


From nobody Tue Jan 31 05:38:01 2017
Return-Path: <shollenbeck@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE581129EF5; Tue, 31 Jan 2017 05:37:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.189
X-Spam-Level: 
X-Spam-Status: No, score=-5.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yCFDWLk_WcUI; Tue, 31 Jan 2017 05:37:49 -0800 (PST)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FB95129EA7; Tue, 31 Jan 2017 05:37:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=18844; q=dns/txt; s=VRSN; t=1485869869; h=from:to:date:message-id:references:in-reply-to: mime-version; bh=nPw0/e8xxOSHjxsRrZhsRfUPNgJfh1krdjDPdhJwP1g=; b=fOPu5UpzRLKZWXvmYrqc6kXOEKsS1QQYaM/3dmawNOAZXD5nuSdurRfs WzAvihwUKX3I0KhUq9sOmRLxfD47kVxOu+vLOKtViXS7llD02Gp25nDDn pbSAwVeGOmpqrvKJDLDm/+5+hgPFZvepzj35adUIyjno0t6ZZeWfBCfzs FzIbgph0VsVagle0EahsVfsnl8kouzOX+b+bDZKjxZVe9qDEN2P9M7owZ 6M4dEolY7wBa/Rs4CXd0cX2Mu9xgJF+iH6xEr8WVlLrPkBeOllkd3LjvK ChUPb0xNdzQHhJVJFp5Qr+NGpdT9bsvL26EFcTnCM06AJB7C5cFkeQYGC g==;
X-IronPort-AV: E=Sophos;i="5.33,315,1477958400"; d="scan'208,217";a="1394032"
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id v0VDblbx024350 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 31 Jan 2017 08:37:47 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0301.000; Tue, 31 Jan 2017 08:37:46 -0500
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "lonvick.ietf@gmail.com" <lonvick.ietf@gmail.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-freytag-lager-variant-rules.all@ietf.org" <draft-freytag-lager-variant-rules.all@ietf.org>
Thread-Topic: [EXTERNAL] Re: SECDIR review of draft-freytag-lager-variant-rules-03
Thread-Index: AQHSe8bGnjinyKTPKkSIByE2XuY5L6FSlqYg
Date: Tue, 31 Jan 2017 13:37:46 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F4A52B721@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
References: <588EA8FF.5030105@gmail.com> <831693C2CDA2E849A7D7A712B24E257F4A52AA1D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5890926D.1020903@gmail.com>
In-Reply-To: <5890926D.1020903@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_831693C2CDA2E849A7D7A712B24E257F4A52B721BRN1WNEXMBX01vc_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qk5wZ9aOAvr96ezKOh9zVYZ0pgg>
Subject: Re: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 13:37:51 -0000

--_000_831693C2CDA2E849A7D7A712B24E257F4A52B721BRN1WNEXMBX01vc_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Thanks, Chris. Asmus, do you have any issues with Chris’ suggestions?

Scott

From: Chris Lonvick [mailto:lonvick.ietf@gmail.com]
Sent: Tuesday, January 31, 2017 8:35 AM
To: Hollenbeck, Scott <shollenbeck@verisign.com>; iesg@ietf.org; secdir@ietf.org; draft-freytag-lager-variant-rules.all@ietf.org
Subject: [EXTERNAL] Re: SECDIR review of draft-freytag-lager-variant-rules-03

Hi Scott,

Oops. :-) The assignment I got on the 19th was for -02 which was what I
reviewed. I got a reminder on the 26th which was for -03 so I just put
that in. And yes, I did mean 7940.

The Security Considerations section is much better in -03. However, if
it is possible, I would still like to see something more in there. RFC
7940 has a short section in its Security Considerations section, noted
below, about how LGRs are only a partial remedy to the problem. The new
Security Considerations section in -03 seems to indicate that the
problem space may be constrained by properly utilizing certain optional
features of 7940. If that is correct, then perhaps the author would
consider revising the last part of the second paragraph to more clearly
state that?

Current:

   By including
   certain declarations that are optional under the schema and may not
   alter the results of processing a label, such an LGR supports the
   task of review and verification by more clearly expressing the
   intent.

Proposed:
   Utilizing certain optional declarations under the schema provides a clear expression
   of the label. When properly used, the label becomes unalterable and observably
   verifiable.

 From there, I would also like to see a quick statement about any other
areas that implementers should be aware of that are not addressed in
this document. I'm not familiar enough with this technology to know if
there is or isn't. If there are no other issues, or they are far outside
the scope of this document, then don't worry about it.

Regards,
Chris

On 1/30/17 12:48 PM, Hollenbeck, Scott wrote:

   Thanks for the review, Chris. I should note that my document shepherd
   review of the -02 version of this draft also produced feedback about
   the need to add Security Considerations text. The author added text
   and published the -03 version on 23 January. Chris, could you please
   look at -03 and see how well the text addresses your comments modulo
   what you’ve shared below? I assume that you meant RFC 7940
   (Representing Label Generation Rulesets Using XML) when you wrote RFC
   7948 (Internet Exchange BGP Route Server Operations).

   Scott

   From: Chris Lonvick [mailto:lonvick.ietf@gmail.com]
   Sent: Sunday, January 29, 2017 9:46 PM
   To: iesg@ietf.org<mailto:iesg@ietf.org>; secdir@ietf.org<mailto:secdir@ietf.org>; draft-freytag-lager-variant-rules.all@ietf.org<mailto:draft-freytag-lager-variant-rules.all@ietf.org>
   Subject: [EXTERNAL] SECDIR review of draft-freytag-lager-variant-rules-03

   Hi,

   I have reviewed this document as part of the security directorate's
   ongoing effort to review all IETF documents being processed by the
   IESG. These comments were written primarily for the benefit of the
   security area directors. Document editors and WG chairs should treat
   these comments just like any other last call comments.

   I consider this draft to be ready with issues.

   The document is well written and thorough but has no content in the
   Security Considerations section. The guidance provided in this
   INFORMATIONAL document appears to be sound but it should still provide
   a statement of how this work attempts to address the security concerns
   of RFC 7948. For perspective, the title of section 12.1 of the
   Security Considerations section is "LGRs Are Only a Partial Remedy for
   Problem Space".

   My recommendation is that a Security Considerations section for this
   document incorporate the Security Considerations section of RFC 7948,
   along with statements of how the document addresses the obtainable
   remediations, and what implementers should continue to be concerned
   about.

   Thanks,
   Chris

--_000_831693C2CDA2E849A7D7A712B24E257F4A52B721BRN1WNEXMBX01vc_--


From nobody Tue Jan 31 05:40:22 2017
Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 745B2129473; Tue, 31 Jan 2017 05:40:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level: 
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHsf344sF7OV; Tue, 31 Jan 2017 05:40:16 -0800 (PST)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FBE3129EE5; Tue, 31 Jan 2017 05:34:39 -0800 (PST)
Received: by mail-ot0-x243.google.com with SMTP id 73so41803188otj.1; Tue, 31 Jan 2017 05:34:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=3/txZ6hHARkHyr+KnfhMoGyiRpqfh1WSBoMzUoZOQaQ=; b=BvZxdZEoJYMu7IL0xe0YiFJGLhUHiw8qrVWt0xKYfdO93l8LLkuV7QxdDJ5MgJvP2S 0UsfHDmyQGy2FNP5nalJ4s4uHnq2PXqF25irglaVBOVLe8xwY4jELMS3FBXT7yN54Az+ u1qPNgx/KvWMmAQ4KjUJ0+ique8pQjORVH7jM2UvAnNOCN4A6yiDE5ezyF2grLOhvvlE L3nZUb20hv7cvoA0MVBmRePwdo3tAknWN11o6B5anBywuhu0vJkzj4ayqwxJ9AjhQ6JQ IP0lo8+98CKUE9NsL7ltfCXqXA6BGkOcb213fF5OVasMddySDJnI0CjeL4B2BSJNSeiy Fm+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=3/txZ6hHARkHyr+KnfhMoGyiRpqfh1WSBoMzUoZOQaQ=; b=hAKxG+MFKmaXWfj4scvt6fSORT9SrRsjTbM32fvJrS1uYHpV7IM/Op1Id2rYDJIRXx q4WW9dOgxryl+C8bHQ4Hz5ayPQvvbqDIGRvElQFa+GUqbqDRarjHjL5Mxk7qbjgcF2oK XMM7asXBYlDzTQQDo2tQVvmTqOZ8/XsWNy6aAfLOeX2g53qOxdL3IXBACXEoIdWloAIA uvj/VPDaGB80xc41Cs/0BHyvI0Y1P7lLm1HDDD8pXsGv25gItu2yf65JtTVtstYdtUcN XgibxeYKqNkOwuLKasWDa5QluljizCo+byqmRQeB3x4+5+k8ZrHTaUdGEPkCtQL9ZS0e whUA==
X-Gm-Message-State: AIkVDXJhlxMzrdbg0MkDQd5+zTwOPg2lK2FfWkSbpH3Fov2nR0bx31JiDLOHBsNj9gyOTg==
X-Received: by 10.157.21.19 with SMTP id u19mr12281929otf.229.1485869678412; Tue, 31 Jan 2017 05:34:38 -0800 (PST)
Received: from Chriss-MacBook-Air.local ([216.201.230.154]) by smtp.googlemail.com with ESMTPSA id r41sm8756129otc.40.2017.01.31.05.34.37 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Jan 2017 05:34:38 -0800 (PST)
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-freytag-lager-variant-rules.all@ietf.org" <draft-freytag-lager-variant-rules.all@ietf.org>
References: <588EA8FF.5030105@gmail.com> <831693C2CDA2E849A7D7A712B24E257F4A52AA1D@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <5890926D.1020903@gmail.com>
Date: Tue, 31 Jan 2017 07:34:37 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A52AA1D@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Content-Type: multipart/alternative; boundary="------------000309030202080809080105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-PLDqCkJaif2aIb8Ks3c-Rl2aGQ>
Subject: Re: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 13:40:17 -0000

This is a multi-part message in MIME format.
--------------000309030202080809080105
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Scott,

Oops. :-) The assignment I got on the 19th was for -02 which was what I 
reviewed. I got a reminder on the 26th which was for -03 so I just put 
that in. And yes, I did mean 7940.

The Security Considerations section is much better in -03. However, if 
it is possible, I would still like to see something more in there. RFC 
7940 has a short section in its Security Considerations section, noted 
below, about how LGRs are only a partial remedy to the problem. The new 
Security Considerations section in -03 seems to indicate that the 
problem space may be constrained by properly utilizing certain optional 
features of 7940. If that is correct, then perhaps the author would 
consider revising the last part of the second paragraph to more clearly 
state that?

Current:

    By including
    certain declarations that are optional under the schema and may not
    alter the results of processing a label, such an LGR supports the
    task of review and verification by more clearly expressing the
    intent.


Proposed:
    Utilizing certain optional declarations under the schema provides a clear expression
    of the label. When properly used, the label becomes unalterable and observably
    verifiable.

 From there, I would also like to see a quick statement about any other 
areas that implementers should be aware of that are not addressed in 
this document. I'm not familiar enough with this technology to know if 
there is or isn't. If there are no other issues, or they are far outside 
the scope of this document, then don't worry about it.

Regards,
Chris


On 1/30/17 12:48 PM, Hollenbeck, Scott wrote:
> Thanks for the review, Chris. I should note that my document shepherd 
> review of the -02 version of this draft also produced feedback about 
> the need to add Security Considerations text. The author added text 
> and published the -03 version on 23 January. Chris, could you please 
> look at -03 and see how well the text addresses your comments modulo 
> what you’ve shared below? I assume that you meant RFC 7940 
> (Representing Label Generation Rulesets Using XML) when you wrote RFC 
> 7948 (Internet Exchange BGP Route Server Operations).
>
> Scott
>
> *From:*Chris Lonvick [mailto:lonvick.ietf@gmail.com]
> *Sent:* Sunday, January 29, 2017 9:46 PM
> *To:* iesg@ietf.org; secdir@ietf.org; 
> draft-freytag-lager-variant-rules.all@ietf.org
> *Subject:* [EXTERNAL] SECDIR review of 
> draft-freytag-lager-variant-rules-03
>
> Hi,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> I consider this draft to be ready with issues.
>
> The document is well written and thorough but has no content in the 
> Security Considerations section. The guidance provided in this 
> INFORMATIONAL document appears to be sound but it should still provide 
> a statement of how this work attempts to address the security concerns 
> of RFC 7948. For perspective, the title of section 12.1 of the 
> Security Considerations section is "LGRs Are Only a Partial Remedy for 
> Problem Space".
>
> My recommendation is that a Security Considerations section for this 
> document incorporate the Security Considerations section of RFC 7948, 
> along with statements of how the document addresses the obtainable 
> remediations, and what implementers should continue to be concerned 
> about.
>
> Thanks,
> Chris
>


--------------000309030202080809080105--


From nobody Tue Jan 31 07:08:30 2017
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 649971294B2 for <secdir@ietfa.amsl.com>; Tue, 31 Jan 2017 07:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.829
X-Spam-Level: 
X-Spam-Status: No, score=-6.829 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_SBL=0.141, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRhJR7BpxWNR for <secdir@ietfa.amsl.com>; Tue, 31 Jan 2017 07:08:23 -0800 (PST)
Received: from PCH.mit.edu (pch.mit.edu [18.7.21.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BD111294B5 for <secdir@ietf.org>; Tue, 31 Jan 2017 07:08:23 -0800 (PST)
Received: from pch.mit.edu (localhost.localdomain [127.0.0.1]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0VF8MRd018014 for <secdir@ietf.org>; Tue, 31 Jan 2017 10:08:22 -0500
Received: from mailhub-dmz-2.mit.edu (mailhub-dmz-2.mit.edu [18.7.62.37]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v0VF8JeR018009 for <secdir@mailman.mit.edu>; Tue, 31 Jan 2017 10:08:19 -0500
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id v0VF1mAL009984 for <secdir@mit.edu>; Tue, 31 Jan 2017 10:08:19 -0500
X-AuditID: 12074425-69fff7000000616f-94-5890a862bb4d
Received: from dfw-mailout10.raytheon.com (dfw-mailout10.raytheon.com [199.46.199.220]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id C5.9E.24943.268A0985; Tue, 31 Jan 2017 10:08:19 -0500 (EST)
Received: from tx-mailout10.rtnmail.ray.com (tx-mailout10.rtnmail.ray.com [138.126.127.234]) by dfw-mailout10.ext.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id v0VF84B3030652 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 31 Jan 2017 15:08:04 GMT
Received: from 008-smtp-out.ray.com ([23.103.8.215]) by tx-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id v0VF833n003464 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 31 Jan 2017 15:08:03 GMT
Received: from CY1PR0601MB023.008f.mgd2.msft.net (23.103.8.215) by CY1PR0601MB023.008f.mgd2.msft.net (23.103.8.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.860.16; Tue, 31 Jan 2017 15:08:02 +0000
Received: from CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) by CY1PR0601MB023.008f.mgd2.msft.net ([23.103.8.215]) with mapi id 15.01.0860.012; Tue, 31 Jan 2017 15:08:02 +0000
From: Steve KENT <steve.kent@raytheon.com>
To: Nat Sakimura <n-sakimura@nri.co.jp>, "secdir@mit.edu" <secdir@mit.edu>
Thread-Topic: SECDIR review of draft-ietf-oauth-jwsreq-09.txt
Thread-Index: AQHScDTQRIxTn2UcrUufc7jChpMgqKFQyuqAgAH8LWE=
Date: Tue, 31 Jan 2017 15:08:02 +0000
Message-ID: <6904c3ea12444b64b827b4d3de176fe2@CY1PR0601MB023.008f.mgd2.msft.net>
References: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>,  <001201d27ad5$aa82d790$ff8886b0$@nri.co.jp>
In-Reply-To: <001201d27ad5$aa82d790$ff8886b0$@nri.co.jp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [23.103.8.5]
MIME-Version: 1.0
X-CC: n-sakimura@nri.co.jp, secdir@mit.edu, ve7jtb@ve7jtb.com, hannes.tschofenig@gmx.net, derek@ihtfp.com
X-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-01-31_06:, , signatures=0
X-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701310130
X-DMZ-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1612050000 definitions=main-1701310129
X-DMZ-Spam-Reason: mlx
Authentication-Results: symauth.service.identifier
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: multipart/mixed; boundary="===============7538861088664875098=="
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XCGWPwJPoV3M9E64cwLl7K0PSGE>
Subject: Re: [secdir] SECDIR review of draft-ietf-oauth-jwsreq-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 15:08:27 -0000

--===============7538861088664875098==
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_6904c3ea12444b64b827b4d3de176fe2CY1PR0601MB023008fmgd2m_"

--_000_6904c3ea12444b64b827b4d3de176fe2CY1PR0601MB023008fmgd2m_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Nat,


The revised text in the -11 version addressed my comments. There are still
several places where the wording is rather awkward, but I'll defer to the
RFC Editor to help you with these issues.

Steve


________________________________
From: Nat Sakimura <n-sakimura@nri.co.jp>
Sent: Monday, January 30, 2017 3:48:45 AM
To: Steve KENT; secdir@mit.edu
Cc: ve7jtb@ve7jtb.com; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
Subject: RE: SECDIR review of draft-ietf-oauth-jwsreq-09.txt

Hello.

Sorry to have taken more than a week to reply.

I have pushed -10 which hopefully has addressed all the issues raised.

I have recorded all your comments into the issue tracker [1] of my working
repository and was recording the changes so you can see how I tried to
resolve them there as well.

[1] https://bitbucket.org/Nat/oauth-jwsreq/issues?q=SECDIR

Best,

Nat Sakimura

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.

From: Steve KENT [mailto:steve.kent@raytheon.com]
Sent: Tuesday, January 17, 2017 5:14 AM
To: secdir@mit.edu
Cc: ve7jtb@ve7jtb.com; n-sakimura@nri.co.jp; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
Subject: SECDIR review of draft-ietf-oauth-jwsreq-09.txt



I generated this review of this document as part of the security
directorate's ongoing effort to review all IETF documents being processed
by the IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments not
addressed in last call may be included in AD reviews during the IESG
review.  Document editors and WG chairs should treat these comments just
like any other last call comments.



This document proposes a mechanism to enable secure communication of OAuth
2.0 Authorization Requests using a JSON Web Token (JWT). This mechanism
represents an improvement over the current way that OAuth Authorization
Requests are transmitted, i.e., encoded as an (unprotected) URI.



The document notes that the current Authorization Request mechanism fails
to provide integrity, authenticity, or confidentiality. JSON is already
used for OAuth responses, so using JWT to protect requests seems like an
appropriate choice. (XML signatures and encryption were rejected as too
complex.)



Section 4 defines the Request Object format and provides examples.

The text here is a bit confusing. It seems to state that only integrity and
authenticity are mandated by this specification; confidentiality is an
optional feature. However, when discussing the use of encryption that does
not provide authentication, the text says that a signature “should” (not
“SHOULD”) be applied. The text then says that “In this case, it [the
token] MUST be signed then encrypted …” This combination of sentences is
confusing and OUGHT :) to be revised.



Section 6 describes how to validate a received JWT request token. Section
6.1 appears to not mandate use of a signature for an encrypted token,
suggesting that authentication and integrity need not be provided if the
requestor encrypts the token (and does not employ an authenticated
encryption algorithm).





Section 10 describes Security Considerations in addition to the ones
already described in RFC 6119 (OAuth 2.0). The wording of Section 10.1 is
odd: “ …it MUST either be JWS signed with then considered appropriate
algorithm or encrypted using [RFC7516].” Why is there no cite of 7515 for
JWS algorithms here, to parallel the cite of JWE?



Section 10.2 indicates that a client and server might agree, a priori, to
use the non-protected parameters transmitted in a request. It does not
indicate how this might have been done (hopefully, in a secure fashion).



Section 10.3 finally mandates authentication of the request source,
something that was ambiguous in earlier sections of this document. There
are some ambiguous statements here, e.g. “Since Request Object URI can be
replayed, the lifetime of the Request Object URI MUST be short and
preferably one-time use.  The entropy of the Request Object URI MUST be
sufficiently large.” The lack of guidance of what constitutes a “short”
lifetime or a “sufficiently large” amount of entropy (in a short URI) is
worrisome.  In (d) there is a typo: “The same requirements as (b) above
applies.” -> “The same requirements as (b) above apply”.



Section 10.4 includes several typos:



“Although this specification does not require them, researchs such as …”
-> “Although this specification does not require them, research such as …”
This is the beginning of a run-on sentence.



“The endpoints that comes into question …” -> “The endpoints that come
into question …”



The wording in several places is awkward, e.g., missing articles.



This section ends with the statement “An extension specification should be
created.” Presumably the intent here is to suggest that an extension is
needed to remedy the vulnerability resulting from the lack of explicit
endpoint identifiers. This should be more clearly stated.



Section 11 discusses Privacy Considerations, an unusual element of an RFC.
(The authors state that ISO/IEC 29100 is freely accessible. That seems to
be true only if one follows the URL in the Informative References. A search
for this ISO document tends to yield copies available for a non-trivial
fee, i.e., ~ $150 USD.) Since there is standards language in this section
(SHOULD and MUST) I think 29100 needs to be a Normative (not Informational)
reference.



The text here raises some good privacy concerns and suggests some means by
which these concerns might be addressed. However, the wording here needs to
be significantly improved. There are extraneous articles and missing
articles that make the text harder to read. The ambiguous comment about
entropy that appeared in 10.3 appears here as well.


--_000_6904c3ea12444b64b827b4d3de176fe2CY1PR0601MB023008fmgd2m_--

--===============7538861088664875098==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir

--===============7538861088664875098==--


From nobody Tue Jan 31 08:08:21 2017
Return-Path: <asmusf@ix.netcom.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A128129503; Tue, 31 Jan 2017 08:08:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.855
X-Spam-Level: 
X-Spam-Status: No, score=-3.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-1.156] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (384-bit key) header.from=asmusf@ix.netcom.com header.d=ix.netcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KR4WmiGe7xxy; Tue, 31 Jan 2017 08:08:18 -0800 (PST)
Received: from elasmtp-curtail.atl.sa.earthlink.net (elasmtp-curtail.atl.sa.earthlink.net [209.86.89.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38748129501; Tue, 31 Jan 2017 08:08:18 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk20050327; d=ix.netcom.com; b=gidDfW9Uw2/e8ztFZ8t7WWxNyYw0lkNNCKBv1aVZbdp8TgvFrvwX/QwkLk5Gb3qU; h=Received:Subject:To:References:From:Message-ID:Date:User-Agent:MIME-Version:In-Reply-To:Content-Type:X-ELNK-Trace:X-Originating-IP;
Received: from [71.212.93.242] (helo=[192.168.1.101]) by elasmtp-curtail.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <asmusf@ix.netcom.com>) id 1cYayK-0008Vn-5z; Tue, 31 Jan 2017 11:07:56 -0500
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, lonvick.ietf@gmail.com, iesg@ietf.org, secdir@ietf.org, draft-freytag-lager-variant-rules.all@ietf.org
References: <588EA8FF.5030105@gmail.com> <831693C2CDA2E849A7D7A712B24E257F4A52AA1D@BRN1WNEXMBX01.vcorp.ad.vrsn.com> <5890926D.1020903@gmail.com> <831693C2CDA2E849A7D7A712B24E257F4A52B721@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
From: Asmus Freytag <asmusf@ix.netcom.com>
Message-ID: <880099e6-7428-21f9-c02c-8cd5649affdb@ix.netcom.com>
Date: Tue, 31 Jan 2017 08:07:55 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <831693C2CDA2E849A7D7A712B24E257F4A52B721@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Content-Type: multipart/alternative; boundary="------------88CDF6C740EAAB64CF5EB5B5"
X-ELNK-Trace: 464f085de979d7246f36dc87813833b2b92c5f0aecc81b516d280184db7d1119259e3c68bf37e940350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 71.212.93.242
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/G3UTKnc6COcTBbYdmKc9vRDBzGE>
Subject: Re: [secdir] SECDIR review of draft-freytag-lager-variant-rules-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jan 2017 16:08:20 -0000

This is a multi-part message in MIME format.
--------------88CDF6C740EAAB64CF5EB5B5
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

On 1/31/2017 5:37 AM, Hollenbeck, Scott wrote:
>
> Thanks, Chris. Asmus, do you have any issues with Chris’ suggestions?
>
See below.
>
> Scott
>
> *From:*Chris Lonvick [mailto:lonvick.ietf@gmail.com]
> *Sent:* Tuesday, January 31, 2017 8:35 AM
> *To:* Hollenbeck, Scott <shollenbeck@verisign.com>; iesg@ietf.org; 
> secdir@ietf.org; draft-freytag-lager-variant-rules.all@ietf.org
> *Subject:* [EXTERNAL] Re: SECDIR review of 
> draft-freytag-lager-variant-rules-03
>
> Hi Scott,
>
> Oops. :-) The assignment I got on the 19th was for -02 which was what 
> I reviewed. I got a reminder on the 26th which was for -03 so I just 
> put that in. And yes, I did mean 7940.
>
> The Security Considerations section is much better in -03.
>
Thanks.
>
> However, if it is possible, I would still like to see something more 
> in there. RFC 7940 has a short section in its Security Considerations 
> section, noted below, about how LGRs are only a partial remedy to the 
> problem.
>
That's a fundamental limitation.
>
> The new Security Considerations section in -03 seems to indicate that 
> the problem space may be constrained by properly utilizing certain 
> optional features of 7940. If that is correct, then perhaps the author 
> would consider revising the last part of the second paragraph to more 
> clearly state that?
>
The use of variants can make an LGR more robust, but that was not the 
intended focus of the paragraph in question:
>
>
> Current:
>
>     By including
>     certain declarations that are optional under the schema and may not
>     alter the results of processing a label, such an LGR supports the
>     task of review and verification by more clearly expressing the
>     intent.
>
>
> Proposed:
>    Utilizing certain optional declarations under the schema provides a 
> clear expression
>    of the label. When properly used, the label becomes unalterable and 
> observably
>    verifiable.
>
The intent was that, by following certain conventions in drafting, the LGR 
itself becomes more easily reviewable and the implementation more 
verifiable.

There are ways of defining variants that, while syntactically legal, are 
difficult to anticipate or impossible to implement unambiguously. 
Avoiding those cases by following the guidance here would result in an 
LGR that is "well-behaved", or predictable in its effects to the 
LGR-author (and reviewer) and implementable without running into 
potentially self-contradictory edge cases.

In any case, I doubt that it is in principle possible to make every 
label (no matter the script or language) "unalterable and observably 
verifiable"; in fact, I don't know what that means.

Labels depend on unambiguous identification by the user, but not all 
users are equally discriminating or careful. Some will click on 
"gargle.com" -- nothing an LGR can do about that.

>
> From there, I would also like to see a quick statement about any other 
> areas that implementers should be aware of that are not addressed in 
> this document.
>
Variants are an important part, but only a part of an LGR design. There 
are other features of an LGR that the document does not give guidance 
on, if only to keep this document focused.
>
> ...ar enough with this technology to know if there is or isn't. If 
> there are no other issues, or they are far outside the scope of this 
> document, then don't worry about it.
>
I can check the text one more time to see whether there are some 
additional things that deserve to be mentioned.

A./
>
>
> Regards,
> Chris
>
> On 1/30/17 12:48 PM, Hollenbeck, Scott wrote:
>
>     Thanks for the review, Chris. I should note that my document
>     shepherd review of the -02 version of this draft also produced
>     feedback about the need to add Security Considerations text. The
>     author added text and published the -03 version on 23 January.
>     Chris, could you please look at -03 and see how well the text
>     addresses your comments modulo what you’ve shared below? I assume
>     that you meant RFC 7940 (Representing Label Generation Rulesets
>     Using XML) when you wrote RFC 7948 (Internet Exchange BGP Route
>     Server Operations).
>
>     Scott
>
>     *From:*Chris Lonvick [mailto:lonvick.ietf@gmail.com]
>     *Sent:* Sunday, January 29, 2017 9:46 PM
>     *To:* iesg@ietf.org <mailto:iesg@ietf.org>; secdir@ietf.org
>     <mailto:secdir@ietf.org>;
>     draft-freytag-lager-variant-rules.all@ietf.org
>     <mailto:draft-freytag-lager-variant-rules.all@ietf.org>
>     *Subject:* [EXTERNAL] SECDIR review of
>     draft-freytag-lager-variant-rules-03
>
>     Hi,
>
>     I have reviewed this document as part of the security
>     directorate's ongoing effort to review all IETF documents being
>     processed by the IESG. These comments were written primarily for
>     the benefit of the security area directors. Document editors and
>     WG chairs should treat these comments just like any other last
>     call comments.
>
>     I consider this draft to be ready with issues.
>
>     The document is well written and thorough but has no content in
>     the Security Considerations section. The guidance provided in this
>     INFORMATIONAL document appears to be sound but it should still
>     provide a statement of how this work attempts to address the
>     security concerns of RFC 7948. For perspective, the title of
>     section 12.1 of the Security Considerations section is "LGRs Are
>     Only a Partial Remedy for Problem Space".
>
>     My recommendation is that a Security Considerations section for
>     this document incorporate the Security Considerations section of
>     RFC 7948, along with statements of how the document addresses the
>     obtainable remediations, and what implementers should continue to
>     be concerned about.
>
>     Thanks,
>     Chris
>


--------------88CDF6C740EAAB64CF5EB5B5--


From nobody Tue Jan 31 23:11:34 2017
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04683129416 for <secdir@ietfa.amsl.com>; Tue, 31 Jan 2017 23:11:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.969
X-Spam-Level: 
X-Spam-Status: No, score=-6.969 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25v33Y8bhDwX for <secdir@ietfa.amsl.com>; Tue, 31 Jan 2017 23:11:30 -0800 (PST)
Received: from PCH.mit.edu (pch.mit.edu [18.7.21.50]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C5841293E8 for <secdir@ietf.org>; Tue, 31 Jan 2017 23:11:29 -0800 (PST)
Received: from pch.mit.edu (localhost.localdomain [127.0.0.1]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v117BTPw005790 for <secdir@ietf.org>; Wed, 1 Feb 2017 02:11:29 -0500
Received: from mailhub-dmz-3.mit.edu (mailhub-dmz-3.mit.edu [18.9.21.42]) by PCH.mit.edu (8.13.8/8.12.8) with ESMTP id v117BQhM005787 for <secdir@mailman.mit.edu>; Wed, 1 Feb 2017 02:11:26 -0500
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) by mailhub-dmz-3.mit.edu (8.13.8/8.9.2) with ESMTP id v1178u8Y026754 for <secdir@mit.edu>; Wed, 1 Feb 2017 02:11:26 -0500
X-AuditID: 1209190c-2b3ff70000002704-dd-58918a1acfaa
Received: from nrifs04.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by  (Symantec Messaging Gateway) with SMTP id C5.E7.09988.B1A81985; Wed,  1 Feb 2017 02:11:24 -0500 (EST)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs04.index.or.jp (Postfix) with ESMTP id EC1BD472EDF; Wed,  1 Feb 2017 16:11:21 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id 525684E0046; Wed,  1 Feb 2017 16:11:21 +0900 (JST)
Received: from nriea02.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id v117BLD6025112; Wed, 1 Feb 2017 16:11:21 +0900
Received: from nrims00a.nri.co.jp ([192.50.135.11]) by nriea02.index.or.jp with ESMTP id v117BKZU025017; Wed, 01 Feb 2017 16:11:21 +0900
Received: from nrims00a.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v117BKlN036023; Wed, 1 Feb 2017 16:11:20 +0900
Received: (from mailnull@localhost) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id v117BKko036022; Wed, 1 Feb 2017 16:11:20 +0900
X-Authentication-Warning: nrims00a.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf14.index.or.jp ([172.100.25.23]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id v117BKWb036019; Wed, 1 Feb 2017 16:11:20 +0900
From: "Nat Sakimura" <n-sakimura@nri.co.jp>
To: "'Steve KENT'" <steve.kent@raytheon.com>, <secdir@mit.edu>
References: <67adb90acb8c4a23beaeb5d0b39800bf@CY1PR0601MB023.008f.mgd2.msft.net>,  <001201d27ad5$aa82d790$ff8886b0$@nri.co.jp> <6904c3ea12444b64b827b4d3de176fe2@CY1PR0601MB023.008f.mgd2.msft.net>
In-Reply-To: <6904c3ea12444b64b827b4d3de176fe2@CY1PR0601MB023.008f.mgd2.msft.net>
Date: Wed, 1 Feb 2017 16:11:21 +0900
Message-ID: <00c301d27c5a$64291300$2c7b3900$@nri.co.jp>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJOm09WvX4P5pGJ5FM9qeQSqgTlmQJxuPp/AhArlwigN244QA==
Content-Language: ja
x-mailadviser: 20141126
Authentication-Results: symauth.service.identifier
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: multipart/mixed; boundary="===============4356363951258756955=="
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4UECkkF48s1Eyc-yaoKSZ7DKQB0>
Subject: Re: [secdir] SECDIR review of draft-ietf-oauth-jwsreq-09.txt
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 07:11:33 -0000

This is a multipart message in MIME format.

--===============4356363951258756955==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_00C4_01D27CA5.D41A09D0"
Content-Language: ja

This is a multipart message in MIME format.

------=_NextPart_000_00C4_01D27CA5.D41A09D0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Steve, 

 

Thanks very much. I am in the process of incorporating OpsDir comments. That
might solve some of your concerns re: awkward wordings. At the same time, if
you could send me the concrete text replacement for awkward phrases, I can
incorporate them in the process as well. 

 

Best, 

 

Nat Sakimura

--

PLEASE READ :This e-mail is confidential and intended for the

named recipient only. If you are not an intended recipient,

please notify the sender  and delete this e-mail.

 

From: Steve KENT [mailto:steve.kent@raytheon.com] 
Sent: Wednesday, February 1, 2017 12:08 AM
To: Nat Sakimura <n-sakimura@nri.co.jp>; secdir@mit.edu
Cc: ve7jtb@ve7jtb.com; Hannes.Tschofenig@gmx.net; derek@ihtfp.com
Subject: Re: SECDIR review of draft-ietf-oauth-jwsreq-09.txt

 

Nat,

 

The revised text in the -11 version addressed my comments. There are still
several places where the wording is rather awkward, but I'll defer to the
RFC Editor to help you with these issues.

Steve

 

  _____  

From: Nat Sakimura <n-sakimura@nri.co.jp <mailto:n-sakimura@nri.co.jp> >
Sent: Monday, January 30, 2017 3:48:45 AM
To: Steve KENT; secdir@mit.edu <mailto:secdir@mit.edu> 
Cc: ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com> ; Hannes.Tschofenig@gmx.net
<mailto:Hannes.Tschofenig@gmx.net> ; derek@ihtfp.com
<mailto:derek@ihtfp.com> 
Subject: RE: SECDIR review of draft-ietf-oauth-jwsreq-09.txt 

 

Hello. 

 

Sorry to have taken more than a week to reply. 

 

I have pushed -10 which hopefully has addressed all the issues raised. 

 

I have recorded all your comments into the issue tracker [1] of my working
repository and was recording the changes so you can see how I tried to
resolve them there as well. 

 

[1]  <https://bitbucket.org/Nat/oauth-jwsreq/issues?q=SECDIR>
https://bitbucket.org/Nat/oauth-jwsreq/issues?q=SECDIR

 

Best, 

 

Nat Sakimura

 

--

PLEASE READ :This e-mail is confidential and intended for the

named recipient only. If you are not an intended recipient,

please notify the sender  and delete this e-mail.

 

From: Steve KENT [mailto:steve.kent@raytheon.com] 
Sent: Tuesday, January 17, 2017 5:14 AM
To: secdir@mit.edu <mailto:secdir@mit.edu> 
Cc: ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com> ; n-sakimura@nri.co.jp
<mailto:n-sakimura@nri.co.jp> ; Hannes.Tschofenig@gmx.net
<mailto:Hannes.Tschofenig@gmx.net> ; derek@ihtfp.com
<mailto:derek@ihtfp.com> 
Subject: SECDIR review of draft-ietf-oauth-jwsreq-09.txt

 

 

I generated this review of this document as part of the security
directorate's ongoing effort to review all IETF documents being processed by
the IESG.  These comments were written with the intent of improving security
requirements and considerations in IETF drafts.  Comments not addressed in
last call may be included in AD reviews during the IESG review.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

 

This document proposes a mechanism to enable secure communication of OAuth
2.0 Authorization Requests using a JSON Web Token (JWT). This mechanism
represents an improvement over the current way that OAuth Authorization
Requests are transmitted, i.e., encoded as an (unprotected) URI. 

 

The document notes that the current Authorization Request mechanism fails to
provide integrity, authentic, or confidentiality. JSON is already used for
OAuth responses, so using JWT to protect requests seems like an appropriate
choice. (XML signatures and encryption were rejected as too complex.) 

 

Section 4 defines the Request Object format and provides examples.

The text here is a bit confusing. It seems to state that only integrity and
authenticity are mandated by this specification; confidentiality is an
optional feature. However, when discussing the use of encryption that does
not provide authentication, the text says that a signature "should" (not
"SHOULD") be applied. The text then says that "In this case, it [the token]
MUST be signed then encrypted." This combination of sentences is confusing
and OUGHT :) to be revised. 

 

Section 6 describes how to validate a received JWT request token. Section
6.1 appears to not mandate use of a signature for an encrypted token,
suggesting that authentication and integrity need not be provided if the
requestor encrypts the token (and does not employ an authenticated
encryption algorithm). 

 

 

Section 10 describes Security Considerations in addition to the ones already
described in RFC 6119 (OAuth 2.0). The wording of Section 10.1 is odd: " .it
MUST either be JWS signed with then considered appropriate algorithm or
encrypted using [RFC7516]." Why is there no cite of 7515 for JWS algorithms
here, to parallel the cite of JWE?

 

Section 10.2 indicates that a client and server might agree, a priori, to
use the non-protected parameters transmitted in a request. It does not
indicate how this might have been done (hopefully, in a secure fashion). 

 

Section 10.3 finally mandates authentication of the request source,
something that was ambiguous in earlier sections of this document. There are
some ambiguous statements here, e.g. "Since Request Object URI can be
replayed, the lifetime of the Request Object URI MUST be short and
preferably one-time use.  The entropy of the Request Object URI MUST be
sufficiently large." The lack of guidance of what constitutes a "short"
lifetime or a "sufficiently large" amount of entropy (in a short URI) is
worrisome.  In (d) there is a typo: "The same requirements as (b) above
applies." -> "The same requirements as (b) above apply".

 

Section 10.4 includes several typos:

 

"Although this specification does not require them, researchs such as ..." ->
"Although this specification does not require them, research such as ..." This
is the beginning of a run-on sentence.

"The endpoints that comes into question ..." -> "The endpoints that come into
question ..."

 

The wording in several places is awkward, e.g., missing articles.

 

This section ends with the statement "An extension specification should be
created." Presumably the intent here is to suggest that an extension is
needed to remedy the vulnerability resulting from the lack of explicit
endpoint identifiers. This should be more clearly stated.

 

Section 11 discusses Privacy Considerations, an unusual element of an RFC.
(The authors state that ISO/IEC 29100 is freely accessible. That seems to be
true only if one follows the URL in the Informative References. A search for
this ISO document tends to yield copies available for a non-trivial fee,
i.e., ~ $150 USD.) Since there is standards language in this section (SHOULD
and MUST) I think 29100 needs to be a Normative (not Informational)
reference. 

 

The text here raises some good privacy concerns and suggests some means by
which these concerns might be addressed. However, the wording here needs to
be significantly improved. There are extraneous articles and missing
articles that make the text harder to read. The ambiguous comment about
entropy that appeared in 10.3 appears here as well.

 


------=_NextPart_000_00C4_01D27CA5.D41A09D0--


--===============4356363951258756955==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir

--===============4356363951258756955==--
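
Added example, not part of the original thread or of the draft under review: a Python sketch of the two checks the review keeps returning to, namely that a Request Object is always authenticated (encryption never replaces the signature) and that a Request Object URI is high-entropy, short-lived and one-time use. The HS256 shared key, the required "exp" claim, the 60-second lifetime, the 256-bit reference, the https://client.example/request/ URL and all function and class names are assumptions of this example; the draft text quoted above gives no concrete values.

```python
import base64
import hashlib
import hmac
import json
import secrets


class RequestObjectError(Exception):
    """Raised when a Request Object or Request Object URI is not acceptable."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Client side: build a compact JWS, used here to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_request_object(token: str, key: bytes, now: float) -> dict:
    """Server side: accept only a signed, unexpired Request Object."""
    parts = token.split(".")
    if len(parts) == 5:
        # Five segments is a compact JWE. Decrypt it first; the plaintext must
        # then pass this same check, so encryption never replaces the signature.
        raise RequestObjectError("JWE: decrypt, then verify the inner JWS")
    if len(parts) != 3:
        raise RequestObjectError("not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:
        raise RequestObjectError("malformed header or signature") from exc
    # Allow-list the algorithm: this rejects "none" and anything unexpected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise RequestObjectError("unsigned or unsupported alg")
    signed = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RequestObjectError("bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        raise RequestObjectError("malformed payload") from exc
    # Assumption of this example: an "exp" claim is required.
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        raise RequestObjectError("missing or expired exp")
    return claims


class RequestUriStore:
    """Issues Request Object URIs that are unguessable, short-lived, one-time."""

    BASE = "https://client.example/request/"  # constructed URL

    def __init__(self, ttl_seconds: int = 60, token_bytes: int = 32):
        self.ttl_seconds = ttl_seconds
        self.token_bytes = token_bytes  # 32 bytes = 256 bits from the CSPRNG
        self._items = {}

    def register(self, request_object: str, now: float) -> str:
        uri = self.BASE + secrets.token_urlsafe(self.token_bytes)
        self._items[uri] = (now + self.ttl_seconds, request_object)
        return uri

    def redeem(self, uri: str, now: float) -> str:
        # pop() removes the entry on first use, so a replayed URI finds nothing.
        entry = self._items.pop(uri, None)
        if entry is None:
            raise RequestObjectError("unknown or already used request URI")
        expires_at, request_object = entry
        if now >= expires_at:
            raise RequestObjectError("request URI expired")
        return request_object


def is_rejected(fn, *args) -> bool:
    """True when fn(*args) raises RequestObjectError."""
    try:
        fn(*args)
    except RequestObjectError:
        return True
    return False
```
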

