
From nobody Thu Mar  1 03:18:38 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1821B126DEE for <secdir@ietf.org>; Thu,  1 Mar 2018 03:18:37 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.73.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <151990311709.10176.8597398421673650706.idtracker@ietfa.amsl.com>
Date: Thu, 01 Mar 2018 03:18:37 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RWVHoBCEda99CuLJp1qhamZHMLQ>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 11:18:37 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2018-03-08

Reviewer               LC end     Draft
John Bradley           2018-03-06 draft-ietf-trill-smart-endnodes-09
Shaun Cooley           2018-03-06 draft-ietf-trill-over-ip-15
Roman Danyliw          2018-03-06 draft-ietf-trill-multilevel-unique-nickname-05
Magnus Nystrom         2018-03-06 draft-ietf-trill-multi-topology-05
Hilarie Orman          2018-03-06 draft-ietf-trill-directory-assisted-encap-09
Tim Polk               2018-03-02 draft-ietf-core-object-security-08
Kyle Rose              2018-03-06 draft-ietf-ace-cbor-web-token-12
Rifaat Shekh-Yusef    R2018-02-27 draft-ietf-teas-rsvp-egress-protection-13
Melinda Shore          2018-02-27 draft-ietf-lisp-signal-free-multicast-08
Dacheng Zhang          2018-03-06 draft-ietf-trill-vendor-channel-00

For telechat 2018-04-05

Reviewer               LC end     Draft
Donald Eastlake        2018-03-06 draft-ietf-teas-scheduled-resources-06
Shawn Emery           R2018-01-26 draft-ietf-mmusic-trickle-ice-sip-14
Shawn Emery            2018-03-06 draft-ietf-pce-lsp-setup-type-08
Daniel Gillmor         2018-03-19 draft-gutmann-scep-09
Daniel Gillmor         2018-03-26 draft-ietf-l2sm-l2vpn-service-model-08
Ben Laurie             2018-03-26 draft-ietf-6tisch-6top-protocol-09
David Mandelberg       2018-02-22 draft-ietf-ice-trickle-17
Matthew Miller         2018-02-20 draft-ietf-tram-stunbis-15
Vincent Roca           None       draft-ietf-core-cocoa-03
Stefan Santesson       2018-03-01 draft-ietf-tls-iana-registry-updates-04
Klaas Wierenga         2018-02-23 draft-ietf-nfsv4-layout-types-10

Last calls:

Reviewer               LC end     Draft
John Bradley           None       draft-ietf-acme-acme-09
Daniel Franke          2018-03-30 draft-ietf-mmusic-rid-14
Tobias Gondrom         2018-03-12 draft-ietf-tokbind-https-12
Tobias Gondrom         2018-02-21 draft-ietf-sacm-nea-swima-patnc-03
Leif Johansson        R2018-02-26 draft-ietf-homenet-babel-profile-06
Adam Montville        R2018-02-22 draft-ietf-bier-ospf-bier-extensions-15
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-12
Tina Tsou              2018-02-26 draft-ietf-softwire-dslite-yang-15
Carl Wallace           2018-02-26 draft-ietf-hip-native-nat-traversal-27
Taylor Yu              2018-03-16 draft-housley-suite-b-to-historic-04

Early review requests:

Reviewer               Due        Draft
Daniel Franke          2018-01-31 draft-ietf-intarea-provisioning-domains-00
Ólafur Guðmundsson     2018-01-09 draft-ietf-opsawg-nat-yang-09

Next in the reviewer rotation:

  Ólafur Guðmundsson
  Phillip Hallam-Baker
  Steve Hanna
  Dan Harkins
  Paul Hoffman
  Russ Housley
  Christian Huitema
  Leif Johansson
  Benjamin Kaduk
  Charlie Kaufman


From nobody Thu Mar  1 05:19:41 2018
Return-Path: <rifaat.ietf@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5DE1204DA; Thu,  1 Mar 2018 05:19:29 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
To: <secdir@ietf.org>
Cc: draft-ietf-teas-rsvp-egress-protection.all@ietf.org, ietf@ietf.org, teas@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.73.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151991036929.10142.15530875347611140227@ietfa.amsl.com>
Date: Thu, 01 Mar 2018 05:19:29 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/T-EBWzcE3AFGfKRMh0hu4LlY5vA>
Subject: [secdir] Secdir telechat review of draft-ietf-teas-rsvp-egress-protection-13
X-List-Received-Date: Thu, 01 Mar 2018 13:19:29 -0000

Reviewer: Rifaat Shekh-Yusef
Review result: Ready

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This version -13 of the document addressed my comments on version -09.
I have no further comments.

Regards,
 Rifaat



From nobody Thu Mar  1 12:07:14 2018
Return-Path: <stewart.bryant@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74B2712025C; Thu,  1 Mar 2018 12:07:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4S8GUEyNCPGF; Thu,  1 Mar 2018 12:07:01 -0800 (PST)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A745212EC42; Thu,  1 Mar 2018 12:06:57 -0800 (PST)
Received: by mail-wm0-x22a.google.com with SMTP id s206so47864wme.0; Thu, 01 Mar 2018 12:06:57 -0800 (PST)
X-Received: by 10.28.166.201 with SMTP id p192mr2572538wme.132.1519934816012;  Thu, 01 Mar 2018 12:06:56 -0800 (PST)
Received: from [192.168.2.126] (host213-123-124-182.in-addr.btopenworld.com. [213.123.124.182]) by smtp.gmail.com with ESMTPSA id f23sm8846558wrf.77.2018.03.01.12.06.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Mar 2018 12:06:55 -0800 (PST)
To: Daniel Franke <dafranke@akamai.com>, secdir@ietf.org
Cc: draft-ietf-mpls-flow-ident.all@ietf.org, ietf@ietf.org, mpls@ietf.org
References: <151562021088.5645.6014648171409606834@ietfa.amsl.com>
From: Stewart Bryant <stewart.bryant@gmail.com>
Message-ID: <7a2b19b9-7c5e-035a-49c9-e87186f77eeb@gmail.com>
Date: Thu, 1 Mar 2018 20:06:54 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <151562021088.5645.6014648171409606834@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SGV6BrOnXFeUnsRpbT5DKd5AELc>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-flow-ident-06
Precedence: list
X-List-Received-Date: Thu, 01 Mar 2018 20:07:02 -0000

Hi Daniel

Thank you for the review.


On 10/01/2018 21:36, Daniel Franke wrote:
> Reviewer: Daniel Franke
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These comments
> were written primarily for the benefit of the security area directors. Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> I know next to nothing about MPLS. The proposed functionality seems reasonable
> and persuasively justified, but it is possible that there are significant
> issues I'm overlooking. I have a couple nitpicks about the Security
> Considerations section.
>
> The lowercased (i.e., non-RFC-2119) "must"s and "should"s are weasel words when
> not connected with a statement of what objective is achieved by following those
> recommendations. For example, the sentence "Propagation of identification
> information outside the MPLS network imposing it must be disabled by default"
> ought to be prefaced or suffixed with something along the lines of "In order to
> preserve present assumptions about MPLS privacy properties".
This is a useful point and I have included it in the security section.
> I see a lot of discussion about confidentiality concerns when flow information
> is propagated across trust boundaries, but no discussion about the dual
> integrity concerns.
I am not sure what a dual integrity concern is. Do you mean data integrity?
> I suggest including some word of warning that flow
> information received from an untrusted LSR cannot be assumed correct, so
> caution is advised before relying on it, e.g., to determine for billing
> purposes whether SLAs are being met.
In an MPLS network we would not have any exchange with an untrusted LSR.
It is a fundamental assumption that routers within the same domain are
trustworthy.
If a router was untrustworthy it could cause immense damage to the whole
network, for example, by sending false reachability information that
would bring the whole network down.  So within an MPLS network we tend
to trust that the routers tell the truth.

- Stewart

>


From nobody Thu Mar  1 12:42:51 2018
Return-Path: <paul@nohats.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4525212FA87 for <secdir@ietfa.amsl.com>; Thu,  1 Mar 2018 12:42:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fbz4BDTWeOgf for <secdir@ietfa.amsl.com>; Thu,  1 Mar 2018 12:42:47 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2BC4124C27 for <secdir@ietf.org>; Thu,  1 Mar 2018 12:42:47 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3zsks062Jjz3H3; Thu,  1 Mar 2018 21:42:44 +0100 (CET)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FgJJF3F3ix5f; Thu,  1 Mar 2018 21:42:43 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu,  1 Mar 2018 21:42:43 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E60E3366715; Thu,  1 Mar 2018 15:42:42 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E60E3366715
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D5F4C44DA25D; Thu,  1 Mar 2018 15:42:42 -0500 (EST)
Date: Thu, 1 Mar 2018 15:42:42 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
cc: secdir@ietf.org
In-Reply-To: <20180228225105.GN50954@kduck.kaduk.org>
Message-ID: <alpine.LRH.2.21.1803011541440.26181@bofh.nohats.ca>
References: <151958515603.12934.11779217462614817262@ietfa.amsl.com> <002a01d3ae92$9b899660$d29cc320$@ndzh.com> <alpine.LRH.2.21.1802281553170.522@bofh.nohats.ca> <20180228224114.GM50954@kduck.kaduk.org> <20180228225105.GN50954@kduck.kaduk.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/H3ruYCpZyKQZwojXovVMTxz4tjQ>
Subject: Re: [secdir] [i2rs] Secdir last call review of draft-ietf-i2rs-rib-info-model-14
Precedence: list
X-List-Received-Date: Thu, 01 Mar 2018 20:42:49 -0000

On Wed, 28 Feb 2018, Benjamin Kaduk wrote:

> And to follow up, to get to the review *request* page (as opposed to
> the page for the review itself, which is linked from the document
> page), you can go to "my reviews" in the left sidebar.

Thanks! That worked for me. I'm not sure if my brain just never saw the
edit button before or if it wasn't there. So since my brain is more
likely to produce indeterminate results, I'll blame me.

I've updated the review,

Thanks

Paul


From nobody Fri Mar  2 10:17:15 2018
Return-Path: <krose@krose.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B7712E8DF for <secdir@ietfa.amsl.com>; Fri,  2 Mar 2018 10:16:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htkcQ9ZzMBbl for <secdir@ietfa.amsl.com>; Fri,  2 Mar 2018 10:16:55 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CC5012E892 for <secdir@ietf.org>; Fri,  2 Mar 2018 10:16:21 -0800 (PST)
Received: by mail-qk0-x22c.google.com with SMTP id y137so13045883qka.4 for <secdir@ietf.org>; Fri, 02 Mar 2018 10:16:21 -0800 (PST)
X-Received: by 10.55.27.18 with SMTP id b18mr9022888qkb.355.1520014580035; Fri, 02 Mar 2018 10:16:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.215.204 with HTTP; Fri, 2 Mar 2018 10:16:19 -0800 (PST)
X-Originating-IP: [2001:4878:a000:3000:6584:986b:3cfa:536b]
From: Kyle Rose <krose@krose.org>
Date: Fri, 2 Mar 2018 13:16:19 -0500
Message-ID: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>,  draft-ietf-ace-cbor-web-token.all@ietf.org
Content-Type: multipart/alternative; boundary="001a1147ed3618fb54056671f913"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yVFGEMjFlY09rQ5YuziE1QZbiAI>
Subject: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
Precedence: list
X-List-Received-Date: Fri, 02 Mar 2018 18:17:08 -0000

--001a1147ed3618fb54056671f913
Content-Type: text/plain; charset="UTF-8"

Reviewer: Kyle Rose
Review result: Ready with nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This draft specifies a means for representing claims in CBOR, and for using
COSE to encrypt and authenticate such claims. The listed security
considerations seem to cover the same ground as the respective slices of
the corresponding JWT references: the COSE RFC 8152 covers issues of trust
establishment, as well as the vagaries of signature algorithms and key
reuse, in more depth.

My only nit for this document is the repeated use of the phrasing "...has
the same meaning, syntax, and processing rules as..." throughout section
3.1: specifically, the inclusion of "syntax". For example, it doesn't seem
to make sense to talk about the syntax of a CBOR NumericDate being the same
as, or different from, the syntax of a JSON NumericDate: clearly, the
binary representation is different, and it's not at all clear that it makes
sense to talk about the human-readable source representation in this
context. That said, there is some parallelism with respect to StringOrURI,
as presumably the intent is to require that all strings containing a colon
also be valid URIs.

--001a1147ed3618fb54056671f913--


From nobody Fri Mar  2 10:29:46 2018
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A61E12E8B1; Fri,  2 Mar 2018 10:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PHYkLQhid0S7; Fri,  2 Mar 2018 10:29:32 -0800 (PST)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0071812E878; Fri,  2 Mar 2018 10:29:28 -0800 (PST)
Received: by mail-ot0-x22a.google.com with SMTP id 108so9539856otv.3; Fri, 02 Mar 2018 10:29:28 -0800 (PST)
X-Received: by 10.157.64.189 with SMTP id n58mr4348283ote.215.1520015368430; Fri, 02 Mar 2018 10:29:28 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.119 with HTTP; Fri, 2 Mar 2018 10:28:48 -0800 (PST)
In-Reply-To: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 2 Mar 2018 13:28:48 -0500
Message-ID: <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com>
To: Kyle Rose <krose@krose.org>
Cc: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>,  draft-ietf-ace-cbor-web-token.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pq_9HnEvP11Z80xw9VGkfFK3pS8>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
Precedence: list
X-List-Received-Date: Fri, 02 Mar 2018 18:29:35 -0000

Thanks for your review, Kyle!

On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org> wrote:
> Reviewer: Kyle Rose
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This draft specifies a means for representing claims in CBOR, and for using
> COSE to encrypt and authenticate such claims. The listed security
> considerations seem to cover the same ground as the respective slices of the
> corresponding JWT references: the COSE RFC 8152 covers issues of trust
> establishment, as well as the vagaries of signature algorithms and key
> reuse, in more depth.
>
> My only nit for this document is the repeated use of the phrasing "...has
> the same meaning, syntax, and processing rules as..." throughout section
> 3.1: specifically, the inclusion of "syntax". For example, it doesn't seem
> to make sense to talk about the syntax of a CBOR NumericDate being the same
> as, or different from, the syntax of a JSON NumericDate: clearly, the binary
> representation is different, and it's not at all clear that it makes sense
> to talk about the human-readable source representation in this context. That
> said, there is some parallelism with respect to StringOrURI, as presumably
> the intent is to require that all strings containing a colon also be valid
> URIs.
>

Good point.  Authors, please put these adjustments in your working
copy of the draft and ack the changes made here.

Thank you,
Kathleen



-- 

Best regards,
Kathleen


From nobody Fri Mar  2 10:48:11 2018
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5993126C25; Fri,  2 Mar 2018 10:48:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gI5DkxqB3guY; Fri,  2 Mar 2018 10:48:01 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0133.outbound.protection.outlook.com [104.47.33.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54710126C22; Fri,  2 Mar 2018 10:48:01 -0800 (PST)
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com (52.132.114.20) by SN6PR2101MB0974.namprd21.prod.outlook.com (52.132.114.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.567.3; Fri, 2 Mar 2018 18:47:59 +0000
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50]) by SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50%2]) with mapi id 15.20.0567.006; Fri, 2 Mar 2018 18:47:59 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Kyle Rose <krose@krose.org>
CC: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-ace-cbor-web-token-12
Thread-Index: AQHTslKnGqkTlElBUUmHtMtpYOQ4daO9Q/YAgAAFIJA=
Date: Fri, 2 Mar 2018 18:47:59 +0000
Message-ID: <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com> <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com>
In-Reply-To: <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gnejWI2M71SOW-ybI3YQg-FU1YM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
X-List-Received-Date: Fri, 02 Mar 2018 18:48:04 -0000

From nobody Fri Mar  2 18:00:42 2018
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B752712708C; Fri,  2 Mar 2018 18:00:40 -0800 (PST)
From: Roman Danyliw <rdd@cert.org>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQ==
Date: Sat, 3 Mar 2018 02:00:30 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gf2KTIKz9n5h0EFXIZOBPFwQj60>
Subject: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-List-Received-Date: Sat, 03 Mar 2018 02:00:40 -0000

Reviewer: Roman Danyliw
Review result: Ready with nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with nits.

My feedback is as follows:

(1) Section 4.1, Multilevel TRILL Basics, Page 8

Thus Level 1 link state
information stays within a Level 1 area and Level 2 link state
information stays in Level 2 unless there are specific provisions for
leaking (copying) information between levels.

** What are these provisions where such leakage of information should occur beyond expected routing behavior?

(2) Section 4.2, Nickname Allocation, Page 8-9.

Level 2 RBridges contend for nicknames in the range from 0xF000
through 0xFBFF the same way as specified in [RFC6325], using Level 2
LSPs. The highest priority border router for a Level 1 area should
contend with others in Level 2 for smallish blocks of nicknames for
the range from 0x0001 to 0xEFFF. Blocks of 64 aligned on multiple of
64 boundaries are RECOMMENDED in this document.

** This text provides guidance to allocate nicknames from the range 0x0001 - 0xFBFF (0x0001 - 0xEFFF and 0xF000 - 0xFBFF); and Section 3.7 of RFC6325 says that 0xFFC0 - 0xFFFF and 0x0 are reserved.  Collectively, these two documents leave the range of 0xFC00 - 0xFFBF unspecified.  If that's intentional, describe how these values should be handled. Or, perhaps there is a typo and L2 RBridges should allocate from 0xF000 - 0xFFBF (i.e., s/0xFBFF/0xFFBF/)?
** (Editorial) The language "smallish blocks of nicknames" seems imprecise.

(3) Section 6, Security Considerations, Page 12.

With TRILL multilevel, flooding of control traffic for link state
information of Level 1 and Level 2 is separated. This addresses the
TRILL scalability issues as specified in Section 2 of [RFC8243] and
also confines the effective scope of possible malicious events.

** Per the sentence "With TRILL ... is separated", I recommend clarifying the language on what and in what way there is separation
** Per the follow-up sentence, "... also confines the effective scope of possible malicious events", I recommend discussing in more detail how the scope of malicious events is reduced with this approach.

(4) Section 6, Security Considerations, Page 12.

However, due to the nature that unique nickname areas share a unique
nickname space, border RBridges still have to leak nickname
information between levels. For this purpose, border RBridges need to
fabricate the nickname announcements as specified in Section 4.3.

** As it is raised as an issue with a mitigation, I recommend articulating the implication of leaking nicknames across levels.

(5) Section 6, Security Considerations, Page 12.

Malicious devices may also fake the NickBlockFlags APPsub-TLV to
announce a range of nicknames. By doing this, the attacker can
attract TRILL data packets that are originally to reach a bunch of
other RBridges.

** Recommend articulating the implications of a rogue device changing the path -- it might deny service, expose traffic to inspection, etc.
** (Editorial) Recommend alternate language for the colloquial "... bunch of other RBridges"

(6) Section 6, Security Considerations, Page 12.

For this reason, RBridges SHOULD be configured to
include the IS-IS Authentication TLV (10) in the IS-IS PDUs that
contains the NickBlockFlags APPsub-TLV, so that IS-IS security
([RFC5304] [RFC5310]) can be used to secure the network.

** Should a preference be expressed for RFC5310 over RFC5304?  To quote RFC5310, "[while at the time of this writing there are no openly published attacks on the HMAC-MD5 mechanism, some reports ([Dobb96a], [Dobb96b]) create concern about the ultimate strength of the MD5 cryptographic hash function."

** Recommend being more specific with the language "to secure the network".  Perhaps "For this reason, RBridges SHOULD authenticate their peer by using the IS-IS Authentication TLV (10) in the IS-IS PDUs that contains the NickBlockFlags APPsub-TLV."

(7) Section 6, Security Considerations, Page 12.

If border RBridges do not prune multi-destination distribution tree
traffic in Data Labels that are configured to be area local, then
traffic that should have been contained within an area might be
wrongly delivered to end stations in that Data Label in other areas.
This would generally violate security constraints.

** Recommend being more specific on the security constraints being violated.

(8) There appear to be a few instances of key protocol behavior not using RFC2119 language.  I'd suggest:

Section 3.2.2, Global Distribution Tree, Page 6
(old) Also, this border RBridge needs to advertise the set of local distribution trees by providing another set of nicknames
(new) Also, this border RBridge MUST advertise the set of local distribution trees by providing another set of nicknames

Section 3.2.2, Global Distribution Tree, Page 6
(old) If a border RBridge has been assigned both as a global tree root and a local tree root, it has to acquire both a global tree root nickname(s) and local tree root nickname(s)
(new) If a border RBridge has been assigned both as a global tree root and a local tree root, it MUST acquire both a global tree root nickname(s) and local tree root nickname(s)

Section 4.3, Nickname Announcements, Page 9
(old) Besides its own nickname(s), a border RBridge needs to announce, in its area, the ownership of all external nicknames that are reachable from this border RBridge.
(new) Besides its own nickname(s), a border RBridge MUST announce, in its area, the ownership of all external nicknames that are reachable from this border RBridge.

Section 4.3, Nickname Announcements, Page 9
(old) Also, a border RBridge needs to announce, in Level 2, the ownership of all nicknames within its area. From listening to these Level 2 announcements, border RBridges can figure out the nicknames used by other areas.
(new) Also, a border RBridge MUST announce, in Level 2, the ownership of all nicknames within its area. From listening to these Level 2 announcements, border RBridges can figure out the nicknames used by other areas.

Section 4.3, Nickname Announcements, Page 9
(old) To address this issue, border RBridges should make use of the NickBlockFlags APPsub-TLV to advertise into the Level 1 area the inclusive range of nicknames that are available or not for self allocation by the Level 1 RBridges in that area.
(new) To address this issue, border RBridges SHOULD use the NickBlockFlags APPsub-TLV to advertise into the Level 1 area the inclusive range of nicknames that are available or not for self allocation by the Level 1 RBridges in that area.

Section 4.4, Capability Indication, Page 11
(old) If there are RBridges that do not understand the NickBlockFlags APPsub-TLV, border RBridges of the area will also use the traditional Nickname Sub-TLV [RFC7176] to announce into the area those nicknames covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose OK is 0.
(new) If there are RBridges that do not understand the NickBlockFlags APPsub-TLV, border RBridges of the area MUST also use the traditional Nickname Sub-TLV [RFC7176] to announce into the area those nicknames covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose OK is 0.

Section 5, Mix with Aggregated nickname Areas, Page 11
(old) Usage of nickname space must be planed so that nicknames used in any one unique nickname area and Level 2 are never used in any other areas which includes unique nickname areas as well as aggregated nickname areas.
(new) Usage of nickname space MUST be planed so that nicknames used in any one unique nickname area and Level 2 are never used in any other areas which includes unique nickname areas as well as aggregated nickname areas.

Section 5, Mix with Aggregated nickname Areas, Page 11
(old) Border RBridges of an aggregated area need to announce nicknames heard from Level 2 into their area like just like an unique nickname border RBridge.
(new) Border RBridges of an aggregated area MUST announce nicknames heard from Level 2 into their area like just like an unique nickname border RBridge.

Regards,
Roman
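
The range arithmetic behind item (2) of the review above, as an added example that is not part of the original message or of the draft. The function names are illustrative; the range table uses only the values quoted in the review, and the block count is plain arithmetic on those values, not a statement from the draft.

```python
# Added illustration: check coverage of the 16-bit TRILL nickname space
# using only the ranges quoted in review item (2).

NICKNAME_SPACE = (0x0000, 0xFFFF)

# (first, last, label), inclusive bounds, as stated in the review text.
STATED_RANGES = [
    (0x0000, 0x0000, "reserved (RFC 6325, Section 3.7)"),
    (0x0001, 0xEFFF, "blocks for Level 1 areas (draft Section 4.2)"),
    (0xF000, 0xFBFF, "Level 2 RBridges (draft Section 4.2)"),
    (0xFFC0, 0xFFFF, "reserved (RFC 6325, Section 3.7)"),
]


def find_gaps_and_overlaps(ranges, space=NICKNAME_SPACE):
    """Return (gaps, overlaps) as lists of inclusive (first, last) tuples."""
    gaps, overlaps = [], []
    cursor = space[0]                      # lowest value not yet accounted for
    for first, last, _label in sorted(ranges):
        if first > cursor:                 # nothing claims cursor..first-1
            gaps.append((cursor, first - 1))
        elif first < cursor:               # range starts inside an earlier one
            overlaps.append((first, min(last, cursor - 1)))
        cursor = max(cursor, last + 1)
    if cursor <= space[1]:                 # tail of the space left unclaimed
        gaps.append((cursor, space[1]))
    return gaps, overlaps


def aligned_blocks(first, last, size=64):
    """Return every size-aligned block that lies wholly inside [first, last]."""
    start = -(-first // size) * size       # round 'first' up to a multiple of size
    blocks = []
    while start + size - 1 <= last:
        blocks.append((start, start + size - 1))
        start += size
    return blocks


def with_suggested_fix(ranges):
    """Apply the reviewer's s/0xFBFF/0xFFBF/ suggestion to the Level 2 range."""
    return [(f, 0xFFBF if (f, l) == (0xF000, 0xFBFF) else l, label)
            for f, l, label in ranges]


if __name__ == "__main__":
    gaps, overlaps = find_gaps_and_overlaps(STATED_RANGES)
    for first, last in gaps:
        print(f"unspecified: 0x{first:04X} - 0x{last:04X} ({last - first + 1} nicknames)")
    print("overlaps:", overlaps)

    fixed_gaps, _ = find_gaps_and_overlaps(with_suggested_fix(STATED_RANGES))
    print("gaps after s/0xFBFF/0xFFBF/:", fixed_gaps)

    # The aligned block starting at 0x0000 contains the reserved nickname
    # 0x0000, so the first whole block inside 0x0001-0xEFFF starts at 0x0040.
    blocks = aligned_blocks(0x0001, 0xEFFF)
    print(f"{len(blocks)} aligned blocks of 64, first 0x{blocks[0][0]:04X}, "
          f"last 0x{blocks[-1][0]:04X}")
```
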


From nobody Sat Mar  3 23:38:21 2018
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 921FF126C19 for <secdir@ietfa.amsl.com>; Sat,  3 Mar 2018 23:38:20 -0800 (PST)
MIME-Version: 1.0
From: Shawn Emery <shawn.emery@gmail.com>
Date: Sun, 4 Mar 2018 00:38:16 -0700
Message-ID: <CAChzXmZ5O1m6nm69MwhaB6X_CzwpF-6Q+rbTYO8CRgcYkBV7cg@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-pce-lsp-setup-type.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="001a11402f52ea421d0566914a0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ppSnKuebihyQvumHcSek9yYYa0Y>
Subject: [secdir] Review of draft-ietf-pce-lsp-setup-type-08
X-List-Received-Date: Sun, 04 Mar 2018 07:38:21 -0000

--001a11402f52ea421d0566914a0a
Content-Type: text/plain; charset="UTF-8"

Reviewer: Shawn M Emery
Review result: Ready with nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft specifies an extension to the Path Computation Element communication
Protocol (PCEP) that allows for different path setup methods for a given session.

The security considerations section does exist and defers security aspects
related to this draft to RFC 5440 and 8281.  I agree with this assertion.  I believe
that the base specifications cover the security concerns and ways to mitigate
sufficiently for this protocol.  It was also good to see that PCEP is developing
security as a forethought [RFC 8253].

General comments:

None.

Editorial comments:

s/A Path Computation Element can/A Path Computation Element (PCE) can/

s/extension to PCEP/extension to the PCE communication Protocol (PCEP)/

s/be able take control/be able to take control/


Shawn.
--

--001a11402f52ea421d0566914a0a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

 able take control/be able to take control/<br></pre></span></div><div><fon=
t color=3D"#000000"><span style=3D"font-size:13.3333px"><br></span></font><=
/div><div><font color=3D"#000000"><span style=3D"font-size:13.3333px">Shawn=
.</span></font></div><div><font color=3D"#000000"><span style=3D"font-size:=
13.3333px">--</span></font></div></div></div>

--001a11402f52ea421d0566914a0a--


From nobody Sun Mar  4 07:57:32 2018
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE96C12711A; Sun,  4 Mar 2018 07:57:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KenEOjrPlM-g; Sun,  4 Mar 2018 07:57:28 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on060a.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::60a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E14D120726; Sun,  4 Mar 2018 07:57:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;  s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=gZ3rgh7lySRWDnfxHYsp0avb3igONlQqFHGhGWUcoh8=; b=iIn6Z4Vtafjb0C1Jnua+LFe7Ka+Gp06dS5MRapP9C3gQ8Ki7dSbPY/5H8BfvqinUiNxuqFPU1fCjZMnIuA0r/UyJa8d9DQiv9DJOsui6mwRVzhi0eIUezjsHHUe38Re+IAnEMEdNQhiCvEz1z0NxCAl5KJk9IMEMuCCirXD7w+c=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB2707.eurprd08.prod.outlook.com (10.167.90.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Sun, 4 Mar 2018 15:57:24 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::7954:44ac:aab4:bc2c]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::7954:44ac:aab4:bc2c%14]) with mapi id 15.20.0548.014; Sun, 4 Mar 2018 15:57:24 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>, "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-tls-record-limit
Thread-Index: AQHTrqGSa72OyyaNEUOT8kn5vxYs5KO4BpFggAD7SYCAB0Hm4A==
Date: Sun, 4 Mar 2018 15:57:24 +0000
Message-ID: <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com> <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com>
In-Reply-To: <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [80.92.122.126]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB2707; 7:5nVxBEEoCiI3Lud128ZXKgsZ0kxSvEC9RkxoBe7xQ3EM8JuozfTgEy+q8Ce8tESrXiMiG6HND9qGOQ9SfAbcBuc8aoS1a0wx+4SHwK3utjUUyi54utFUA5hSe7aNvDfv3Q2CtcBqmQpsxj8ujn1wzIQtv2bW7EW8SYvNtYkw3h68Xm6LA+ROgbO/nmdB00BaIdlwDP/5bhKb3gb1j9VRu2pWd8KebCsutjKkWEZojb6xTySqTKZvIQzQTQENSMMh
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 8a300d3c-fb61-460c-62c5-08d581e89f11
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:AM4PR0801MB2707; 
x-ms-traffictypediagnostic: AM4PR0801MB2707:
x-microsoft-antispam-prvs: <AM4PR0801MB27072BE56150EB9AABD3EDF8FADB0@AM4PR0801MB2707.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(180628864354917)(85827821059158); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040501)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231220)(944501244)(52105095)(6055026)(6041288)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123562045)(6072148)(201708071742011); SRVR:AM4PR0801MB2707; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB2707; 
x-forefront-prvs: 060166847D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(376002)(39380400002)(366004)(346002)(189003)(199004)(40434004)(13464003)(26005)(305945005)(74316002)(102836004)(55016002)(186003)(8936002)(478600001)(7736002)(59450400001)(72206003)(6506007)(53546011)(97736004)(106356001)(9686003)(86362001)(6346003)(6436002)(8676002)(68736007)(81166006)(81156014)(14454004)(229853002)(33656002)(5660300001)(53936002)(54906003)(76176011)(2906002)(66066001)(3280700002)(4326008)(3846002)(316002)(6116002)(2950100002)(105586002)(93886005)(5250100002)(5890100001)(2900100001)(7696005)(6246003)(39060400002)(6916009)(25786009)(99286004)(3660700001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB2707; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-microsoft-antispam-message-info: VNakyhT0917Kj23+d0x1Tyk6c6/C57FZnWINZ0FN2yalC/wJWlTwN4w3HZAGJiyE7PzKvDKa5aqsJERJtxRA3KE86AmLLU2Z1T5RZ9Yd2O1Bj8IWPIhOZjYObp+JZFf11eB0Cs7+vOwNaDZtp7z7ijnlAYX6g/MqlACa5vxOQUzpwMbRYvSxVBI5nOxdvq2Cg+nLurhxlFUtYkW1t2sl21doiwXbWO6+3vPKjUXbRO67c1hUin+VY1+fp31IMkx84dteq8GqtC1QAG2EnfLo/owS7qVCcY21n7IJZqOTlSh7P52Wu4RdBUsyPg1Ht5wid1iQ19WLgNaX9ra/WrS/bw==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8a300d3c-fb61-460c-62c5-08d581e89f11
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Mar 2018 15:57:24.3280 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB2707
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fRZbnf41Xw3o01bW07Zly1Sdyn0>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 15:57:31 -0000

From nobody Sun Mar  4 09:58:47 2018
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59F9F124BAC for <secdir@ietfa.amsl.com>; Sun,  4 Mar 2018 09:58:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUZAtoJniWgm for <secdir@ietfa.amsl.com>; Sun,  4 Mar 2018 09:58:45 -0800 (PST)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9CE21242F7 for <secdir@ietf.org>; Sun,  4 Mar 2018 09:58:44 -0800 (PST)
Received: by mail-lf0-x231.google.com with SMTP id f75so19934152lfg.6 for <secdir@ietf.org>; Sun, 04 Mar 2018 09:58:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to; bh=7M6OPz/h/uUzXf9w3PBXx1slSj6y1Ac82cgH/T2KwVE=; b=QawQKuN+KIyAD4Yp+qSDK9qWSDrA2N5WH8ykYP0dWJeFeJ43FME42YM8wVlQ/xCN+j tWQ+FJiTZCTyOualbd67n0y4v5WWcfvS+fApOhUsY640XxxFF4cTUvnEw5zxL1v37/gC 7nd7WqHXs4/rCV+kXVW4SloOozYUx9N0Thz8QLTxmztiC93HXWt2gm6nVMrmLgDDlrWI HqhiY+MyuzTRy/RKaVNHkIDh2r21TR5y8cI+/GUvj9cQVfzq+kryKYcLCobevS8H2kbL eCpNewgCSzWYT0s+5guzcuDwNNVej50T0BmC3Yb4k4SfkhUtOL4H5PAwZYCiwIl+uOfe KNzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7M6OPz/h/uUzXf9w3PBXx1slSj6y1Ac82cgH/T2KwVE=; b=g/9QaFmhDjSH2cz6qrVA6pe0UE9UD3+/bsIMIbk+eVjn50aqS+yxu0GzMiRK6pClk9 e1yRUcA5n17tnYXas1d/4oHWWkmVwS1x2wzWGtelhdTbGb0zWuKz26F6bRVoPD4KYR3P bF2Ir/bFq7HHn2IMLq2d+4zBfoPuYifx/GrZpdhiTJUtwMYwbHHLkO4J0N8DNToi5IL7 jW2DGR7Sy6fXBS9yOHID1qAy4/0X/t0ZmdTBLDebj3VCYkvlPjQGSyqj1m2uWmm18nfa p/UCM8OAnqurJaK8qIqo5GMVA7tZgHxw5aHw6uW6G54n2S8yYSIap4mvwZCvM0gp02rB m2yw==
X-Gm-Message-State: APf1xPASWgaA30DIZzzBbZQw3Yw92V6GKOG+FBQZO44QECAsuJfpJcCs mZyj5dmfP6hJFj7QmLZyfpeKmFgn/c5Oi+b2WK32RZPN
X-Google-Smtp-Source: AG47ELtikwxQez4K/Yfd/LbxvMVN8+7zOqPUfOaCuLEzf62tEGxn7Pcfg1C2otcmvpjEH2UabJ2/j4t4xy2+ESqVL7I=
X-Received: by 10.46.23.219 with SMTP id 88mr8246763ljx.49.1520186322751; Sun, 04 Mar 2018 09:58:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.46.113.7 with HTTP; Sun, 4 Mar 2018 09:58:42 -0800 (PST)
From: Shawn Emery <shawn.emery@gmail.com>
Date: Sun, 4 Mar 2018 10:58:42 -0700
Message-ID: <CAChzXmZiveUB2==b6hWAT7+r9=+UHQE5a=SgwHdKQH03Sd7c4w@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-mmusic-trickle-ice-sip.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="94eb2c1c16bec294b3056699f521"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UBFNcfP11LfE0w1V44lSTC7SdCM>
Subject: [secdir] Review of draft-ietf-mmusic-trickle-ice-sip-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 17:58:46 -0000

--94eb2c1c16bec294b3056699f521
Content-Type: text/plain; charset="UTF-8"

This is a re-review from draft-ietf-mmusic-trickle-ice-sip-12.

Reviewer: Shawn M Emery
Summary: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

General comments:

Hopefully ietf-mmusic-ice-sip-sdp will be progressed soon as there are a number
of normative references to this draft.

Editorial comments:

None.

Shawn.
--


--94eb2c1c16bec294b3056699f521--


From nobody Sun Mar  4 10:58:31 2018
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0674124C27; Sun,  4 Mar 2018 10:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level: 
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzciUOw4-aZV; Sun,  4 Mar 2018 10:58:27 -0800 (PST)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 549121205D3; Sun,  4 Mar 2018 10:58:27 -0800 (PST)
Received: by mail-it0-x22a.google.com with SMTP id e64so7417471ita.5; Sun, 04 Mar 2018 10:58:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1tWdmPO2wnriAcdkUBLjOvGXX0NmvMUVNIMRmvxkqa0=; b=YsWIEjzoRJXD67dv+xM6NqOhGDH70Hdz4BGsC4HlHrEXALnLWtfCZNF9HL+X8We3xZ HPs7PvX5TwmlSGRGMS01sm7hPz29L68hDdbFuqp4qpHQonM7Ap/wjoKGb7K6wbcptts2 gftGMmD+ggnMQYGHTg/ZkCVPhTyx/wWK0zjJQxJ1ikZjakxJxMi1ePVNFPPnEyjHUVxp EjqrPJWOkCJygsrjIE3wxZImJg5mSTY0GripY+QKsPZc/iBOzUvHU8NC1aEUpg/IqNaD pcZvWGNcv6bE5BIvOc2CGEhmwBTv1SL44syJOQu797Db2CbPNK/SNu7sel/XuQazdeHy x8pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1tWdmPO2wnriAcdkUBLjOvGXX0NmvMUVNIMRmvxkqa0=; b=hjcWVPCn1ixXpTdvqqLAC7YlhnErzyTZ72dxEIymSDekm5OdYp+6HTfHQU8/mcXNd1 T0MDRjYkKWoIl1QoEIwxHZHl5ByG/mRaXGjSKY6PrEQaK4LkuEF8Y6ne30gtXXnODF59 FzUrXgk3HT2kwS9nNyi4Uvtw2ahR6/QtFWXpavNImMrzuREIG2xIK9Kk23thSNOOmt56 aNUp9UtzLR/0xPWh0ZBtC40azWxSkvQOtk68JvXhYPaAe2T3seP8qwoL85ZEOycmhhTu Ga/B/NpcRiBtulL3UuNzFU6equGwBkteirtMopstlYoCFrvfen4gAv/SnTC9BeQyNqqB sh6w==
X-Gm-Message-State: AElRT7GkXwfU0TmhILgpFDtrvn50avFwUMUrbKvRLCd1LMg7usYO37Li diSLRqlRgGu60eoNugNN6p+Eq0Y+dte59iALFe07wiJs
X-Google-Smtp-Source: AG47ELswnGkRdBJEPLlA17c2BxkuJ9ANljSe6UZHriuiV33D9CrcEc74Z54ZhnEUlOxX6i3aTTG4qzWBiu16AUb8Ta0=
X-Received: by 10.36.50.196 with SMTP id j187mr10954749ita.85.1520189906365; Sun, 04 Mar 2018 10:58:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.58.193 with HTTP; Sun, 4 Mar 2018 10:58:10 -0800 (PST)
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 4 Mar 2018 13:58:10 -0500
Message-ID: <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pin_pmIk9JtE20hcLB6hUtOKRN8>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 18:58:30 -0000

Hi Roman,

Thanks for doing a review. See responses below.

On Fri, Mar 2, 2018 at 9:00 PM, Roman Danyliw <rdd@cert.org> wrote:
> Reviewer: Roman Danyliw
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> My feedback is as follows:
>
> (1) Section 4.1, Multilevel TRILL Basics, Page 8
>
> Thus Level 1 link state
> information stays within a Level 1 area and Level 2 link state
> information stays in Level 2 unless there are specific provisions for
> leaking (copying) information between levels.
>
> ** What are these provisions where such leakage of information should
> occur beyond expected routing behavior?

Typically "link state" information stays within a Level 1 area or
within the Level 2 routers. Occasionally there is information that it
is desirable to flood throughout the domain at both Level 1 and Level
2. IS-IS "link state" information is in the form of TLVs. Typically
this domain wide flooding is accomplished by using two flags in the
value portion of the TLV. One flag indicates that the TLV is to be
flooded domain wide while the other is initially zero and is set when
the TLV is flooded from Level 2 to Level 1 -- this second flag is to
stop a TLV from being flooded from Level 2 to Level 1 and then back to
Level 2 again resulting in TLV looping. See, for example, the IS-IS
Router Capabilities TLV D and S flags as specified in Section 2 of RFC
7981.  This is all standard IS-IS machinery that someone familiar with
IS-IS would know -- there is nothing TRILL specific about it.

> (2) Section 4.2, Nickname Allocation, Page 8-9.
>
> Level 2 RBridges contend for nicknames in the range from 0xF000
> through 0xFBFF the same way as specified in [RFC6325], using Level 2
> LSPs. The highest priority border router for a Level 1 area should
> contend with others in Level 2 for smallish blocks of nicknames for
> the range from 0x0001 to 0xEFFF. Blocks of 64 aligned on multiple of
> 64 boundaries are RECOMMENDED in this document.
>
> ** This text provides guidance to allocate nicknames from the range
> 0x0001 - 0xFBFF (0x0001 - 0xEFFF and 0xF000 - 0xFBFF); and Section 3.7
> of RFC6325 says that 0xFFC0 - 0xFFFF and 0x0 are reserved.
> Collectively, these two documents leave the range of 0xFC00 - 0xFFBF
> unspecified.  If that's intentional, describe how these values should
> be handled. Or, perhaps there is a typo and L2 Rbridges should allocate
> from 0xF000 - 0xFFBF (i.e., s/0xFBFF/0xFFBF/)?

I believe it's a typo and it should be 0xF000 - 0xFFBF.

> ** (Editorial) The language "smallish blocks of nicknames" seems
> imprecise.

I think we could just delete the word "smallish".

> (3) Section 6, Security Considerations, Page 12.
>
> With TRILL multilevel, flooding of control traffic for link state
> information of Level 1 and Level 2 is separated. This addresses the
> TRILL scalability issues as specified in Section 2 of [RFC8243] and
> also confines the effective scope of possible malicious events.
>
> ** Per the sentence "With TRILL ... is separated", I recommend
> clarifying the language on what and in what way there is separation

This is basic to multilevel IS-IS and anyone familiar with that would
understand. We could add a reference to IS-IS.

> ** Per the follow-up sentence, "... also confines the effective scope
> of possible malicious events", I recommend discussing in more detail
> how the scope of malicious events is reduced with this approach.

I suggest the following replacement text:

   Since TRILL multilevel uses the existing IS-IS multilevel
facilities [IS-IS], flooding of control traffic for link state
information is automatically confined to a Level 1 area or to Level 2
except (for limited types of information that can be specifically
flagged for wider flooding). This addresses the TRILL scalability
issues as specified in Section 2 of [RFC8243] and also, except of the
wider flooding case, this confines the scope of the effects of
malicious events that could be communicated through the link state.

> (4) Section 6, Security Considerations, Page 12.
>
> However, due to the nature that unique nickname areas share a unique
> nickname space, border RBridges still have to leak nickname
> information between levels. For this purpose, border RBridges need to
> fabricate the nickname announcements as specified in Section 4.3.
>
> ** As it is raised as an issue with a mitigation, I recommend
> articulating the implication of leaking nicknames across levels.

Since nicknames must be unique across the multi-level domain, and
nicknames in TRILL are auto-allocated, clearly RBridges inside an area
need to know what nicknames are in use, which is the effect and
purpose of leaking nickname claim information across levels. I suggest
the following wording:

    However, due to the nature that unique nickname areas share a
common nickname space, border RBridges still have to leak nickname
information between levels. Such leaking means that nickname related
events in one area can affect other areas. For this purpose, border
RBridges need to fabricate the nickname announcements as specified in
Section 4.3.

> (5) Section 6, Security Considerations, Page 12.
>
> Malicious devices may also fake the NickBlockFlags APPsub-TLV to
> announce a range of nicknames. By doing this, the attacker can
> attract TRILL data packets that are originally to reach a bunch of
> other RBridges.
>
> ** Recommend articulating the implications of a rogue device changing
> the path -- it might deny service, expose traffic to inspection, etc.

This is not that much different from an RBridge announcing low cost to
some MAC address to attract data packets. It is typical that all
routers in some routing domain have to be, to a reasonable extent,
trusted since there is a large variety of information they could
maliciously announce to cause problems. If a rogue router makes false
announcements to attract traffic, typically the traffic goes to that
router and not to the intended destination. Anyone familiar with
common routing techniques would be aware of this.

> ** (Editorial) Recommend alternate language for the colloquial "...
> bunch of other RBridges"

bunch -> number

> (6) Section 6, Security Considerations, Page 12.
>
> For this reason, RBridges SHOULD be configured to
> include the IS-IS Authentication TLV (10) in the IS-IS PDUs that
> contains the NickBlockFlags APPsub-TLV, so that IS-IS security
> ([RFC5304] [RFC5310]) can be used to secure the network.
>
> ** Should a preference be expressed for RFC5310 over RFC5304?  To quote
> RFC5310, "[while at the time of this writing there are no openly
> published attacks on the HMAC-MD5 mechanism, some reports ([Dobb96a],
> [Dobb96b]) create concern about the ultimate strength of the MD5
> cryptographic hash function."

I would agree that RFC 5310 security is superior to RFC 5304 security.
Perhaps references to 5304 can be removed.

> ** Recommend being more specific with the language "to secure the
> network".  Perhaps "For this reason, RBridges SHOULD authenticate their
> peer by using the IS-IS Authentication TLV (10) in the IS-IS PDUs that
> contains the NickBlockFlags APPsub-TLV."

Suggest replacing "to secure the network" with "to authenticate those
PDUs and discard them if they are forged."

> (7) Section 6, Security Considerations, Page 12.
>
> If border RBridges do not prune multi-destination distribution tree
> traffic in Data Labels that are configured to be area local, then
> traffic that should have been contained within an area might be
> wrongly delivered to end stations in that Data Label in other areas.
> This would generally violate security constraints.
>
> ** Recommend being more specific on the security constraints being
> violated

OK.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com
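
The nickname-range gap raised in item (2) above can be checked mechanically. The following is an added example, not part of the thread or of the draft: it takes the ranges exactly as quoted in the review and reports which 16-bit nickname values no range covers, before and after the agreed typo fix. The function names (uncovered, overlapping, level1_block) are hypothetical.

```python
"""Added example: coverage check for the 16-bit TRILL nickname space."""

NICKNAME_SPACE = (0x0000, 0xFFFF)
BLOCK_SIZE = 64  # block size the quoted draft text RECOMMENDS

# Inclusive ranges, exactly as quoted in the thread.
RESERVED = [(0x0000, 0x0000), (0xFFC0, 0xFFFF)]  # RFC 6325 Section 3.7, per the review
LEVEL1_BLOCKS = (0x0001, 0xEFFF)                 # contended for in blocks by border routers
LEVEL2_AS_WRITTEN = (0xF000, 0xFBFF)             # Level 2 range in the -05 text
LEVEL2_CORRECTED = (0xF000, 0xFFBF)              # upper bound after the typo fix


def uncovered(ranges, space=NICKNAME_SPACE):
    """Return the inclusive (lo, hi) gaps in `space` that no range covers."""
    gaps, cursor = [], space[0]
    for lo, hi in sorted(ranges):
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= space[1]:
        gaps.append((cursor, space[1]))
    return gaps


def overlapping(ranges):
    """Return (earlier, later) pairs of ranges that share at least one value."""
    clashes, widest = [], None
    for cur in sorted(ranges):
        if widest is not None and cur[0] <= widest[1]:
            clashes.append((widest, cur))
        if widest is None or cur[1] > widest[1]:
            widest = cur
    return clashes


def level1_block(nickname):
    """Return the 64-aligned block holding `nickname`, clipped to the
    Level 1 range so that the reserved value 0x0000 is never included."""
    lo, hi = LEVEL1_BLOCKS
    if not lo <= nickname <= hi:
        raise ValueError(f"0x{nickname:04X} is outside the Level 1 block range")
    start = nickname - nickname % BLOCK_SIZE
    return max(start, lo), min(start + BLOCK_SIZE - 1, hi)


def fmt(ranges):
    return ", ".join(f"0x{lo:04X}-0x{hi:04X}" for lo, hi in ranges) or "none"


if __name__ == "__main__":
    for label, level2 in (("as written", LEVEL2_AS_WRITTEN),
                          ("corrected", LEVEL2_CORRECTED)):
        plan = RESERVED + [LEVEL1_BLOCKS, level2]
        print(f"Level 2 range {label}: unspecified = {fmt(uncovered(plan))}, "
              f"overlaps = {len(overlapping(plan))}")
    print("block holding 0x0001:", fmt([level1_block(0x0001)]))
```
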
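
The two-flag flooding mechanism described in the answer to item (1), as an added sketch that is not part of the thread or of any IS-IS implementation. The bit values follow the flags octet of the Router CAPABILITY TLV in RFC 7981 Section 2 (S = 0x01, D = 0x02); the CapTLV type, the leak and trace helpers and the honor_d switch are hypothetical names used only for illustration.

```python
"""Added example: why domain-wide TLV flooding needs the second (D) flag."""
from dataclasses import dataclass, replace

S_FLAG = 0x01  # scope: flood across the whole routing domain
D_FLAG = 0x02  # down: set once the TLV has been leaked from Level 2 to Level 1


@dataclass(frozen=True)
class CapTLV:
    origin: str      # originating router (constructed sample value)
    flags: int = 0


def leak(tlv, from_level, to_level, honor_d=True):
    """Border-router decision for one level crossing.

    Returns the TLV to flood into `to_level`, or None if it must stay put.
    honor_d=False models a router that ignores the D flag, to show the loop.
    """
    if {from_level, to_level} != {1, 2}:
        raise ValueError("a leak is always between Level 1 and Level 2")
    if not tlv.flags & S_FLAG:
        return None                      # level-scoped: never crosses
    if from_level == 2:
        return replace(tlv, flags=tlv.flags | D_FLAG)   # mark "came down"
    if honor_d and tlv.flags & D_FLAG:
        return None                      # already came down: do not send back up
    return tlv


def trace(tlv, hops, honor_d=True):
    """Apply a sequence of (from_level, to_level) crossings.

    Returns (flags after each successful crossing, index of the refused
    crossing or None if every crossing was allowed).
    """
    seen = []
    for index, (src, dst) in enumerate(hops):
        tlv = leak(tlv, src, dst, honor_d)
        if tlv is None:
            return seen, index
        seen.append(tlv.flags)
    return seen, None


# Constructed path: up from one area, down into another, then back up again.
UP_DOWN_UP_DOWN = [(1, 2), (2, 1), (1, 2), (2, 1)]

if __name__ == "__main__":
    domain_wide = CapTLV("RB1", S_FLAG)
    print("D honoured:", trace(domain_wide, UP_DOWN_UP_DOWN))
    print("D ignored: ", trace(domain_wide, UP_DOWN_UP_DOWN, honor_d=False))
    print("S clear:   ", trace(CapTLV("RB1", 0), UP_DOWN_UP_DOWN))
```
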


From nobody Sun Mar  4 14:02:47 2018
Return-Path: <martin.thomson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8FE1126B72; Sun,  4 Mar 2018 14:02:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaZVv1YNOQ61; Sun,  4 Mar 2018 14:02:34 -0800 (PST)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B53E126CC7; Sun,  4 Mar 2018 14:02:34 -0800 (PST)
Received: by mail-ot0-x22f.google.com with SMTP id f11so13271245otj.12; Sun, 04 Mar 2018 14:02:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=GojSAyWi4oCo0cRmAOqTy/9oAY/k7LDesatcR40XbQ0=; b=JRP0AqHLp3Rru/mcrQLTtvTcYVGp4D4Y3R+C7udTUWgLuDxD3hLBbK3e2KqSUpOUgy o+e23ngzYGv8SFdVbJQjHPb7VHrJi2SUI24agox6hJjR+lmDVlVNyMvMk1Wk097abXOm tQwZ8i4oG8nXFJgwhXZ6FEw7zmWwceQkCspUiBmzOvDgZ9XtLICz5mVAK05URNLJhq7i V3yqESesXU34wtTtZlKmvJucarTJwR67SlbfhCxwqB2W44WPK2rFvVtfhmLYSPx+cFeD DFF/IhvHc/vVs1rE2KCWpd4JBqZtiHL9Uq0xYmELa4WvB1lwvBABSzQBKNBkFNaRwXnG q+Vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=GojSAyWi4oCo0cRmAOqTy/9oAY/k7LDesatcR40XbQ0=; b=GVrYb3mWScIpFvKM7OY6Rs6QcFiATsa05J5XNNO6HfkNRuTtmoCXaUr7lAHE/aMER/ qVeF07L+zAbiOrALhdfhmXczBiGZjfm9FHrHE8DJSxSVjm6WUciYmKsVw+uZmKQEv5+R mvrwuSYXe2p0bLRy41EXq6FELAyTzNz1qezNyHkYTzDo79TWSMI7k1CGmpHU7GpR+HLj cktVDdCVDtUI+bcVwMwGKrmT8WhAbuTuJhixPAhRLRDd0feOlgbEKJ28BDLMBp7P4is/ Z0a/UsCP8tYGNGobNWT7viXKf8Rjgq5jwVjRrEERZlWJXxmPkqydc/uVczfCptR8xBlO TXCg==
X-Gm-Message-State: AElRT7HakSRtBE21jCtk+tGHS2a0bI3NFN2V9pdJIusF68rne2mbvpue a7nyXYl8rDaU57IilPQgpxPkRJBGvh2PMoWd/kU=
X-Google-Smtp-Source: AG47ELuh729xv8JcP7decbL1WZ6zTUVxGghrCPC0fTJCWfEr2jdpcV5hDyvBzwsA/cowL9Zu9JPEwaTYdoAW2zCiJ78=
X-Received: by 10.157.78.16 with SMTP id p16mr1378774otf.15.1520200953587; Sun, 04 Mar 2018 14:02:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Sun, 4 Mar 2018 14:02:33 -0800 (PST)
In-Reply-To: <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com> <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com> <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 5 Mar 2018 09:02:33 +1100
Message-ID: <CABkgnnUHTwD==Rh1+S+GV8Wn5Y8kpTM=iOA3M7+LXc6frccYQQ@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>,  "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>,  IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4pkABmGNrrMLpMBZ6EfYaOxNP4s>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Sun, 04 Mar 2018 22:02:36 -0000

On Mon, Mar 5, 2018 at 2:57 AM, Hannes Tschofenig
<Hannes.Tschofenig@arm.com> wrote:
> [Hannes] I am not sure I fully understand the approach. Even if someone
> uses TCP a RAM limitation will not go away. TCP is likely to make the
> situation worse since it requires some amount of RAM as well even with the
> best possible configuration. (There is this work in LWIG on TCP
> implementation guidance where the authors are supposed to provide some
> information about the actual RAM usage of various TCP features and
> settings.)

Let me try to explain more.

An endpoint that can't handle a big packet (whether that be a big TCP
segment or a big UDP datagram) can always pretend that this is a link
issue and send the appropriate ICMP message.  That limits the size of
packets they receive, at least to the point that the minimum for the
IP version in use is reached (576 for v4, 1280 for v6).  I'm not sure
what fragmentation does here, other than make things far worse.

If there are multiple packets arriving and no space for more than one,
then the endpoint can pretend that it didn't receive the packet.  TCP
also has ACKs, which the endpoint can withhold until it has space.

Thus, the endpoint can hold as little as a single MTU of data at once.
Given that it is not encrypted, my understanding is that there is no
need to constrain how it is turned into records.

Note that a constrained server has to handle a full ClientHello - the
client won't know the limit at the server.
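
The argument in the message above (unprotected handshake data can be consumed one small packet at a time, however the sender split it into records), shown as an added example that is not part of the original thread. The names hs_stream, hs_feed and run_sample, the 576-byte chunk size and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { REC_HDR = 5, HS_HDR = 4, CT_HANDSHAKE = 22, MAX_FRAGMENT = 16384 };

/* Whole receiver state: two small header scratch areas plus counters.
 * Nothing here grows with the record or handshake message size. */
typedef struct {
    uint8_t  rec_hdr[REC_HDR], hs_hdr[HS_HDR];
    uint8_t  rec_have, hs_have;   /* header bytes collected so far */
    uint8_t  in_body;             /* 1 while inside a handshake message body */
    uint8_t  last_type;           /* msg_type of the most recent message */
    uint32_t rec_left;            /* payload bytes left in the current record */
    uint32_t hs_left;             /* body bytes left in the current message */
    uint32_t last_len, body_bytes;
    unsigned records, messages;
    int      error;
} hs_stream;

void hs_init(hs_stream *s) { memset(s, 0, sizeof *s); }

/* Consume n bytes of unprotected handshake records. The bytes may start and
 * stop anywhere: mid record header, mid handshake header, mid body.
 * Returns 0 on success, -1 on a malformed record header. */
int hs_feed(hs_stream *s, const uint8_t *p, size_t n)
{
    while (n > 0) {
        if (s->rec_left == 0) {                 /* collecting a record header */
            s->rec_hdr[s->rec_have++] = *p++; n--;
            if (s->rec_have < REC_HDR) continue;
            s->rec_have = 0;
            uint32_t len = (uint32_t)s->rec_hdr[3] << 8 | s->rec_hdr[4];
            if (s->rec_hdr[0] != CT_HANDSHAKE || len == 0 || len > MAX_FRAGMENT)
                return -1;
            s->rec_left = len;
            s->records++;
        } else if (!s->in_body) {               /* collecting a handshake header */
            s->hs_hdr[s->hs_have++] = *p++; n--; s->rec_left--;
            if (s->hs_have < HS_HDR) continue;
            s->hs_have = 0;
            s->last_type = s->hs_hdr[0];
            s->last_len = (uint32_t)s->hs_hdr[1] << 16 |
                          (uint32_t)s->hs_hdr[2] << 8 | s->hs_hdr[3];
            s->hs_left = s->last_len;
            if (s->hs_left == 0) s->messages++; else s->in_body = 1;
        } else {                                /* message body, used in place */
            size_t take = n;
            if (take > s->rec_left) take = s->rec_left;
            if (take > s->hs_left)  take = s->hs_left;
            /* A real stack would pass p[0..take) to its transcript hash and
             * message parser here; this example only counts the bytes. */
            s->body_bytes += (uint32_t)take;
            p += take; n -= take;
            s->rec_left -= (uint32_t)take;
            s->hs_left  -= (uint32_t)take;
            if (s->hs_left == 0) { s->in_body = 0; s->messages++; }
        }
    }
    return 0;
}

/* Constructed sample: one 3000-byte handshake message (msg_type 1) that the
 * sender split across two records of 2000 and 1004 payload bytes. */
static size_t build_sample(uint8_t *out)
{
    const uint32_t body = 3000, first = 2000, second = HS_HDR + body - first;
    size_t o = 0;
    out[o++] = CT_HANDSHAKE; out[o++] = 3; out[o++] = 3;
    out[o++] = (uint8_t)(first >> 8); out[o++] = (uint8_t)first;
    out[o++] = 1;
    out[o++] = (uint8_t)(body >> 16); out[o++] = (uint8_t)(body >> 8);
    out[o++] = (uint8_t)body;
    memset(out + o, 0xAB, first - HS_HDR); o += first - HS_HDR;
    out[o++] = CT_HANDSHAKE; out[o++] = 3; out[o++] = 3;
    out[o++] = (uint8_t)(second >> 8); out[o++] = (uint8_t)second;
    memset(out + o, 0xAB, second); o += second;
    return o;
}

/* Deliver the sample to a fresh receiver in pieces of at most `chunk` bytes. */
hs_stream run_sample(size_t chunk)
{
    static uint8_t wire[3100];  /* sender-side sample, not receiver state */
    size_t len = build_sample(wire), off = 0;
    hs_stream s;
    hs_init(&s);
    if (chunk == 0) chunk = 1;
    while (off < len) {
        size_t n = len - off < chunk ? len - off : chunk;
        if (hs_feed(&s, wire + off, n) != 0) { s.error = 1; break; }
        off += n;
    }
    return s;
}

int main(void)
{
    hs_stream s = run_sample(576);
    printf("records=%u messages=%u type=%u len=%u state=%zu bytes\n",
           s.records, s.messages, (unsigned)s.last_type,
           (unsigned)s.last_len, sizeof s);
    return s.error;
}
```
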


From nobody Sun Mar  4 19:50:02 2018
Return-Path: <zhangmingui@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66519124C27; Sun,  4 Mar 2018 19:49:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.23
X-Spam-Level: 
X-Spam-Status: No, score=-4.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ulmm5KR0xrlb; Sun,  4 Mar 2018 19:49:53 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C46D1241F3; Sun,  4 Mar 2018 19:49:53 -0800 (PST)
Received: from LHREML712-CAH.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 3A200BFE55C37; Mon,  5 Mar 2018 03:49:50 +0000 (GMT)
Received: from NKGEML411-HUB.china.huawei.com (10.98.56.70) by LHREML712-CAH.china.huawei.com (10.201.108.35) with Microsoft SMTP Server (TLS) id 14.3.382.0; Mon, 5 Mar 2018 03:49:51 +0000
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by nkgeml411-hub.china.huawei.com ([10.98.56.70]) with mapi id 14.03.0361.001; Mon, 5 Mar 2018 11:49:47 +0800
From: "Zhangmingui (Martin)" <zhangmingui@huawei.com>
To: Donald Eastlake <d3e3e3@gmail.com>, Roman Danyliw <rdd@cert.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQBSKNIAACNBjRA=
Date: Mon, 5 Mar 2018 03:49:47 +0000
Message-ID: <4552F0907735844E9204A62BBDD325E7AAFE1B27@NKGEML515-MBX.china.huawei.com>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
In-Reply-To: <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.111.146.93]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1Dw-CTuNzsd2ThVQl07Q70GOp_Q>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Mon, 05 Mar 2018 03:49:56 -0000

From nobody Sun Mar  4 21:30:42 2018
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5227126C3D; Sun,  4 Mar 2018 21:30:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a_2ybeNSGfKd; Sun,  4 Mar 2018 21:30:39 -0800 (PST)
Received: from mail-pl0-x22f.google.com (mail-pl0-x22f.google.com [IPv6:2607:f8b0:400e:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C73A124235; Sun,  4 Mar 2018 21:30:39 -0800 (PST)
Received: by mail-pl0-x22f.google.com with SMTP id 9-v6so3573064ple.11; Sun, 04 Mar 2018 21:30:39 -0800 (PST)
X-Received: by 2002:a17:902:901:: with SMTP id 1-v6mr12123529plm.404.1520227838568;  Sun, 04 Mar 2018 21:30:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.241.204 with HTTP; Sun, 4 Mar 2018 21:30:38 -0800 (PST)
From: Magnus Nyström <magnusn@gmail.com>
Date: Sun, 4 Mar 2018 21:30:38 -0800
Message-ID: <CADajj4Yg989r6UU+aHzM9z-3GmQq3kyYmmtwmCZB7+VRWn_swg@mail.gmail.com>
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-trill-multi-topology@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004bac300566a3a02b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YGvowfydYwuWXudIUgofrq7LH84>
Subject: [secdir] Secdir review of draft-ietf-trill-multi-topology
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Mon, 05 Mar 2018 05:30:41 -0000

--0000000000004bac300566a3a02b
Content-Type: text/plain; charset="UTF-8"

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document describes additions to the IETF Transparent Interconnection
of "Lots of Links" protocol to support multi-topology routing of unicast
and multi-destination traffic.

One of the reasons for this multi-topology work seems to be to allow for
the isolation of traffic of certain sensitivity. While the draft does refer
to RFC 5310, it doesn't mandate its use. Should that requirement be made?
This would seem to also increase assurances of legit actors in a given
"campus"?

Thanks,
-- Magnus

--0000000000004bac300566a3a02b--


From nobody Mon Mar  5 05:26:18 2018
Return-Path: <Jonathan.Hardwick@metaswitch.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90E65120454 for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 05:26:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=metaswitch.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZh-GaadwiE4 for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 05:26:11 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0116.outbound.protection.outlook.com [104.47.41.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D55BD12D777 for <secdir@ietf.org>; Mon,  5 Mar 2018 05:26:10 -0800 (PST)
Received: from CY4PR0201MB3603.namprd02.prod.outlook.com (52.132.99.21) by CY4PR0201MB3489.namprd02.prod.outlook.com (52.132.99.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.548.13; Mon, 5 Mar 2018 13:26:08 +0000
Received: from CY4PR0201MB3603.namprd02.prod.outlook.com ([fe80::60f2:dcec:f4d6:9192]) by CY4PR0201MB3603.namprd02.prod.outlook.com ([fe80::60f2:dcec:f4d6:9192%13]) with mapi id 15.20.0548.016; Mon, 5 Mar 2018 13:26:08 +0000
From: Jonathan Hardwick <Jonathan.Hardwick@metaswitch.com>
To: Shawn Emery <shawn.emery@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-pce-lsp-setup-type.all@tools.ietf.org" <draft-ietf-pce-lsp-setup-type.all@tools.ietf.org>
Thread-Topic: Review of draft-ietf-pce-lsp-setup-type-08
Thread-Index: AQHTs4vKZ59TgBBAL0qCc6rqmJEieKPBo6/A
Date: Mon, 5 Mar 2018 13:26:08 +0000
Message-ID: <CY4PR0201MB3603F83CDD2179BF0AD25A8184DA0@CY4PR0201MB3603.namprd02.prod.outlook.com>
References: <CAChzXmZ5O1m6nm69MwhaB6X_CzwpF-6Q+rbTYO8CRgcYkBV7cg@mail.gmail.com>
In-Reply-To: <CAChzXmZ5O1m6nm69MwhaB6X_CzwpF-6Q+rbTYO8CRgcYkBV7cg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Jonathan.Hardwick@metaswitch.com; 
x-originating-ip: [86.137.0.247]
x-ms-publictraffictype: Email
Content-Type: multipart/alternative; boundary="_000_CY4PR0201MB3603F83CDD2179BF0AD25A8184DA0CY4PR0201MB3603_"
MIME-Version: 1.0
X-OriginatorOrg: metaswitch.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7HHiV6VFgc6lGC02cYwG4bMaKEA>
Subject: Re: [secdir] Review of draft-ietf-pce-lsp-setup-type-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Mon, 05 Mar 2018 13:26:15 -0000

--_000_CY4PR0201MB3603F83CDD2179BF0AD25A8184DA0CY4PR0201MB3603_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_CY4PR0201MB3603F83CDD2179BF0AD25A8184DA0CY4PR0201MB3603_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_CY4PR0201MB3603F83CDD2179BF0AD25A8184DA0CY4PR0201MB3603_--


From nobody Mon Mar  5 08:10:51 2018
Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69AF212D964 for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 08:10:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uxsfC-S5GQL6 for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 08:10:47 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3450D12EB20 for <secdir@ietf.org>; Mon,  5 Mar 2018 08:10:13 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id s188so21198529qkb.2 for <secdir@ietf.org>; Mon, 05 Mar 2018 08:10:13 -0800 (PST)
X-Received: by 10.55.153.3 with SMTP id b3mr21615233qke.65.1520266212308; Mon, 05 Mar 2018 08:10:12 -0800 (PST)
Received: from [172.16.0.18] ([96.231.225.106]) by smtp.gmail.com with ESMTPSA id n29sm9516747qtf.18.2018.03.05.08.10.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Mar 2018 08:10:11 -0800 (PST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <61df7006-3ce9-2929-b58d-af500fa40ea8@ericsson.com>
Date: Mon, 5 Mar 2018 11:10:09 -0500
Cc: secdir@ietf.org, draft-ietf-hip-rfc4423-bis.all@ietf.org, hipsec@ietf.org,  ietf@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A424A8D2-DC71-4793-8FF3-BADBF7CA8E05@sn3rd.com>
References: <151974401093.28581.6727583492292312298@ietfa.amsl.com> <61df7006-3ce9-2929-b58d-af500fa40ea8@ericsson.com>
To: Miika Komu <miika.komu@ericsson.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/50BsyAxDiAfKeB1JYia6TWjOnM0>
Subject: Re: [secdir] Secdir last call review of draft-ietf-hip-rfc4423-bis-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Mon, 05 Mar 2018 16:10:49 -0000

> On Feb 28, 2018, at 10:34, Miika Komu <miika.komu@ericsson.com> wrote:
>
> Hi Sean,
>
> On 02/27/2018 05:06 PM, Sean Turner wrote:
>> Reviewer: Sean Turner
>> Review result: Has Nits
>> This is a bis draft of the HIP (Host Identity Protocol) Architecture and
>> because of that I focused on what’s changed (i.e., I reviewed the diffs from
>> https://www.ietf.org/rfcdiff?url1=rfc4423&url2=draft-ietf-hip-rfc4423-bis-18).
>> It’s still HIP but with a slightly expanded scope; it’s still Informational.
>> 1. s4: The one place where I’ll step out from not looking at the old is a
>> similar-ish recommendation that was in the RFC4423:
>>    In this document, the non-cryptographic forms of HI and HIP are
>>    presented to complete the theory of HI, but they should not be
>>    implemented as they could produce worse denial-of-service attacks
>>    than the Internet has without Host Identity.
>> Should the should not be a SHOULD NOT?
>
> I can change this for sure but the whole document is written without the
> capitalized terms due to its informal nature... actually, this sentence is
> a bit moot since non-cryptographic forms of HI are only referenced in the
> text. I would suggest rephrasing this as follows:
>
> "In this document, some non-cryptographic forms of HI and HIP are
> referenced, but cryptographic forms should be preferred because they are
> more secure than their non-cryptographic counterparts."
>
> Would that work for you?

Yep - works just fine.

>> 2. (non-security) s4.4: Is the paragraph about IPv4 vs IPv6 vs LSI really
>> necessary?  I.e., is this yet another thing that folks are going to use to not
>> transition to IPv6?
>
> I think the draft should discuss IPv4 compatibility because it is part of
> architecture design.
>
> Btw, do you mean this paragraph or something else?
>
>   The interoperability mechanism
>   should not be used to avoid transition to IPv6; the authors firmly
>   believe in IPv6 adoption and encourage developers to port existing
>   IPv4-only applications to use IPv6.  However, some proprietary,
>   closed-source, IPv4-only applications may never see the daylight of
>   IPv6, and the LSI mechanism is suitable for extending the lifetime of
>   such applications even in IPv6-only networks.
>
> IMHO, the LSIs should be supported mainly for the sake of proprietary,
> legacy applications which should be supported for backwards compatibility.
> The next paragraph also mentions a limitation of the LSIs:
>
> The main disadvantage of an LSI is its local scope.  Applications may
>   violate layering principles and pass LSIs to each other in
>   application-layer protocols.
>
> Let me know if you would like to change or emphasize something?

No - I think after re-reading this the LSI is sufficiently poo-pooed to not
be something folks will want to use ;)

>> 3. s11.2: Isn’t an additional drawback the need to have a HIP-aware firewall?
>
> Good point. It's both a benefit and drawback from the viewpoint of
> firewalls. s11.1 mentions:
>
>      [...] First, the use of
>      HITs can potentially halve the size of access control lists
>      because separate rules for IPv4 are not needed [komu-diss].
>      Second, HIT-based configuration rules in HIP-aware middleboxes
>      remain static and independent of topology changes, thus
>      simplifying administrative efforts particularly for mobile
>      environments.
>
> As a drawback, I could add something like this to s11.2:
>
> In the current Internet, firewalls are commonly used to control access to
> various services and devices. Since HIP introduces a new namespace, it is
> expected that also the HIP namespace would be filtered for unwanted
> connectivity. While this can be achieved with existing tools directly in
> the end-hosts, filtering at the middleboxes requires modifications to
> existing firewall software or new middleboxes [RFC6538].
>
> How does this sound?

wfm

Cheers,

spt


From nobody Mon Mar  5 08:52:11 2018
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35E3612D94F; Mon,  5 Mar 2018 08:52:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fzJVNG7car51; Mon,  5 Mar 2018 08:52:02 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on062e.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe02::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0822112D94A; Mon,  5 Mar 2018 08:52:01 -0800 (PST)
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1759.eurprd08.prod.outlook.com (10.168.67.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Mon, 5 Mar 2018 16:51:58 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d%17]) with mapi id 15.20.0548.016; Mon, 5 Mar 2018 16:51:58 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>, "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-tls-record-limit
Thread-Index: AQHTrqGSa72OyyaNEUOT8kn5vxYs5KO4BpFggAD7SYCAB0Hm4IAAZ/uAgAE7axA=
Date: Mon, 5 Mar 2018 16:51:58 +0000
Message-ID: <VI1PR0801MB2112466561756E9E5095D38CFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com> <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com> <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnUHTwD==Rh1+S+GV8Wn5Y8kpTM=iOA3M7+LXc6frccYQQ@mail.gmail.com>
In-Reply-To: <CABkgnnUHTwD==Rh1+S+GV8Wn5Y8kpTM=iOA3M7+LXc6frccYQQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-originating-ip: [80.92.122.126]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb48f0b2-64ec-433c-86e1-08d582b9693e
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2018 16:51:58.7965 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1759
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/j_7EpjExPcHhVefiG8ENicj8rYA>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 16:52:05 -0000

I believe we are on the same page with regards to this issue.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com]
Sent: 04 March 2018 23:03
To: Hannes Tschofenig
Cc: Benjamin Kaduk; Alan DeKok; draft-ietf-tls-record-limit@ietf.org; IESG; secdir@ietf.org
Subject: Re: Secdir review of draft-ietf-tls-record-limit

On Mon, Mar 5, 2018 at 2:57 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> [Hannes] I am not sure I fully understand the approach. Even if
> someone uses TCP a RAM limitation will not go away. TCP is likely to
> make the situation worse since it requires some amount of RAM as well
> even with the best possible configuration. (There is this work in LWIG
> on TCP implementation guidance where the authors are supposed to
> provide some information about the actual RAM usage of various TCP
> features and settings.)

Let me try to explain more.

An endpoint that can't handle a big packet (whether that be a big TCP segment or a big UDP datagram) can always pretend that this is a link issue and send the appropriate ICMP message.  That limits the size of packets they receive, at least to the point that the minimum for the IP version in use is reached (576 for v4, 1280 for v6).  I'm not sure what fragmentation does here, other than make things far worse.

If there are multiple packets arriving and no space for more than one, then the endpoint can pretend that it didn't receive the packet.  TCP also has ACKs, which the endpoint can withhold until it has space.

Thus, the endpoint can hold as little as a single MTU of data at once.
Given that it is not encrypted, my understanding is that there is no need to constrain how it is turned into records.

Note that a constrained server has to handle a full ClientHello - the client won't know the limit at the server.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
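
The rule this thread converges on, as an added example that is not part of any message or of the draft: a RecordSizeLimit received from the peer constrains protected records only, so a ClientHello sent before the limit is known goes out whole, while a handshake message sent under protection is split like application data. All names, the 512-byte limit and the message sizes are constructed for illustration, and the model assumes a protected record must be held whole before it can be authenticated.

```python
"""Toy model of the record size limit rule discussed in this thread.

Hypothetical names throughout; this is not a TLS implementation.
"""
from dataclasses import dataclass
from typing import List

HANDSHAKE = 22                     # TLS ContentType values
APPLICATION_DATA = 23
DEFAULT_MAX_PLAINTEXT = 2 ** 14    # standard TLS cap on a record's plaintext


@dataclass(frozen=True)
class Record:
    content_type: int
    protected: bool                # True once record protection is in use
    plaintext: bytes


def fragment(data: bytes, content_type: int, protected: bool,
             peer_limit: int) -> List[Record]:
    """Sender: split one message into records the peer is willing to receive.

    peer_limit is the RecordSizeLimit value received from the peer. It only
    governs protected records; unprotected ones keep the protocol default.
    """
    if peer_limit < 1:
        raise ValueError("peer_limit must be positive")
    if protected:
        size = min(peer_limit, DEFAULT_MAX_PLAINTEXT)
    else:
        size = DEFAULT_MAX_PLAINTEXT
    return [Record(content_type, protected, data[i:i + size])
            for i in range(0, len(data), size)]


def violates_limit(record: Record, advertised_limit: int) -> bool:
    """Receiver: True if the record breaks the limit this endpoint advertised."""
    if not record.protected:
        return len(record.plaintext) > DEFAULT_MAX_PLAINTEXT
    return len(record.plaintext) > advertised_limit


def peak_buffer(records: List[Record], chunk: int) -> int:
    """Largest number of plaintext bytes held at once by a receiver that
    consumes unprotected data `chunk` bytes at a time but holds each
    protected record whole until it has been authenticated (assumption)."""
    peak = 0
    for r in records:
        need = len(r.plaintext) if r.protected else min(chunk, len(r.plaintext))
        peak = max(peak, need)
    return peak


def demo() -> dict:
    limit = 512                    # constructed: limit advertised by the server
    client_hello = bytes(1400)     # constructed: sent before the limit is known
    protected_hs = bytes(3000)     # constructed: handshake message sent protected
    app_data = bytes(2000)         # constructed: application data

    flight = (fragment(client_hello, HANDSHAKE, False, limit)
              + fragment(protected_hs, HANDSHAKE, True, limit)
              + fragment(app_data, APPLICATION_DATA, True, limit))
    return {
        "record_sizes": [(r.content_type, r.protected, len(r.plaintext))
                         for r in flight],
        "violations": sum(violates_limit(r, limit) for r in flight),
        # 576 is the IPv4 minimum quoted in the thread
        "peak": peak_buffer(flight, chunk=576),
        # Treating every handshake message as exempt would send this one whole
        "unsplit_protected_handshake_violates":
            violates_limit(Record(HANDSHAKE, True, protected_hs), limit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```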


From nobody Mon Mar  5 16:45:54 2018
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9732C12D7F4; Mon,  5 Mar 2018 16:45:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R76CiSffhJJD; Mon,  5 Mar 2018 16:45:43 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on071b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe49::71b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEE55126BF7; Mon,  5 Mar 2018 16:45:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ewi9YuJaNSQvAiGdXglDA+n9NX8DTEgjJV+9yjK6osA=; b=OC4D/9SQl8gKCIUH3ZbMd4uiCUNEXmfDx+p7b9SCO+R6FHYOOJbj9XwWR/Z4cjkXBTlTELlRTf7xXRc/GNrNEstWJKDvkdmrRjPh6uJimCqiEAi7z3oUlILO3zbQn18v2niFGbJBxE+mxnevicWU45qkd6H3jRxK/z/IAx7AVfQ=
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com (52.132.114.20) by SN6PR2101MB1103.namprd21.prod.outlook.com (52.132.115.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.588.3; Tue, 6 Mar 2018 00:45:38 +0000
Received: from SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50]) by SN6PR2101MB0943.namprd21.prod.outlook.com ([fe80::9866:f6b5:e2d6:50%2]) with mapi id 15.20.0588.001; Tue, 6 Mar 2018 00:45:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Kyle Rose <krose@krose.org>
CC: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: Secdir last call review of draft-ietf-ace-cbor-web-token-12
Thread-Index: AQHTslKnGqkTlElBUUmHtMtpYOQ4daO9Q/YAgAAFIJCABRroAA==
Date: Tue, 6 Mar 2018 00:45:37 +0000
Message-ID: <SN6PR2101MB09439F177FD5939966DC5EF1F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com> <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com> <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
In-Reply-To: <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-03-02T18:47:57.6281908Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:a::562]
x-ms-publictraffictype: Email
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bf617bd2-5eeb-4e24-0312-08d582fb9478
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2018 00:45:37.6114 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR2101MB1103
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cI-ZXLiR2TYEDl0NdiwPh0hZasw>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 00:45:47 -0000


From nobody Mon Mar  5 18:24:24 2018
Return-Path: <krose@krose.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02DB712EAB4 for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 18:24:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0DZDhQDEi1L for <secdir@ietfa.amsl.com>; Mon,  5 Mar 2018 18:24:04 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B85A1275F4 for <secdir@ietf.org>; Mon,  5 Mar 2018 18:24:04 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id o25so23176255qkl.7 for <secdir@ietf.org>; Mon, 05 Mar 2018 18:24:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/wmISbOZoZMDtLpmpRGPsZLnoaxITkybA59LjzbgYw0=; b=Oub4SjDohKQYfSfUTSpZlOO5WHpx8bsZetKEdd5NqJEZw3pok+0abo4mBN9xOU7mXm vxIPrIi+tGbAm5RNsDkEFJCer1cDkVU2Ie0w6PGUw+b41VxHO0TC3iytOOA78iG9mHVV Sy8krujveTTqHJSgGKL2KJY2IU+qEDHkIbMEA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/wmISbOZoZMDtLpmpRGPsZLnoaxITkybA59LjzbgYw0=; b=a5z8BFw7oZg036dZaDfY7LFYw5vMW6s0vOS2Fd0oTF8musVtHFKtOhJS4v7zHc1Els FY7/5Zc1+Ao34gzM5o5XKiiWchMboXGXFacvM7WIxNIU2N3ItMP8pCuoB3fIjwE69yAe 5Y/E6mjnvFBLCIZ6ArV1ial+Aomd12qW6KclZ5Omm+58ziT4oebxET1xx25tOXdqa4Zi koFhJGIa/cJz5x/ftkzdfGwPLVFiZcJC1EcJ5rJEMsuxJQOaOQwCJl/0MBjzx3gYQzaf kHKK15MnK2zNlmcgykqwy/8xxzWy6nYP6XkwuGNtE7ZIkTK6dDE4UK1zem0eGGW/qgZT JVkA==
X-Gm-Message-State: AElRT7G+zqMsYO5SZhXOqMTlUDnEPUyDlRpv2RCI+E6w0ynBtNSe7Gt5 YJqHZSamrdhHL1mp+Wj8eLWtJkNRe5zd9h6U5gCJMA==
X-Google-Smtp-Source: AG47ELtmWxBQmWMCf0Pkf6vgZWrzv4wevXYVYxh7K5UZuKJRGuNUCHEAEKOxh9vF8Ko+Kbhe8YGQjHpuDRUYP8oJEKg=
X-Received: by 10.55.215.205 with SMTP id t74mr24599254qkt.259.1520303043626;  Mon, 05 Mar 2018 18:24:03 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.215.204 with HTTP; Mon, 5 Mar 2018 18:24:03 -0800 (PST)
X-Originating-IP: [2001:470:1f07:121:4874:d9ff:fead:6ea5]
In-Reply-To: <SN6PR2101MB09439F177FD5939966DC5EF1F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <CAJU8_nWatM=_reHiUMcshA0twHMSKrmgSkaorgtaOkbUb-1uuQ@mail.gmail.com> <CAHbuEH4M2QqtSYMZFeqMs_-TfCE8ZvvsuxmBA9j0kBcnN2hBMw@mail.gmail.com> <SN6PR2101MB094333949BEB83BCCC5B3D98F5C50@SN6PR2101MB0943.namprd21.prod.outlook.com> <SN6PR2101MB09439F177FD5939966DC5EF1F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
From: Kyle Rose <krose@krose.org>
Date: Mon, 5 Mar 2018 21:24:03 -0500
Message-ID: <CAJU8_nXco0Tht2GRcPN23GCO=UCwyuWe8gYLS3FyYPTVmWqRrA@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: IETF SecDir <secdir@ietf.org>, The IESG <iesg@ietf.org>,  "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>,  Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a1149a22cdde0f80566b5228c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gCLEMdyLMbWXe2GDybGAhC4fIoU>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ace-cbor-web-token-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 02:24:11 -0000

--001a1149a22cdde0f80566b5228c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I just perused the relevant parts of the diff. LGTM.

Thanks,
Kyle


On Mon, Mar 5, 2018 at 7:45 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Hi Kyle,
>
> You’ll find changes that address your review comments in
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13.  See
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C
> for a summary of the changes made.
>
> Thanks again for your useful review!
>
>                                                           -- Mike
>
> -----Original Message-----
> From: Mike Jones
> Sent: Friday, March 2, 2018 10:48 AM
> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>; Kyle Rose <
> krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>;
> draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: RE: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks, Kyle.  I'll plan to update the document accordingly.
>
>                                 -- Mike
>
> -----Original Message-----
> From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
> Sent: Friday, March 2, 2018 10:29 AM
> To: Kyle Rose <krose@krose.org>
> Cc: IETF SecDir <secdir@ietf.org>; The IESG <iesg@ietf.org>;
> draft-ietf-ace-cbor-web-token.all@ietf.org
> Subject: Re: Secdir last call review of draft-ietf-ace-cbor-web-token-12
>
> Thanks for your review, Kyle!
>
> On Fri, Mar 2, 2018 at 1:16 PM, Kyle Rose <krose@krose.org> wrote:
> > Reviewer: Kyle Rose
> > Review result: Ready with nits
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the
> > IESG.  These comments were written primarily for the benefit of the
> > security area directors.  Document editors and WG chairs should treat
> > these comments just like any other last call comments.
> >
> > This draft specifies a means for representing claims in CBOR, and for
> > using COSE to encrypt and authenticate such claims. The listed
> > security considerations seem to cover the same ground as the
> > respective slices of the corresponding JWT references: the COSE RFC
> > 8152 covers issues of trust establishment, as well as the vagaries of
> > signature algorithms and key reuse, in more depth.
> >
> > My only nit for this document is the repeated use of the phrasing
> > "...has the same meaning, syntax, and processing rules as..."
> > throughout section
> > 3.1: specifically, the inclusion of "syntax". For example, it doesn't
> > seem to make sense to talk about the syntax of a CBOR NumericDate
> > being the same as, or different from, the syntax of a JSON
> > NumericDate: clearly, the binary representation is different, and it's
> > not at all clear that it makes sense to talk about the human-readable
> > source representation in this context. That said, there is some
> > parallelism with respect to StringOrURI, as presumably the intent is
> > to require that all strings containing a colon also be valid URIs.
> >
>
> Good point.  Authors, please put these adjustments in your working copy of
> the draft and ack the changes made here.
>
> Thank you,
> Kathleen
>
>
>
> --
>
> Best regards,
> Kathleen
>

--001a1149a22cdde0f80566b5228c--


From nobody Tue Mar  6 00:41:56 2018
Return-Path: <martin.thomson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF27124D37; Tue,  6 Mar 2018 00:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KV6k0AW6nDm0; Tue,  6 Mar 2018 00:41:49 -0800 (PST)
Received: from mail-ot0-x22e.google.com (mail-ot0-x22e.google.com [IPv6:2607:f8b0:4003:c0f::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3B23120724; Tue,  6 Mar 2018 00:41:48 -0800 (PST)
Received: by mail-ot0-x22e.google.com with SMTP id r30so337853otr.2; Tue, 06 Mar 2018 00:41:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ev35vhhYBOosIFkSIOmXjTZ17Nutwj1jVHgc0Pv4tDU=; b=vCB0xdgR68JChZuxSE5m4M4bTVKR82bvbxhoJE+cpAPV+X/TcrweLbOfb8xfC7SGJ1 XMFLmFsTyMA9iWcWiaq0tYHKjXqX9SjjOlbWN7WRAj3Uwv2iJaxzJkeivwAiaX55ie1s fK8VQgWaqeqqlE2C3ZCwnt77A/xZ4ora7PXZSSv15qirTcaBICC4eaY/8Kbp34Y7txQe ryf24PQjyayXzYlTPx4pU+PuRVexUzjD1mJn43P2OacXJolUNdZw1QsxayfCRpGndVaX xA/O3m/clDIf0mR1Wl75FEgVUFKJk5oDAuNwcACCy61CP8JlUP8L0+f3nIu22m/ob6JH m1YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ev35vhhYBOosIFkSIOmXjTZ17Nutwj1jVHgc0Pv4tDU=; b=YKwRDSoTOTAjIBCsxF08DB4jOg5nqXzxCshU9GOMXkuJAK/YRNLdFUl06NsNmL9vyv WM+sb6e9GRIYhlFDiNxO6M/SwgrQfGxr1a6PswdFjDznI0BYxcRSOhEj+LLGTladg5gp lNcD0m04xxfcwQZ7d2vUFJpmrxrm7HZckvD+tivSyCxNtEpntBJ7416cevRQgQ7eFOTv A6FDbZ76VZsmPagmrQEhdHeuuClSi6WcImgnLSIiWYNOwItC6KUn/qgAc2qtHSCZJRd+ 6KUCKeouhu3FXJdGf4Y+74QuyAs9pT1haoJPEF/8wZedTBp87DX1pAYaHv9qe+wDE/A6 xcew==
X-Gm-Message-State: AElRT7Gqco4LcA0Ynn4cLzztJN3YVmOxXcsYD6irRselRPCtD/ebvory CH0Zu8zWkOjJVYNbtikU21jLOdVhCbY+cgVVBsk=
X-Google-Smtp-Source: AG47ELsZj7/EVSWAsEt4wSqdN/6srGtaIM9AupIcJZuzP++mN6w0WuXShGJkH4XD1QQmYvDTLxrOnsedzMpv1ZV1xQo=
X-Received: by 10.157.78.16 with SMTP id p16mr4911576otf.15.1520325708249; Tue, 06 Mar 2018 00:41:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Tue, 6 Mar 2018 00:41:47 -0800 (PST)
In-Reply-To: <VI1PR0801MB2112466561756E9E5095D38CFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com> <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com> <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnUHTwD==Rh1+S+GV8Wn5Y8kpTM=iOA3M7+LXc6frccYQQ@mail.gmail.com> <VI1PR0801MB2112466561756E9E5095D38CFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 6 Mar 2018 19:41:47 +1100
Message-ID: <CABkgnnWj_i6XPRDdbV6GatYYEzJq2v4UPoLnN821k1bZJfWRfg@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>,  "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>,  IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cxkoq-yQ1GktdJYstwZspp41YMw>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 08:41:51 -0000

Just to follow-up. I think that removing the "especially handshake
messages" will help resolve this.  This implies that handshake
messages are always unprotected, which is not the case.

The change that I propose:

-RecordSizeLimit value it receives from its peer.  Unprotected messages -
-handshake messages in particular - are not subject to this limit.
+RecordSizeLimit value it receives from its peer.  Unprotected messages are=
 not
+subject to this limit.
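
Review bot: the replacement sentence ("Unprotected messages are not subject to this limit.") leaves "unprotected" undefined at the one place where the exemption is stated. Since the message above notes that handshake messages are not always unprotected, consider saying explicitly that the exemption covers only records sent before record protection is in effect, and that protected handshake messages are bound by the peer's RecordSizeLimit like any other protected record.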


On Tue, Mar 6, 2018 at 3:51 AM, Hannes Tschofenig
<Hannes.Tschofenig@arm.com> wrote:
> I believe we are on the same page with regards to this issue.
>
> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: 04 March 2018 23:03
> To: Hannes Tschofenig
> Cc: Benjamin Kaduk; Alan DeKok; draft-ietf-tls-record-limit@ietf.org; IESG; secdir@ietf.org
> Subject: Re: Secdir review of draft-ietf-tls-record-limit
>
> On Mon, Mar 5, 2018 at 2:57 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
>> [Hannes] I am not sure I fully understand the approach. Even if
>> someone uses TCP a RAM limitation will not go away. TCP is likely to
>> make the situation worse since it requires some amount of RAM as well
>> even with the best possible configuration. (There is this work in LWIG
>> on TCP implementation guidance where the authors are supposed to
>> provide some information about the actual RAM usage of various TCP
>> features and settings.)
>
> Let me try to explain more.
>
> An endpoint that can't handle a big packet (whether that be a big TCP
> segment or a big UDP datagram) can always pretend that this is a link
> issue and send the appropriate ICMP message.  That limits the size of
> packets they receive, at least to the point that the minimum for the IP
> version in use is reached (576 for v4, 1280 for v6).  I'm not sure what
> fragmentation does here, other than make things far worse.
>
> If there are multiple packets arriving and no space for more than one,
> then the endpoint can pretend that it didn't receive the packet.  TCP
> also has ACKs, which the endpoint can withhold until it has space.
>
> Thus, the endpoint can hold as little as a single MTU of data at once.
> Given that it is not encrypted, my understanding is that there is no
> need to constrain how it is turned into records.
>
> Note that a constrained server has to handle a full ClientHello - the
> client won't know the limit at the server.
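
Added example (not part of the thread and not code from the draft): a sketch of the rule discussed above, in which protected records are cut to the peer's RecordSizeLimit while unprotected records keep the default ceiling. The function names and the 512-byte limit are constructed for illustration; the 64-byte minimum and the TLS 1.3 rule that the limit counts the inner content-type byte are taken from the record_size_limit extension as published, and zero padding is assumed.

```python
"""Sender- and receiver-side handling of a peer's record size limit.

Constructed illustration: names and sample sizes are assumptions, not
text from draft-ietf-tls-record-limit.
"""

DEFAULT_MAX_FRAGMENT = 2 ** 14   # default TLS plaintext fragment ceiling
MIN_RECORD_SIZE_LIMIT = 64       # smallest value a peer may advertise


def max_content_bytes(protected, peer_limit=None, tls13=True):
    """Return how many content bytes a single record may carry."""
    # Unprotected records (for example an initial ClientHello) are not
    # subject to the advertised limit; only the protocol default applies.
    if not protected or peer_limit is None:
        return DEFAULT_MAX_FRAGMENT
    if peer_limit < MIN_RECORD_SIZE_LIMIT:
        raise ValueError("peer advertised a limit below the allowed minimum")
    # TLS 1.3 allows one extra byte because the limit covers the inner
    # plaintext, which includes the content-type byte.
    ceiling = DEFAULT_MAX_FRAGMENT + (1 if tls13 else 0)
    limit = min(peer_limit, ceiling)
    # Reserve that content-type byte in TLS 1.3 (padding assumed to be 0).
    return limit - 1 if tls13 else limit


def fragment(data, protected, peer_limit=None, tls13=True):
    """Split data into record-sized pieces that respect the peer's limit."""
    size = max_content_bytes(protected, peer_limit, tls13)
    return [data[i:i + size] for i in range(0, len(data), size)]


def receiver_check(plaintext_len, protected, own_limit):
    """Decide what a receiver that advertised own_limit does with a record.

    plaintext_len is the decrypted plaintext length for protected records
    (in TLS 1.3 this includes the content-type byte and any padding).
    """
    ceiling = own_limit if protected else DEFAULT_MAX_FRAGMENT
    return "accept" if plaintext_len <= ceiling else "record_overflow"


if __name__ == "__main__":
    limit = 512                      # constructed value for a small device
    hello = b"H" * 1500              # constructed unprotected ClientHello
    app_data = b"A" * 1500           # constructed protected payload

    # The unprotected message travels as one large record: the constrained
    # server must still be able to take it in.
    print([len(f) for f in fragment(hello, protected=False, peer_limit=limit)])
    # The same amount of protected data is split to fit the peer's limit.
    print([len(f) for f in fragment(app_data, protected=True, peer_limit=limit)])
    print(receiver_check(513, protected=True, own_limit=limit))
```
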


From nobody Tue Mar  6 01:07:44 2018
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D815A126BF0; Tue,  6 Mar 2018 01:07:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.911
X-Spam-Level: 
X-Spam-Status: No, score=-2.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UJMtx7LTdI2o; Tue,  6 Mar 2018 01:07:40 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0087.outbound.protection.outlook.com [104.47.0.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24D18120724; Tue,  6 Mar 2018 01:07:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;  s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Keym2P+ja3mYGns//F2vmxpAl53Td4RdW0OoqLWozdg=; b=n06N4bGGm82TWHDmvXmEP/1VTLH5RZUkcWtH4gStkx1h14xSMRHCjrVBiqQCJDhNcJeMtG/jCTwkCNrpdkpfyjx1Gn3Od/evGUIzVZQPBxw3Z86P+7VRwONd2Pb8SMepdyL8V3ficEcOIT4wnTHir+y2LeRrkb2J3+YPyM9Hh+Q=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1936.eurprd08.prod.outlook.com (10.173.73.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.548.13; Tue, 6 Mar 2018 09:07:36 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d%17]) with mapi id 15.20.0548.016; Tue, 6 Mar 2018 09:07:36 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>, "draft-ietf-tls-record-limit@ietf.org" <draft-ietf-tls-record-limit@ietf.org>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Secdir review of draft-ietf-tls-record-limit
Thread-Index: AQHTrqGSa72OyyaNEUOT8kn5vxYs5KO4BpFggAD7SYCAB0Hm4IAAZ/uAgAE7axCAAQmDgIAABxuA
Date: Tue, 6 Mar 2018 09:07:36 +0000
Message-ID: <VI1PR0801MB2112F08E700BA9BC8F5B035BFAD90@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <5C2E06FE-8685-457D-ACED-5600092C1CB1@deployingradius.com> <CABkgnnVYbK-==zHyUTPiWxQ_so9XepWKpUpdd=1-OsJuv_0VFQ@mail.gmail.com> <F9726F86-DF0E-46DE-B0E4-F688C7D9A51C@deployingradius.com> <20180223191714.GG50954@kduck.kaduk.org> <CABkgnnULmVtg+a0ukGSETF1nJTav+Q969u93LgL-cO-=bx2RSA@mail.gmail.com> <AM4PR0801MB2706045BB181BB0DBE95BCCFFAC00@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnU57gbUNabrpvH1ZsAXikfa9nLUEb_nXjgR7fwHnMOaVQ@mail.gmail.com> <AM4PR0801MB27065F0A56B01AB7F43F9380FADB0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <CABkgnnUHTwD==Rh1+S+GV8Wn5Y8kpTM=iOA3M7+LXc6frccYQQ@mail.gmail.com> <VI1PR0801MB2112466561756E9E5095D38CFADA0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CABkgnnWj_i6XPRDdbV6GatYYEzJq2v4UPoLnN821k1bZJfWRfg@mail.gmail.com>
In-Reply-To: <CABkgnnWj_i6XPRDdbV6GatYYEzJq2v4UPoLnN821k1bZJfWRfg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-originating-ip: [80.92.122.126]
x-ms-publictraffictype: Email
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bebdf606-739d-44a5-6e1a-08d58341b434
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2018 09:07:36.1147 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1936
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DWNqHUs2gjRuFftEuYAN49ZLbbk>
Subject: Re: [secdir] Secdir review of draft-ietf-tls-record-limit
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 09:07:43 -0000


From nobody Tue Mar  6 07:25:37 2018
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E673124D68; Tue,  6 Mar 2018 07:25:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZhaE-xl5IkVY; Tue,  6 Mar 2018 07:25:24 -0800 (PST)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11AA9120454; Tue,  6 Mar 2018 07:25:23 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w26FPJ0Z005132; Tue, 6 Mar 2018 10:25:20 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu w26FPJ0Z005132
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1520349920; bh=1obRh+W5po8OVN8Mb/x7W6aOCdkp+3S+4kvqaOY9ADE=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=iVafzgIaT+WR+JwJ7U4jiHGY8F9Auj8vqBLnzmkKHOyZW5ZQN99kY6LWp1AWn/a0Y Jb/vAX971z3BVEQ1iY3wMRQ6YNMQfLS+xFD/dtzlcA8L4Gvu70xSc5WihaFqU5K83v ouwneOW05Xnvsbv0i+7rG8fipel2eq8pZ9gFZga8=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w26FPIS4032527; Tue, 6 Mar 2018 10:25:18 -0500
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0361.001; Tue, 6 Mar 2018 10:25:18 -0500
From: Roman Danyliw <rdd@cert.org>
To: Donald Eastlake <d3e3e3@gmail.com>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQBtZpAAAFHgKEA=
Date: Tue, 6 Mar 2018 15:25:17 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0137F70BBB@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
In-Reply-To: <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/CIxA0fdOdZhlEvmef5foSU8oC_0>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 15:25:31 -0000


From nobody Tue Mar  6 08:32:12 2018
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F1FC129C53; Tue,  6 Mar 2018 08:31:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSftGoItpgx4; Tue,  6 Mar 2018 08:31:51 -0800 (PST)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 194B712711D; Tue,  6 Mar 2018 08:31:50 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w26GVnr1020738; Tue, 6 Mar 2018 11:31:49 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w26GVnr1020738
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1520353909; bh=b/GZlp247jclciiaDjw1d2S4X0BzFoREp3fUiaJShoc=; h=From:To:Subject:Date:References:In-Reply-To:From; b=dUXMBmg32SSds2yG/4Y0Gqn+8pPaRsbpFm0TaHNOPkLJjtae9Ug4UBR7lztyN01oK qSzHW76hRa0FsJztl3kY9papg0Bu8NOpw9a+w3ewYr9r+drfWNzwInDY2FQIyZYnlh SekhlHLeK1S+3QjvdNbQ2V0iDxEHq6mFvpYJIMmY=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w26GVknp017107; Tue, 6 Mar 2018 11:31:46 -0500
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0361.001; Tue, 6 Mar 2018 11:31:45 -0500
From: Roman Danyliw <rdd@cert.org>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQDCKukg
Date: Tue, 6 Mar 2018 16:31:45 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/X66T2HcZ6WrzpvBaUTlQ6kw8jTo>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 16:31:57 -0000

Hi Donald and Mingui!

Thanks for the changes in -06.  Any thoughts on item (8)?

Roman

> -----Original Message-----
> From: Roman Danyliw
> Sent: Friday, March 02, 2018 9:01 PM
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
> Subject: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05

[snip]

> (8) There appear to be a few instances of key protocol behavior not using
> RFC2119 language.  I'd suggest:
>
> Section 3.2.2, Global Distribution Tree, Page 6
> (old) Also, this border RBridge needs to advertise the set of local distribution
> trees by providing another set of nicknames
> (new) Also, this border RBridge MUST advertise the set of local distribution
> trees by providing another set of nicknames
>
> Section 3.2.2, Global Distribution Tree, Page 6
> (old) If a border RBridge has been assigned both as a global tree root and a
> local tree root, it has to acquire both a global tree root nickname(s) and local
> tree root nickname(s)
> (new) If a border RBridge has been assigned both as a global tree root and a
> local tree root, it MUST acquire both a global tree root nickname(s) and local
> tree root nickname(s)
>
> Section 4.3, Nickname Announcements, Page 9
> (old) Besides its own nickname(s), a border RBridge needs to announce, in its
> area, the ownership of all external nicknames that are reachable from this
> border RBridge.
> (new) Besides its own nickname(s), a border RBridge MUST announce, in its
> area, the ownership of all external nicknames that are reachable from this
> border RBridge.
>
> Section 4.3, Nickname Announcements, Page 9
> (old) Also, a border RBridge needs to announce, in Level 2, the ownership of
> all nicknames within its area. From listening to these Level 2 announcements,
> border RBridges can figure out the nicknames used by other areas.
> (new) Also, a border RBridge MUST announce, in Level 2, the ownership of all
> nicknames within its area. From listening to these Level 2 announcements,
> border RBridges can figure out the nicknames used by other areas.
>
> Section 4.3, Nickname Announcements, Page 9
> (old) To address this issue, border RBridges should make use of the
> NickBlockFlags APPsub-TLV to advertise into the Level 1 area the inclusive
> range of nicknames that are available or not for self allocation by the Level 1
> RBridges in that area.
> (new) To address this issue, border RBridges SHOULD use the NickBlockFlags
> APPsub-TLV to advertise into the Level 1 area the inclusive range of
> nicknames that are available or not for self allocation by the Level 1 RBridges
> in that area.
>
> Section 4.4, Capability Indication, Page 11
> (old) If there are RBridges that do not understand the NickBlockFlags
> APPsub-TLV, border RBridges of the area will also use the traditional
> Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
> covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose OK
> is 0.
> (new) If there are RBridges that do not understand the NickBlockFlags
> APPsub-TLV, border RBridges of the area MUST also use the traditional
> Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
> covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose OK
> is 0.
>
> Section 5, Mix with Aggregated nickname Areas, Page 11
> (old) Usage of nickname space must be planed so that nicknames used in any
> one unique nickname area and Level 2 are never used in any other areas
> which includes unique nickname areas as well as aggregated nickname areas.
> (new) Usage of nickname space MUST be planed so that nicknames used in
> any one unique nickname area and Level 2 are never used in any other areas
> which includes unique nickname areas as well as aggregated nickname areas.
>
> Section 5, Mix with Aggregated nickname Areas, Page 11
> (old) Border RBridges of an aggregated area need to announce nicknames
> heard from Level 2 into their area like just like an unique nickname border
> RBridge.
> (new) Border RBridges of an aggregated area MUST announce nicknames
> heard from Level 2 into their area like just like an unique nickname border
> RBridge.
>
> Regards,
> Roman


From nobody Tue Mar  6 09:41:28 2018
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4335B127876; Tue,  6 Mar 2018 09:41:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8sSZd1L5_7J; Tue,  6 Mar 2018 09:41:24 -0800 (PST)
Received: from mail-ot0-x22c.google.com (mail-ot0-x22c.google.com [IPv6:2607:f8b0:4003:c0f::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 783F41270AC; Tue,  6 Mar 2018 09:41:20 -0800 (PST)
Received: by mail-ot0-x22c.google.com with SMTP id 95so19110940ote.5; Tue, 06 Mar 2018 09:41:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/xUHQtSMJ6Wcnfpd228FDZc/wY3hK7lwThDpVvsU4Fw=; b=W8jIhQ6/zicMhKlYMvOlQQZCBUsFtvoh/WM5+ddUwIG8G77WyWuVlvOhUS2pe4x51t 99OwZFAFvrZukGx4d8QQHoDwYTlvLWYj6wWB1/bi/SCHYPMPxooVvESaB6FKa1NSZ5Ix kL2ZDMHZhnwrh046odfSIj5IYOuK1nKqlD1lUrGDQMt5o6IZ9FrUgcxcXkJwzg/2gwd9 3bwUqEobj7SIL9r6dyeIulpNl6k7a8beSvdk0ANnAYbS0rApFRI0BwdCBQHjo2QsdHzA 6sgmnF4qKXu4e7kubAPAcDUGsmY45uPXs9oF2k33F1PMIZjLzCq2M5azoy5IHza42jfs nN0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/xUHQtSMJ6Wcnfpd228FDZc/wY3hK7lwThDpVvsU4Fw=; b=RJBqhwJGwbQ2ddO/RaCYfvK/jk7YkHwLu7Ei45p+F/n6ouKc1EtFGlZTlEJ6OxcaQP 646ZhDHSKIIPIrySrgWq69HQCeMhMt5Z2oqCWUcxhnHSxBCCuFR3djTP1p79AlYUfUVt 54Kx1r2DMTjdJxpE/FY0nsyxBZkCayOKtYXYqcRjnqj+Oe0I9PBCH7dpUOpgua6hPEff +t0Sq2EHUBj3/6zStaqjT1/2cXSjcGaq6zJiOjzvkaGfoMUiEBXWqyjghsOYgZ+DvdRx iXWpHJXNPhddJF747T1+PP7B0jECQgfXJM8XqlCfRbAbI41aR+9CSGn+JUE/5sR3njV9 9HgA==
X-Gm-Message-State: AElRT7G1YnB1UMoX4zq2lY2lmvT4t9fb20KzH5qjFfLVaJHqN/ezbiuo gu8HquujH2vXLdrX+EaoyfYU+FNlSNrhR5hMIr8=
X-Google-Smtp-Source: AG47ELuV5mpbM7/4E8JZ9ZiJBPCLQ2HiihAQAOmRIhQZ42nJNCzlcXc7VOT70naSlHdLBi6tbaf2P/XLFUG9HVSCA3k=
X-Received: by 10.157.85.214 with SMTP id z22mr14265899oti.75.1520358079796; Tue, 06 Mar 2018 09:41:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.119 with HTTP; Tue, 6 Mar 2018 09:40:39 -0800 (PST)
In-Reply-To: <151932948231.8096.10376000064045374752@ietfa.amsl.com>
References: <151932948231.8096.10376000064045374752@ietfa.amsl.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 6 Mar 2018 12:40:39 -0500
Message-ID: <CAHbuEH63ayGp2X+FmL9j9ajvF6nbGZM76YR6ttx0NyBvaQcRdw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: IETF SecDir <secdir@ietf.org>, IETF <ietf@ietf.org>, netmod@ietf.org,  draft-ietf-netmod-rfc6087bis.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yqXegeXpvM5_XtmSqHnG_bYfFmI>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-netmod-rfc6087bis-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 17:41:26 -0000

Thanks for your review, Stephen!

On Thu, Feb 22, 2018 at 2:58 PM, Stephen Farrell
<stephen.farrell@cs.tcd.ie> wrote:
> Reviewer: Stephen Farrell
> Review result: Ready
>
>
> I reviewed the diff between -18 and RFC6087. [1]
>
>    [1] https://www.ietf.org/rfcdiff?url1=rfc6087&url2=draft-ietf-netmod-rfc6087bis-18
>
> I assume the security ADs were involved already in discussion about
> the new security considerations template in 3.7.1 and the text there
> does seem fine to me, so I won't even nit-pick about it:-)

Yes and I sent it to the SAAG list for review as well along with a
followup email on the security review process for YANG documents (a
link to the OPSdir page on that).  I don't think any feedback came
through as a result of the request, so we should be good with the
general considerations for a bit.

>
> I do have some other nits to note though.
>
> - There are a number of URLs given for access to updated materials
> that use http schemed URLs and that do not use https schemed URLs.
> There was a recent IESG statement to the effect that those'd be better
> as https URLs. The first such example is in 3.1. In fact that URL is
> re-directed (for me) to https. I think a general pass to fix such URLs
> to use https wherever possible would be easy and better practice.
>
> - Some of the namespaces use http schemed URLs, for example in
> section 4.2. I don't know if people are expected to de-reference such
> URLs, but if they are then it'd be good to say if https is better to use
> or not. (I'd argue it is.) If those URLs are not expected to be
> de-referenced, then saying that would be good. (Not that it'd stop
> people de-referencing 'em so the change is better in any case;-)

I don't see any response on these questions on list and it would be
good to get an answer, so I'll include a link in my ballot in case the
authors are not seeing it for some reason.

Thanks,
Kathleen

>
> Cheers,
> S.
>



-- 

Best regards,
Kathleen


From nobody Tue Mar  6 09:53:23 2018
Return-Path: <andy@yumaworks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C34412946D for <secdir@ietfa.amsl.com>; Tue,  6 Mar 2018 09:53:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seJFgWjXt3KT for <secdir@ietfa.amsl.com>; Tue,  6 Mar 2018 09:53:14 -0800 (PST)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67AF5129C53 for <secdir@ietf.org>; Tue,  6 Mar 2018 09:53:14 -0800 (PST)
Received: by mail-lf0-x22d.google.com with SMTP id m69so29791977lfe.8 for <secdir@ietf.org>; Tue, 06 Mar 2018 09:53:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RN5osWzOUY3WnxRvrjYd+ElLAZwBWY6FPvyKBVUhKMQ=; b=RjKGe+b2r+gzEdy6VXcqb3MMo54UG9qu01Sbp4PNpccqomu0JbauBuvQnkdpjNrCKv rbNST4GGH9fljzW3Pque8SwQu/2TSX38OgOmZinXqT6m1Lt6d8VN1N4JGne+V1vM5cKO DhAOH6oit77+UPy38YTxl3oNW8YzEJn0A06yfbWFujdBU0W906IUFMMzY4mtHzvXI11X ardX+5nHGPELGNkXEtCoL8qTltqPst9ArVEnBIhAUTfq6veSHqahCslmwh92JX9/mYcM wHbWZxgrfVJZCp53Wkt+duDKiM4gQjdKznbCysgOZihUXYWgYRZeyr+2QnRMpUCPo3nS UY3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RN5osWzOUY3WnxRvrjYd+ElLAZwBWY6FPvyKBVUhKMQ=; b=QdkRep9CD1gf3b0al66E4Mg9NJ8YBEIBfFjTUaoNcb17SdCUM/WEDg7vJE+J1IEVyY PLaEsy5EPjpgexDolGzyX65H9UHAmf71gK08H+5//xs/nJV4T76cWxMQOhH4EqtRYV0R RXCGO06uxWrfkHbGg+0i7SMV6yXRxw0rLgAU1ow/UYSI6dwwDASujS16eP7+dsw9Ze6M 5WFpSXremFbUqdO0qENigM4MJ3h/RO2yi2LImhuv5YkqbNtePBHTD4XR/9rqMJEJvinl zBIdTcprOa7KLJBkjDOWcPzRDPLBs1MEbQO/rk4h2P5ytZ+sIMGlmBSjHymfgLgh397g ZlmQ==
X-Gm-Message-State: AElRT7F2lawtCyBXXJZGdaJ7mDvekyDzIMl47qtpRCnL5w8y1mkZ44+5 OeqI/G2H0RaHPTL0o5xtsezNOylsTdT7D3St+sUscg==
X-Google-Smtp-Source: AG47ELvea4OmZ2ZVoz6a1/Cctoken0WEDa6nW2uuQW6FZVnr8V1bwLtlxW2Weu/eUmyrgP6FzjpALnJ2JbuW/8FXJwQ=
X-Received: by 10.25.234.148 with SMTP id y20mr13099244lfi.53.1520358792565; Tue, 06 Mar 2018 09:53:12 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.21.210 with HTTP; Tue, 6 Mar 2018 09:53:11 -0800 (PST)
In-Reply-To: <CAHbuEH63ayGp2X+FmL9j9ajvF6nbGZM76YR6ttx0NyBvaQcRdw@mail.gmail.com>
References: <151932948231.8096.10376000064045374752@ietfa.amsl.com> <CAHbuEH63ayGp2X+FmL9j9ajvF6nbGZM76YR6ttx0NyBvaQcRdw@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Tue, 6 Mar 2018 09:53:11 -0800
Message-ID: <CABCOCHS5yWgfYnKFcVCOibYGEa1pomaKkKonf1WqfToOCoxG9Q@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF SecDir <secdir@ietf.org>, IETF <ietf@ietf.org>,  NetMod WG <netmod@ietf.org>, draft-ietf-netmod-rfc6087bis.all@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c0ed1eac32fcf0566c21d9d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zPKK-qNrM-jzrFgK5gut-whCx6I>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-netmod-rfc6087bis-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 17:53:18 -0000

--94eb2c0ed1eac32fcf0566c21d9d
Content-Type: text/plain; charset="UTF-8"

On Tue, Mar 6, 2018 at 9:40 AM, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:

> Thanks for your review, Stephen!
>
> On Thu, Feb 22, 2018 at 2:58 PM, Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
> > Reviewer: Stephen Farrell
> > Review result: Ready
> >
> >
> > I reviewed the diff between -18 and RFC6087. [1]
> >
> >    [1] https://www.ietf.org/rfcdiff?url1=rfc6087&url2=draft-ietf-netmod-rfc6087bis-18
> >
> > I assume the security ADs were involved already in discussion about
> > the new security considerations template in 3.7.1 and the text there
> > does seem fine to me, so I won't even nit-pick about it:-)
>
> Yes and I sent it to the SAAG list for review as well along with a
> followup email on the security review process for YANG documents (a
> link to the OPSdir page on that).  I don't think any feedback came
> through as a result of the request, so we should be good with the
> general considerations for a bit.
>
> >
> > I do have some other nits to note though.
> >
> > - There are a number of URLs given for access to updated materials
> > that use http schemed URLs and that do not use https schemed URLs.
> > There was a recent IESG statement to the effect that those'd be better
> > as https URLs. The first such example is in 3.1. In fact that URL is
> > re-directed (for me) to https. I think a general pass to fix such URLs
> > to use https wherever possible would be easy and better practice.
> >
>


no objection to changing the URLs to use https



> > - Some of the namespaces use http schemed URLs, for example in
> > section 4.2. I don't know if people are expected to de-reference such
> > URLs, but if they are then it'd be good to say if https is better to use
> > or not. (I'd argue it is.) If those URLs are not expected to be
> > de-referenced, then saying that would be good. (Not that it'd stop
> > people de-referencing 'em so the change is better in any case;-)
>
>
no objection to changing the YANG namespace examples to something else


> I don't see any response on these questions on list and it would be
> good to get an answer, so I'll include a link in my ballot in case the
> authors are not seeing it for some reason.
>
> Thanks,
> Kathleen
>
> >
> > Cheers,
> > S.
> >
>
>
>

Andy


>
> --
>
> Best regards,
> Kathleen
>

--94eb2c0ed1eac32fcf0566c21d9d--


From nobody Tue Mar  6 10:33:25 2018
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2CC129C6B; Tue,  6 Mar 2018 10:33:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A7AqE4FhMphl; Tue,  6 Mar 2018 10:33:15 -0800 (PST)
Received: from mail-ot0-x234.google.com (mail-ot0-x234.google.com [IPv6:2607:f8b0:4003:c0f::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 296E5124F57; Tue,  6 Mar 2018 10:33:15 -0800 (PST)
Received: by mail-ot0-x234.google.com with SMTP id n74so19283257ota.1; Tue, 06 Mar 2018 10:33:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=r+7uYwKlbnzAyJcboeSn5oIIAQLaa+4dqZWNPiQhKT0=; b=BInr3xXDdWFSMp4HYfTON7Gg+iqCpWt9tMpQ9tFF3spfhqH4dXDNNSxI6Bs3ulvlLi oMmqQSPg9+BoJ/CZ8/ZMry4zuWdmEhaetvyV/SOoAZmualfq+lCslQsLgJ41En8oYD+U NYCM5J2Pi0T5mMQZW1qXnRMmDS9V7YVkxb7XXiJuAzYJFZ8SC0takKtMzw51gqhIvbyx qLDnXMbCT7PTA9he53BDmbesGywFYRyS21zvj4l60GbLzzz2ecOBDxTFuU5hdQyhrYkL MtQ4uB8G4xPLK6nYgGScmBJapljo3mSA/u77W00aq90bwLykOt4x7V4mBRwB84pfRRfZ mO3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=r+7uYwKlbnzAyJcboeSn5oIIAQLaa+4dqZWNPiQhKT0=; b=oBNm0F69coIuqFO7M1TxioASDs6cLPFneLDFbwxi6SoFNZicnT2SfyE1BN+bJDK213 SdBZ15j/oj9DkqYn3mmidq9cOqseBCZFO77f2pwiRzXmC4GliwWHU3Qw88/alXmTPXTJ jOACPu3XJK+RewbZRVRkVqTJTkC6ie8DKHOE8PnrVUbEaUUsn5+oDoY1riFbWfX//qG8 ykA91paYUDghPGZCS9An42iwWREI74FcSD3GlZcC0cq7RDneUl1O/P87jRiepImtR410 F9ZJ5qH4kDkUqydQdOljSS4xXoGeOlHruJvoL8UKSIninES4suIuJGlWtrzbTgFcd6+R 9ZSg==
X-Gm-Message-State: AElRT7H5XBDGbJ2TKlBzC223GfZrJzxYlnwU8qtwqAnpdztbe/+TRlzN P1/AHU83xZ5ooa24+bHDUdLZcpWJ9sqluZ9Y4ps=
X-Google-Smtp-Source: AG47ELuiuDUpWKcj9R7AEGk7mKKwH/FStj+VklC6ETr3ZLD4D9HkIzFh6PLHEfTiroC7FW0LSbecsCSJPGSwPNbfTgs=
X-Received: by 10.157.33.113 with SMTP id l46mr14317251otd.287.1520361194472;  Tue, 06 Mar 2018 10:33:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.119 with HTTP; Tue, 6 Mar 2018 10:32:33 -0800 (PST)
In-Reply-To: <CABCOCHS5yWgfYnKFcVCOibYGEa1pomaKkKonf1WqfToOCoxG9Q@mail.gmail.com>
References: <151932948231.8096.10376000064045374752@ietfa.amsl.com> <CAHbuEH63ayGp2X+FmL9j9ajvF6nbGZM76YR6ttx0NyBvaQcRdw@mail.gmail.com> <CABCOCHS5yWgfYnKFcVCOibYGEa1pomaKkKonf1WqfToOCoxG9Q@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 6 Mar 2018 13:32:33 -0500
Message-ID: <CAHbuEH4OhHQaAuVGc2J9dZXTbHq7h0yrtw+QX7MuVOOJG1OZNg@mail.gmail.com>
To: Andy Bierman <andy@yumaworks.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF SecDir <secdir@ietf.org>, IETF <ietf@ietf.org>,  NetMod WG <netmod@ietf.org>, draft-ietf-netmod-rfc6087bis.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/aNsLKs-haIffoEzy-XaSWXN4b6w>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-netmod-rfc6087bis-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2018 18:33:17 -0000

Thanks, Andy!

On Tue, Mar 6, 2018 at 12:53 PM, Andy Bierman <andy@yumaworks.com> wrote:
>
>
> On Tue, Mar 6, 2018 at 9:40 AM, Kathleen Moriarty
> <kathleen.moriarty.ietf@gmail.com> wrote:
>>
>> Thanks for your review, Stephen!
>>
>> On Thu, Feb 22, 2018 at 2:58 PM, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie> wrote:
>> > Reviewer: Stephen Farrell
>> > Review result: Ready
>> >
>> >
>> > I reviewed the diff between -18 and RFC6087. [1]
>> >
>> >    [1]
>> > https://www.ietf.org/rfcdiff?url1=rfc6087&url2=draft-ietf-netmod-rfc6087bis-18
>> >
>> > I assume the security ADs were involved already in discussion about
>> > the new security considerations template in 3.7.1 and the text there
>> > does seem fine to me, so I won't even nit-pick about it:-)
>>
>> Yes and I sent it to the SAAG list for review as well along with a
>> followup email on the security review process for YANG documents (a
>> link to the OPSdir page on that).  I don't think any feedback came
>> through as a result of the request, so we should be good with the
>> general considerations for a bit.
>>
>> >
>> > I do have some other nits to note though.
>> >
>> > - There are a number of URLs given for access to updated materials
>> > that use http schemed URLs and that do not use https schemed URLs.
>> > There was a recent IESG statement to the effect that those'd be better
>> > as https URLs. The first such example is in 3.1. In fact that URL is
>> > re-directed (for me) to https. I think a general pass to fix such URLs
>> > to use https wherever possible would be easy and better practice.
>> >
>
>
>
> no objection to changing the URLs to use https
>
>
>>
>> > - Some of the namespaces use http schemed URLs, for example in
>> > section 4.2. I don't know if people are expected to de-reference such
>> > URLs, but if they are then it'd be good to say if https is better to use
>> > or not. (I'd argue it is.) If those URLs are not expected to be
>> > de-referenced, then saying that would be good. (Not that it'd stop
>> > people de-referencing 'em so the change is better in any case;-)
>>
>
> no objection to changing the YANG namespace examples to something else
>
>>
>> I don't see any response on these questions on list and it would be
>> good to get an answer, so I'll include a link in my ballot in case the
>> authors are not seeing it for some reason.
>>
>> Thanks,
>> Kathleen
>>
>> >
>> > Cheers,
>> > S.
>> >
>>
>>
>
>
> Andy
>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>
>



-- 

Best regards,
Kathleen


From nobody Tue Mar  6 19:16:14 2018
Return-Path: <zhangmingui@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E333126B72; Tue,  6 Mar 2018 19:16:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.23
X-Spam-Level: 
X-Spam-Status: No, score=-4.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGQVYuDk5J5O; Tue,  6 Mar 2018 19:16:11 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12E7D124BE8; Tue,  6 Mar 2018 19:16:11 -0800 (PST)
Received: from LHREML713-CAH.china.huawei.com (unknown [172.18.7.107]) by Forcepoint Email with ESMTP id 484CE87173E93; Wed,  7 Mar 2018 03:16:06 +0000 (GMT)
Received: from NKGEML413-HUB.china.huawei.com (10.98.56.74) by LHREML713-CAH.china.huawei.com (10.201.108.36) with Microsoft SMTP Server (TLS) id 14.3.382.0; Wed, 7 Mar 2018 03:16:07 +0000
Received: from NKGEML515-MBX.china.huawei.com ([fe80::a54a:89d2:c471:ff]) by NKGEML413-HUB.china.huawei.com ([10.98.56.74]) with mapi id 14.03.0361.001; Wed, 7 Mar 2018 11:15:56 +0800
From: "Zhangmingui (Martin)" <zhangmingui@huawei.com>
To: Roman Danyliw <rdd@cert.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQDCKukgABWI5oA=
Date: Wed, 7 Mar 2018 03:15:56 +0000
Message-ID: <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.111.146.93]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/o-pCNEA-v9JrHVGMwGWteDtZnqo>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 03:16:13 -0000

Hi Roman,

All changes you suggested in item (8) are fair. I've made these changes in
the 07 version. Awaiting upload.

Thanks,
Mingui

> -----Original Message-----
> From: Roman Danyliw [mailto:rdd@cert.org]
> Sent: Wednesday, March 07, 2018 12:32 AM
> To: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
> Subject: RE: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
>
> Hi Donald and Mingui!
>
> Thanks for the changes in -06.  Any thoughts on item (8)?
>
> Roman
>
> > -----Original Message-----
> > From: Roman Danyliw
> > Sent: Friday, March 02, 2018 9:01 PM
> > To: iesg@ietf.org; secdir@ietf.org;
> > draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
> > Subject: Secdir review of
> > draft-ietf-trill-multilevel-unique-nickname-05
>
> [snip]
>
> > (8) There appear to be a few instances of key protocol behavior not
> > using
> > RFC2119 language.  I'd suggest:
> >
> > Section 3.2.2, Global Distribution Tree, Page 6
> > (old) Also, this border RBridge needs to advertise the set of local
> > distribution trees by providing another set of nicknames
> > (new) Also, this border RBridge MUST advertise the set of local
> > distribution trees by providing another set of nicknames
> >
> > Section 3.2.2, Global Distribution Tree, Page 6
> > (old) If a border RBridge has been assigned both as a global tree root
> > and a local tree root, it has to acquire both a global tree root
> > nickname(s) and local tree root nickname(s)
> > (new) If a border RBridge has been assigned both as a global tree root
> > and a local tree root, it MUST acquire both a global tree root
> > nickname(s) and local tree root nickname(s)
> >
> > Section 4.3, Nickname Announcements, Page 9
> > (old) Besides its own nickname(s), a border RBridge needs to announce,
> > in its area, the ownership of all external nicknames that are
> > reachable from this border RBridge.
> > (new) Besides its own nickname(s), a border RBridge MUST announce, in
> > its area, the ownership of all external nicknames that are reachable
> > from this border RBridge.
> >
> > Section 4.3, Nickname Announcements, Page 9
> > (old) Also, a border RBridge needs to announce, in Level 2, the
> > ownership of all nicknames within its area. From listening to these
> > Level 2 announcements, border RBridges can figure out the nicknames used
> > by other areas.
> > (new) Also, a border RBridge MUST announce, in Level 2, the ownership
> > of all nicknames within its area. From listening to these Level 2
> > announcements, border RBridges can figure out the nicknames used by other
> > areas.
> >
> > Section 4.3, Nickname Announcements, Page 9
> > (old) To address this issue, border RBridges should make use of the
> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
> > inclusive range of nicknames that are available or not for self
> > allocation by the Level 1 RBridges in that area.
> > (new) To address this issue, border RBridges SHOULD use the
> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
> > inclusive range of nicknames that are available or not for self
> > allocation by the Level 1 RBridges in that area.
> >
> > Section 4.4, Capability Indication, Page 11
> > (old) If there are RBridges that do not understand the NickBlockFlags
> > APPsub-TLV, border RBridges of the area will also use the traditional
> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
> > OK is 0.
> > (new) If there are RBridges that do not understand the NickBlockFlags
> > APPsub-TLV, border RBridges of the area MUST also use the traditional
> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
> > OK is 0.
> >
> > Section 5, Mix with Aggregated nickname Areas, Page 11
> > (old) Usage of nickname space must be planed so that nicknames used in
> > any one unique nickname area and Level 2 are never used in any other
> > areas which includes unique nickname areas as well as aggregated nickname
> > areas


From nobody Tue Mar  6 19:20:02 2018
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADCED126CC7; Tue,  6 Mar 2018 19:19:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RvQS1Hi1N_Bf; Tue,  6 Mar 2018 19:19:55 -0800 (PST)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C9B9124BE8; Tue,  6 Mar 2018 19:19:55 -0800 (PST)
Received: by mail-oi0-x22d.google.com with SMTP id c83so638181oib.1; Tue, 06 Mar 2018 19:19:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rgnyq2ePgCAnY7uWAFUBPKp1tFY6IQaS8nvjXj9Brfg=; b=UU/EskVSolob9e8vHxM94WwqYbXq24DmHsyKQ9hf9tqysuuciOzVRbAVlDWVf78V7M RDv4c9/DkMkaGnpcc88pR0twCq1feMeGi20vxz8I7ZjetIBR9vDBY1sCHAJ1kPDNJI1D ig/6mzEe9nlGoCss1bPy3RfflL0EakwqbkFieadDN6N4psqKZswDfofYO/q2NyhYV0pP fUlmJoMITKg60fyKnMZavpm5AoIGNrAgZvC06Ky11oSoe+tJr7RJxCybTuIwR1Qmgu9Z TIF4ElpQvhHJvxoJOKzt0yEN+S2FJqFLx8Y9eH1BVQ/WF8Dm7drSOKHab5457E1Fg/6U U/Sg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rgnyq2ePgCAnY7uWAFUBPKp1tFY6IQaS8nvjXj9Brfg=; b=RudrHvnXZ+ggpb3t4satfJUQig5f4O7kYxGx3rkzlfNSI4/A8XN9eg6uaWu2XoFkAC 6bSwmPlXjjC0GNNvvFVywfrAGyQXiiQZDM+i4o58o2lpvvtHEhjodhS/gESlDEZA/EbP ies9v/LAC+Rjt37TDU1XabXNh5ecblpw5pEYjkkxhXpiARBng9MOX8RmS7gFuYII941K hsZ9dKaOv6cksvm/kIlLwXzbJSGIVQpaMzfhn/rrKp8O1vC9tjolrZubX4d8+4wzolgr BvS32x/HLuB9iTBEy/2uxXWHsc8Rquf90JX99XAcsZXcI6hLhApXk7ok90jnn8zjEhl6 RcXQ==
X-Gm-Message-State: AElRT7FE0C19bgi1CHY5sFdMEe/r3vA7ecaYm7qsd//j0PnJ/PdEP44B LE+AUPzAc9FtxgiImnW6TzMMgFflXHNtGa/jZCw=
X-Google-Smtp-Source: AG47ELtAlKqhRcypBY2tQY1z1kUDoRBemyLhZ3ukuYjsUxyJKqwvyI7QlM3CYaxthbHSYHp/dGXIaaRZFyHMDr9fK84=
X-Received: by 10.202.64.131 with SMTP id n125mr14043514oia.26.1520392794423;  Tue, 06 Mar 2018 19:19:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.46.119 with HTTP; Tue, 6 Mar 2018 19:19:14 -0800 (PST)
In-Reply-To: <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon> <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 6 Mar 2018 22:19:14 -0500
Message-ID: <CAHbuEH6NDzxHNmZ8gSCVYV=tFaF-ApE=dSrO6m-cKpPqZaQWpw@mail.gmail.com>
To: "Zhangmingui (Martin)" <zhangmingui@huawei.com>
Cc: Roman Danyliw <rdd@cert.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3xHUauIIsrQfP3Apk8Ay7s2rhK0>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 03:19:57 -0000

Thank you, Roman for the review and authors for the responses and updates!

Kathleen

On Tue, Mar 6, 2018 at 10:15 PM, Zhangmingui (Martin)
<zhangmingui@huawei.com> wrote:
> Hi Roman,
>
> All changes you suggested in item (8) are fair. I've made these changes in the 07 version. Awaiting upload.
>
> Thanks,
> Mingui
>
>> -----Original Message-----
>> From: Roman Danyliw [mailto:rdd@cert.org]
>> Sent: Wednesday, March 07, 2018 12:32 AM
>> To: iesg@ietf.org; secdir@ietf.org;
>> draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
>> Subject: RE: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
>>
>> Hi Donald and Mingui!
>>
>> Thanks for the changes in -06.  Any thoughts on item (8)?
>>
>> Roman
>>
>> > -----Original Message-----
>> > From: Roman Danyliw
>> > Sent: Friday, March 02, 2018 9:01 PM
>> > To: iesg@ietf.org; secdir@ietf.org;
>> > draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
>> > Subject: Secdir review of
>> > draft-ietf-trill-multilevel-unique-nickname-05
>>
>> [snip]
>>
>> > (8) There appear to be a few instances of key protocol behavior not
>> > using
>> > RFC2119 language.  I'd suggest:
>> >
>> > Section 3.2.2, Global Distribution Tree, Page 6
>> > (old) Also, this border RBridge needs to advertise the set of local
>> > distribution trees by providing another set of nicknames
>> > (new) Also, this border RBridge MUST advertise the set of local
>> > distribution trees by providing another set of nicknames
>> >
>> > Section 3.2.2, Global Distribution Tree, Page 6
>> > (old) If a border RBridge has been assigned both as a global tree root
>> > and a local tree root, it has to acquire both a global tree root
>> > nickname(s) and local tree root nickname(s)
>> > (new) If a border RBridge has been assigned both as a global tree root
>> > and a local tree root, it MUST acquire both a global tree root
>> > nickname(s) and local tree root nickname(s)
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) Besides its own nickname(s), a border RBridge needs to announce,
>> > in its area, the ownership of all external nicknames that are
>> > reachable from this border RBridge.
>> > (new) Besides its own nickname(s), a border RBridge MUST announce, in
>> > its area, the ownership of all external nicknames that are reachable
>> > from this border RBridge.
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) Also, a border RBridge needs to announce, in Level 2, the
>> > ownership of all nicknames within its area. From listening to these
>> > Level 2 announcements, border RBridges can figure out the nicknames used
>> > by other areas.
>> > (new) Also, a border RBridge MUST announce, in Level 2, the ownership
>> > of all nicknames within its area. From listening to these Level 2
>> > announcements, border RBridges can figure out the nicknames used by other
>> > areas.
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) To address this issue, border RBridges should make use of the
>> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
>> > inclusive range of nicknames that are available or not for self
>> > allocation by the Level 1 RBridges in that area.
>> > (new) To address this issue, border RBridges SHOULD use the
>> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
>> > inclusive range of nicknames that are available or not for self
>> > allocation by the Level 1 RBridges in that area.
>> >
>> > Section 4.4, Capability Indication, Page 11
>> > (old) If there are RBridges that do not understand the NickBlockFlags
>> > APPsub-TLV, border RBridges of the area will also use the traditional
>> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
>> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
>> > OK is 0.
>> > (new) If there are RBridges that do not understand the NickBlockFlags
>> > APPsub-TLV, border RBridges of the area MUST also use the traditional
>> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
>> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
>> > OK is 0.
>> >
>> > Section 5, Mix with Aggregated nickname Areas, Page 11
>> > (old) Usage of nickname space must be planed so that nicknames used in
>> > any one unique nickname area and Level 2 are never used in any other
>> > areas which includes unique nickname areas as well as aggregated nickname
>> > areas
>



-- 

Best regards,
Kathleen


From nobody Wed Mar  7 08:01:53 2018
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5432F12D881; Mon, 26 Feb 2018 09:17:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1519665462; bh=IblN4EaXCOfCwTpkWFObDiVf2T0D33qkhP6ohoOh5nM=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=U6LAA9vC6L4srYi7+67/owtfSGgdy2GegNn3XfN8UgrBJN1RkNEriuM4HWlS76PqR QCr9C0RuhHO8/1nc8tZooAhROixRPzfv+ea5lvMwFpXlaqWV62yJF8xz+jMB5i7dIB ZhGzDjvxpI3V2MENmrAy/674kHTL2UIgKe3Y0lkg=
X-Original-To: new-work@ietf.org
Delivered-To: new-work@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C7D81270A3 for <new-work@ietf.org>; Mon, 26 Feb 2018 09:17:30 -0800 (PST)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.72.4
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Reply_to: <iesg@ietf.org>
Message-ID: <151966545037.31361.10948283832067288856.idtracker@ietfa.amsl.com>
Date: Mon, 26 Feb 2018 09:17:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/-g6296JIADmFihyGyoyiVzGfPvM>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PCEA-Qsy73FOD1OBZ7oiskDc8qA>
X-Mailman-Approved-At: Wed, 07 Mar 2018 08:01:50 -0800
Subject: [secdir] [new-work] WG Review: Bit Indexed Explicit Replication (bier)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2018 17:17:42 -0000

The Bit Indexed Explicit Replication (bier) WG in the Routing Area of the
IETF is undergoing rechartering. The IESG has not made any determination yet.
The following draft charter was submitted, and is provided for informational
purposes only. Please send your comments to the IESG mailing list
(iesg@ietf.org) by 2018-03-08.

Bit Indexed Explicit Replication (bier)
-----------------------------------------------------------------------
Current status: Active WG

Chairs:
  Greg Shepherd <gjshep@gmail.com>
  Tony Przygienda <prz@juniper.net>

Assigned Area Director:
  Alia Atlas <akatlas@gmail.com>

Routing Area Directors:
  Alia Atlas <akatlas@gmail.com>
  Alvaro Retana <aretana.ietf@gmail.com>
  Deborah Brungard <db3546@att.com>

Mailing list:
  Address: bier@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/bier
  Archive: https://mailarchive.ietf.org/arch/browse/bier/

Group page: https://datatracker.ietf.org/group/bier/

Charter: https://datatracker.ietf.org/doc/charter-ietf-bier/

The BIER (Bit Index Explicit Replication) Working Group has defined
an architecture [RFC 8279] for multicast forwarding that uses an
encapsulation [RFC 8296] that can be used on MPLS or Ethernet transport.
The BIER-WG is now chartered to produce Standards Track RFCs, including
the status update for RFCs 8279 and 8296.

The BIER working group's original charter required the publication of an
Informational RFC describing the benefits, problems, and trade-offs for
using BIER instead of traditional multicast forwarding mechanisms as well
as an analysis of the impact and benefit of the BIER data-plane to the
overall Internet architecture. The WG did not produce this RFC, but the
goals of that milestone have nevertheless been reached; i.e., the industry
has demonstrated interest in deploying BIER and the trade-offs are now well
understood. Therefore, BIER is proceeding with work on the Standards Track.

The focus of the BIER-WG is on deployment: transition, partial deployments,
applicability and management.

First and primarily, the BIER-WG will complete its work on:

  1) Transition Mechanisms and Partial Deployments: The WG will
     describe how BIER can be introduced in existing multicast
     networks to shift multicast delivery, either end-to-end or in part
     of a network, from mechanisms such as PIM, ng-MVPN, etc. BIER
     operation in networks where not all routers are BIER capable
     or have other BIER support constraints should be addressed. How
     to handle routers supporting BIER with different BitStringLengths
     and encapsulations should be addressed. Each new mechanism should
     include an applicability statement that clearly describes its
     utility and distinctions from already standardized mechanisms.

  2) Applicability Statements: The WG will continue to work on
     documents describing how BIER can be applied, as has been done
     for MVPN in draft-ietf-bier-mvpn. A document describing
     applicability to EVPN should be published.

  3) Use Case: The WG will produce one use-case document that clearly
     articulates the potential benefits of BIER for different use-cases.

  4) Manageability and OAM: The WG will describe how OAM will work in
     a BIER domain and what simplifications BIER offers for managing the
     multicast traffic. A strong preference will be given to extensions to
     existing protocols.

  5) Management models: The WG will work on YANG models to manage BIER.

  6) Link-State Routing and BGP extensions: The BIER-WG has already
     defined the basic information needed to set up the BIER
     forwarding tables via advertisements in OSPFv2 and ISIS; the
     extensions to OSPFv3 will be specified.  Additional extensions
     may be needed - for example, to support constraining the topology
     on which a particular BIER sub-domain operates.  Any necessary extensions
     to the IGP will be specified by the WG as Standards Track, in
     cooperation with the LSR WG.  The BIER-WG shall also specify the
     extensions to support BIER for BGP when used as an IGP (see RFC
     7938) and to provide BIER-specific information in BGP-LS, in
     cooperation with IDR.

The BIER-WG is additionally chartered to start Standards Track work on:
  7) BIER in IPv6: A mechanism to use BIER natively in IPv6 may be
     standardized if coordinated with the 6MAN WG and with understood
     applicability.
  8) Forwarding Plane Mechanisms for BIER Traffic Engineering: definition of
     how the new BIER forwarding plane structures (e.g. BIFT) can be used to
     support engineered multicast trees.  No control-plane work will be
     done in BIER-WG.

The BIER-WG will serve as a forum to discuss how BIER can be applied.
The BIER-WG will coordinate and collaborate with other WGs as needed. 
Specific expected interactions include:
  * mpls on the associated MPLS-based OAM mechanisms,
  * lsr on OSPF and ISIS extensions to flood BIER-related information,
  * babel on Babel extensions to support BIER,
  * bess and idr on BGP extensions to flood BIER-related information and the
    applicability of existing BGP-based mechanisms for providing multicast
    group membership information,
  * pim and mboned on the applicability of and extensions to PIM, IGMP, and
    MLD to support BIER operations and transition,
  * pce on extensions to program BIER forwarding on the BFIRs, and
  * teas on architecture and control-plane mechanisms to use BIER-TE
    forwarding mechanisms.

Milestones:

TBD

_______________________________________________
new-work mailing list
new-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work


From nobody Wed Mar  7 08:01:58 2018
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5067112D873; Tue, 27 Feb 2018 09:25:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1519752312; bh=GN4ivHIeJSffRvKIuQNQxPUKd+b/yTtS5G5cPK3VYe4=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=l4FEHbNjj0NucO0K/gyHsUrZy0B8yaIItm1NS18eGYn+Y+kRgDvir244hMGsUW6rw VWe+E9diWpqDknhLRpj05S9Qjc/BiGWdqwsRInMb2/He+mYP86Corj+ZVF+vmZpok3 L+1dCXwQm7h3yE8spqtKEM5R4X0xiwzF96dyavCQ=
X-Original-To: new-work@ietf.org
Delivered-To: new-work@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id ECEDA12711A for <new-work@ietf.org>; Tue, 27 Feb 2018 09:25:04 -0800 (PST)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.73.0
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Reply_to: <iesg@ietf.org>
Message-ID: <151975230496.28569.545080368343459637.idtracker@ietfa.amsl.com>
Date: Tue, 27 Feb 2018 09:25:04 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/u6GCP22Icch5AGpQVaHO3AfBVEI>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/emXhjj4rBnQNWuqgFxnGFaJGtck>
X-Mailman-Approved-At: Wed, 07 Mar 2018 08:01:50 -0800
Subject: [secdir] [new-work] WG Review: Dynamic Host Configuration (dhc)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2018 17:25:12 -0000

The Dynamic Host Configuration (dhc) WG in the Internet Area of the IETF is
undergoing rechartering. The IESG has not made any determination yet. The
following draft charter was submitted, and is provided for informational
purposes only. Please send your comments to the IESG mailing list
(iesg@ietf.org) by 2018-03-06.

Dynamic Host Configuration (dhc)
-----------------------------------------------------------------------
Current status: Active WG

Chairs:
  Bernie Volz <volz@cisco.com>
  Tomek Mrugalski <tomasz.mrugalski@gmail.com>

Assigned Area Director:
  Suresh Krishnan <suresh@kaloom.com>

Internet Area Directors:
  Terry Manderson <terry.manderson@icann.org>
  Suresh Krishnan <suresh@kaloom.com>

Mailing list:
  Address: dhcwg@ietf.org
  To subscribe: http://www.ietf.org/mailman/listinfo/dhcwg
  Archive: https://mailarchive.ietf.org/arch/browse/dhcwg/

Group page: https://datatracker.ietf.org/group/dhc/

Charter: https://datatracker.ietf.org/doc/charter-ietf-dhc/

The Dynamic Host Configuration Working Group (DHC WG) has developed DHCP
for automated allocation, configuration and management of IP addresses,
IPv6 prefixes, IP protocol stack and other parameters. DHCPv4 is
currently a Draft Standard and is documented in RFC 2131 and RFC 2132.
DHCPv6 is currently a Proposed Standard and is being updated. The WG
plans to advance the DHCPv6 protocol to full standard.

The DHC WG is responsible for defining DHCP protocol extensions.
Definitions of new DHCP options that are delivered using standard
mechanisms with documented semantics are not considered a protocol
extension and thus are generally outside of scope for the DHC WG. Such
options should be defined within their respective WGs or sponsored by an
appropriate AD and reviewed by DHCP experts in the Internet Area
Directorate. However, if such options require protocol extensions or new
semantics, the protocol extension work must be done in the DHC WG.

The DHC WG has the following main objectives:

1. Informational documents providing operational or implementation advice
about DHCPv6, as well as documents specifying standard mechanisms for
operating, administering and managing DHCPv6 servers, clients, and relay
agents.

2. Assist other WGs and independent submissions in defining options
(that follow RFC 7227 guidelines) and to assure DHCP operational
considerations are properly documented.

3. Issue an updated version of the DHCPv6 base specification, and after
an appropriate interval following publication, advance to full standard.

Milestones:

  Mar 2018 - WGLC draft-ietf-dhc-dhcp4o6-saddr-opt

  Mar 2018 - WGLC draft-ietf-dhc-dhcpv4-forcerenew-extensions

  Mar 2018 - WGLC draft-ietf-dhc-dhcpv6-lwm2m-bootstrap-options

  Aug 2018 - WGLC draft-ietf-dhc-dhcpv6-yang

  Mar 2019 - Advance 3315bis RFC to Internet Standard


_______________________________________________
new-work mailing list
new-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work


From nobody Wed Mar  7 08:02:03 2018
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8492812E8A2; Thu,  1 Mar 2018 06:32:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1519914752; bh=RmJVo5Yon60+mUGHoZXDXdrG8Jzs6WYgO01/m2oKH2c=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=ChewT4SIfMjxbuV9R+HNZKsVs4RBwUcoj0e/quH9s4KhVpbGjt445FZmeQkHhh1Hz 3jcNjyDvZKcwgRShmTNBhJBTggoLHIpAAbiH1YiF+EZgstNLnzg0SSMMVc7Vq9gX9A pMfqBv1SuIig5JRcKVwAhbmhwwxA9yWHSxAtmklk=
X-Mailbox-Line: From new-work-bounces@ietf.org  Thu Mar  1 06:32:32 2018
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7FB12E858; Thu,  1 Mar 2018 06:32:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1519914752; bh=RmJVo5Yon60+mUGHoZXDXdrG8Jzs6WYgO01/m2oKH2c=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=ChewT4SIfMjxbuV9R+HNZKsVs4RBwUcoj0e/quH9s4KhVpbGjt445FZmeQkHhh1Hz 3jcNjyDvZKcwgRShmTNBhJBTggoLHIpAAbiH1YiF+EZgstNLnzg0SSMMVc7Vq9gX9A pMfqBv1SuIig5JRcKVwAhbmhwwxA9yWHSxAtmklk=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE4B129502 for <new-work@ietfa.amsl.com>; Thu,  1 Mar 2018 06:32:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.21
X-Spam-Level: 
X-Spam-Status: No, score=-3.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsUMEZv9GzFK for <new-work@ietfa.amsl.com>; Thu,  1 Mar 2018 06:32:28 -0800 (PST)
Received: from raoul.w3.org (raoul.w3.org [128.30.52.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50D4812E858 for <new-work@ietf.org>; Thu,  1 Mar 2018 06:31:56 -0800 (PST)
Received: from [42.185.127.203] (helo=XueyuandeMacBook-Pro.local) by raoul.w3.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <xueyuan@w3.org>) id 1erPFS-0006xg-OU for new-work@ietf.org; Thu, 01 Mar 2018 14:31:55 +0000
To: new-work@ietf.org
From: Xueyuan <xueyuan@w3.org>
Message-ID: <6c7348b0-7121-7ec7-f781-99b16bb4b344@w3.org>
Date: Thu, 1 Mar 2018 22:31:50 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/7uAAHu5_bQ8D4jBQmiP2Mkw0Q8U>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/O0KDxgcAEaZPDojMYuo7aklW6II>
X-Mailman-Approved-At: Wed, 07 Mar 2018 08:01:50 -0800
Subject: [secdir] [new-work] Proposed W3C Charter: Web Accessibility Initiative Interest Group (WAI IG) (until 2018-03-29)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 14:32:34 -0000

From nobody Wed Mar  7 19:53:53 2018
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A207E1271FD; Wed,  7 Mar 2018 19:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PSPMm_DTX2NX; Wed,  7 Mar 2018 19:53:46 -0800 (PST)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C380126BF7; Wed,  7 Mar 2018 19:53:46 -0800 (PST)
Received: from in01.mta.xmission.com ([166.70.13.51]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1etmcj-0006aR-4H; Wed, 07 Mar 2018 20:53:45 -0700
Received: from [72.250.219.84] (helo=rumpleteazer.rhmr.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1etmci-0002dy-0q; Wed, 07 Mar 2018 20:53:44 -0700
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w283rEG1016591; Wed, 7 Mar 2018 20:53:14 -0700
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id w283rEZi016590; Wed, 7 Mar 2018 20:53:14 -0700
Date: Wed, 7 Mar 2018 20:53:14 -0700
Message-Id: <201803080353.w283rEZi016590@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-trill-directory-assisted-encap.all@tools.ietf.org
X-XM-SPF: eid=1etmci-0002dy-0q; ; ; mid=<201803080353.w283rEZi016590@rumpleteazer.rhmr.com>; ; ; hst=in01.mta.xmission.com; ; ; ip=72.250.219.84; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX18pwKFuWyzwAS01FS1jGAoa
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ***;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country: 
X-Spam-Timing: total 606 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 7 (1.2%), b_tie_ro: 6 (0.9%), parse: 1.81 (0.3%), extract_message_metadata: 8 (1.3%), get_uri_detail_list: 2.6 (0.4%), tests_pri_-1000: 6 (0.9%), tests_pri_-950: 2.5 (0.4%), tests_pri_-900: 1.90 (0.3%), tests_pri_-400: 30 (4.9%), check_bayes: 28 (4.5%), b_tokenize: 10 (1.7%), b_tok_get_all: 7 (1.1%), b_comp_prob: 4.6 (0.8%), b_tok_touch_all: 2.5 (0.4%), b_finish: 0.90 (0.1%), tests_pri_0: 534 (88.2%), check_dkim_signature: 1.29 (0.2%), check_dkim_adsp: 29 (4.8%), tests_pri_500: 9 (1.5%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1cM8x9ec9ClH6KLbnM67uVw6Mk8>
Subject: [secdir] Security review of draft-ietf-trill-directory-assisted-encap-09.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 03:53:47 -0000

Security review of Directory Assisted TRILL Encapsulation
draft-ietf-trill-directory-assisted-encap-09.txt

(A day late and a dollar short, sorry)

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The document describes "the benefits of and a scheme for non-RBridge
nodes performing TRILL encapsulation."  The scheme uses TRILL
directories to help with the scaling issues for large TRILL networks
that co-exist with non-TRILL networks.  Non-RBridge nodes can
find a TRILL directory and properly encapsulate packets with TRILL
headers to guide them to and from the network edges.  The method
reduces the amount of node information that might otherwise be
assigned and flooded through the network.

There are security considerations that mandate that the directory
server and the TRILL encapsulating nodes "properly authenticate with
each other to protect sensitive information," but there is no
discussion of what is "proper" or how the propriety is maintained.
How does the directory server know which entities are authorized to
be encapsulating nodes and what information are they allowed to
see (or change)?  How do the encapsulating nodes know how to
authenticate the directory nodes?  Is this essential configuration
that has to be built in before the network can function with directory
assisted encapsulation?  Does it require cooperation between
administrators in different parts of a campus?

In some places the behavior of the nodes depends on whether or not
the directory is "known to be complete".  This seems like transient
information that has to be communicated in some unspecified way at
unspecified times.  It may not affect security, but it might affect
dependability?

Nits about grammar are many, but the one that interferes with
comprehension is the split infinitive in "it is still necessary to
designate AF ports to, for example, be sure that multi-destination
..."

Hilarie


From nobody Thu Mar  8 09:59:31 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C9F41243F6 for <secdir@ietf.org>; Thu,  8 Mar 2018 09:59:30 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.74.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <152053197017.13934.6702354069616435489.idtracker@ietfa.amsl.com>
Date: Thu, 08 Mar 2018 09:59:30 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HGvRqo99fHUT0TBqqZD-7a5Xbho>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 17:59:30 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2018-03-08

Reviewer               LC end     Draft
John Bradley           2018-03-06 draft-ietf-trill-smart-endnodes-10
Tim Polk               2018-03-02 draft-ietf-core-object-security-09
Melinda Shore          2018-02-27 draft-ietf-lisp-signal-free-multicast-08
Dacheng Zhang          2018-03-06 draft-ietf-trill-vendor-channel-00

For telechat 2018-04-05

Reviewer               LC end     Draft
Shaun Cooley           2018-03-06 draft-ietf-trill-over-ip-15
Donald Eastlake        2018-03-28 draft-ietf-teas-scheduled-resources-06
Daniel Gillmor         2018-03-19 draft-gutmann-scep-10
Daniel Gillmor         2018-03-26 draft-ietf-l2sm-l2vpn-service-model-08
Ben Laurie             2018-03-26 draft-ietf-6tisch-6top-protocol-10
David Mandelberg       2018-02-22 draft-ietf-ice-trickle-17
Matthew Miller         2018-02-20 draft-ietf-tram-stunbis-16
Vincent Roca           None       draft-ietf-core-cocoa-03
Stefan Santesson       2018-03-01 draft-ietf-tls-iana-registry-updates-04
Klaas Wierenga         2018-02-23 draft-ietf-nfsv4-layout-types-10

Last calls:

Reviewer               LC end     Draft
John Bradley           None       draft-ietf-acme-acme-10
Daniel Franke          2018-03-30 draft-ietf-mmusic-rid-14
Tobias Gondrom         2018-03-12 draft-ietf-tokbind-https-12
Phillip Hallam-Baker   2018-04-02 draft-ietf-uta-smtp-tlsrpt-17
Steve Hanna            2018-03-30 draft-ietf-core-senml-13
Leif Johansson        R2018-02-26 draft-ietf-homenet-babel-profile-06
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-12
Tina Tsou              2018-02-26 draft-ietf-softwire-dslite-yang-15
Carl Wallace           2018-02-26 draft-ietf-hip-native-nat-traversal-28
Taylor Yu              2018-03-16 draft-housley-suite-b-to-historic-04

Early review requests:

Reviewer               Due        Draft
Daniel Franke          2018-01-31 draft-ietf-intarea-provisioning-domains-00
Ólafur Guðmundsson     2018-01-09 draft-ietf-opsawg-nat-yang-09
Dan Harkins            2018-05-31 draft-ietf-dtn-bpsec-06

Next in the reviewer rotation:

  Paul Hoffman
  Russ Housley
  Christian Huitema
  Leif Johansson
  Benjamin Kaduk
  Charlie Kaufman
  Scott Kelly


From nobody Thu Mar  8 11:39:22 2018
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CE1AD12D7F2; Thu,  8 Mar 2018 11:39:05 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Phillip Hallam-Baker <hallam@gmail.com>
To: <secdir@ietf.org>
Cc: uta@ietf.org, draft-ietf-uta-smtp-tlsrpt.all@ietf.org, ietf@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.74.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
Date: Thu, 08 Mar 2018 11:39:05 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/lxXlqeiOZG5uQZ9h_GLEHSBxdlo>
Subject: [secdir] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2018 19:39:06 -0000

Reviewer: Phillip Hallam-Baker
Review result: Has Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

General comments:

Five minutes after I received the review request, a very similar proposal was
made in CABForum for reporting PKIX cert issues.

The Security Considerations section proposes use of DNSSEC. What happens if
that is misconfigured? Well, it should be reported.

The logic of this proposal is that something like it become a standard
deliverable for a certain class of service specification. I don't think we
should delay this and meta-think it. But we should anticipate it being joined
by others like it sharing syntax, DDoS mitigation, etc.

Specific issues

The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
considerations. It is a code point being defined in a protocol that is outside
the scope of UTA and therefore MUST have an IANA assignment and is a DNS code
point which is shared space and therefore MUST have an assignment.

If no IANA registry exists, one should be created.

In general, the approach should be consistent with the following:

[RFC6763] S. Cheshire and M. Krochmal "DNS-Based Service Discovery" RFC 6763
DOI 10.17487/RFC6763 February 2013

It might well be appropriate to create a separate IANA prefix registry
'report'. That is probably easier since this prefix does not fit well with the
existing ones.

_smtp-tlsrpt._report



From nobody Thu Mar  8 17:26:38 2018
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7712120727 for <secdir@ietfa.amsl.com>; Thu,  8 Mar 2018 17:26:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AuKVOF0TfK5x for <secdir@ietfa.amsl.com>; Thu,  8 Mar 2018 17:26:29 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A23AA126BF6 for <secdir@ietf.org>; Thu,  8 Mar 2018 17:26:29 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id f25so1997311qkm.0 for <secdir@ietf.org>; Thu, 08 Mar 2018 17:26:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :mime-version:content-transfer-encoding; bh=8rwC5sMAxCAf5rk/KviQJvqotPo+CQCCphDzrVFRHdU=; b=FW5gSf6i4OSMI93wjddbAR1SfJ2MAflLFK+UVlYX1pLdlRm8YKMMVuY61KFG0eU+yO EOfSC245tcpTqRC/3vByodRKp9EuNl8Dz1y6KXBSJnHJBuTJvxlTMgC2WPo9BDyaWBGp WGFcGGAoQal8lo0Yvd5T8M9p1fRCv3LgoznqI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:mime-version:content-transfer-encoding; bh=8rwC5sMAxCAf5rk/KviQJvqotPo+CQCCphDzrVFRHdU=; b=omvSsONfses9ZpAeXRs9ZVzb/tQMfEt0l10km9F54YH91LATynOAqDKqw9B/eL5Xnw 6UaqURm/f4xq5GNKWJS3XIKJDC3HQZnL412+M82lZkkE+bcAOcQLXJsBw3W0ne10n5LU cl0g9I4Q/7TnWda2gaQ+kPvhuEYT0hqIlOavlhg+c4jPJ65FWTK+UlOcV2PBScwtMyFj k3pRwQoMV0KzvQrnwRhWv78EFXiusYommPmJtAvw99eTlvCuHQyJSGkC1vE1uLsqqEOw 0b2aF6Pu7LDL5Jl9i6uQQ6FRwjytoU0KxEnwMsNuDpQHP5Djsnn9t4EKb9xtqBp5u/3L hbbw==
X-Gm-Message-State: AElRT7GfXC8tTAcjFwmU9ZVslfeczmdZvCXMhaqw8VznVdO4ZawIJk9t 92TozrrpxxwojN6zoggiqzzqEw==
X-Google-Smtp-Source: AG47ELsfpZgdNU4y4EasQ2j4w/gei0kai09tOSeN3nFWxwGqYW/rHGGcVNqdYgEmxYYGR1lN7ETa7g==
X-Received: by 10.55.212.12 with SMTP id l12mr40801184qki.303.1520558788711; Thu, 08 Mar 2018 17:26:28 -0800 (PST)
Received: from [192.168.2.246] (pool-74-96-253-73.washdc.fios.verizon.net. [74.96.253.73]) by smtp.googlemail.com with ESMTPSA id t68sm12348776qkf.62.2018.03.08.17.26.26 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 08 Mar 2018 17:26:27 -0800 (PST)
User-Agent: Microsoft-MacOutlook/14.7.6.170621
Date: Thu, 08 Mar 2018 20:26:21 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: <draft-ietf-hip-native-nat-traversal.all@ietf.org>
CC: <secdir@ietf.org>, <iesg@ietf.org>
Message-ID: <D6C74CED.B1F41%carl@redhoundsoftware.com>
Thread-Topic: secdir review of draft-ietf-hip-native-nat-traversal
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9DiVZG4WHIVFP7WGyPd8Ts_b008>
Subject: [secdir] secdir review of draft-ietf-hip-native-nat-traversal
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Fri, 09 Mar 2018 01:26:32 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document specifies a new Network Address Translator (NAT) traversal
mode for the Host Identity Protocol (HIP). While I am not a HIP guy, it
seems ready for publication. It's well-written and the security
considerations section is thorough. The only bit that raised a question
was in section 4, which states "it should be noted that HIP version 2
[RFC7401 <https://tools.ietf.org/html/rfc7401>] instead of HIPv1 is
expected to be used with this NAT traversal mode". Earlier in the
document, it states the draft is based on HIPv2. Are there any
considerations worth noting in the cases where HIPv1 is used or should
section 4 be revised to require v2?



From nobody Fri Mar  9 13:50:11 2018
Return-Path: <linuxwolf+ietf@outer-planes.net>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 06BB01242F7; Fri,  9 Mar 2018 13:50:10 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Matthew Miller <linuxwolf+ietf@outer-planes.net>
To: <secdir@ietf.org>
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.74.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152063220998.11155.12669577501214588133@ietfa.amsl.com>
Date: Fri, 09 Mar 2018 13:50:10 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/coviCdTQyXPEpIO_JOo8cLDb1-E>
Subject: [secdir] Secdir last call review of draft-ietf-tram-stunbis-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
X-List-Received-Date: Fri, 09 Mar 2018 21:50:10 -0000

Reviewer: Matthew Miller
Review result: Has Issues

[ I realize how unfortunate it is this arrives well past last call.
I beg forgiveness and ask that you accept the comments as you would
have if they arrived on time. ]

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

Document: draft-ietf-stunbis-16
Reviewer: Matthew A. Miller
Review Date: 2018-03-07
IETF LC End Date: 2018-02-20
IESG Telechat date: 2018-04-05

Summary:  This document obsoletes 5389, adding some protection to
downgrade attacks against message integrity usage, as well as
incorporating DTLS (over UDP).

The document is mostly ready, but there are a couple of issues I
have.

Major Issues: N/A

Minor Issues:

* I am wondering why a more robust password algorithm (key derivation
function) was not defined (e.g., HKDF-SHA-256) instead of, or in addition
to, a simple salted "SHA-256" hash.  Some amount of parameterization is
accounted for in the PASSWORD-ALGORITHM/S attributes.  I think it is
perfectly fair and appropriate to take this issue as "asking for a quick
rationale (that maybe ought to be highlighted better in the document)"
over "use a real key derivation function".

* The description for 17.5.1. "MD5" lists the key size as 20 bytes, but the
hash length of MD5 is 16 bytes (128 bits).  I think this is merely a typo,
since the purpose appears to be for backwards compatibility with existing
systems.

* Both Section 17.5.1.1. "MD5" and Section 9.2.2. "HMAC Key" (long-term
credential) appear to define the same functional algorithm, but with subtle
syntax differences.  As far as I can tell, they are actually the same
algorithm; would it not be acceptable to have Section 9.2.2 point to
Section 17.5.1.1 for the algorithm description?



From nobody Sun Mar 11 06:55:27 2018
Return-Path: <marc@petit-huguenin.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC163126D05; Sun, 11 Mar 2018 06:55:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.108
X-Spam-Level: 
X-Spam-Status: No, score=-1.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A25aYAUy_WSx; Sun, 11 Mar 2018 06:55:19 -0700 (PDT)
Received: from implementers.org (unknown [92.243.22.217]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AF311201FA; Sun, 11 Mar 2018 06:55:19 -0700 (PDT)
Received: from [IPv6:2601:648:8301:730f:ac0b:c7cc:59a:561f] (unknown [IPv6:2601:648:8301:730f:ac0b:c7cc:59a:561f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id CA1C3AE8D9; Sun, 11 Mar 2018 14:55:16 +0100 (CET)
To: Matthew Miller <linuxwolf+ietf@outer-planes.net>, secdir@ietf.org
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
References: <152063220998.11155.12669577501214588133@ietfa.amsl.com>
From: Marc Petit-Huguenin <marc@petit-huguenin.org>
Message-ID: <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>
Date: Sun, 11 Mar 2018 06:55:13 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <152063220998.11155.12669577501214588133@ietfa.amsl.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="JepqGcMYKMNSj0OfaJE8H9s7Wn8JeDWtk"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4Noh9lx1u6PlCU3yYa5mx90eZEU>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tram-stunbis-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Sun, 11 Mar 2018 13:55:20 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--JepqGcMYKMNSj0OfaJE8H9s7Wn8JeDWtk
Content-Type: multipart/mixed; boundary="nVlF3NljHW3Z231NkszQLrPd5dwYgVMIX";
 protected-headers="v1"
From: Marc Petit-Huguenin <marc@petit-huguenin.org>
To: Matthew Miller <linuxwolf+ietf@outer-planes.net>, secdir@ietf.org
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
Message-ID: <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>
Subject: Re: Secdir last call review of draft-ietf-tram-stunbis-16
References: <152063220998.11155.12669577501214588133@ietfa.amsl.com>
In-Reply-To: <152063220998.11155.12669577501214588133@ietfa.amsl.com>

--nVlF3NljHW3Z231NkszQLrPd5dwYgVMIX
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

Hi,

Thanks for the review.

Please see inline.

On 03/09/2018 01:50 PM, Matthew Miller wrote:
> Reviewer: Matthew Miller
> Review result: Has Issues
>
> [ I realize how unfortunate it is this arrives well past last call.
> I beg forgiveness and ask that you accept the comments as you would
> have if they arrived on time. ]
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
>
> Document: draft-ietf-stunbis-16
> Reviewer: Matthew A. Miller
> Review Date: 2018-03-07
> IETF LC End Date: 2018-02-20
> IESG Telechat date: 2018-04-05
>
> Summary:  This document obsoletes 5389, adding some protection to
> downgrade attacks against message integrity usage, as well as
> incorporating DTLS (over UDP).
>
> The document is mostly ready, but there are a couple of issues I
> have.
>
> Major Issues: N/A
>
> Minor Issues:
>
> * I am wondering why a more robust password algorithm (key derivation
> function) was not defined (e.g., HKDF-SHA-256) instead of, or in addition
> to, a simple salted "SHA-256" hash.  Some amount of parameterization is
> accounted for in the PASSWORD-ALGORITHM/S attributes.  I think it is
> perfectly fair and appropriate to take this issue as "asking for a quick
> rationale (that maybe ought to be highlighted better in the document)"
> over "use a real key derivation function".

We proposed other algorithms to the Working Group but there was no
consensus past using what we have today in the draft.

We basically wanted to keep STUN aligned with HTTP Digest and SIP Digest
as much as possible.  Rereading both RFC 7616 and
draft-yusef-sipcore-digest-scheme I can not find mention of using a key
derivation function for these.

Can you explain how that could be used with STUN (and potentially with
HTTP and SIP)?

>
> * The description for 17.5.1. "MD5" lists the key size as 20 bytes, but the
> hash length of MD5 is 16 bytes (128 bits).  I think this is merely a typo,
> since the purpose appears to be for backwards compatibility with existing
> systems.

Fixed.

>
> * Both Section 17.5.1.1. "MD5" and Section 9.2.2. "HMAC Key" (long-term
> credential) appear to define the same functional algorithm, but with subtle
> syntax differences.  As far as I can tell, they are actually the same
> algorithm; would it not be acceptable to have Section 9.2.2 point to
> Section 17.5.1.1 for the algorithm description?
>
>

This is going into the IANA registry so I left things there.  I fixed
the discrepancy with section 9.2.2.

I also fixed the definition of the key for SHA-256, which must use
OpaqueString for the realm.

-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug


--nVlF3NljHW3Z231NkszQLrPd5dwYgVMIX--

--JepqGcMYKMNSj0OfaJE8H9s7Wn8JeDWtk--
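
Added example, not part of the original thread or of the draft: the long-term credential key discussed in the two messages above, derived under the "MD5" and "SHA-256" password algorithms, next to an iterated KDF so the key sizes and per-derivation cost can be compared. Assumptions: the key is the hash of username ":" realm ":" password as in RFC 5389, string preparation (SASLprep/OpaqueString) is skipped, the sample credentials are constructed, and PBKDF2-HMAC-SHA256 is a stand-in chosen here (the review names HKDF-SHA-256 only as an example; the draft defines neither).

```python
import hashlib
import time


def _credential_string(username: str, realm: str, password: str) -> bytes:
    # Assumption: inputs are already prepared; SASLprep / OpaqueString
    # processing is omitted, so plain UTF-8 encoding is used.
    return f"{username}:{realm}:{password}".encode("utf-8")


def key_md5(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 long-term key: MD5(username ":" realm ":" password).

    The result is the MD5 digest, i.e. 16 bytes.
    """
    return hashlib.md5(_credential_string(username, realm, password)).digest()


def key_sha256(username: str, realm: str, password: str) -> bytes:
    """Same construction with SHA-256 (assumed form of the "SHA-256"
    password algorithm); username and realm act as the salt. 32 bytes."""
    return hashlib.sha256(_credential_string(username, realm, password)).digest()


def key_pbkdf2(username: str, realm: str, password: str,
               iterations: int = 100_000) -> bytes:
    """Hypothetical iterated alternative, NOT defined by the draft.

    Uses username:realm as the salt so the inputs match the two
    digest-style algorithms above. 32 bytes.
    """
    salt = f"{username}:{realm}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_derivation(derive, rounds: int = 5) -> float:
    """Average wall-clock cost of one key derivation.

    This is also the cost of checking one candidate password against a
    captured key, which is what a stronger algorithm is meant to raise.
    """
    start = time.perf_counter()
    for i in range(rounds):
        derive("alice", "example.org", f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


def compare() -> dict:
    """Key length and derivation cost for each algorithm (constructed input)."""
    user, realm, password = "alice", "example.org", "correct horse"
    algorithms = {
        "MD5": key_md5,
        "SHA-256": key_sha256,
        "PBKDF2-HMAC-SHA256 (hypothetical)": key_pbkdf2,
    }
    report = {}
    for name, derive in algorithms.items():
        key = derive(user, realm, password)
        report[name] = {
            "key_len": len(key),
            "seconds": seconds_per_derivation(derive),
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:36s} key={row['key_len']:2d} bytes  "
              f"{row['seconds'] * 1e6:10.1f} us/derivation")
```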


From nobody Mon Mar 12 15:36:25 2018
Return-Path: <Alexander_Brotman@comcast.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32E37127010; Mon, 12 Mar 2018 15:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level: 
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5RMH_u7ECoFc; Mon, 12 Mar 2018 15:36:06 -0700 (PDT)
Received: from vaadcmhout02.cable.comcast.com (vaadcmhout02.cable.comcast.com [96.114.28.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DC2C12422F; Mon, 12 Mar 2018 15:36:06 -0700 (PDT)
X-AuditID: 60721c4c-14b539e00000248e-45-5aa700d44d40
Received: from VAADCEX09.cable.comcast.com (vaadcmhoutvip.cable.comcast.com [96.115.73.56]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by vaadcmhout02.cable.comcast.com (SMTP Gateway) with SMTP id BA.5F.09358.4D007AA5; Mon, 12 Mar 2018 18:36:04 -0400 (EDT)
Received: from COPDCEX23.cable.comcast.com (147.191.124.154) by VAADCEX09.cable.comcast.com (147.191.102.76) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 12 Mar 2018 18:34:59 -0400
Received: from COPDCEX19.cable.comcast.com (147.191.124.150) by COPDCEX23.cable.comcast.com (147.191.124.154) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 12 Mar 2018 16:34:58 -0600
Received: from COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380]) by COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380%19]) with mapi id 15.00.1365.000; Mon, 12 Mar 2018 16:34:58 -0600
From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
Thread-Index: AQHTtxUkfu2V6vvAdU6QiQx2eVCljKPNNT0A
Date: Mon, 12 Mar 2018 22:34:57 +0000
Message-ID: <e114c12f91fb442399cc37176fc685e0@COPDCEX19.cable.comcast.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
In-Reply-To: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [96.114.156.8]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/EQiLBSwfBb4YueA2X0XxYuP4cJk>
Subject: Re: [secdir] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Mon, 12 Mar 2018 22:36:08 -0000


From nobody Tue Mar 13 08:50:23 2018
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E31A126C22; Tue, 13 Mar 2018 08:50:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JliTzj5aomEq; Tue, 13 Mar 2018 08:50:20 -0700 (PDT)
Received: from mail-ot0-x22a.google.com (mail-ot0-x22a.google.com [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B83D1205F0; Tue, 13 Mar 2018 08:50:20 -0700 (PDT)
Received: by mail-ot0-x22a.google.com with SMTP id 79-v6so54629oth.11; Tue, 13 Mar 2018 08:50:20 -0700 (PDT)
X-Received: by 10.157.62.93 with SMTP id h29mr232014otg.129.1520956219441; Tue, 13 Mar 2018 08:50:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:505:0:0:0:0:0 with HTTP; Tue, 13 Mar 2018 08:50:18 -0700 (PDT)
In-Reply-To: <e114c12f91fb442399cc37176fc685e0@COPDCEX19.cable.comcast.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com> <e114c12f91fb442399cc37176fc685e0@COPDCEX19.cable.comcast.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Tue, 13 Mar 2018 11:50:18 -0400
Message-ID: <CAMm+LwgRYAC1ZQE8AuO2kWNECyRUuV-s5hbXAuwsnARTw-e5yw@mail.gmail.com>
To: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "uta@ietf.org" <uta@ietf.org>,  "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="f403045e1fae2dc82205674d3703"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Z8aYhI5Px8bhUlXVkjXa8rUgjZ0>
Subject: Re: [secdir] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
X-List-Received-Date: Tue, 13 Mar 2018 15:50:22 -0000

--f403045e1fae2dc82205674d3703
Content-Type: text/plain; charset="UTF-8"

If folk are in London, let's talk to IANA and maybe some DNS folk.

I am pretty sure this is a straightforward issue. But it is one we need to
get right.



On Mon, Mar 12, 2018 at 6:34 PM, Brotman, Alexander <
Alexander_Brotman@comcast.com> wrote:

> I'm not opposed to change this to be in that form.  I don't believe this
> would cause any technical issues.
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse
> Comcast
>
> -----Original Message-----
> From: Phillip Hallam-Baker [mailto:hallam@gmail.com]
> Sent: Thursday, March 08, 2018 2:39 PM
> To: secdir@ietf.org
> Cc: uta@ietf.org; draft-ietf-uta-smtp-tlsrpt.all@ietf.org; ietf@ietf.org
> Subject: Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
>
> Reviewer: Phillip Hallam-Baker
> Review result: Has Issues
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> General comments:
>
> Five minutes after I received the review request, a very similar proposal
> was made in CABForum for reporting PKIX cert issues.
>
> The Security Considerations section proposes use of DNSSEC, what happens
> if that is misconfigured? Well it should be reported.
>
> The logic of this proposal is that something like it become a standard
> deliverable for a certain class of service specification. I don't think we
> should delay this and meta-think it. But we should anticipate it being
> joined by others like it sharing syntax, DDoS mitigation, etc.
>
> Specific issues
>
> The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
> considerations. It is a code point being defined in a protocol that is
> outside the scope of UTA and therefore MUST have an IANA assignment and is
> a DNS code point which is shared space and therefore MUST have an
> assignment.
>
> If no IANA registry exists, one should be created.
>
> In general, the approach should be consistent with the following:
>
> [RFC6763] S. Cheshire and M. Krochmal "DNS-Based Service Discovery" RFC
> 6763 DOI 10.17487/RFC6763 February 2013
>
> It might well be appropriate to create a separate IANA prefix registry
> 'report'. That is probably easier since this prefix does not fit well with
> the existing ones.
>
> _smtp-tlsrpt._report
>
>
>


-- 
Website: http://hallambaker.com/

--f403045e1fae2dc82205674d3703--


From nobody Wed Mar 14 04:13:51 2018
Return-Path: <Alexander_Brotman@comcast.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BE611241F3; Wed, 14 Mar 2018 04:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.01
X-Spam-Level: 
X-Spam-Status: No, score=-0.01 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L6AfBVVmFyNA; Wed, 14 Mar 2018 04:13:47 -0700 (PDT)
Received: from vaadcmhout02.cable.comcast.com (vaadcmhout02.cable.comcast.com [96.114.28.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E679129C51; Wed, 14 Mar 2018 04:13:47 -0700 (PDT)
X-AuditID: 60721c4c-c0e6a7000000248e-d1-5aa903ea7379
Received: from VAADCEX14.cable.comcast.com (vaadcmhoutvip.cable.comcast.com [96.115.73.56]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by vaadcmhout02.cable.comcast.com (SMTP Gateway) with SMTP id 24.05.09358.AE309AA5; Wed, 14 Mar 2018 07:13:46 -0400 (EDT)
Received: from COPDCEX24.cable.comcast.com (147.191.124.155) by VAADCEX14.cable.comcast.com (147.191.102.81) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 14 Mar 2018 07:13:45 -0400
Received: from COPDCEX19.cable.comcast.com (147.191.124.150) by COPDCEX24.cable.comcast.com (147.191.124.155) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 14 Mar 2018 05:13:44 -0600
Received: from COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380]) by COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380%19]) with mapi id 15.00.1365.000; Wed, 14 Mar 2018 05:13:44 -0600
From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
CC: "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
Thread-Index: AQHTtxUkfu2V6vvAdU6QiQx2eVCljKPNNT0AgAGHJgCAAN5hIA==
Date: Wed, 14 Mar 2018 11:13:44 +0000
Message-ID: <52346c59679e4623b1682784d7732a66@COPDCEX19.cable.comcast.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com> <e114c12f91fb442399cc37176fc685e0@COPDCEX19.cable.comcast.com> <CAMm+LwgRYAC1ZQE8AuO2kWNECyRUuV-s5hbXAuwsnARTw-e5yw@mail.gmail.com>
In-Reply-To: <CAMm+LwgRYAC1ZQE8AuO2kWNECyRUuV-s5hbXAuwsnARTw-e5yw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [96.115.73.254]
Content-Type: multipart/alternative; boundary="_000_52346c59679e4623b1682784d7732a66COPDCEX19cablecomcastco_"
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Jnw_DBUqr5BK-QM_1yTMx354bbo>
Subject: Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 11:13:49 -0000

--_000_52346c59679e4623b1682784d7732a66COPDCEX19cablecomcastco_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_52346c59679e4623b1682784d7732a66COPDCEX19cablecomcastco_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_52346c59679e4623b1682784d7732a66COPDCEX19cablecomcastco_--


From nobody Wed Mar 14 18:31:14 2018
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 289111250B8; Wed, 14 Mar 2018 18:31:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JTxOEoxMBSl; Wed, 14 Mar 2018 18:31:05 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0E75124F57; Wed, 14 Mar 2018 18:31:04 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id g7-v6so1200590itf.1; Wed, 14 Mar 2018 18:31:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+lfk7FqAQ73/KiP8fbrf4h7FGx/VW/eE8Rw55Eyw0X8=; b=n0T9pRkh4Xsb/QpwjSCuj17mWTNewJvpxqF353xKHqjhr0VwDc8n3Y9DUScABgADyB Z13fZO/LzTWY386Q79yx7/hRp/cZvgZG/luhmhvFvrJsFnB/lSM9QhAItQITtE11vhmI 5SUCBPhmtOzUZD2jRjTJ/wWSYnumxZUHNxEuFBZXB5gRTG/U5TIDOpkWg+L8iKlbASP3 D3HER9mwatCkgHEJQiVHdhjUKY29PYP5AjS66DUNaSg8KvDHJIK7hbIgeq3RPUUXGgYd RAvi47FcC3Jkckx4vTetGOG85hlGiValzk14WGT5eTQqMaq8aLtLZLQn7JSN3u5Ik8uM y6JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+lfk7FqAQ73/KiP8fbrf4h7FGx/VW/eE8Rw55Eyw0X8=; b=hsxVC5NcCiGirDtH9zaF/dEJrR4PV+tyXXyrkj0fvLszCNUVPvymG1C9OMdNiIK3oW gOeiSR12LmDUxtyN+DGdew5BXmvklMEBk1+Nhn/lDDGBdwyymx1umToQCopDsNoQSLj6 dZw9mH6nukbjV+vT9vNlgrDDblpJykt+WvG9rKIglc8/hyN8W2p3Q3/+H3sPSQ7uSm9+ 4ddI5uVnDJfotMqojP13rULLi3H/K35sgA0Hc5Vv/ROLEiVYLtEoE1pyeokBDdYiMj+X iboY93z+Zar61DGHQLWgjJ/7Xv+9Bw+JgOSHKNPBoDRUwWqrPuZeSAEhzR21jJimTYMg H0Lw==
X-Gm-Message-State: AElRT7G4x7535VtizjjtcQ0GUuuRb3NShsfSHKSOWO4dPtC79tvodz02 WKy3dmHOEvEBCqFXd/RH7k6DBQ1wOrkbY+E9Y/M=
X-Google-Smtp-Source: AG47ELtWZPbT7Io8N427Kzc3fEpBoOrRc6AdAnQh98mR8Fud1hfods9FK5MTQEqpUYsUbA23deNI0N8LnTXztq62ag0=
X-Received: by 2002:a24:108c:: with SMTP id 134-v6mr4139508ity.94.1521077464188;  Wed, 14 Mar 2018 18:31:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.58.193 with HTTP; Wed, 14 Mar 2018 18:30:48 -0700 (PDT)
In-Reply-To: <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon> <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 14 Mar 2018 21:30:48 -0400
Message-ID: <CAF4+nEGJByC=+A29y6s6FSn9h9=wZsPiGDJ3+pkpo5C+x_2phQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>,  "Zhangmingui (Martin)" <zhangmingui@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A_QGbgzvHgxXxRjfIuH6Fv9BIFA>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 01:31:07 -0000

Hi Roman,

A -07 version of draft-ietf-trill-multilevel-unique-nickname has been
uploaded. I believe this resolves all of your comments.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com


On Tue, Mar 6, 2018 at 10:15 PM, Zhangmingui (Martin)
<zhangmingui@huawei.com> wrote:
> Hi Roman,
>
> All changes you suggested in item (8) are fair. I've made these changes in the 07 version. Awaiting upload.
>
> Thanks,
> Mingui
>
>> -----Original Message-----
>> From: Roman Danyliw [mailto:rdd@cert.org]
>> Sent: Wednesday, March 07, 2018 12:32 AM
>> To: iesg@ietf.org; secdir@ietf.org;
>> draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
>> Subject: RE: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
>>
>> Hi Donald and Mingui!
>>
>> Thanks for the changes in -06.  Any thoughts on item (8)?
>>
>> Roman
>>
>> > -----Original Message-----
>> > From: Roman Danyliw
>> > Sent: Friday, March 02, 2018 9:01 PM
>> > To: iesg@ietf.org; secdir@ietf.org;
>> > draft-ietf-trill-multilevel-unique-nickname.all@ietf.org
>> > Subject: Secdir review of
>> > draft-ietf-trill-multilevel-unique-nickname-05
>>
>> [snip]
>>
>> > (8) There appear to be a few instances of key protocol behavior not
>> > using RFC2119 language.  I'd suggest:
>> >
>> > Section 3.2.2, Global Distribution Tree, Page 6
>> > (old) Also, this border RBridge needs to advertise the set of local
>> > distribution trees by providing another set of nicknames
>> > (new) Also, this border RBridge MUST advertise the set of local
>> > distribution trees by providing another set of nicknames
>> >
>> > Section 3.2.2, Global Distribution Tree, Page 6
>> > (old) If a border RBridge has been assigned both as a global tree root
>> > and a local tree root, it has to acquire both a global tree root
>> > nickname(s) and local tree root nickname(s)
>> > (new) If a border RBridge has been assigned both as a global tree root
>> > and a local tree root, it MUST acquire both a global tree root
>> > nickname(s) and local tree root nickname(s)
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) Besides its own nickname(s), a border RBridge needs to announce,
>> > in its area, the ownership of all external nicknames that are
>> > reachable from this border RBridge.
>> > (new) Besides its own nickname(s), a border RBridge MUST announce, in
>> > its area, the ownership of all external nicknames that are reachable
>> > from this border RBridge.
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) Also, a border RBridge needs to announce, in Level 2, the
>> > ownership of all nicknames within its area. From listening to these
>> > Level 2 announcements, border RBridges can figure out the nicknames used
>> > by other areas.
>> > (new) Also, a border RBridge MUST announce, in Level 2, the ownership
>> > of all nicknames within its area. From listening to these Level 2
>> > announcements, border RBridges can figure out the nicknames used by other
>> > areas.
>> >
>> > Section 4.3, Nickname Announcements, Page 9
>> > (old) To address this issue, border RBridges should make use of the
>> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
>> > inclusive range of nicknames that are available or not for self
>> > allocation by the Level 1 RBridges in that area.
>> > (new) To address this issue, border RBridges SHOULD use the
>> > NickBlockFlags APPsub-TLV to advertise into the Level 1 area the
>> > inclusive range of nicknames that are available or not for self
>> > allocation by the Level 1 RBridges in that area.
>> >
>> > Section 4.4, Capability Indication, Page 11
>> > (old) If there are RBridges that do not understand the NickBlockFlags
>> > APPsub-TLV, border RBridges of the area will also use the traditional
>> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
>> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
>> > OK is 0.
>> > (new) If there are RBridges that do not understand the NickBlockFlags
>> > APPsub-TLV, border RBridges of the area MUST also use the traditional
>> > Nickname Sub-TLV [RFC7176] to announce into the area those nicknames
>> > covered by the nickname blocks of the NickBlockFlags APPsub-TLV whose
>> > OK is 0.
>> >
>> > Section 5, Mix with Aggregated nickname Areas, Page 11
>> > (old) Usage of nickname space must be planed so that nicknames used in
>> > any one unique nickname area and Level 2 are never used in any other
>> > areas which includes unique nickname areas as well as aggregated nickname
>> > areas


From nobody Wed Mar 14 18:53:45 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D795312702E for <secdir@ietfa.amsl.com>; Wed, 14 Mar 2018 18:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6whnaY_Xkp9X for <secdir@ietfa.amsl.com>; Wed, 14 Mar 2018 18:53:41 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34F61127010 for <secdir@ietf.org>; Wed, 14 Mar 2018 18:53:40 -0700 (PDT)
X-AuditID: 12074425-b63ff70000007358-18-5aa9d2214f43
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 59.DF.29528.222D9AA5; Wed, 14 Mar 2018 21:53:38 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w2F1raug022661 for <secdir@ietf.org>; Wed, 14 Mar 2018 21:53:36 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2F1rXWV003832 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <secdir@ietf.org>; Wed, 14 Mar 2018 21:53:35 -0400
Date: Wed, 14 Mar 2018 20:53:33 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: secdir@ietf.org
Message-ID: <20180315015333.GK55987@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qrSX7J3CQglQb_8HNwrs_4Xkb3I>
Subject: [secdir] Anyone available to help NETCONF with crypto design?
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 01:53:43 -0000

Hi all,

The NETCONF agenda for London includes a hefty list of
security-related topics:

> >>       Proposal for Refactoring the Keystore Model
> >>       https://tools.ietf.org/html/draft-ietf-netconf-keystore-04
> >>       https://tools.ietf.org/html/draft-kwatsen-netconf-crypto-types-00
> >>       https://tools.ietf.org/html/draft-kwatsen-netconf-trust-anchors-00

It would be great to have some security knowledge in the room, but
the ADs have scheduling conflicts with IASA2.0 and TEEP.  Is anyone
available to attend the netconf session and provide some expert
advice in these regards?

Thanks,

Ben


From nobody Wed Mar 14 19:35:00 2018
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D67B112D82F; Wed, 14 Mar 2018 19:34:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.348
X-Spam-Level: 
X-Spam-Status: No, score=-2.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_SBL_A=0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id auyoJWsAqViA; Wed, 14 Mar 2018 19:34:57 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B9DF12D810; Wed, 14 Mar 2018 19:34:57 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id d11so463357iop.6; Wed, 14 Mar 2018 19:34:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=2gpUKzeWJhrD85soM9hHHYaeHkCJnrArOVOAskEdTto=; b=HO3f/X2noAWMwRmure906Xpjo05cfw+aFrKScopEMILN0WjckrbxK9geQwDj+FWrKM DEunkdZ1j/r/EN/ok+f5qBBIzyfliZSo1cVJKOgESqwbiKvIdaxE9ByoKDhz9u1U1RvG NkiCXmLtFlNU3wx0xUN8/OJatlxGqDAVdlSXDh/PMsKwhG2H6fJwLVw4QgfRo67pdq3U xZY8G9c+RHTmDWRC/PihtwmASXLYkigO7G1xx0qLBdb3EmPPV5M9SrmSfecRVmJ2wpK7 OF/X3VV6G1BdZ5OHlEEqnb7U1hE/phE3nu2cNFAN6jBErNq1vsfX6PlsmzD7puIqP5hs UNoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=2gpUKzeWJhrD85soM9hHHYaeHkCJnrArOVOAskEdTto=; b=iFn2a5QJy4GwZlfmzi9A8cUNnIrBsVYBZMIxxE46k5vnCS5PmGroEVeYjxs1B4zWU5 k7hIEPsQ1maX81LrKC25CEYbfoR5B2NH18r8u58X18jTZNQD0mgNFeG80UMTUv7Kt16w aEnzUmwpYYmSCGrpk/i1qMhuV4aJBShM7l3oKHe+ud0cJuw7+o61/PpXqxcJyZw1z+7Z kRBfwjjCcreGuFWOuwixPiiXB1jYhjN6pZglAhPj5FkA6ThJseTpJvq1kTxmNpkEawP7 rtvTStabJMxPZkNXfQP9oRYim1HS7fARQWR/eGvA8TodqPMugKjpqtmk9v5bcTtPyTHp LbFA==
X-Gm-Message-State: AElRT7HuLooDqHrm2krg/2cTftrLx3e+rkVGc7IULoRoF6W3ASucSwdV WIdTdt7s/ynvQwtxwNE821Tk434Eeo5LXEAKP5w=
X-Google-Smtp-Source: AG47ELtJgft9CasBUib2mzUaGMnkmS+vOoYohBCm1kkLciyQ0l4O3f5FCZAA9VJrPKZmx2W3gZ9ImCfXbgjx5VU7iNw=
X-Received: by 10.107.81.25 with SMTP id f25mr7230521iob.14.1521081296436; Wed, 14 Mar 2018 19:34:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.26.194 with HTTP; Wed, 14 Mar 2018 19:34:36 -0700 (PDT)
In-Reply-To: <sjmy3jkit1t.fsf@securerf.ihtfp.org>
References: <sjmy3jkit1t.fsf@securerf.ihtfp.org>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 14 Mar 2018 22:34:36 -0400
Message-ID: <CAF4+nEHKVzASPNvWt856aP=+CXQO3shSnGRYGqUjxmjVTUeLMQ@mail.gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Cc: "iesg@ietf.org" <iesg@ietf.org>, secdir@ietf.org, trill-chairs@ietf.org,  lucyyong <lucyyong@gmail.com>, Kingston Smiler <kingstonsmiler@gmail.com>,  Mohammad Umair <mohammed.umair2@gmail.com>
Content-Type: multipart/alternative; boundary="089e0825d6d05942d705676a56a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Am-UYV5Job4O6R0ROeEREeHRTHo>
Subject: Re: [secdir] sec-dir review of draft-ietf-trill-transport-over-mpls-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 02:34:59 -0000

--089e0825d6d05942d705676a56a3
Content-Type: text/plain; charset="UTF-8"

Hi Derek,

My apologies for the delay in response.

Thanks for noticing the typo.

Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

On Thu, Feb 22, 2018 at 5:00 PM, Derek Atkins <derek@ihtfp.com> wrote:

> Hi,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written with the intent of improving
> security requirements and considerations in IETF drafts.  Comments
> not addressed in last call may be included in AD reviews during the
> IESG review.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> Summary:
>
> Ready to publish (with minor edits).
>
> Details:
>
> There is a typo in Figure 2 on page 7 where you have two instances of
> "Tenant2 Site 2".  I suspect that RBat2 should be labeled Tenant2 Site
> 1.  The same mistake is in Figure 4 on page 11.
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant
>

--089e0825d6d05942d705676a56a3--


From nobody Thu Mar 15 07:31:55 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBD912D96A for <secdir@ietf.org>; Thu, 15 Mar 2018 07:31:50 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.75.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <152112431091.12153.16901279215980522707.idtracker@ietfa.amsl.com>
Date: Thu, 15 Mar 2018 07:31:50 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ew_a3MgL2zXRwH_Sr-5MABtASHM>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 14:31:53 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2018-04-05

Reviewer               LC end     Draft
Shaun Cooley           2018-03-06 draft-ietf-trill-over-ip-15
Donald Eastlake        2018-03-28 draft-ietf-teas-scheduled-resources-06
Daniel Gillmor         2018-03-19 draft-gutmann-scep-10
Daniel Gillmor         2018-03-26 draft-ietf-l2sm-l2vpn-service-model-08
Ben Laurie             2018-03-26 draft-ietf-6tisch-6top-protocol-10
Vincent Roca           None       draft-ietf-core-cocoa-03
Stefan Santesson       2018-03-01 draft-ietf-tls-iana-registry-updates-04
Klaas Wierenga         2018-02-23 draft-ietf-nfsv4-layout-types-10

For telechat 2018-04-19

Reviewer               LC end     Draft
Daniel Franke          2018-03-30 draft-ietf-mmusic-rid-14
Steve Hanna            2018-03-30 draft-ietf-core-senml-13

Last calls:

Reviewer               LC end     Draft
John Bradley           None       draft-ietf-acme-acme-10
Tobias Gondrom         2018-03-12 draft-ietf-tokbind-https-12
Leif Johansson        R2018-02-26 draft-ietf-homenet-babel-profile-06
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-12
Tina Tsou              2018-02-26 draft-ietf-softwire-dslite-yang-15
Taylor Yu              2018-03-16 draft-housley-suite-b-to-historic-04

Early review requests:

Reviewer               Due        Draft
Daniel Franke          2018-01-31 draft-ietf-intarea-provisioning-domains-00
Ólafur Guðmundsson     2018-01-09 draft-ietf-opsawg-nat-yang-09
Dan Harkins            2018-05-31 draft-ietf-dtn-bpsec-06

Next in the reviewer rotation:

  Paul Hoffman
  Russ Housley
  Christian Huitema
  Leif Johansson
  Benjamin Kaduk
  Charlie Kaufman
  Scott Kelly


From nobody Thu Mar 15 08:33:01 2018
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DF0F12D7E8; Thu, 15 Mar 2018 06:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1521120904; bh=eLED4XDquEnmwqm7xKiADmbgJoSr8G800547OLgjvms=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=IpwV4IFS2OopWPZt7rbhwI+Oj9/3MUt8j63EKAt6ah5zEqN7vE0t/YX7EnKUnB2bz bImFqgjrdIbBYzQNAPVmzG+jvr1YYR1n0Sjt5MTaZ3bccuG6f8QQc2A29icw4V6rIG odE/iKZEbvulG72NFUJRW0gEJvnEwUH7bWCeqvv8=
X-Mailbox-Line: From new-work-bounces@ietf.org  Thu Mar 15 06:35:04 2018
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 27326129C53; Thu, 15 Mar 2018 06:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1521120904; bh=eLED4XDquEnmwqm7xKiADmbgJoSr8G800547OLgjvms=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=IpwV4IFS2OopWPZt7rbhwI+Oj9/3MUt8j63EKAt6ah5zEqN7vE0t/YX7EnKUnB2bz bImFqgjrdIbBYzQNAPVmzG+jvr1YYR1n0Sjt5MTaZ3bccuG6f8QQc2A29icw4V6rIG odE/iKZEbvulG72NFUJRW0gEJvnEwUH7bWCeqvv8=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E90C129C59 for <new-work@ietfa.amsl.com>; Thu, 15 Mar 2018 06:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTTjBgSjYDJG for <new-work@ietfa.amsl.com>; Thu, 15 Mar 2018 06:35:01 -0700 (PDT)
Received: from raoul.w3.org (raoul.w3.org [128.30.52.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23DB129C53 for <new-work@ietf.org>; Thu, 15 Mar 2018 06:35:00 -0700 (PDT)
Received: from [123.165.92.139] (helo=[192.168.1.3]) by raoul.w3.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <xueyuan@w3.org>) id 1ewT1z-000CRu-Fk for new-work@ietf.org; Thu, 15 Mar 2018 13:34:55 +0000
To: new-work@ietf.org
From: Xueyuan <xueyuan@w3.org>
Message-ID: <485ec810-c5a2-5ae8-90de-61489c2d121f@w3.org>
Date: Thu, 15 Mar 2018 21:34:51 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/EQafw8KNL22SjTP2zfn5Iu_za6U>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KNImRkASn6MmRvEuXnd2pI8YCng>
X-Mailman-Approved-At: Thu, 15 Mar 2018 08:32:59 -0700
Subject: [secdir] [new-work] Proposed W3C Charter: JSON-LD Working Group (until 2018-04-29)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 13:35:05 -0000


From nobody Fri Mar 16 01:28:40 2018
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50CC712762F; Fri, 16 Mar 2018 01:28:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level: 
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eqR9EK04ApP; Fri, 16 Mar 2018 01:28:32 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE1811243FE; Fri, 16 Mar 2018 01:28:31 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.48,313,1517871600";  d="scan'208,217";a="258531353"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO [192.168.1.118]) ([82.236.155.50]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Mar 2018 09:07:32 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3FB12971-EFF9-4B88-8F3F-0D0CA0882A96"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <DF2C05FE-EFE7-4180-A40D-065F13D02F01@inria.fr>
Date: Fri, 16 Mar 2018 09:07:31 +0100
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-core-cocoa.all@ietf.org
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9Zrh1-SKkBl21Yg4NRCiEUMzyXs>
Subject: [secdir] Secdir review of draft-ietf-core-cocoa-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 08:28:34 -0000

--Apple-Mail=_3FB12971-EFF9-4B88-8F3F-0D0CA0882A96
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Ready with nits

This document proposes an improved congestion control for CoAP.
Its Security Considerations section lists several RFCs whose security discussion may
apply, and in particular [RFC7252].
This is a bit annoying as the security considerations section of RFC 7252 is 6 pages long.
What do you mean more precisely? What should the implementer care about?

Otherwise I agree with the authors that attacks preventing the delivery of some packets are hard
to prevent while seriously impacting CoCoA. Such attacks are however limited to a single flow.
What about the opposite (misleading the sender and making him unresponsive to congestion
signals)? This would be a more serious issue. This is not specific to CoAP but could CoAP simplify
this type of attack?


Other comments:

** Introduction: In sentence "For non-confirmable packets, it also limits the sending rate to 1/RTO;"
  I have problems understanding what "non-confirmable" means.

** Section 3: When saying that "CoCoA has been found to perform well in scenarios with latencies
   ranging from the order of milliseconds to peaks of dozens of seconds,..."
   what do you mean by "latency"? Is it the transmission and/or propagation times?
   Is it related to the access method? Not very clear.
   And I'm a bit surprised by the value of "dozens of seconds"? Is it just a simulation parameter
   or is it realistic?

** Section 3: (corollary) the default initial RTO is set to 2 to 3 seconds, i.e., well below the
  "dozens of seconds" mentioned above.

** Appendix B. Pseudocode:
  As a general comment, I don't like function definitions where input and output are not defined,
  where global versus local variables are not defined, where persistent variables (global or static
  local variables) are not defined.
  For instance, between two calls to updateRTO(), should the RTO variable keep its previous value
  (I assume it is the case) or not? Same question for RTTVAR_strong, RTT_strong.

  And in appendix B.1., since you provide C-type pseudo-code, it's better to use a final ";" during
  default value initialisation (or #define if this is a constant).


Cheers,

   Vincent

--Apple-Mail=_3FB12971-EFF9-4B88-8F3F-0D0CA0882A96--


From nobody Fri Mar 16 04:35:25 2018
Return-Path: <linuxwolf+ietf@outer-planes.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5A381277BB for <secdir@ietfa.amsl.com>; Fri, 16 Mar 2018 04:35:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ao47bR7ykCPJ for <secdir@ietfa.amsl.com>; Fri, 16 Mar 2018 04:35:22 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0E72127735 for <secdir@ietf.org>; Fri, 16 Mar 2018 04:35:21 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id e194so2428523wmd.3 for <secdir@ietf.org>; Fri, 16 Mar 2018 04:35:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=sender:subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to; bh=mjfH8+sDDOY3keaN9cbSDqu7dpPGDDJaopPXIxzccS0=; b=n7F1a0FTgVE8fdRj3i5LkPCiX/iiYKsKXeMfCgGntvsQjfVGl80dnWanu5Ie7xGTxi b31665kDFBJcKlfaB4Ha6CO/ic1v+ElzdQO/jfPqJUF+l3puS2hFEnPeJHz1kXsSvy+B Nlv9AZcQSso/ovwqMDoPGRSe8ezTYXrL6L9QtBHyDG1CVKTQMTcks5Kf3BvvJDiZ2HSR ojPk4eR6WoOFS0dtjhVTBY9qTFhYc3zfGL1G1q0nyXj5aLQdARMII0xPiTokcEBTPlxu LVkHmctOMT3d27pqEEiJWBgUuqZ7ML44qlFsTZwbb5P2qqw8tNkB3yoDLpz8seQdPVaG 8jZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:subject:to:cc:references:from:message-id :date:user-agent:mime-version:in-reply-to; bh=mjfH8+sDDOY3keaN9cbSDqu7dpPGDDJaopPXIxzccS0=; b=iGwaMj1U+R3sJ4wOAdTmBAxk3RJDRbDZ6oZ/3KinlCIkYc59KzKyYcf/WfS41jQ2Jb BV7RJp4JP/XqtmqY3U91rdjvqpr4t4ZEZykDUhbXrgQ//7Oxx1Kv59B9ZU3Qi4ynuxph HhesSkfdEXVk/gFONQ99Noboarrq0oF5LC2mwR1cUS4pUD7afP7d83vn/JKb+ss5iA6T 5BXSSBRfJ3xV6pKexr5Lv8rLx1PWF7h3NHYxeZeKAKQy1WawEzU1+TsUw5C/ytEF4QFc wQR/iJCcXzlsi7v2tfvvahruGnrEgLc6gxkSQJZUZCAJe1a8sXLYIUGTtyMNFUIvBXnR HnUQ==
X-Received: by 10.28.62.16 with SMTP id l16mr1604302wma.54.1521200119980; Fri, 16 Mar 2018 04:35:19 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:3dc5:da42:199a:6337? ([2001:67c:1232:144:3dc5:da42:199a:6337]) by smtp.gmail.com with ESMTPSA id m191sm6310234wma.21.2018.03.16.04.35.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Mar 2018 04:35:19 -0700 (PDT)
Sender: Matthew Miller <linuxwolf@outer-planes.net>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, secdir@ietf.org
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
References: <152063220998.11155.12669577501214588133@ietfa.amsl.com> <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Message-ID: <8fdfe1a4-9aad-1b34-c05b-086020f0f8fa@outer-planes.net>
Date: Fri, 16 Mar 2018 05:35:18 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="ZH0RjWPipU5xcHAywaciiFNIpF79zZNQ2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BHqzK0Q225gFMYF_DE3U_6NslhE>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tram-stunbis-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 11:35:24 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--ZH0RjWPipU5xcHAywaciiFNIpF79zZNQ2
Content-Type: multipart/mixed; boundary="IgZ0PUS4ADpgTmao4uYVHnqneekamYIlG";
 protected-headers="v1"
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, secdir@ietf.org
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
Message-ID: <8fdfe1a4-9aad-1b34-c05b-086020f0f8fa@outer-planes.net>
Subject: Re: Secdir last call review of draft-ietf-tram-stunbis-16
References: <152063220998.11155.12669577501214588133@ietfa.amsl.com>
 <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>
In-Reply-To: <a9a7c497-3815-f022-f9a9-2fe53d3394f5@petit-huguenin.org>

--IgZ0PUS4ADpgTmao4uYVHnqneekamYIlG
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable


On 18/03/11 07:55, Marc Petit-Huguenin wrote:
> Hi,
>
> Thanks for the review.
>
> Please see inline.
>
> On 03/09/2018 01:50 PM, Matthew Miller wrote:
>> Reviewer: Matthew Miller
>> Review result: Has Issues
>>
>> [ I realize how unfortunate it is this arrives well past last call.
>> I beg forgiveness and ask that you accept the comments as you would
>> have if they arrived on time. ]
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should
>> treat these comments just like any other last call comments.
>>
>> Document: draft-ietf-stunbis-16
>> Reviewer: Matthew A. Miller
>> Review Date: 2018-03-07
>> IETF LC End Date: 2018-02-20
>> IESG Telechat date: 2018-04-05
>>
>> Summary:  This document obsoletes 5389, adding some protection to
>> downgrade attacks against message integrity usage, as well as
>> incorporating DTLS (over UDP).
>>
>> The document is mostly ready, but there are a couple of issues I
>> have.
>>
>> Major Issues: N/A
>>
>> Minor Issues:
>>
>> * I am wondering why a more robust password algorithm (key derivation
>> function) was not defined (e.g., HKDF-SHA-256) instead of or in addition
>> to, a simple salted "SHA-256" hash.  Some amount of parameterization is
>> accounted for in the PASSWORD-ALGORITHM/S attributes.  I think it is
>> perfectly fair and appropriate to take this issue as "asking for a quick
>> rationale (that maybe ought to be highlighted better in the document)"
>> over "use a real key derivation function".
>
> We proposed other algorithms to the Working Group but there was no consensus past using what we have today in the draft.
>> We basically wanted to keep STUN aligned with HTTP Digest and SIP
Digest as much as possible.  Rereading both RFC 7616 and
draft-yusef-sipcore-digest-scheme I can not find mention of using a key
derivation function for these.
>
> Can you explain how that could be used with STUN (and potentially with HTTP and SIP)?
Thank you for the extra context.  The way this authentication is done
looks like something that would benefit from a more robust KDF.

I hesitate to add this, but these authentication schemes are quite
distant from HTTP (and SIP) digest authentication.  While they are using
the same hash algorithm, how the inputs are processed are radically
different from what STUN(bis) defines.

But, my intent is not to boil this ocean. It's not clear to me this
would be a worthwhile improvement by itself, and there is already a
warning in the security considerations about the weaknesses of the
authentication schemes.

I'm willing to consider this point addressed.

>
>>
>> * The description for 17.5.1. "MD5" lists the key size as 20 bytes, but the
>> hash length of MD5 is 16 bytes (128 bits).  I think this is merely a typo,
>> since the purpose appears to be for backwards compatibility with existing
>> systems.
>
> Fixed.
>
>>
>> * Both 17.5.1.1. "MD5" Section 9.2.2. "HMAC Key" (long-term credential)
>> and Section appear to define the same functional algorithm, but with subtle
>> syntax differences.  As far as I can tell, they are actually the same
>> algorithm; would it not be acceptable to have Section 9.2.2 point to
>> Section 17.5.1.1 for the algorithm description?
>>
>>
>
> This is going into the IANA registry so I left things there.  I fixed the discrepancy with section 9.2.2.
>
> I also fixed the definition of the key for SHA-256, which must use OpaqueString for the realm.
>

Thanks very much.


- m&m

Matthew A. Miller


--IgZ0PUS4ADpgTmao4uYVHnqneekamYIlG--

--ZH0RjWPipU5xcHAywaciiFNIpF79zZNQ2--
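
Added example, not part of the thread above and not code from draft-ietf-tram-stunbis: it derives the STUN long-term credential key with the MD5 and SHA-256 password algorithms discussed in the review, shows the resulting key and HMAC sizes, and puts an HKDF-SHA-256 derivation (the function the reviewer named) beside them. The sample credentials, the placeholder message bytes and the mapping of password, realm and username onto HKDF inputs are assumptions made for illustration; inputs are ASCII, so the OpaqueString preparation step is skipped.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the draft or from any capture.
SAMPLE_USER = "alice"
SAMPLE_REALM = "example.org"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_MESSAGE = b"constructed bytes standing in for a STUN message"


def long_term_key(username, realm, password, algorithm="SHA-256"):
    """Long-term credential key: H(username ":" realm ":" password).

    Assumption: all inputs are ASCII, so the string preparation that the
    specification applies to realm and password is omitted here.
    """
    material = f"{username}:{realm}:{password}".encode("utf-8")
    if algorithm == "MD5":
        return hashlib.md5(material).digest()      # 16-byte key
    if algorithm == "SHA-256":
        return hashlib.sha256(material).digest()   # 32-byte key
    raise ValueError(f"unsupported password algorithm: {algorithm}")


def message_integrity(key, message, digest="sha1"):
    """HMAC over the message bytes, keyed with the long-term key.

    HMAC-SHA1 yields 20 bytes and HMAC-SHA256 yields 32 bytes, whatever
    the length of the key that was fed in.
    """
    return hmac.new(key, message, digest).digest()


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA-256")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hypothetical_hkdf_key(username, realm, password):
    """Hypothetical mapping (not defined by the draft): password as input
    keying material, realm as salt, username as context info.

    HKDF separates keys by context; it adds no work factor, so guessing a
    weak password still costs only a few hash calls per candidate.
    """
    return hkdf_sha256(password.encode("utf-8"),
                       realm.encode("utf-8"),
                       username.encode("utf-8"))


def summarize():
    """Return the byte lengths a reader can compare with the thread."""
    md5_key = long_term_key(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD, "MD5")
    sha_key = long_term_key(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD)
    return {
        "md5_key": len(md5_key),
        "sha256_key": len(sha_key),
        "hmac_sha1_tag": len(message_integrity(md5_key, SAMPLE_MESSAGE)),
        "hmac_sha256_tag": len(message_integrity(sha_key, SAMPLE_MESSAGE,
                                                 "sha256")),
        "hkdf_key": len(hypothetical_hkdf_key(SAMPLE_USER, SAMPLE_REALM,
                                              SAMPLE_PASSWORD)),
    }


if __name__ == "__main__":
    for name, size in summarize().items():
        print(f"{name}: {size} bytes")
```
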


From nobody Fri Mar 16 04:59:12 2018
Return-Path: <stefan@aaa-sec.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E10D012D881; Fri, 16 Mar 2018 04:59:10 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stefan Santesson <stefan@aaa-sec.com>
To: <secdir@ietf.org>
Cc: tls@ietf.org, ietf@ietf.org, draft-ietf-tls-iana-registry-updates.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.75.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152120155086.14540.4609302302838728763@ietfa.amsl.com>
Date: Fri, 16 Mar 2018 04:59:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/400pQwuBREY3otv6sW7OBJdFWPE>
Subject: [secdir] Secdir last call review of draft-ietf-tls-iana-registry-updates-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 11:59:11 -0000

Reviewer: Stefan Santesson
Review result: Ready

The document handles IANA registration of identifiers.
Aspects and properties identified by these identifiers are relevant for
security, but for the most part that is outside the scope of this document that
deals only with registration.

The provided security considerations section seems relevant and sufficient.


From nobody Sat Mar 17 07:52:13 2018
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0D4A127867; Sat, 17 Mar 2018 07:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDI9WiFSOmlK; Sat, 17 Mar 2018 07:52:03 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B7ED1242EA; Sat, 17 Mar 2018 07:52:03 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2HEpsQg009557; Sat, 17 Mar 2018 10:51:54 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w2HEpsQg009557
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1521298314; bh=co1ucm33+goGKKUgoK85dR5LuUojUPUgW0wyE5etGZQ=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=PMAlZpo6YSg+cpNGgj5nCFcPqMGF48YFoRgfTBWJlB767/R0nUrTCTx0vxWqnCwU7 er/STfFesphKHqsUdfCBz4ouQnUeIAodui6fpMu3Cfo6JGtqGHo8/1ULDUbFNgqVRH NRUOKRU4XoE8lb2kN1ych6GLn+UdlWM8TNJqeGZg=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2HEpmZW042297; Sat, 17 Mar 2018 10:51:48 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0361.001; Sat, 17 Mar 2018 10:51:48 -0400
From: Roman Danyliw <rdd@cert.org>
To: Donald Eastlake <d3e3e3@gmail.com>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>, "Zhangmingui (Martin)" <zhangmingui@huawei.com>
Thread-Topic: Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
Thread-Index: AdOyXwuroB0yJVJhRMeJvvm4FEzIkQDCKukgABWI5oABmDrDAAB33c1g
Date: Sat, 17 Mar 2018 14:51:46 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0137F799F4@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon> <359EC4B99E040048A7131E0F4E113AFC0137F70C6B@marathon> <4552F0907735844E9204A62BBDD325E7AAFE7004@NKGEML515-MBX.china.huawei.com> <CAF4+nEGJByC=+A29y6s6FSn9h9=wZsPiGDJ3+pkpo5C+x_2phQ@mail.gmail.com>
In-Reply-To: <CAF4+nEGJByC=+A29y6s6FSn9h9=wZsPiGDJ3+pkpo5C+x_2phQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/q4m0qOXADjzorfXhhWUZyb7LyE4>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Mar 2018 14:52:06 -0000
From nobody Sun Mar 18 06:21:38 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D9C12D574 for <secdir@ietfa.amsl.com>; Sun, 18 Mar 2018 06:21:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ohJHzxQdJ_rR for <secdir@ietfa.amsl.com>; Sun, 18 Mar 2018 06:21:37 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53032129515 for <secdir@ietf.org>; Sun, 18 Mar 2018 06:21:35 -0700 (PDT)
X-AuditID: 1209190e-82fff70000004dd1-38-5aae67deee46
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 81.50.19921.ED76EAA5; Sun, 18 Mar 2018 09:21:34 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w2IDLXMO005867 for <secdir@ietf.org>; Sun, 18 Mar 2018 09:21:33 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2IDLUvl013212 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <secdir@ietf.org>; Sun, 18 Mar 2018 09:21:32 -0400
Date: Sun, 18 Mar 2018 08:21:30 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: secdir@ietf.org
Message-ID: <20180318132129.GA55745@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UW4Tiphz4cFXs8Vy-c_d79pjosA>
Subject: [secdir] Secdir lunch in London
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 13:21:38 -0000

Hi folks,

We've booked "Meeting Rooms 1-4" (tower wing, 3rd floor) for the
secdir lunch on Tuesday.  I think there are a few places nearby (and
even one in the hotel?) to grab take-out.

-Ben


From nobody Sun Mar 18 07:57:38 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB4BC126CC7; Sun, 18 Mar 2018 07:57:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RyF8z1-4KnzS; Sun, 18 Mar 2018 07:57:28 -0700 (PDT)
Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com [216.82.243.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A4B3126E01; Sun, 18 Mar 2018 07:57:27 -0700 (PDT)
Received: from [216.82.242.46] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-11.bemta-8.messagelabs.com id 11/0B-09478-65E7EAA5; Sun, 18 Mar 2018 14:57:26 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-9.tower-96.messagelabs.com!1521385044!100173914!1
X-Originating-IP: [216.32.180.17]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 21829 invoked from network); 18 Mar 2018 14:57:25 -0000
Received: from mail-sn1nam02lp0017.outbound.protection.outlook.com (HELO NAM02-SN1-obe.outbound.protection.outlook.com) (216.32.180.17) by server-9.tower-96.messagelabs.com with AES256-GCM-SHA384 encrypted SMTP; 18 Mar 2018 14:57:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=kDx8REyhpJesdRHJkPWJD/wCh6oTZasgFDi1uj8YRBg=; b=kOvi9xhw14HE25Mhwr9UMO0JHMsM1DPRLv3+g1JQPyFWt13IuClkMQazzlnxwySlyl5UklkMLtRfdMXvb8MywR0aBb22FgQZQ6xebzEyEXvgqPEVIKaxjhKs8PfJZ4oxJ2hjGKRxOu0+rHCiMLKVpNT9bVl5QMgS7LXt/hIlu5M=
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1614.namprd14.prod.outlook.com (10.171.146.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.588.14; Sun, 18 Mar 2018 14:57:22 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::7929:3f48:4a4f:1e32]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::7929:3f48:4a4f:1e32%18]) with mapi id 15.20.0588.016; Sun, 18 Mar 2018 14:57:13 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
Thread-Index: AQHTtxU/J7ta80iTZE2K9MRt2rqgUKPWIP3Q
Date: Sun, 18 Mar 2018 14:57:13 +0000
Message-ID: <MWHPR14MB13760F56E019CC950C815F4E83D50@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
In-Reply-To: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [31.133.135.16]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: cca9dfe1-eaff-441b-78cf-08d58ce088a5
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(49563074)(7193020); SRVR:MWHPR14MB1614; 
x-ms-traffictypediagnostic: MWHPR14MB1614:
x-microsoft-antispam-prvs: <MWHPR14MB16146CB89F6C8BB3FCCB5F7283D50@MWHPR14MB1614.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(211171220733660); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231221)(944501300)(52105095)(10201501046)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(20161123558120)(6072148)(201708071742011); SRVR:MWHPR14MB1614; BCL:0; PCL:0; RULEID:; SRVR:MWHPR14MB1614; 
x-forefront-prvs: 06157D541C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(39850400004)(396003)(376002)(39380400002)(13464003)(189003)(199004)(97736004)(33656002)(561944003)(4326008)(2950100002)(3846002)(66066001)(81156014)(229853002)(39060400002)(8936002)(81166006)(6116002)(106356001)(55016002)(6436002)(25786009)(8676002)(105586002)(2900100001)(5250100002)(2501003)(53936002)(102836004)(74316002)(305945005)(7736002)(5660300001)(76176011)(54906003)(110136005)(26005)(186003)(99936001)(6506007)(53546011)(99286004)(68736007)(14454004)(3280700002)(478600001)(3660700001)(86362001)(6246003)(59450400001)(966005)(2906002)(316002)(7696005)(6306002)(9686003); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR14MB1614; H:MWHPR14MB1376.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_039C_01D3BEC9.63910A30"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cca9dfe1-eaff-441b-78cf-08d58ce088a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2018 14:57:13.4026 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1614
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/jO4Y4pVVPRH8JqWAJAgSnwYwwOI>
Subject: Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 14:57:31 -0000

------=_NextPart_000_039C_01D3BEC9.63910A30
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

So, the CABF discussion was similar, but different (I am a master of the
obvious).  I'll summarize a bit for those who weren't there, since that's
most of the people reading this.

This proposal is about Alice providing more information to Bob about
problems she is experiencing sending secure messages to Bob.

The CABF discussion was about how Phillip retrieves information from and
provides feedback to Charlie, where Charlie is a trust provider for Alice
and Bob, and Phillip is some random guy on the internet, whose name has been
chosen at random.  This may or may not be related to actual errors
encountered, it was more of a problem reporting address discovery mechanism
(at least, that's what motivated the discussion, and it diverged from
there).

It probably is worth thinking about these problems more in general and
trying to group them into use cases.  CAA iodef is another example, and
closer to the CABF case, since Alice/Bob (whoever is the server, or both for
mutual auth) is indicating she/he wants information about failures from
Charlie.

But yeah, the bigger discussion should not block attempts to solve specific
instances of the problem.  There are lots of them.  There are probably other
similar issues in other protocols that I'm less familiar with.

-Tim

> -----Original Message-----
> From: Uta [mailto:uta-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
> Sent: Thursday, March 8, 2018 7:39 PM
> To: secdir@ietf.org
> Cc: uta@ietf.org; draft-ietf-uta-smtp-tlsrpt.all@ietf.org; ietf@ietf.org
> Subject: [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
> 
> Reviewer: Phillip Hallam-Baker
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> General comments:
> 
> Five minutes after I received the review request, a very similar proposal was
> made in CABForum for reporting PKIX cert issues.
> 
> The Security Considerations section proposes use of DNSSEC, what happens if
> that is misconfigured? Well it should be reported.
> 
> The logic of this proposal is that something like it become a standard
> deliverable for a certain class of service specification. I don't think we should
> delay this and meta-think it. But we should anticipate it being joined by others
> like it sharing syntax, DDoS mitigation, etc.
> 
> Specific issues
> 
> The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
> considerations. It is a code point being defined in a protocol that is outside the
> scope of UTA and therefore MUST have an IANA assignment and is a DNS code
> point which is shared space and therefore MUST have an assignment.
> 
> If no IANA registry exists, one should be created.
> 
> In general, the approach should be consistent with the following:
> 
> [RFC6763] S. Cheshire and M. Krochmal "DNS-Based Service Discovery" RFC
> 6763 DOI 10.17487/RFC6763 February 2013
> 
> It might well be appropriate to create a separate IANA prefix registry 'report'.
> That is probably easier since this prefix does not fit well with the existing ones.
> 
> _smtp-tlsrpt._report
> 
> 
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta

------=_NextPart_000_039C_01D3BEC9.63910A30
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
------=_NextPart_000_039C_01D3BEC9.63910A30--


From nobody Mon Mar 19 17:06:54 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF8E312D864 for <secdir@ietfa.amsl.com>; Mon, 19 Mar 2018 17:06:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.23
X-Spam-Level: 
X-Spam-Status: No, score=-4.23 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KG6vA_h-OzaV for <secdir@ietfa.amsl.com>; Mon, 19 Mar 2018 17:06:51 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BC6B126BF6 for <secdir@ietf.org>; Mon, 19 Mar 2018 17:06:51 -0700 (PDT)
X-AuditID: 1209190d-62fff700000045c1-24-5ab0509943fb
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 07.09.17857.99050BA5; Mon, 19 Mar 2018 20:06:50 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w2K06klr030354 for <secdir@ietf.org>; Mon, 19 Mar 2018 20:06:47 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2K06hKx006150 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <secdir@ietf.org>; Mon, 19 Mar 2018 20:06:45 -0400
Date: Mon, 19 Mar 2018 19:06:43 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: secdir@ietf.org
Message-ID: <20180320000643.GY55745@kduck.kaduk.org>
References: <20180315015333.GK55987@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180315015333.GK55987@kduck.kaduk.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/mKv_tYIiHFSnUsH83lHX8BKkjQs>
Subject: Re: [secdir] Anyone available to help NETCONF with crypto design?
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 00:06:53 -0000

We still don't have anyone for this -- netconf is Tuesday Afternoon I.

Feel free to reach out to us if you're on the fence and want to talk
about it.

-Ben

On Wed, Mar 14, 2018 at 08:53:33PM -0500, Benjamin Kaduk wrote:
> Hi all,
> 
> The NETCONF agenda for London includes a hefty list of
> security-related topics:
> 
> > >>       Proposal for Refactoring the Keystore Model
> > >>       https://tools.ietf.org/html/draft-ietf-netconf-keystore-04
> > >>       https://tools.ietf.org/html/draft-kwatsen-netconf-crypto-types-00
> > >>       https://tools.ietf.org/html/draft-kwatsen-netconf-trust-anchors-00
> 
> It would be great to have some security knowledge in the room, but
> the ADs have scheduling conflicts with IASA2.0 and TEEP.  Is anyone
> available to attend the netconf session and provide some expert
> advice in these regards?
> 
> Thanks,
> 
> Ben
> 
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview


From nobody Tue Mar 20 03:41:17 2018
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EDE35126C19; Mon, 19 Mar 2018 23:19:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1521526778; bh=1HL8cSvJVlNIJHnIAFFGonmHMn4nQ7xn5rqCz3EbMs0=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=W/istq1/TGopIRBki0ubhOHegXlLlTJ4VV0fToEv4kHkI03l4tgXASlRuwsJ88OE3 FadRWa2JSqXRHTHmaO6+mm7ygBZakJxlKLlNOGY0GVjqNCI3fmrN4roxCPaxhvcd2e PRunpPo8rCWR4jbYD2MavsGmxKhBLRq6pOod6RXY=
X-Mailbox-Line: From new-work-bounces@ietf.org  Mon Mar 19 23:19:37 2018
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 836F0120724; Mon, 19 Mar 2018 23:19:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1521526777; bh=1HL8cSvJVlNIJHnIAFFGonmHMn4nQ7xn5rqCz3EbMs0=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=MUoXZVjhdmMYHm590ErCDunUN9JGEp3ky/19D1M751zeWqYLuh6nHIAnYzYlFvKYH /1Qdr2MeVKf3V/KmWfbwJUOV2I4rYqvBOdMnYlPnrBNQ4HQ9LnyiPtVoZJbOi71deF HsZqv58DtKlio4x64GkAYrpYdlcUKAtK8p6+rh2s=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2254120725 for <new-work@ietfa.amsl.com>; Mon, 19 Mar 2018 23:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADiwLUOK4eq2 for <new-work@ietfa.amsl.com>; Mon, 19 Mar 2018 23:19:33 -0700 (PDT)
Received: from raoul.w3.org (raoul.w3.org [128.30.52.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AF0F120454 for <new-work@ietf.org>; Mon, 19 Mar 2018 23:19:33 -0700 (PDT)
Received: from [123.165.92.139] (helo=[192.168.1.3]) by raoul.w3.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from <xueyuan@w3.org>) id 1eyAcJ-000AsG-9E for new-work@ietf.org; Tue, 20 Mar 2018 06:19:27 +0000
To: new-work@ietf.org
From: Xueyuan <xueyuan@w3.org>
Message-ID: <11081efd-841a-0561-b03c-916bd349d06c@w3.org>
Date: Tue, 20 Mar 2018 14:19:23 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/vCpbgEEp9t44qP01vMKkgfuDlEE>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/h06ErY0H-hnUuwMArZ4t9O4iw6s>
X-Mailman-Approved-At: Tue, 20 Mar 2018 03:41:16 -0700
Subject: [secdir] [new-work] Proposed W3C Charter: Automotive Working Group (until 2018-04-19)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 06:19:39 -0000


From nobody Tue Mar 20 06:26:07 2018
Return-Path: <rdd@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9E7D1270AE for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 06:26:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UwnjSYXLVUgz for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 06:26:03 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 150D6126DED for <secdir@ietf.org>; Tue, 20 Mar 2018 06:26:02 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2KDQ1jt005815 for <secdir@ietf.org>; Tue, 20 Mar 2018 09:26:01 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w2KDQ1jt005815
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1521552361; bh=ny2pDvUrsG1QVIGOjcpbpY6wAnEZpqpzEUCcyH6eGF8=; h=From:To:Subject:Date:From; b=ZYw6t4U0gN/u7OPTULp2RHG5pTW+wNc+UeeIE1UH2/WcQoguQLC1S/MEMUk4gQJnU w4stuE7fpnsI1YeVLvfA4WF981TmkTxMnsinDK+Sh/br7yQlNwdLzi+MNSopfCgIDY yssWaH0aeWUq2ZEu+QIYGElyUw0e7v5qBZKilk2U=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2KDQ1ls016358 for <secdir@ietf.org>; Tue, 20 Mar 2018 09:26:01 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0361.001; Tue, 20 Mar 2018 09:26:00 -0400
From: Roman Danyliw <rdd@cert.org>
To: "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: US-CERT TA 18-074A: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
Thread-Index: AdPATpLmyoEWNb0gTzqF0f51O4Iyjg==
Date: Tue, 20 Mar 2018 13:26:00 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0137F7C302@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ULOZG8JVj8ATFSTiuyP3_s61mgI>
Subject: [secdir] US-CERT TA 18-074A: Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 13:26:05 -0000

Good afternoon!

Per our discussion about the motivation for network visibility in an IoT/ICS
use case at today's meeting:

Russian Government Cyber Activity Targeting Energy and Other Critical
Infrastructure Sectors
https://www.us-cert.gov/ncas/alerts/TA18-074A

Regards,
Roman


From nobody Tue Mar 20 08:53:08 2018
Return-Path: <miika.komu@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED535126CC7 for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 08:53:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.321
X-Spam-Level: 
X-Spam-Status: No, score=-4.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6IqCqF2RUtL for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 08:53:00 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CD6812708C for <secdir@ietf.org>; Tue, 20 Mar 2018 08:52:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1521561174; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=mRPh7GilJzz6POAuhAOWvmSg0tes8B2jhccnK56l+WA=; b=gthuum4mNaJeez0kvUUr5nmC9i5KtHg5PXjvMpH40ZLG7skvcLsqbko/IpJR7ZgW MgoFsnlO5hI7a86ONAACjce2zHUgzEXOi5mTiKvZZHzZi64hSd/4Y8KuSLM8N+Ax LQkSWphB1rA68Jp6SZAEwZTvv3Au8q5I6vRdlnDfyyg=;
X-AuditID: c1b4fb2d-87c029c000005540-ad-5ab12e5631c9
Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.183.51]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id CA.A2.21824.65E21BA5; Tue, 20 Mar 2018 16:52:54 +0100 (CET)
Received: from [100.94.3.116] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.53) with Microsoft SMTP Server id 14.3.382.0; Tue, 20 Mar 2018 16:52:53 +0100
To: Carl Wallace <carl@redhoundsoftware.com>
References: <7B6AC48B-42BC-4821-AD79-DF25C584BE73@ericsson.com>
CC: <draft-ietf-hip-native-nat-traversal.all@ietf.org>, <secdir@ietf.org>, The IESG <iesg@ietf.org>
From: Miika Komu <miika.komu@ericsson.com>
Organization: Ericsson AB
Message-ID: <b419526d-4baf-dc8d-4b56-d9da4e80915c@ericsson.com>
Date: Tue, 20 Mar 2018 17:52:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <7B6AC48B-42BC-4821-AD79-DF25C584BE73@ericsson.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TMmCkzEIFcZVLmmBrdLL3IDddxE>
Subject: Re: [secdir] Fwd: secdir review of draft-ietf-hip-native-nat-traversal
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 15:53:02 -0000

Hi Carl,

(apologies for the delay in the response)

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This document specifies a new Network Address Translator (NAT) traversal
> mode for the Host Identity Protocol (HIP). While I am not a HIP guy, it
> seems ready for publication. It's well-written and the security
> considerations section is thorough.

thanks!

> The only bit that raised a question
> was in section 4, which states "it should be noted that HIP version 2
> [RFC7401<https://tools.ietf.org/html/rfc7401>] instead of HIPv1 is
> expected to be used with this NAT traversal mode". Earlier in the
> document, it states the draft is based on HIPv2. Are there any
> considerations worth noting in the cases where HIPv1 is used or should
> section 4 be revised to require v2?

there's nothing HIPv1/v2 specific in the draft really. It's more about
that the HIPv1 is obsoleted by HIPv2 RFC. Nevertheless, I can encourage
to stick to the latest specification by changing the text a bit:

Original: Also, it should be noted that HIP version 2 [RFC7401] instead
of HIPv1 is expected to be used with this NAT traversal mode.

New: Also, it should be noted that HIP version 2 [RFC7401] MUST be used
instead of HIPv1 with this NAT traversal mode.

Does this address your concern?


From nobody Tue Mar 20 10:19:03 2018
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F24512D956 for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 10:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IR_vQJUdeK3T for <secdir@ietfa.amsl.com>; Tue, 20 Mar 2018 10:18:54 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9054A1242EA for <secdir@ietf.org>; Tue, 20 Mar 2018 10:18:54 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id d13-v6so3441145itf.0 for <secdir@ietf.org>; Tue, 20 Mar 2018 10:18:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to; bh=s+tTVG5wPAmTQe2Tpz/RcG4eGbWFKQ5ZhAK/OX2+GSU=; b=IWfKXnjTGu5JQx3BcWZf0rpd+iC39jWTbT24IyvIT+LeaAe4ojQ5Kqt4EBWYk+aDHN 9BX9/in4r4odOs/lrV3bnp1li0eJH+lGeRvfrCHek8VSxK5TRoBC8Cha75Qr0vxB++aN 8Zcfp2OSo4PJxJrzQFtzrie/JxS83YXui3FWBy3ZF6/UqJ+s6FSmS/iUdw7NqHUYoCSs 7HFQgF6lnfRTVTXxn+PYIaQwerQlTlyK4zhQIaWrUY02PzoTrdfoeCBfjhu2TVM1NU9C dlA8J78SCwfXcsr1sBFJA54efit19mYJNtLywNPVMHl7jfzzg090c9VM6vV0eUmGQog4 Z9OA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=s+tTVG5wPAmTQe2Tpz/RcG4eGbWFKQ5ZhAK/OX2+GSU=; b=ShgmancyJ6OAGlDPPv/veOixTRifZIR/zyoAUvahJM/d8q0yv87l3oleh9XboaAs1Z n8HLcXeKcLHZ3C79oyafDGroticxUy7WBvE7T9DbTp8P0m6ngJVKkiqoAmHfZSjgNjWE m5/aMt6bfJ9ODBe4oNMoSQ5R65V9Z1iB/aLAuYpPHo+aC+RdH+FNZy4A8QD+DeVyHBKl wKJ8CFL2b8/pDL/NDuJx4g3+RTiOBnovrNETUD/0k5TYrI9QbbM8rl2LaxMPlPsyXtyc bHxVShEelZnQTtmQGR1XIooAfkB3zU7GOBQRTSGHhT9bxj6L51uhYx4tdJ8YhImUXk/6 n28w==
X-Gm-Message-State: AElRT7Hl9fH8GjWVSP7n/tq1hcWQ8c/1pei9DCVUsDK62lX9llRcamNR Mrhqn1ZbZ5Ii2upyOdQi+njKEk84xBYMaL54wi7YIw==
X-Google-Smtp-Source: AG47ELt9RYDsayF3GquToG+OYluTEekUu6XCZ2/C39kCf4LDDDF19ej/lTs9W35vmHImVNxnyiNOFsKxG8zDWnpW/xs=
X-Received: by 2002:a24:5d85:: with SMTP id w127-v6mr528920ita.66.1521566333819;  Tue, 20 Mar 2018 10:18:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.192.156.137 with HTTP; Tue, 20 Mar 2018 10:18:13 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 20 Mar 2018 13:18:13 -0400
Message-ID: <CAHbuEH4ybNZ361Szq3ZJdtjkTX0mA0VGx_0_3VcWb50e3TLR2g@mail.gmail.com>
To: IETF SecDir <secdir@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Qt6xkKsiW5mFZbX-iFVfZiQkXSE>
Subject: [secdir] US CERT Report
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 17:18:58 -0000

Hi,

If anyone is interested in the US CERT report I mentioned, here it is
and I'm most concerned about how to detect the lateral movement as I
think that may be the hardest without monitoring.  I still haven't had
time to dig far into it, but this may help with the additional
information on use cases discussed as well.

https://www.us-cert.gov/ncas/alerts/TA18-074A

Ideas and brainstorming would be helpful IMO.

Thanks.

-- 

Best regards,
Kathleen


From nobody Thu Mar 22 04:53:53 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CA49D12420B for <secdir@ietf.org>; Thu, 22 Mar 2018 04:53:47 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.76.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <152171962767.5676.12058054175723544485.idtracker@ietfa.amsl.com>
Date: Thu, 22 Mar 2018 04:53:47 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yosMPesJcAmaqYtRR3yEI2tVSwA>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 11:53:48 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2018-04-05

Reviewer               LC end     Draft
Shaun Cooley           2018-03-06 draft-ietf-trill-over-ip-16
Donald Eastlake        2018-03-28 draft-ietf-teas-scheduled-resources-06
Daniel Gillmor         2018-03-19 draft-gutmann-scep-10
Daniel Gillmor         2018-03-26 draft-ietf-l2sm-l2vpn-service-model-08
Ben Laurie             2018-03-26 draft-ietf-6tisch-6top-protocol-10
Chris Lonvick         R2018-03-06 draft-ietf-6lo-rfc6775-update-16

For telechat 2018-04-19

Reviewer               LC end     Draft
Daniel Franke          2018-03-30 draft-ietf-mmusic-rid-14
Steve Hanna            2018-03-30 draft-ietf-core-senml-13
Christian Huitema      None       draft-ietf-stir-rph-03
Klaas Wierenga         2018-02-23 draft-ietf-nfsv4-layout-types-10

For telechat 2018-05-10

Reviewer               LC end     Draft
John Bradley           2018-04-18 draft-ietf-acme-acme-10
Tobias Gondrom         2018-03-12 draft-ietf-tokbind-https-12
Paul Hoffman           None       draft-ietf-uta-mta-sts-14
Russ Housley           None       draft-ietf-secevent-token-07
Leif Johansson        R2018-02-26 draft-ietf-homenet-babel-profile-06

For telechat 2018-05-24

Reviewer               LC end     Draft
Tina Tsou              2018-02-26 draft-ietf-softwire-dslite-yang-15

Last calls:

Reviewer               LC end     Draft
Charlie Kaufman        2018-04-04 draft-ietf-dprive-padding-policy-04
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-12
Taylor Yu              2018-03-16 draft-housley-suite-b-to-historic-04

Early review requests:

Reviewer               Due        Draft
Daniel Franke          2018-01-31 draft-ietf-intarea-provisioning-domains-00
Ólafur Guðmundsson     2018-01-09 draft-ietf-opsawg-nat-yang-09
Dan Harkins            2018-05-31 draft-ietf-dtn-bpsec-06
Stephen Kent           2018-04-15 draft-ietf-tokbind-tls13-00

Next in the reviewer rotation:

  Scott Kelly
  Tero Kivinen
  Watson Ladd
  Ben Laurie
  Barry Leiba
  Chris Lonvick
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov


From nobody Thu Mar 22 08:06:59 2018
Return-Path: <stkent@verizon.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 401DC12D890 for <secdir@ietfa.amsl.com>; Thu, 22 Mar 2018 08:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3QaySXSwbnH for <secdir@ietfa.amsl.com>; Thu, 22 Mar 2018 08:06:56 -0700 (PDT)
Received: from omr-m001e.mx.aol.com (omr-m001e.mx.aol.com [204.29.186.1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 055D81271FD for <secdir@ietf.org>; Thu, 22 Mar 2018 08:06:56 -0700 (PDT)
Received: from mtaout-maa01.mx.aol.com (mtaout-maa01.mx.aol.com [172.26.222.141]) by omr-m001e.mx.aol.com (Outbound Mail Relay) with ESMTP id 9FCA338000B9; Thu, 22 Mar 2018 11:00:56 -0400 (EDT)
Received: from iMac-Study.fios-router.home (0x694d61632d53747564792e66696f732d726f757465722e686f6d65 [108.49.30.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mtaout-maa01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 21D1A38000086; Thu, 22 Mar 2018 11:00:56 -0400 (EDT)
To: secdir@ietf.org, nharper@google.com, leifj@sunet.se, uta@ietf.org, unbearable@ietf.org, Eric Rescorla <ekr@rtfm.com>
From: Stephen Kent <stkent@verizon.net>
Message-ID: <7e489950-5f18-9ea8-5c49-d8e175a5606f@verizon.net>
Date: Thu, 22 Mar 2018 11:00:55 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------68289448CC69AA43AF0D7243"
Content-Language: en-US
x-aol-global-disposition: G
x-aol-sid: 3039ac1ade8d5ab3c5283f81
X-AOL-IP: 108.49.30.217
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_YwPLy0xFLFFroPKoOCnTAKttHE>
Subject: [secdir] SECDIR early review of draft-ietf-tokbind-tls13-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 15:06:57 -0000

This is a multi-part message in MIME format.
--------------68289448CC69AA43AF0D7243
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

SECDIR *early* review of draft-ietf-tokbind-tls13-00

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG. These comments were written with the intent of improving security
requirements and considerations in IETF drafts. Comments not addressed in
last call may be included in AD reviews during the IESG review. Document
editors and WG chairs should treat these comments just like any other 
last call comments.

This (very brief) document defines how to negotiate Token Binding for 
TLS v1.3. Existing IETF documents (IDs) define this protocol and how to 
negotiate it capability only for earlier versions of TLS.

The first question that comes to mind is why there is a need for a new 
ID, instead of adding text to draft-ietf-tokbind-negotiation-10. I 
realize that draft-ietf-tokbind-negotiation-10 is in last call, but the 
text here is so small that it seems overkill to create a separate RFC. 
I’m guessing that the argument is that this document references TLS 1.3, 
which is not yet an RFC, and thus the author is trying to avoid creating 
a down reference problem with draft-ietf-tokbind-negotiation-10. Right?

Section 2 notes that the format of the extension is the same as defined 
in draft-ietf-tokbind-negotiation-10, so nothing new there. The section 
cites two differences from the behavior in 
draft-ietf-tokbind-negotiation-10, which are described in just two 
sentences. Section 3 adds one paragraph to deal with 0-RTT, a TLS 1.3 
feature not present in earlier versions. Section 4 is non-normative, but,
presumably useful. The security concerns are asserted to be the same as 
for draft-ietf-tokbind-negotiation-10, plus a sentence discussing why 
the 0-RTT exclusion avoids other potential security concerns.

So, if folks don’t want to delay publication of 
draft-ietf-tokbind-negotiation-10, I guess this is OK as a separate 
document, updating that RFC.


--------------68289448CC69AA43AF0D7243--


From nobody Thu Mar 22 08:17:25 2018
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E502C12D88D; Thu, 22 Mar 2018 08:17:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level: 
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcoWSFY0ubjq; Thu, 22 Mar 2018 08:17:19 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id BF96F126D05; Thu, 22 Mar 2018 08:17:19 -0700 (PDT)
Received: from [IPv6:2001:67c:370:1998:21d2:a616:ae1e:8775] (nat64-64.meeting.ietf.org [31.130.238.100])  by statler.isode.com (submission channel) via TCP with ESMTPSA  id <WrPI=gAynXJ7@statler.isode.com>; Thu, 22 Mar 2018 15:17:18 +0000
To: Phillip Hallam-Baker <hallam@gmail.com>, secdir@ietf.org
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
Cc: uta@ietf.org, draft-ietf-uta-smtp-tlsrpt.all@ietf.org, ietf@ietf.org
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <5AB3C901.5010009@isode.com>
Date: Thu, 22 Mar 2018 15:17:21 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
In-Reply-To: <152053794569.13938.10396254284390037265@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/yW-mJQW4XtBuie2hcb8ZQr-Rcng>
Subject: Re: [secdir] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 15:17:23 -0000

Hi Phillip,
To follow up on the IANA issue from your SecDir review:

On 08/03/2018 19:39, Phillip Hallam-Baker wrote:
>
> Specific issues
>
> The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
> considerations. It is a code point being defined in a protocol that is outside
> the scope of UTA and therefore MUST have an IANA assignment and is a DNS code
> point which is shared space and therefore MUST have an assignment.
>
> If no IANA registry exists, one should be created.

After looking at this in more detail, I think a new registration in the
registry being created by draft-ietf-dnsop-attrleaf is exactly what you
are asking for. I think registering _smtp-tlsrpt there should be
straightforward. However I don't think this document should be delayed
until after draft-ietf-dnsop-attrleaf is done. So if
draft-ietf-dnsop-attrleaf is taking time, the proposed registration can
be moved to draft-ietf-dnsop-attrleaf itself.

> In general, the approach should be consistent with the following:
>
> [RFC6763] S. Cheshire and M. Krochmal "DNS-Based Service Discovery" RFC 6763
> DOI 10.17487/RFC6763 February 2013
>
> It might well be appropriate to create a separate IANA prefix registry
> 'report'. That is probably easier since this prefix does not fit well with the
> existing ones.
>
> _smtp-tlsrpt._report

I think this is covered by draft-ietf-dnsop-attrleaf.

Best Regards,
Alexey


From nobody Thu Mar 22 09:09:38 2018
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1519D1200FC; Thu, 22 Mar 2018 09:09:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BC4NMa4R9jlR; Thu, 22 Mar 2018 09:09:28 -0700 (PDT)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAB901242F5; Thu, 22 Mar 2018 09:09:28 -0700 (PDT)
Received: by mail-oi0-x234.google.com with SMTP id 23-v6so7807289oir.11; Thu, 22 Mar 2018 09:09:28 -0700 (PDT)
X-Received: by 10.202.206.13 with SMTP id e13mr15280063oig.34.1521734967804; Thu, 22 Mar 2018 09:09:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:233c:0:0:0:0:0 with HTTP; Thu, 22 Mar 2018 09:09:27 -0700 (PDT)
In-Reply-To: <5AB3C901.5010009@isode.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com> <5AB3C901.5010009@isode.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Thu, 22 Mar 2018 16:09:27 +0000
Message-ID: <CAMm+LwjzaHRO8PDNwSUEEETcEZfNiKbTc4-jo91Rj03Cg2Qy4g@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: secdir@ietf.org, uta@ietf.org, draft-ietf-uta-smtp-tlsrpt.all@ietf.org,  IETF Discussion Mailing List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d225a32cb65056802882f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ccxA4IFwKJWAc4wnyI9HlR-NR0g>
Subject: Re: [secdir] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 16:09:31 -0000

--001a113d225a32cb65056802882f
Content-Type: text/plain; charset="UTF-8"

I concur, I had come to essentially the same conclusion after discussions
with IANA. The registry we were looking for was the one Dave had proposed
that has not yet been created.

I can sync with Dave.

It might well be that what we want is a sub registry of the form
_smtp._rpt. That way the reporting info for any protocol can be discovered
with no need to obtain a per service registration.

On Thu, Mar 22, 2018 at 3:17 PM, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi Phillip,
> To follow up on the IANA issue from your SecDir review:
>
> On 08/03/2018 19:39, Phillip Hallam-Baker wrote:
> >
> > Specific issues
> >
> > The DNS prefix _smtp-tlsrpt is defined. This is not mentioned in the IANA
> > considerations. It is a code point being defined in a protocol that is outside
> > the scope of UTA and therefore MUST have an IANA assignment and is a DNS code
> > point which is shared space and therefore MUST have an assignment.
> >
> > If no IANA registry exists, one should be created.
>
> After looking at this in more detail, I think a new registration in the
> registry being created by draft-ietf-dnsop-attrleaf is exactly what you
> are asking for. I think registering _smtp-tlsrpt there should be
> straightforward. However I don't think this document should be delayed
> until after draft-ietf-dnsop-attrleaf is done. So if
> draft-ietf-dnsop-attrleaf is taking time, the proposed registration can
> be moved to draft-ietf-dnsop-attrleaf itself.
>
> > In general, the approach should be consistent with the following:
> >
> > [RFC6763] S. Cheshire and M. Krochmal "DNS-Based Service Discovery" RFC 6763
> > DOI 10.17487/RFC6763 February 2013
> >
> > It might well be appropriate to create a separate IANA prefix registry
> > 'report'. That is probably easier since this prefix does not fit well with the
> > existing ones.
> >
> > _smtp-tlsrpt._report
>
> I think this is covered by draft-ietf-dnsop-attrleaf.
>
> Best Regards,
> Alexey
>
>


-- 
Website: http://hallambaker.com/

--001a113d225a32cb65056802882f--


From nobody Fri Mar 23 03:34:22 2018
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A76212D7F2; Fri, 23 Mar 2018 03:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.519
X-Spam-Level: 
X-Spam-Status: No, score=-14.519 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vymOmNMHuc4T; Fri, 23 Mar 2018 03:34:19 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF374126BF0; Fri, 23 Mar 2018 03:34:18 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AuAQAV17Ra/4QNJK1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYJJdGFwKAqDUod/jQ+BdIERjWiEYoIGCyWBVoMKAhqDTCE0GAE?= =?us-ascii?q?CAQEBAQEBAmsohSUBAQEDASMKUQcEAgEIEQQBASsCAgIwHQgCBAESCIQiXAgPq?= =?us-ascii?q?HGCIIhBghUFhS+CEYFUQIEMgwaDEwEBAgGBcoJqglQDlzsIAoVPiFaBN4NWhzK?= =?us-ascii?q?JEIY8AhETAYEkARw4gVJwFYJ9giEYjhZvAY4PK4EEgRYBAQ?=
X-IronPort-AV: E=Sophos; i="5.48,349,1517875200"; d="scan'208,217"; a="87737297"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2018 10:34:18 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id w2NAYIXk011845 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Mar 2018 10:34:18 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 23 Mar 2018 05:34:17 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Fri, 23 Mar 2018 05:34:17 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: David Mandelberg <david@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>,  "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6yw
Date: Fri, 23 Mar 2018 10:34:17 +0000
Message-ID: <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org>
In-Reply-To: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.5.233]
Content-Type: multipart/alternative; boundary="_000_e32e5f9bc00043e3a8b86205d434c35dXCHALN001ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-CkYrffzShdRdWABXBIqA9JFoas>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 10:34:21 -0000

--_000_e32e5f9bc00043e3a8b86205d434c35dXCHALN001ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_e32e5f9bc00043e3a8b86205d434c35dXCHALN001ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_e32e5f9bc00043e3a8b86205d434c35dXCHALN001ciscocom_--


From nobody Fri Mar 23 15:17:31 2018
Return-Path: <david+work@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4F612DDD0 for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 15:17:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wn0lLQEQRjnV for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 15:17:23 -0700 (PDT)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2529712DDD2 for <secdir@ietf.org>; Fri, 23 Mar 2018 15:17:22 -0700 (PDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=Le5+0XXi c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=v2DPQv5-lfwA:10 a=bmmO2AaSJ7QA:10 a=48vgC7mUAAAA:8 a=BTUBnpS-AAAA:8 a=t_vtnJgi4ZqP-9O_qOAA:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=pblkFgjdBCuYZ9-HdJ6i:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp01.rcn.cmh.synacor.com header.from=david+work@mandelberg.org; sender-id=neutral
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.mail=david+work@mandelberg.org; spf=neutral; sender-id=neutral
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received-SPF: neutral (smtp01.rcn.cmh.synacor.com: 209.6.43.168 is neither permitted nor denied by domain of mandelberg.org)
Received: from [209.6.43.168] ([209.6.43.168:42622] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david+work@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384)  id 1D/69-58381-CEC75BA5; Fri, 23 Mar 2018 18:17:16 -0400
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id DC2871C609C; Fri, 23 Mar 2018 18:17:15 -0400 (EDT)
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com>
From: David Mandelberg <david+work@mandelberg.org>
Organization: David Mandelberg, LLC
Message-ID: <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org>
Date: Fri, 23 Mar 2018 18:17:14 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/X2vvj8aruHoBf87Hzh_ktMYunCk>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 22:17:24 -0000

Hi,

How will the indication of persistence be used? I scanned the changes 
from -13 to -15, but I didn't notice any other text about the new flag.

On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
> David -
> 
> Apologies. It appears that I neglected to respond to this old review 
> comment.
> 
> This was not intentional. Authors actively discussed your comment 
> promptly and we did add text in V14 of the draft to address this point:
> 
> Please see: 
> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
> 
> /o  Indication whether the Adj-SID is persistent across control plane/
> 
> /      restarts.  Persistence is a key attribute in ensuring that an SR/
> 
> /      Policy does not temporarily result in misforwarding due to/
> 
> /      reassignment of an Adj-SID./
> 
> //
> 
> Please let us know if this adequately addresses your comment.
> 
> Again, apologies for the long delay.
> 
>     Les
> 
>  > -----Original Message-----
> 
>  > From: David Mandelberg <david@mandelberg.org>
> 
>  > Sent: Thursday, November 02, 2017 10:53 AM
> 
>  > To: iesg@ietf.org; secdir@ietf.org; draft-ietf-spring-segment-
> 
>  > routing.all@ietf.org
> 
>  > Subject: secdir review of draft-ietf-spring-segment-routing-13
> 
>  >
> 
>  > I have reviewed this document as part of the security directorate's 
> ongoing
> 
>  > effort to review all IETF documents being processed by the IESG.  These
> 
>  > comments were written primarily for the benefit of the security area 
> directors.
> 
>  > Document editors and WG chairs should treat these comments just like any
> 
>  > other last call comments.
> 
>  >
> 
>  > The summary of the review is Ready with nits.
> 
>  >
> 
>  > This document affects routing within a trusted domain, and the security
> 
>  > considerations section adequately talks about filtering at the border 
> of a trusted
> 
>  > domain.
> 
>  >
> 
>  > I do have one question about something I didn't see in the document, what
> 
>  > happens when SIDs change while packets are in transit? Here's a 
> hypothetical
> 
>  > situation that could be bad for security, but I'm not sure whether or 
> not it could
> 
>  > happen: 1. An internal node calculates an SR Policy and sends out a 
> packet that
> 
>  > will eventually egress towards a BGP peer. 2. Multiple links on the 
> BGP router go
> 
>  > down and then back up, but are allocated different PeerAdj SIDs than 
> they had
> 
>  > before. 3. The packet reaches the BGP router, but egresses to the 
> wrong BGP
> 
>  > peer because the original PeerAdj SID is now mapped to a different 
> PeerAdj
> 
>  > segment.
> 
>  >
> 
>  > --
> 
>  > Freelance cyber security consultant, software developer, and more
> 
>  > https://david.mandelberg.org/
> 


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Fri Mar 23 15:44:07 2018
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DBE512D94D; Fri, 23 Mar 2018 15:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x2M6jvMmKVUI; Fri, 23 Mar 2018 15:43:46 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D92512946D; Fri, 23 Mar 2018 15:43:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5498; q=dns/txt; s=iport; t=1521845026; x=1523054626; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=50zWlKjFyo2RCH4Z0AK547U3OSnp/ubadgi2vu0TwIc=; b=mPEY1L/zeewIugSTJP6x938amllj8sItLgBmznj56NslkT+TGB8oelBN AhR7c7VxRXsOxZisIFvLwXRZfF4jg+D6bbb3vAi9m3HoLX0jaWPWUKlsC Ep/Su+P2b/MKRAggcCKQlXHP11A/pUdJZUUTKo/YpyHPtY5OPioug1pez Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A5AQD2gbVa/4gNJK1dGQEBAQEBAQEBA?= =?us-ascii?q?QEBAQcBAQEBAYMSL2FwKAqDUod/jRCBdIERkk2CBgsjgViDCgIag1YhNBgBAgE?= =?us-ascii?q?BAQEBAQJrKIUlAQEBBCMRUQQCAQYCEQEDAQEBAgImAgICMBUCBggCBAESCIUGD?= =?us-ascii?q?41dmziCIIhBghUFgQiEJ4IRgVRAgQyDBoMTAQECAYFygmqCVAOXPAgChU+FMIM?= =?us-ascii?q?ngTgagz2HMokShjwCERMBgSQBHDiBUnAVgn2CIRiOFm+OFiuBBIEWAQE?=
X-IronPort-AV: E=Sophos;i="5.48,352,1517875200"; d="scan'208";a="88942448"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2018 22:43:45 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id w2NMhjGm024897 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Mar 2018 22:43:45 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 23 Mar 2018 17:43:45 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Fri, 23 Mar 2018 17:43:44 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6ywgAEZggD//7GikA==
Date: Fri, 23 Mar 2018 22:43:44 +0000
Message-ID: <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org>
In-Reply-To: <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.5.233]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zZqPhuF3rTZp8VSaSStv0lMJ6eI>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 22:43:59 -0000

From nobody Fri Mar 23 15:57:02 2018
Return-Path: <david+work@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AADC612E03F for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 15:56:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjxndizQgm_k for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 15:56:55 -0700 (PDT)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D76A312E03B for <secdir@ietf.org>; Fri, 23 Mar 2018 15:56:53 -0700 (PDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=Le5+0XXi c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=v2DPQv5-lfwA:10 a=bmmO2AaSJ7QA:10 a=BTUBnpS-AAAA:8 a=AUd_NHdVAAAA:8 a=48vgC7mUAAAA:8 a=cVtrvwxoAORve3k4lU8A:9 a=QEXdDO2ut3YA:10 a=pblkFgjdBCuYZ9-HdJ6i:22 a=w1C3t2QeGrPiZgrLijVG:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp01.rcn.cmh.synacor.com header.from=david+work@mandelberg.org; sender-id=neutral
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.mail=david+work@mandelberg.org; spf=neutral; sender-id=neutral
Authentication-Results: smtp01.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received-SPF: neutral (smtp01.rcn.cmh.synacor.com: 209.6.43.168 is neither permitted nor denied by domain of mandelberg.org)
Received: from [209.6.43.168] ([209.6.43.168:42632] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david+work@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384)  id D2/7B-58381-33685BA5; Fri, 23 Mar 2018 18:56:52 -0400
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 570E71C609C; Fri, 23 Mar 2018 18:56:51 -0400 (EDT)
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com>
From: David Mandelberg <david+work@mandelberg.org>
Organization: David Mandelberg, LLC
Message-ID: <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org>
Date: Fri, 23 Mar 2018 18:56:48 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HqyuohUZ8IUmIQWpbsnphWHk8M8>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 22:56:57 -0000

Thanks, I didn't know it was in the IGP specs. If the usage you describe 
would be clear to anybody using this, then I think you've fully 
addressed my original comment.

On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:
> David -
> 
> Thanx for the very prompt response.
> 
> If a controller (for example) is defining a SID stack for an SR Policy, it can choose to use an  Adj-SID which is advertised as Persistent and be confident that the SID will not be reused for some other purpose no matter what happens on the owning node.
> 
> BTW, the flag isn’t new - it has been part of the IGP specifications for quite a long while. It just wasn't mentioned in the SR Architecture in earlier versions.
> 
> HTH
> 
>       Les
> 
>> -----Original Message-----
>> From: David Mandelberg <david+work@mandelberg.org>
>> Sent: Friday, March 23, 2018 3:17 PM
>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>>
>> Hi,
>>
>> How will the indication of persistence be used? I scanned the changes from -13
>> to -15, but I didn't notice any other text about the new flag.
>>
>> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
>>> David -
>>>
>>> Apologies. It appears that I neglected to respond to this old review
>>> comment.
>>>
>>> This was not intentional. Authors actively discussed your comment
>>> promptly and we did add text in V14 of the draft to address this point:
>>>
>>> Please see:
>>> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
>>>
>>> /o  Indication whether the Adj-SID is persistent across control plane/
>>>
>>> /      restarts.  Persistence is a key attribute in ensuring that an
>>> SR/
>>>
>>> /      Policy does not temporarily result in misforwarding due to/
>>>
>>> /      reassignment of an Adj-SID./
>>>
>>> //
>>>
>>> Please let us know if this adequately addresses your comment.
>>>
>>> Again, apologies for the long delay.
>>>
>>>      Les
>>>
>>>   > -----Original Message-----
>>>
>>>   > From: David Mandelberg <david@mandelberg.org>
>>>
>>>   > Sent: Thursday, November 02, 2017 10:53 AM
>>>
>>>   > To: iesg@ietf.org; secdir@ietf.org; draft-ietf-spring-segment-
>>>
>>>   > routing.all@ietf.org
>>>
>>>   > Subject: secdir review of draft-ietf-spring-segment-routing-13
>>>
>>>   >
>>>
>>>   > I have reviewed this document as part of the security directorate's
>>> ongoing
>>>
>>>   > effort to review all IETF documents being processed by the IESG.
>>> These
>>>
>>>   > comments were written primarily for the benefit of the security
>>> area directors.
>>>
>>>   > Document editors and WG chairs should treat these comments just
>>> like any
>>>
>>>   > other last call comments.
>>>
>>>   >
>>>
>>>   > The summary of the review is Ready with nits.
>>>
>>>   >
>>>
>>>   > This document affects routing within a trusted domain, and the
>>> security
>>>
>>>   > considerations section adequately talks about filtering at the
>>> border of a trusted
>>>
>>>   > domain.
>>>
>>>   >
>>>
>>>   > I do have one question about something I didn't see in the
>>> document, what
>>>
>>>   > happens when SIDs change while packets are in transit? Here's a
>>> hypothetical
>>>
>>>   > situation that could be bad for security, but I'm not sure whether
>>> or not it could
>>>
>>>   > happen: 1. An internal node calculates an SR Policy and sends out a
>>> packet that
>>>
>>>   > will eventually egress towards a BGP peer. 2. Multiple links on the
>>> BGP router go
>>>
>>>   > down and then back up, but are allocated different PeerAdj SIDs
>>> than they had
>>>
>>>   > before. 3. The packet reaches the BGP router, but egresses to the
>>> wrong BGP
>>>
>>>   > peer because the original PeerAdj SID is now mapped to a different
>>> PeerAdj
>>>
>>>   > segment.
>>>
>>>   >
>>>
>>>   > --
>>>
>>>   > Freelance cyber security consultant, software developer, and more
>>>
>>>   > https://david.mandelberg.org/
>>>
>>
>>
>> --
>> Freelance cyber security consultant, software developer, and more
>> https://david.mandelberg.org/


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/
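
The exchange above, as an added example that is not part of the original messages or of the draft: a simplified Python model of the scenario from the review (links flap and Adj-SIDs are reallocated while a packet is in flight) and of a controller that only uses Adj-SIDs advertised as persistent. The class and function names, the label values and the lowest-free allocation rule are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdjSid:
    """One advertised Adj-SID (hypothetical record, not a wire format)."""
    sid: int
    neighbor: str
    persistent: bool


class EgressRouter:
    """Toy node that hands out Adj-SIDs from a local pool (assumed model)."""

    def __init__(self, first_label=24001):  # constructed label value
        self._first = first_label
        self._reserved = {}  # neighbor -> sid, kept across link flaps
        self._active = {}    # sid -> neighbor, the current forwarding state

    def _lowest_free(self):
        # A reserved SID is never free, even while its link is down.
        used = set(self._active) | set(self._reserved.values())
        sid = self._first
        while sid in used:
            sid += 1
        return sid

    def link_up(self, neighbor, persistent):
        if persistent:
            # Same neighbor always gets the same SID back.
            sid = self._reserved.get(neighbor)
            if sid is None:
                sid = self._lowest_free()
                self._reserved[neighbor] = sid
        else:
            # Dynamic SID: whatever is free now, so the binding can change.
            sid = self._lowest_free()
        self._active[sid] = neighbor
        return AdjSid(sid, neighbor, persistent)

    def link_down(self, neighbor):
        for sid, owner in list(self._active.items()):
            if owner == neighbor:
                del self._active[sid]

    def forward(self, sid):
        """Return the neighbor the packet egresses to, or None (drop)."""
        return self._active.get(sid)


def build_sid_stack(adverts, egress_neighbor, require_persistent):
    """Controller side: pick an Adj-SID towards egress_neighbor.

    With require_persistent=True, non-persistent Adj-SIDs are skipped and
    None is returned when no persistent one is advertised.
    """
    for adv in adverts:
        if adv.neighbor != egress_neighbor:
            continue
        if adv.persistent or not require_persistent:
            return [adv.sid]
    return None


def run_scenario(persistent):
    """Replay the three steps of the review's hypothetical situation."""
    router = EgressRouter()
    adverts = [
        router.link_up("peerA", persistent),
        router.link_up("peerB", persistent),
    ]
    # 1. The SR Policy is computed and a packet is sent towards peerA.
    stack = build_sid_stack(adverts, "peerA", require_persistent=persistent)
    # 2. Both links go down and come back up in the opposite order.
    router.link_down("peerA")
    router.link_down("peerB")
    router.link_up("peerB", persistent)
    router.link_up("peerA", persistent)
    # 3. The in-flight packet reaches the router with the old SID on top.
    return router.forward(stack[0])


if __name__ == "__main__":
    print("dynamic Adj-SIDs   ->", run_scenario(persistent=False))
    print("persistent Adj-SIDs->", run_scenario(persistent=True))
```
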


From nobody Fri Mar 23 16:02:19 2018
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16B5412E03B; Fri, 23 Mar 2018 16:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level: 
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMRqJIAUHlk8; Fri, 23 Mar 2018 16:02:15 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABA93126DEE; Fri, 23 Mar 2018 16:02:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7362; q=dns/txt; s=iport; t=1521846135; x=1523055735; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=rVpiShSRnek214/Quym9iGObT3t2+5AmnAf423nSCbc=; b=k28pNH73qR9E+20jeBed+df0qWLqiPh8oRV/9lva6PGHHittBK2TKkME H6Aa0m2EguO3qjwb94B6MoI1D77kH0Xmij5nCbGBgYXNyWm+dC9BgCnh8 B0Z/wb0ADSdUwJ5MlAQ4Yy+HqJYV82Eq53eLgr5sIPsYDWIQFyueUogos I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A5AQAkh7Va/49dJa1dGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYNBYXAoCoNSh3+NEIF0gRGSTYIGCyWBVoMKAhqDViE0GAE?= =?us-ascii?q?CAQEBAQEBAmsohSUBAQEDASMRUQQCAQYCEQEDAQEBAgImAgICMBUCBggCBAE?= =?us-ascii?q?SCIR+CA+NWJs4giCIQYIVBYEIhCeCEYFUQIEMgwaDEwEBAgGBcoJqglQDlzw?= =?us-ascii?q?IAoVPhTCDJ4E4GoM9hzKJEoY8AhETAYEkARw4gVJwFYJ9giEYjhZvAQGOFCu?= =?us-ascii?q?BBIEWAQE?=
X-IronPort-AV: E=Sophos;i="5.48,352,1517875200"; d="scan'208";a="372957332"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2018 23:02:14 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id w2NN2E8I001765 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Mar 2018 23:02:14 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 23 Mar 2018 18:02:13 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Fri, 23 Mar 2018 18:02:13 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6ywgAEZggD//7GikIAAWWwA//+s6BA=
Date: Fri, 23 Mar 2018 23:02:13 +0000
Message-ID: <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org>
In-Reply-To: <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.5.233]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tNGRFnThjO9F5a4p25hJJ6OLNWY>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 23:02:18 -0000

From nobody Fri Mar 23 16:18:31 2018
Return-Path: <david+work@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94DE812E03E for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 16:18:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0BJ2DH2v12ka for <secdir@ietfa.amsl.com>; Fri, 23 Mar 2018 16:18:22 -0700 (PDT)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A53C712E03F for <secdir@ietf.org>; Fri, 23 Mar 2018 16:18:20 -0700 (PDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=SsPS07G0 c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=v2DPQv5-lfwA:10 a=bmmO2AaSJ7QA:10 a=48vgC7mUAAAA:8 a=BTUBnpS-AAAA:8 a=AUd_NHdVAAAA:8 a=ypeoqO8XFaIhN2hmt08A:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=pblkFgjdBCuYZ9-HdJ6i:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp02.rcn.cmh.synacor.com header.from=david+work@mandelberg.org; sender-id=neutral
Authentication-Results: smtp02.rcn.cmh.synacor.com smtp.mail=david+work@mandelberg.org; spf=neutral; sender-id=neutral
Authentication-Results: smtp02.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received-SPF: neutral (smtp02.rcn.cmh.synacor.com: 209.6.43.168 is neither permitted nor denied by domain of mandelberg.org)
Received: from [209.6.43.168] ([209.6.43.168:42638] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david+work@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384)  id 70/B5-15426-A3B85BA5; Fri, 23 Mar 2018 19:18:18 -0400
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id E53691C609C; Fri, 23 Mar 2018 19:18:17 -0400 (EDT)
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com>
From: David Mandelberg <david+work@mandelberg.org>
Organization: David Mandelberg, LLC
Message-ID: <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org>
Date: Fri, 23 Mar 2018 19:18:15 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/A3hbXzvYoEt5VIPUcjETiyiJnAs>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 23:18:23 -0000

No worries about the delay. And I'm just a secdir reviewer, not an IESG 
member, so I can't do anything about a DISCUSS.

On 03/23/2018 07:02 PM, Les Ginsberg (ginsberg) wrote:
> David -
> 
> Yes - IGP specs have this. See (for example):
> 
> https://tools.ietf.org/html/draft-ietf-isis-segment-routing-extensions-15#section-2.2.1
> 
> If this suffices please clear your DISCUSS on the draft.
> 
> Again, apologies for the long delay in responding - it was not intentional.
> 
>      Les
> 
>> -----Original Message-----
>> From: David Mandelberg <david+work@mandelberg.org>
>> Sent: Friday, March 23, 2018 3:57 PM
>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>>
>> Thanks, I didn't know it was in the IGP specs. If the usage you describe would be
>> clear to anybody using this, then I think you've fully addressed my original
>> comment.
>>
>> On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:
>>> David -
>>>
>>> Thanx for the very prompt response.
>>>
>>> If a controller (for example) is defining a SID stack for an SR Policy, it can
>> choose to use an  Adj-SID which is advertised as Persistent and be confident that
>> the SID will not be reused for some other purpose no matter what happens on
>> the owning node.
>>>
>>> BTW, the flag isn’t new - it has been part of the IGP specifications for quite a
>> long while. It just wasn't mentioned in the SR Architecture in earlier versions.
>>>
>>> HTH
>>>
>>>        Les
>>>
>>>> -----Original Message-----
>>>> From: David Mandelberg <david+work@mandelberg.org>
>>>> Sent: Friday, March 23, 2018 3:17 PM
>>>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>>>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>>>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>>>>
>>>> Hi,
>>>>
>>>> How will the indication of persistence be used? I scanned the changes
>>>> from -13 to -15, but I didn't notice any other text about the new flag.
>>>>
>>>> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
>>>>> David -
>>>>>
>>>>> Apologies. It appears that I neglected to respond to this old review
>>>>> comment.
>>>>>
>>>>> This was not intentional. Authors actively discussed your comment
>>>>> promptly and we did add text in V14 of the draft to address this point:
>>>>>
>>>>> Please see:
>>>>> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
>>>>>
>>>>> /o  Indication whether the Adj-SID is persistent across control
>>>>> plane/
>>>>>
>>>>> /      restarts.  Persistence is a key attribute in ensuring that an
>>>>> SR/
>>>>>
>>>>> /      Policy does not temporarily result in misforwarding due to/
>>>>>
>>>>> /      reassignment of an Adj-SID./
>>>>>
>>>>> //
>>>>>
>>>>> Please let us know if this adequately addresses your comment.
>>>>>
>>>>> Again, apologies for the long delay.
>>>>>
>>>>>       Les
>>>>>
>>>>>    > -----Original Message-----
>>>>>
>>>>>    > From: David Mandelberg <david@mandelberg.org>
>>>>>
>>>>>    > Sent: Thursday, November 02, 2017 10:53 AM
>>>>>
>>>>>    > To: iesg@ietf.org; secdir@ietf.org; draft-ietf-spring-segment-
>>>>>
>>>>>    > routing.all@ietf.org
>>>>>
>>>>>    > Subject: secdir review of draft-ietf-spring-segment-routing-13
>>>>>
>>>>>    >
>>>>>
>>>>>    > I have reviewed this document as part of the security
>>>>> directorate's ongoing
>>>>>
>>>>>    > effort to review all IETF documents being processed by the IESG.
>>>>> These
>>>>>
>>>>>    > comments were written primarily for the benefit of the security
>>>>> area directors.
>>>>>
>>>>>    > Document editors and WG chairs should treat these comments just
>>>>> like any
>>>>>
>>>>>    > other last call comments.
>>>>>
>>>>>    >
>>>>>
>>>>>    > The summary of the review is Ready with nits.
>>>>>
>>>>>    >
>>>>>
>>>>>    > This document affects routing within a trusted domain, and the
>>>>> security
>>>>>
>>>>>    > considerations section adequately talks about filtering at the
>>>>> border of a trusted
>>>>>
>>>>>    > domain.
>>>>>
>>>>>    >
>>>>>
>>>>>    > I do have one question about something I didn't see in the
>>>>> document, what
>>>>>
>>>>>    > happens when SIDs change while packets are in transit? Here's a
>>>>> hypothetical
>>>>>
>>>>>    > situation that could be bad for security, but I'm not sure
>>>>> whether or not it could
>>>>>
>>>>>    > happen: 1. An internal node calculates an SR Policy and sends
>>>>> out a packet that
>>>>>
>>>>>    > will eventually egress towards a BGP peer. 2. Multiple links on
>>>>> the BGP router go
>>>>>
>>>>>    > down and then back up, but are allocated different PeerAdj SIDs
>>>>> than they had
>>>>>
>>>>>    > before. 3. The packet reaches the BGP router, but egresses to
>>>>> the wrong BGP
>>>>>
>>>>>    > peer because the original PeerAdj SID is now mapped to a
>>>>> different PeerAdj
>>>>>
>>>>>    > segment.
>>>>>
>>>>>    >
>>>>>
>>>>>    > --
>>>>>
>>>>>    > Freelance cyber security consultant, software developer, and
>>>>> more
>>>>>
>>>>>    > https://david.mandelberg.org/
>>>>>
>>>>
>>>>
>>>> --
>>>> Freelance cyber security consultant, software developer, and more
>>>> https://david.mandelberg.org/
>>
>>
>> --
>> Freelance cyber security consultant, software developer, and more
>> https://david.mandelberg.org/


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/
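
The reassignment hazard raised in the original review and the controller behaviour described in the reply can be modelled in a few lines. This is an added illustration, not part of any message in this thread; the node name, neighbor names, label values and the allocation-by-adjacency-order rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AdjSid:
    label: int
    neighbor: str
    persistent: bool  # models the "Persistent" indication discussed in the thread


class Node:
    """Hypothetical SR node; label values and allocation rule are constructed."""

    def __init__(self, name: str, dynamic_base: int, persistent_cfg: Dict[str, int]):
        self.name = name
        self.dynamic_base = dynamic_base
        self.persistent_cfg = dict(persistent_cfg)  # neighbor -> fixed label
        self.table: Dict[int, AdjSid] = {}

    def control_plane_start(self, adjacency_up_order: List[str]) -> None:
        """(Re)build the label table, as happens after a control-plane restart."""
        self.table = {}
        next_dynamic = self.dynamic_base
        for neighbor in adjacency_up_order:
            if neighbor in self.persistent_cfg:
                # Persistent Adj-SID: same label on every start.
                label, persistent = self.persistent_cfg[neighbor], True
            else:
                # Dynamic Adj-SID: label depends on the order adjacencies come up.
                label, persistent = next_dynamic, False
                next_dynamic += 1
            self.table[label] = AdjSid(label, neighbor, persistent)

    def advertise(self) -> List[AdjSid]:
        return list(self.table.values())

    def forward(self, label: int) -> Optional[str]:
        """Return the neighbor a packet carrying this Adj-SID would egress to."""
        sid = self.table.get(label)
        return sid.neighbor if sid else None


def pick_adj_sid(advertised: List[AdjSid], neighbor: str,
                 require_persistent: bool) -> Optional[int]:
    """Controller-side choice of an Adj-SID for one hop of an SR Policy."""
    for sid in advertised:
        if sid.neighbor == neighbor and (sid.persistent or not require_persistent):
            return sid.label
    return None  # no acceptable SID: the controller must not build this hop


def run_scenario() -> Dict[str, object]:
    node = Node("R9", dynamic_base=24000, persistent_cfg={"peerC": 24100})
    node.control_plane_start(["peerA", "peerB", "peerC"])
    advertised = node.advertise()

    # A controller that ignores persistence pins a policy to a dynamic label.
    naive = pick_adj_sid(advertised, "peerA", require_persistent=False)
    # A controller that requires persistence refuses peerA and accepts peerC.
    strict_a = pick_adj_sid(advertised, "peerA", require_persistent=True)
    strict_c = pick_adj_sid(advertised, "peerC", require_persistent=True)

    # Restart while packets built from the old advertisement are still in
    # flight; adjacencies come back up in a different order.
    node.control_plane_start(["peerB", "peerA", "peerC"])

    return {
        "naive_label": naive,
        "naive_egress_after_restart": node.forward(naive),
        "strict_label_peerA": strict_a,
        "strict_label_peerC": strict_c,
        "strict_egress_after_restart": node.forward(strict_c),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In this model the policy pinned to the dynamic label egresses to peerB instead of peerA after the restart, while the policy restricted to persistent Adj-SIDs still egresses to peerC.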


From nobody Fri Mar 23 16:27:44 2018
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7FE612E046; Fri, 23 Mar 2018 16:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9rDkdNvmgrw; Fri, 23 Mar 2018 16:27:33 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFC7812E042; Fri, 23 Mar 2018 16:27:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=41108; q=dns/txt; s=iport; t=1521847652; x=1523057252; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=b30amnb7TUhK660VTasS411YX2efV+BZWoDFEhogiyA=; b=G3XlsGSPeIdxhbTOkO+pkTygMXgWp/H57FJbdVX+OvAs0PI/coHnskyv FOcE9wRrI6q8I/iELb4R8YR0uejnj2+lmciaGh1I26OYc/+9Aik6YNqwt pNvFXJ9wUFBO3pXfzNzsX9KTOZO3vKt0esLEj4TCMjpOao7w1H2IzCDgv s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0A5AQAWjLVa/5RdJa1dGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYJNdGFwKAqDUod/jRCBdIERkk2CBgsngVSDCgIag1YhNBg?= =?us-ascii?q?BAgEBAQEBAQJrKIUlAQEBAwEjClEHBAIBCBEBAwEBIQEGAwICAjAUAwYIAgQ?= =?us-ascii?q?BEgiEIlwID6kMgiCIQYIVBYUvghGBVECBDIMGgxMBAQIBAYFxH4JLglQDlzw?= =?us-ascii?q?IAoVPhTCDJ4E4GoM9hzKJEoY8AhETAYEkARw4gVJwFYJ9giEYjhZvjhYrgQS?= =?us-ascii?q?BFgEB?=
X-IronPort-AV: E=Sophos;i="5.48,352,1517875200";  d="scan'208,217";a="361294752"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Mar 2018 23:27:31 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id w2NNRV7l004035 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 23 Mar 2018 23:27:31 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Fri, 23 Mar 2018 18:27:30 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Fri, 23 Mar 2018 18:27:30 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6ywgAEZggD//7GikIAAWWwA//+s6BCAAFkXgP//rdqw
Date: Fri, 23 Mar 2018 23:27:30 +0000
Message-ID: <0735a0688ee64980b5d1da734fc8cbcd@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org>
In-Reply-To: <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.5.233]
Content-Type: multipart/alternative; boundary="_000_0735a0688ee64980b5d1da734fc8cbcdXCHALN001ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1SaGueuMASguJF3QpET5rgJORUY>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2018 23:27:36 -0000

--_000_0735a0688ee64980b5d1da734fc8cbcdXCHALN001ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_0735a0688ee64980b5d1da734fc8cbcdXCHALN001ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_0735a0688ee64980b5d1da734fc8cbcdXCHALN001ciscocom_--


From nobody Sat Mar 24 03:40:37 2018
Return-Path: <ekr@rtfm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3336126C2F for <secdir@ietfa.amsl.com>; Sat, 24 Mar 2018 03:40:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level: 
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYB8DMQMQgh4 for <secdir@ietfa.amsl.com>; Sat, 24 Mar 2018 03:40:32 -0700 (PDT)
Received: from mail-ot0-x22f.google.com (mail-ot0-x22f.google.com [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC1661201FA for <secdir@ietf.org>; Sat, 24 Mar 2018 03:40:31 -0700 (PDT)
Received: by mail-ot0-x22f.google.com with SMTP id 108-v6so15910260otv.3 for <secdir@ietf.org>; Sat, 24 Mar 2018 03:40:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Rhm+GEJ7nJPr/C4TRkEGsB1SgGYhnRknsPJ7cNNDSTo=; b=VQiixCP95yqN9DPUsgJXq/q7KiD/skbPKXj9RpTFipx/7mm46XMfvyRuEHxU0Vo9XA O3xornz4V6g3BerK1lp/teSajcvfmviQ2+U7nSn09yoFkU71vNRjGxdlHOYa+bJCfMMF o73LDQGnnFr9gAcGyaGEMwdr5a6rTfEiVd+EBVs2NHiWPpUuVhkHt6fmbxeIrRG9h8Nn 3I8WSjf4ifS41/u35HYaUaMGU87Kti4pcIgisQibNzQaf7J2vyDaxKfkMxOqOwmjC4eA ZHPVufHY5UYg99P4SPvmaBQcqtJn4FueBuHcPJYfShEitommrCrKE/6DVaTZKuwaJeec KnqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Rhm+GEJ7nJPr/C4TRkEGsB1SgGYhnRknsPJ7cNNDSTo=; b=kNljzL3OnaIyP7rNUBd47S5YGYF9Y56EiGCaQ6truiGA4epE/F5rQL3RkV7GDfjAoI eQdo8VjRUKVncwIMdPMyM+26cJ30/3MG8JGGciAOI0nVdSiUykI9ci3eBwplfcFWJzr3 T26+5VOIFxGScR7Nd1jp8ay3Qetj6eEDlkUya1O3D50Qsa+cC3V0adYQs0GcHvAeVAse L6zWKC4aItNjMQv2CmJbULUoJUMmw1JWXrUGaMCo7lzjzVh8RHFI5uWZh9polpJBNevS 0N0/MeLnWsCoBykgbfASZBVQ5OWjEtAuBtfLN0y8oHjjWPmfkdkZnpRg4UN0ACkawBWw shJw==
X-Gm-Message-State: AElRT7FFtJ+5G4SO9AMtw+6My7ZkZlPkjCytziiyoj3GD/PCtdxqhQ5D Tqjiez0Fkrxqiz35TAEUVovGD5B8R+mpUieiMewq+A==
X-Google-Smtp-Source: AIpwx4+vrOsWhXcK7qu9yh8uI0KbGMY2rXyY8K1w/V4x19ViZHE7oGraFoSeYQ/S8SZO4zMykEILjVsYSepthq38NLw=
X-Received: by 2002:a9d:4289:: with SMTP id r9-v6mr7633949ote.44.1521888030909;  Sat, 24 Mar 2018 03:40:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Sat, 24 Mar 2018 03:39:50 -0700 (PDT)
In-Reply-To: <0735a0688ee64980b5d1da734fc8cbcd@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <0735a0688ee64980b5d1da734fc8cbcd@XCH-ALN-001.cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Mar 2018 10:39:50 +0000
Message-ID: <CABcZeBNwbitatbJ1f-tiEUw+G6CosK6g-r6pDa0Sx=iNvLmqJQ@mail.gmail.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
Cc: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000078846a0568262b19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MehB0n2GYwO95VKF-WFGzNbpKbg>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 10:40:36 -0000

--00000000000078846a0568262b19
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The DISCUSS on this document is being held by Alissa Cooper.
https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/ballot/

I would suggest responding to her points (there should be an associated
email thread)

-Ekr


On Fri, Mar 23, 2018 at 11:27 PM, Les Ginsberg (ginsberg) <
ginsberg@cisco.com> wrote:

> Hmmm...well if you look at
> https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/ we see
>
>
>
>
>
> *Reviews*
>
> OPSDIR Last Call Review (of -13): Ready
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-opsdir-lc-ersue-2017-12-19/>
>
> SECDIR Last Call Review (of -13): Has Nits
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/>
>
> RTGDIR Telechat Review (of -13): Ready
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-rtgdir-telechat-hardwick-2017-12-12/>
>
>
>
> And then the SECDIR review link points to your review:
> https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/
>
>
>
> So I don’t know what else needs to be done to clear this.
>
>
>
> Bruno? Rob? Can you help here?
>
>
>
>     Les
>
>
>
> > -----Original Message-----
>
> > From: David Mandelberg <david+work@mandelberg.org>
>
> > Sent: Friday, March 23, 2018 4:18 PM
>
> > To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> >
>
> > No worries about the delay. And I'm just a secdir reviewer, not an IESG
> member,
>
> > so I can't do anything about a DISCUSS.
>
> >
>
> > On 03/23/2018 07:02 PM, Les Ginsberg (ginsberg) wrote:
>
> > > David -
>
> > >
>
> > > Yes - IGP specs have this. See (for example):
>
> > >
>
> > > https://tools.ietf.org/html/draft-ietf-isis-segment-routing-extensions-15#section-2.2.1
>
> > >
>
> > > If this suffices please clear your DISCUSS on the draft.
>
> > >
>
> > > Again, apologies for the long delay in responding - it was not
> intentional.
>
> > >
>
> > >      Les
>
> > >
>
> > >> -----Original Message-----
>
> > >> From: David Mandelberg <david+work@mandelberg.org>
>
> > >> Sent: Friday, March 23, 2018 3:57 PM
>
> > >> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > >> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > >> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> > >>
>
> > >> Thanks, I didn't know it was in the IGP specs. If the usage you
>
> > >> describe would be clear to anybody using this, then I think you've
>
> > >> fully addressed my original comment.
>
> > >>
>
> > >> On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:
>
> > >>> David -
>
> > >>>
>
> > >>> Thanx for the very prompt response.
>
> > >>>
>
> > >>> If a controller (for example) is defining a SID stack for an SR
>
> > >>> Policy, it can
>
> > >> choose to use an  Adj-SID which is advertised as Persistent and be
>
> > >> confident that the SID will not be reused for some other purpose no
>
> > >> matter what happens on the owning node.
>
> > >>>
>
> > >>> BTW, the flag isn’t new - it has been part of the IGP specifications
>
> > >>> for quite a
>
> > >> long while. It just wasn't mentioned in the SR Architecture in
> earlier versions.
>
> > >>>
>
> > >>> HTH
>
> > >>>
>
> > >>>        Les
>
> > >>>
>
> > >>>> -----Original Message-----
>
> > >>>> From: David Mandelberg <david+work@mandelberg.org>
>
> > >>>> Sent: Friday, March 23, 2018 3:17 PM
>
> > >>>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > >>>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > >>>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> > >>>>
>
> > >>>> Hi,
>
> > >>>>
>
> > >>>> How will the indication of persistence be used? I scanned the
>
> > >>>> changes from -13 to -15, but I didn't notice any other text about
> the new
>
> > flag.
>
> > >>>>
>
> > >>>> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
>
> > >>>>> David -
>
> > >>>>>
>
> > >>>>> Apologies. It appears that I neglected to respond to this old
>
> > >>>>> review comment.
>
> > >>>>>
>
> > >>>>> This was not intentional. Authors actively discussed your comment
>
> > >>>>> promptly and we did add text in V14 of the draft to address this
> point:
>
> > >>>>>
>
> > >>>>> Please see:
>
> > >>>>> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
>
> > >>>>>
>
> > >>>>> /o  Indication whether the Adj-SID is persistent across control
>
> > >>>>> plane/
>
> > >>>>>
>
> > >>>>> /      restarts.  Persistence is a key attribute in ensuring that
>
> > >>>>> an SR/
>
> > >>>>>
>
> > >>>>> /      Policy does not temporarily result in misforwarding due to/
>
> > >>>>>
>
> > >>>>> /      reassignment of an Adj-SID./
>
> > >>>>>
>
> > >>>>> //
>
> > >>>>>
>
> > >>>>> Please let us know if this adequately addresses your comment.
>
> > >>>>>
>
> > >>>>> Again, apologies for the long delay.
>
> > >>>>>
>
> > >>>>>       Les
>
> > >>>>>
>
> > >>>>>    > -----Original Message-----
>
> > >>>>>
>
> > >>>>>    > From: David Mandelberg <david@mandelberg.org>
>
> > >>>>>
>
> > >>>>>    > Sent: Thursday, November 02, 2017 10:53 AM
>
> > >>>>>
>
> > >>>>>    > To: iesg@ietf.org; secdir@ietf.org;
>
> > >>>>> draft-ietf-spring-segment-
>
> > >>>>>
>
> > >>>>>    > routing.all@ietf.org
>
> > >>>>>
>
> > >>>>>    > Subject: secdir review of
>
> > >>>>> draft-ietf-spring-segment-routing-13
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > I have reviewed this document as part of the security
>
> > >>>>> directorate's ongoing
>
> > >>>>>
>
> > >>>>>    > effort to review all IETF documents being processed by the
> IESG.
>
> > >>>>> These
>
> > >>>>>
>
> > >>>>>    > comments were written primarily for the benefit of the
>
> > >>>>> security area directors.
>
> > >>>>>
>
> > >>>>>    > Document editors and WG chairs should treat these comments
>
> > >>>>> just like any
>
> > >>>>>
>
> > >>>>>    > other last call comments.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > The summary of the review is Ready with nits.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > This document affects routing within a trusted domain, and
>
> > >>>>> the security
>
> > >>>>>
>
> > >>>>>    > considerations section adequately talks about filtering at
>
> > >>>>> the border of a trusted
>
> > >>>>>
>
> > >>>>>    > domain.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > I do have one question about something I didn't see in the
>
> > >>>>> document, what
>
> > >>>>>
>
> > >>>>>    > happens when SIDs change while packets are in transit? Here's
>
> > >>>>> a hypothetical
>
> > >>>>>
>
> > >>>>>    > situation that could be bad for security, but I'm not sure
>
> > >>>>> whether or not it could
>
> > >>>>>
>
> > >>>>>    > happen: 1. An internal node calculates an SR Policy and sends
>
> > >>>>> out a packet that
>
> > >>>>>
>
> > >>>>>    > will eventually egress towards a BGP peer. 2. Multiple links
>
> > >>>>> on the BGP router go
>
> > >>>>>
>
> > >>>>>    > down and then back up, but are allocated different PeerAdj
>
> > >>>>> SIDs than they had
>
> > >>>>>
>
> > >>>>>    > before. 3. The packet reaches the BGP router, but egresses to
>
> > >>>>> the wrong BGP
>
> > >>>>>
>
> > >>>>>    > peer because the original PeerAdj SID is now mapped to a
>
> > >>>>> different PeerAdj
>
> > >>>>>
>
> > >>>>>    > segment.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > --
>
> > >>>>>
>
> > >>>>>    > Freelance cyber security consultant, software developer, and
>
> > >>>>> more
>
> > >>>>>
>
> > >>>>>    > https://david.mandelberg.org/
>
> > >>>>>
>
> > >>>>
>
> > >>>>
>
> > >>>> --
>
> > >>>> Freelance cyber security consultant, software developer, and more
>
> > >>>> https://david.mandelberg.org/
>
> > >>
>
> > >>
>
> > >> --
>
> > >> Freelance cyber security consultant, software developer, and more
>
> > >> https://david.mandelberg.org/
>
> >
>
> >
>
> > --
>
> > Freelance cyber security consultant, software developer, and more
>
> > https://david.mandelberg.org/
>

--00000000000078846a0568262b19
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">The DISCUSS on this document is being held by Alissa Coope=
r.<div><div><a href=3D"https://datatracker.ietf.org/doc/draft-ietf-spring-s=
egment-routing/ballot/">https://datatracker.ietf.org/doc/draft-ietf-spring-=
segment-routing/ballot/</a></div><div><br></div><div>I would suggest respon=
ding to her points (there should be an associated email thread)</div><div><=
br></div><div>-Ekr</div><div><br><div class=3D"gmail_extra"><br><div class=
=3D"gmail_quote">On Fri, Mar 23, 2018 at 11:27 PM, Les Ginsberg (ginsberg) =
<span dir=3D"ltr">&lt;<a href=3D"mailto:ginsberg@cisco.com" target=3D"_blan=
k">ginsberg@cisco.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">





<div lang=3D"EN-US">
<div class=3D"gmail-m_-2059609791736982033WordSection1">
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">Hmmm...well if you lo=
ok at <a href=3D"https://datatracker.ietf.org/doc/draft-ietf-spring-segment=
-routing/" target=3D"_blank">
https://datatracker.ietf.org/<wbr>doc/draft-ietf-spring-segment-<wbr>routin=
g/</a> we see<u></u><u></u></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<table class=3D"gmail-m_-2059609791736982033MsoNormalTable" border=3D"0" ce=
llspacing=3D"3" cellpadding=3D"0">
<tbody>
<tr>
<td style=3D"padding:0.75pt">
<p class=3D"MsoNormal" align=3D"center" style=3D"text-align:center"><b>Revi=
ews<u></u><u></u></b></p>
</td>
<td style=3D"padding:0.75pt"></td>
<td style=3D"padding:0.75pt">
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-opsdir-lc-ersue-2017-12-19/" target=3D"_blank=
">OPSDIR Last Call Review (of -13): Ready
</a><span style=3D"font-size:12pt"><u></u><u></u></span></p>
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/" target=3D"_=
blank">SECDIR Last Call Review (of -13): Has Nits
</a><u></u><u></u></p>
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-rtgdir-telechat-hardwick-2017-12-12/" target=
=3D"_blank">RTGDIR Telechat Review (of -13): Ready
</a><u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">And then the SECDIR r=
eview link points to your review: <a href=3D"https://datatracker.ietf.org/d=
oc/review-ietf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/" =
target=3D"_blank">
https://datatracker.ietf.org/<wbr>doc/review-ietf-spring-<wbr>segment-routi=
ng-13-secdir-lc-<wbr>mandelberg-2017-11-18/</a><u></u><u></u></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">So I don=E2=80=99t kn=
ow what else needs to be done to clear this.<u></u><u></u></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">Bruno? Rob? Can you h=
elp here?<u></u><u></u></p><span class=3D"gmail-">
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">=C2=A0=C2=A0=C2=A0 Le=
s<u></u><u></u></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText"><u></u>=C2=A0<u></u><=
/p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; -----Original Me=
ssage-----</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; From: David Mand=
elberg &lt;<a href=3D"mailto:david%2Bwork@mandelberg.org" target=3D"_blank"=
>david+work@mandelberg.org</a>&gt;</p>
</span><p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; Sent: Fri=
day, March 23, 2018 4:18 PM</p><span class=3D"gmail-">
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; To: Les Ginsberg=
 (ginsberg) &lt;<a href=3D"mailto:ginsberg@cisco.com" target=3D"_blank">gin=
sberg@cisco.com</a>&gt;; <a href=3D"mailto:iesg@ietf.org" target=3D"_blank"=
>iesg@ietf.org</a>;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; <a href=3D"mailt=
o:secdir@ietf.org" target=3D"_blank">secdir@ietf.org</a>; <a href=3D"mailto=
:draft-ietf-spring-segment-routing.all@ietf.org" target=3D"_blank">draft-ie=
tf-spring-segment-<wbr>routing.all@ietf.org</a></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; Subject: Re: sec=
dir review of draft-ietf-spring-segment-<wbr>routing-13</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; </p>
</span><p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; No worrie=
s about the delay. And I&#39;m just a secdir reviewer, not an IESG member,<=
/p><div><div class=3D"gmail-h5">
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; so I can&#39;t d=
o anything about a DISCUSS.</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; </p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; On 03/23/2018 07=
:02 PM, Les Ginsberg (ginsberg) wrote:</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; David -</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; Yes - IGP s=
pecs have this. See (for example):</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; <a href=3D"=
https://tools.ietf.org/html/draft-ietf-isis-segment-routing-extensions" tar=
get=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">https://tools.ietf.or=
g/html/<wbr>draft-ietf-isis-segment-<wbr>routing-extensions</span></a></p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; -15#section=
-2.2.1</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; If this suf=
fices please clear your DISCUSS on the draft.</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt; Again, apol=
ogies for the long delay in responding - it was not intentional.</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0 Les</p>
<p class=3D"gmail-m_-2059609791736982033MsoPlainText">&gt; &gt;</p>
> >> -----Original Message-----
> >> From: David Mandelberg <david+work@mandelberg.org>
> >> Sent: Friday, March 23, 2018 3:57 PM
> >> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
> >> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
> >> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
> >>
> >> Thanks, I didn't know it was in the IGP specs. If the usage you
> >> describe would be clear to anybody using this, then I think you've
> >> fully addressed my original comment.
> >>
> >> On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:
> >>> David -
> >>>
> >>> Thanx for the very prompt response.
> >>>
> >>> If a controller (for example) is defining a SID stack for an SR
> >>> Policy, it can choose to use an Adj-SID which is advertised as
> >>> Persistent and be confident that the SID will not be reused for
> >>> some other purpose no matter what happens on the owning node.
> >>>
> >>> BTW, the flag isn’t new - it has been part of the IGP specifications
> >>> for quite a long while. It just wasn't mentioned in the SR
> >>> Architecture in earlier versions.
> >>>
> >>> HTH
> >>>
> >>>        Les
> >>>
> >>>> -----Original Message-----
> >>>> From: David Mandelberg <david+work@mandelberg.org>
> >>>> Sent: Friday, March 23, 2018 3:17 PM
> >>>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
> >>>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
> >>>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
> >>>>
> >>>> Hi,
> >>>>
> >>>> How will the indication of persistence be used? I scanned the
> >>>> changes from -13 to -15, but I didn't notice any other text about
> >>>> the new flag.
> >>>>
> >>>> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
> >>>>> David -
> >>>>>
> >>>>> Apologies. It appears that I neglected to respond to this old
> >>>>> review comment.
> >>>>>
> >>>>> This was not intentional. Authors actively discussed your comment
> >>>>> promptly and we did add text in V14 of the draft to address this point:
> >>>>>
> >>>>> Please see:
> >>>>> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
> >>>>>
> >>>>> /o  Indication whether the Adj-SID is persistent across control plane/
> >>>>> /      restarts.  Persistence is a key attribute in ensuring that an SR/
> >>>>> /      Policy does not temporarily result in misforwarding due to/
> >>>>> /      reassignment of an Adj-SID./
> >>>>>
> >>>>> Please let us know if this adequately addresses your comment.
> >>>>>
> >>>>> Again, apologies for the long delay.
> >>>>>
> >>>>>       Les
> >>>>>
> >>>>>    > -----Original Message-----
> >>>>>    > From: David Mandelberg <david@mandelberg.org>
> >>>>>    > Sent: Thursday, November 02, 2017 10:53 AM
> >>>>>    > To: iesg@ietf.org; secdir@ietf.org;
> >>>>>    > draft-ietf-spring-segment-routing.all@ietf.org
> >>>>>    > Subject: secdir review of draft-ietf-spring-segment-routing-13
> >>>>>    >
> >>>>>    > I have reviewed this document as part of the security
> >>>>>    > directorate's ongoing effort to review all IETF documents being
> >>>>>    > processed by the IESG. These comments were written primarily for
> >>>>>    > the benefit of the security area directors. Document editors and
> >>>>>    > WG chairs should treat these comments just like any other last
> >>>>>    > call comments.
> >>>>>    >
> >>>>>    > The summary of the review is Ready with nits.
> >>>>>    >
> >>>>>    > This document affects routing within a trusted domain, and the
> >>>>>    > security considerations section adequately talks about filtering
> >>>>>    > at the border of a trusted domain.
> >>>>>    >
> >>>>>    > I do have one question about something I didn't see in the
> >>>>>    > document, what happens when SIDs change while packets are in
> >>>>>    > transit? Here's a hypothetical situation that could be bad for
> >>>>>    > security, but I'm not sure whether or not it could happen: 1. An
> >>>>>    > internal node calculates an SR Policy and sends out a packet that
> >>>>>    > will eventually egress towards a BGP peer. 2. Multiple links on
> >>>>>    > the BGP router go down and then back up, but are allocated
> >>>>>    > different PeerAdj SIDs than they had before. 3. The packet
> >>>>>    > reaches the BGP router, but egresses to the wrong BGP peer
> >>>>>    > because the original PeerAdj SID is now mapped to a different
> >>>>>    > PeerAdj segment.
> >>>>>    >
> >>>>>    > --
> >>>>>    > Freelance cyber security consultant, software developer, and more
> >>>>>    > https://david.mandelberg.org/
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>> Freelance cyber security consultant, software developer, and more
> >>>> https://david.mandelberg.org/
> >>
> >>
> >> --
> >> Freelance cyber security consultant, software developer, and more
> >> https://david.mandelberg.org/
>
>
> --
> Freelance cyber security consultant, software developer, and more
> https://david.mandelberg.org/
</div></div></div>
</div>

</blockquote></div><br></div></div></div></div>

--00000000000078846a0568262b19--


From nobody Sat Mar 24 04:14:15 2018
Return-Path: <ginsberg@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 544151241F8; Sat, 24 Mar 2018 04:14:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yX8gO_B-Xqu6; Sat, 24 Mar 2018 04:14:03 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F75B1201F2; Sat, 24 Mar 2018 04:14:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=80274; q=dns/txt; s=iport; t=1521890043; x=1523099643; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Y9wu6jepaswEp6kQDqM/f41STagANGZu7UF1nNahgBs=; b=Mjly+kJO59ywdKPgXAUGkdYS/uCr1AHTBXFNSr+5jySXXPXAqzYZd3sQ 8bXfSlF3J+4bTA7WYfcEt07oI3bO+JIcuM1iJlcx+WyNoksAS4rkYjDdT 5Yvmz3emum/7g1U2KZMjJHzU7cmCiOsF95lE1CMEftuuES0Thy+k7lVEU I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.48,354,1517875200";  d="scan'208,217";a="370121828"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Mar 2018 11:14:00 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id w2OBE0Ze005588 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 24 Mar 2018 11:14:00 GMT
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Sat, 24 Mar 2018 06:13:59 -0500
Received: from xch-aln-001.cisco.com ([173.36.7.11]) by XCH-ALN-001.cisco.com ([173.36.7.11]) with mapi id 15.00.1320.000; Sat, 24 Mar 2018 06:13:59 -0500
From: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>, Alissa Cooper <alissa@cooperw.in>
CC: David Mandelberg <david+work@mandelberg.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-spring-segment-routing-13
Thread-Index: AQHTVAN+h13Fy6LhA0quT26NkWnvTKPee6ywgAEZggD//7GikIAAWWwA//+s6BCAAFkXgP//rdqwACISmgAACWbCwA==
Date: Sat, 24 Mar 2018 11:13:59 +0000
Message-ID: <b60d331d3fbe482d95a94487d81542af@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <0735a0688ee64980b5d1da734fc8cbcd@XCH-ALN-001.cisco.com> <CABcZeBNwbitatbJ1f-tiEUw+G6CosK6g-r6pDa0Sx=iNvLmqJQ@mail.gmail.com>
In-Reply-To: <CABcZeBNwbitatbJ1f-tiEUw+G6CosK6g-r6pDa0Sx=iNvLmqJQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.46.144]
Content-Type: multipart/mixed; boundary="_004_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QaiU0CcyM7sFVtz2piD8wJIJT_k>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 11:14:07 -0000

--_004_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_
Content-Type: multipart/alternative;
 boundary="_000_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_"

--_000_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_--

--_004_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_
Content-Type: message/rfc822
Content-Disposition: attachment; creation-date="Sat, 24 Mar 2018 11:13:55 GMT";
 modification-date="Sat, 24 Mar 2018 11:13:55 GMT"

Received: from xch-aln-005.cisco.com (173.36.7.15) by xch-aln-001.cisco.com
 (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Mailbox
 Transport; Thu, 11 Jan 2018 15:58:54 -0600
Received: from xch-aln-001.cisco.com (173.36.7.11) by XCH-ALN-005.cisco.com
 (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Thu, 11 Jan
 2018 15:58:53 -0600
Received: from alln-iport-6.cisco.com (173.37.142.93) by mail.cisco.com
 (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4 via Frontend
 Transport; Thu, 11 Jan 2018 15:58:53 -0600
Received: from rcdn-core-1.cisco.com ([173.37.93.152])
 by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 11 Jan 2018 21:58:53 +0000
Received: from alln-inbound-b.cisco.com (alln-inbound-b.cisco.com
 [173.37.147.232])
 by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w0BLwn2h023702
 (version=TLSv1/SSLv3 cipher=DHE-RSA-SEED-SHA bits=128 verify=OK)
 for <ginsberg@cisco.com>; Thu, 11 Jan 2018 21:58:52 GMT
Received: from mail-oi0-x22e.google.com ([IPv6:2607:f8b0:4003:c06::22e])
 by alln-inbound-b.cisco.com with ESMTP/TLS/AES128-GCM-SHA256;
 11 Jan 2018 21:58:51 +0000
Received: by mail-oi0-x22e.google.com with SMTP id t8so2684365oie.6
 for <ginsberg@cisco.com>; Thu, 11 Jan 2018 13:58:51 -0800 (PST)
Received: from 1058052472880 named unknown by gmailapi.google.com with
 HTTPREST; Thu, 11 Jan 2018 13:58:49 -0800
From: Alvaro Retana <aretana.ietf@gmail.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, Alissa Cooper
 <alissa@cooperw.in>, The IESG <iesg@ietf.org>
CC: "spring@ietf.org" <spring@ietf.org>, "spring-chairs@ietf.org"
 <spring-chairs@ietf.org>, "draft-ietf-spring-segment-routing@ietf.org"
 <draft-ietf-spring-segment-routing@ietf.org>, "martin.vigoureux@nokia.com"
 <martin.vigoureux@nokia.com>
Subject: RE: Alissa Cooper's Discuss on draft-ietf-spring-segment-routing-13:
 (with DISCUSS and COMMENT)
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-spring-segment-routing-13:
 (with DISCUSS and COMMENT)
Thread-Index: AQHTdEIOG0UzK0e0qEeUmrtqvFiUQqNM6A1wgCLivIA=
Date: Thu, 11 Jan 2018 21:58:49 +0000
Message-ID: <CAMMESsxrRLZo5kZX7_uq_GRrKd_wbeoxbWdQ7d0_hLWCkasKnQ@mail.gmail.com>
References: <151319051482.30109.537791118842316529.idtracker@ietfa.amsl.com>
 <404fda4a03294dfeac55074a0937a54c@XCH-ALN-001.cisco.com>
In-Reply-To: <404fda4a03294dfeac55074a0937a54c@XCH-ALN-001.cisco.com>
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10
X-MS-Exchange-Organization-AuthSource: XCH-ALN-001.cisco.com
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ironport-av: E=Sophos;i="5.46,346,1511827200"; d="scan'208,217";a="52200642"
authentication-results: alln-inbound-b.cisco.com; spf=Pass
 smtp.mailfrom=aretana.ietf@gmail.com; spf=None
 smtp.helo=postmaster@mail-oi0-x22e.google.com; dkim=pass (signature verified)
 header.i=@gmail.com; dmarc=pass (p=none dis=none) d=gmail.com
x-ironport-anti-spam-filtered: true
x-from-outside-cisco: 2607:f8b0:4003:c06::22e
dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com;
 s=20161025;
 h=from:in-reply-to:references:mime-version:date:message-id:subject:to
 :cc;        bh=u2Pc2Tbs41HCowYrImFhFbiQDxWkfC3XnMf9Osun2Nc=;
 b=qq9QAaEVDKEuPEmS79Bggq3hIn8cpH65yY3dSp5QQXXb40mTIT2YAHHurMphcv+d9Q
 l/dbEYYYvoVBsOPsbNgheRa9CADh8/TUrUKDT1gnUQfjRdM+nQA9t7XB4Xb/+m8RFahS
 sJRYelz2fpCTQzVrnBppGOuBzW2Wz83dD+pOM1wCF3+X3MtOZQRkiW6aMr8gpSmS2hNo
 bcW4daw0ovJNqAUiTwoqTD7c2Jyzd45YHwF4cERVqFEL7ge/d3VPGq9XJQLdSgBHUKv8
 AKl5W/LFdrrnOLfxR1RLz9m0MNGsgNU3TjzTWtbyEL7p7NC8QJjM+VM7/k0Ts5QH/4kh
 vM1Q==
received-spf: None (alln-inbound-b.cisco.com: no sender  authenticity
 information available from domain of  postmaster@mail-oi0-x22e.google.com)
 identity=helo;  client-ip=2607:f8b0:4003:c06::22e;
 receiver=alln-inbound-b.cisco.com;  envelope-from="aretana.ietf@gmail.com";
 x-sender="postmaster@mail-oi0-x22e.google.com";  x-conformance=spf_only
Content-Type: multipart/alternative;
 boundary="_000_CAMMESsxrRLZo5kZX7uqGRrKdwbeoxbWdQ7d0hLWCkasKnQmailgmai_"
MIME-Version: 1.0

--_000_CAMMESsxrRLZo5kZX7uqGRrKdwbeoxbWdQ7d0hLWCkasKnQmailgmai_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_CAMMESsxrRLZo5kZX7uqGRrKdwbeoxbWdQ7d0hLWCkasKnQmailgmai_
Content-Type: text/html; charset="utf-8"
Content-ID: <002DCAFA47D0454CB7C8F880CF3CD895@emea.cisco.com>
Content-Transfer-Encoding: base64
--_000_CAMMESsxrRLZo5kZX7uqGRrKdwbeoxbWdQ7d0hLWCkasKnQmailgmai_--

--_004_b60d331d3fbe482d95a94487d81542afXCHALN001ciscocom_--


From nobody Sat Mar 24 04:40:00 2018
Return-Path: <ekr@rtfm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7801250B8 for <secdir@ietfa.amsl.com>; Sat, 24 Mar 2018 04:39:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level: 
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fjQ3l0XV5Q5J for <secdir@ietfa.amsl.com>; Sat, 24 Mar 2018 04:39:51 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A7311201F2 for <secdir@ietf.org>; Sat, 24 Mar 2018 04:39:47 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id c3-v6so12435534oib.5 for <secdir@ietf.org>; Sat, 24 Mar 2018 04:39:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FfF3QTUVW24z7jxLM7kiV5dL80kfhGQiep70dmIWlSQ=; b=uqj0QyavuYMaBCnWLtHKpxF+OMr44xseNiP3AjBMURbfnqEOGTyYZHyt8SqJi+7td3 Lo7JVNrl+KCWuHi1HgJUPDHNGFizmDYFDmEYO4DdxnU08Nf9ePC9zv/0esrqXXpaxo9w gxxw2awWGBBw/Qn6oVvRAMRxYBvm3+FsP7yEU8p6P7ZPZnQPRBLotsAYdT/suLKSzo+X dwaUUezgqNDBf5se1NspsGh86nTBmzzRlF7ufKCD6tPQsCJ8xZZCycRqIN3W2vOjfkM0 m0Cu4TNLhs248w0yYss9qhOb/oy19iQfYi/fXNY6s9qE/MY3NHjvsy+ej3QDGH2j/Bv9 6Nyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FfF3QTUVW24z7jxLM7kiV5dL80kfhGQiep70dmIWlSQ=; b=YAKLeEZrwVlYj0WfzRE71cigME7zaj6ZIVDg40DhsnkwiqSXtpKt4YV+lbkMPdTdwI nAyzJIJqZSM1L0Nd63KIOHKbClZfUEvdALKWsBhWapnEWJ2PIoqL4m1YQDWdOZRntCT4 OM/2DbgD8SuhFRKyz9rhruOdlY+CMMn1P8n7T9BjoKQY0gEHU7YB0XaJTd3KK+ddqFRa efYBIMPPBFz8l1DkXLDchfAa2gWD+sQOoBzXEwLFH+o44ZYPxPdByCgbLgd4spRJB2AX H3lePuLKNznCcxfP6OahkUlbNRAl7ncz4pWwnSbNzELkrqvwgZ6KsjYHMPOrru1VJONU ixwg==
X-Gm-Message-State: AElRT7FQLxJENqCKp2NkhDZbfM3hIH89cPhPGYfPFE9TJ83T9NDxd/ri Flw9tvay5dij9ia30FEFODGC7t+GZX6t61ioMYAFfw==
X-Google-Smtp-Source: AG47ELumMMePv4MxZ/rgcy89Q5FUdBUxcQxmxcoRbzjciqHrfTzz37weh0mHaUUmJTOrvA1w0SPvZVPlic13SDWn1Q0=
X-Received: by 10.202.228.10 with SMTP id b10mr5831286oih.138.1521891586483; Sat, 24 Mar 2018 04:39:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.23.21 with HTTP; Sat, 24 Mar 2018 04:39:06 -0700 (PDT)
In-Reply-To: <b60d331d3fbe482d95a94487d81542af@XCH-ALN-001.cisco.com>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <0735a0688ee64980b5d1da734fc8cbcd@XCH-ALN-001.cisco.com> <CABcZeBNwbitatbJ1f-tiEUw+G6CosK6g-r6pDa0Sx=iNvLmqJQ@mail.gmail.com> <b60d331d3fbe482d95a94487d81542af@XCH-ALN-001.cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 24 Mar 2018 11:39:06 +0000
Message-ID: <CABcZeBNkZvmVA-DhyCL=1QFfC+atS3S5WCySa+Gosdpy3Te8nA@mail.gmail.com>
To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>
Cc: Alissa Cooper <alissa@cooperw.in>, David Mandelberg <david+work@mandelberg.org>,  "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>,  "draft-ietf-spring-segment-routing.all@ietf.org" <draft-ietf-spring-segment-routing.all@ietf.org>
Content-Type: multipart/alternative; boundary="001a11409334663cee056826ff0f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_fFYgrBWTIMBQbd0oTEl45CygRk>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 11:39:54 -0000

--001a11409334663cee056826ff0f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sat, Mar 24, 2018 at 11:13 AM, Les Ginsberg (ginsberg) <
ginsberg@cisco.com> wrote:

> Eric –
>
>
>
> Alissa’s comments were addressed – and we have been waiting for a response
> from her for nearly 3 months.
>
> See attached.
>
>
You need to take this up with Alissa.

-Ekr


>
>    Les
>
>
>
>
>
> *From:* Eric Rescorla <ekr@rtfm.com>
> *Sent:* Saturday, March 24, 2018 3:40 AM
> *To:* Les Ginsberg (ginsberg) <ginsberg@cisco.com>
> *Cc:* David Mandelberg <david+work@mandelberg.org>; iesg@ietf.org;
> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> *Subject:* Re: secdir review of draft-ietf-spring-segment-routing-13
>
>
>
> The DISCUSS on this document is being held by Alissa Cooper.
>
> https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/ballot/
>
>
>
> I would suggest responding to her points (there should be an associated
> email thread)
>
>
>
> -Ekr
>
>
>
>
>
> On Fri, Mar 23, 2018 at 11:27 PM, Les Ginsberg (ginsberg) <
> ginsberg@cisco.com> wrote:
>
> Hmmm...well if you look at https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/ we see
>
>
>
>
>
> *Reviews*
>
> OPSDIR Last Call Review (of -13): Ready
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-opsdir-lc-ersue-2017-12-19/>
>
> SECDIR Last Call Review (of -13): Has Nits
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/>
>
> RTGDIR Telechat Review (of -13): Ready
> <https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-rtgdir-telechat-hardwick-2017-12-12/>
>
>
>
> And then the SECDIR review link points to your review:
> https://datatracker.ietf.org/doc/review-ietf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/
>
>
>
> So I don’t know what else needs to be done to clear this.
>
>
>
> Bruno? Rob? Can you help here?
>
>
>
>     Les
>
>
>
> > -----Original Message-----
>
> > From: David Mandelberg <david+work@mandelberg.org>
>
> > Sent: Friday, March 23, 2018 4:18 PM
>
> > To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> >
>
> > No worries about the delay. And I'm just a secdir reviewer, not an IESG member,
>
> > so I can't do anything about a DISCUSS.
>
> >
>
> > On 03/23/2018 07:02 PM, Les Ginsberg (ginsberg) wrote:
>
> > > David -
>
> > >
>
> > > Yes - IGP specs have this. See (for example):
>
> > >
>
> > > https://tools.ietf.org/html/draft-ietf-isis-segment-routing-extensions-15#section-2.2.1
>
> > >
>
> > > If this suffices please clear your DISCUSS on the draft.
>
> > >
>
> > > Again, apologies for the long delay in responding - it was not intentional.
>
> > >
>
> > >      Les
>
> > >
>
> > >> -----Original Message-----
>
> > >> From: David Mandelberg <david+work@mandelberg.org>
>
> > >> Sent: Friday, March 23, 2018 3:57 PM
>
> > >> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > >> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > >> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> > >>
>
> > >> Thanks, I didn't know it was in the IGP specs. If the usage you
>
> > >> describe would be clear to anybody using this, then I think you've
>
> > >> fully addressed my original comment.
>
> > >>
>
> > >> On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:
>
> > >>> David -
>
> > >>>
>
> > >>> Thanx for the very prompt response.
>
> > >>>
>
> > >>> If a controller (for example) is defining a SID stack for an SR
>
> > >>> Policy, it can
>
> > >> choose to use an  Adj-SID which is advertised as Persistent and be
>
> > >> confident that the SID will not be reused for some other purpose no
>
> > >> matter what happens on the owning node.
>
> > >>>
>
> > >>> BTW, the flag isn’t new - it has been part of the IGP specifications
>
> > >>> for quite a
>
> > >> long while. It just wasn't mentioned in the SR Architecture in earlier versions.
>
> > >>>
>
> > >>> HTH
>
> > >>>
>
> > >>>        Les
>
> > >>>
>
> > >>>> -----Original Message-----
>
> > >>>> From: David Mandelberg <david+work@mandelberg.org>
>
> > >>>> Sent: Friday, March 23, 2018 3:17 PM
>
> > >>>> To: Les Ginsberg (ginsberg) <ginsberg@cisco.com>; iesg@ietf.org;
>
> > >>>> secdir@ietf.org; draft-ietf-spring-segment-routing.all@ietf.org
>
> > >>>> Subject: Re: secdir review of draft-ietf-spring-segment-routing-13
>
> > >>>>
>
> > >>>> Hi,
>
> > >>>>
>
> > >>>> How will the indication of persistence be used? I scanned the
>
> > >>>> changes from -13 to -15, but I didn't notice any other text about the new flag.
>
> > >>>>
>
> > >>>> On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote:
>
> > >>>>> David -
>
> > >>>>>
>
> > >>>>> Apologies. It appears that I neglected to respond to this old
>
> > >>>>> review comment.
>
> > >>>>>
>
> > >>>>> This was not intentional. Authors actively discussed your comment
>
> > >>>>> promptly and we did add text in V14 of the draft to address this point:
>
> > >>>>>
>
> > >>>>> Please see:
>
> > >>>>> https://tools.ietf.org/html/draft-ietf-spring-segment-routing-15#section-3.4
>
> > >>>>>
>
> > >>>>> /o  Indication whether the Adj-SID is persistent across control
>
> > >>>>> plane/
>
> > >>>>>
>
> > >>>>> /      restarts.  Persistence is a key attribute in ensuring that
>
> > >>>>> an SR/
>
> > >>>>>
>
> > >>>>> /      Policy does not temporarily result in misforwarding due to/
>
> > >>>>>
>
> > >>>>> /      reassignment of an Adj-SID./
>
> > >>>>>
>
> > >>>>> //
>
> > >>>>>
>
> > >>>>> Please let us know if this adequately addresses your comment.
>
> > >>>>>
>
> > >>>>> Again, apologies for the long delay.
>
> > >>>>>
>
> > >>>>>       Les
>
> > >>>>>
>
> > >>>>>    > -----Original Message-----
>
> > >>>>>
>
> > >>>>>    > From: David Mandelberg <david@mandelberg.org>
>
> > >>>>>
>
> > >>>>>    > Sent: Thursday, November 02, 2017 10:53 AM
>
> > >>>>>
>
> > >>>>>    > To: iesg@ietf.org; secdir@ietf.org;
>
> > >>>>> draft-ietf-spring-segment-
>
> > >>>>>
>
> > >>>>>    > routing.all@ietf.org
>
> > >>>>>
>
> > >>>>>    > Subject: secdir review of
>
> > >>>>> draft-ietf-spring-segment-routing-13
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > I have reviewed this document as part of the security
>
> > >>>>> directorate's ongoing
>
> > >>>>>
>
> > >>>>>    > effort to review all IETF documents being processed by the IESG. These
>
> > >>>>>
>
> > >>>>>    > comments were written primarily for the benefit of the
>
> > >>>>> security area directors.
>
> > >>>>>
>
> > >>>>>    > Document editors and WG chairs should treat these comments
>
> > >>>>> just like any
>
> > >>>>>
>
> > >>>>>    > other last call comments.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > The summary of the review is Ready with nits.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > This document affects routing within a trusted domain, and
>
> > >>>>> the security
>
> > >>>>>
>
> > >>>>>    > considerations section adequately talks about filtering at
>
> > >>>>> the border of a trusted
>
> > >>>>>
>
> > >>>>>    > domain.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > I do have one question about something I didn't see in the
>
> > >>>>> document, what
>
> > >>>>>
>
> > >>>>>    > happens when SIDs change while packets are in transit? Here's
>
> > >>>>> a hypothetical
>
> > >>>>>
>
> > >>>>>    > situation that could be bad for security, but I'm not sure
>
> > >>>>> whether or not it could
>
> > >>>>>
>
> > >>>>>    > happen: 1. An internal node calculates an SR Policy and sends
>
> > >>>>> out a packet that
>
> > >>>>>
>
> > >>>>>    > will eventually egress towards a BGP peer. 2. Multiple links
>
> > >>>>> on the BGP router go
>
> > >>>>>
>
> > >>>>>    > down and then back up, but are allocated different PeerAdj
>
> > >>>>> SIDs than they had
>
> > >>>>>
>
> > >>>>>    > before. 3. The packet reaches the BGP router, but egresses to
>
> > >>>>> the wrong BGP
>
> > >>>>>
>
> > >>>>>    > peer because the original PeerAdj SID is now mapped to a
>
> > >>>>> different PeerAdj
>
> > >>>>>
>
> > >>>>>    > segment.
>
> > >>>>>
>
> > >>>>>    >
>
> > >>>>>
>
> > >>>>>    > --
>
> > >>>>>
>
> > >>>>>    > Freelance cyber security consultant, software developer, and
>
> > >>>>> more
>
> > >>>>>
>
> > >>>>>    > https://david.mandelberg.org/
>
> > >>>>>
>
> > >>>>
>
> > >>>>
>
> > >>>> --
>
> > >>>> Freelance cyber security consultant, software developer, and more
>
> > >>>> https://david.mandelberg.org/
>
> > >>
>
> > >>
>
> > >> --
>
> > >> Freelance cyber security consultant, software developer, and more
>
> > >> https://david.mandelberg.org/
>
> >
>
> >
>
> > --
>
> > Freelance cyber security consultant, software developer, and more
>
> > https://david.mandelberg.org/
>
>
>
>
> ---------- Forwarded message ----------
> From: Alvaro Retana <aretana.ietf@gmail.com>
> To: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, Alissa Cooper <
> alissa@cooperw.in>, The IESG <iesg@ietf.org>
> Cc: "spring@ietf.org" <spring@ietf.org>, "spring-chairs@ietf.org" <
> spring-chairs@ietf.org>, "draft-ietf-spring-segment-routing@ietf.org" <
> draft-ietf-spring-segment-routing@ietf.org>, "martin.vigoureux@nokia.com"
> <martin.vigoureux@nokia.com>
> Bcc:
> Date: Thu, 11 Jan 2018 21:58:49 +0000
> Subject: RE: Alissa Cooper's Discuss on
> draft-ietf-spring-segment-routing-13: (with DISCUSS and COMMENT)
> Alissa:
>
> Hi!
>
> Any thoughts on the update to this document?
>
> Thanks!
>
> Alvaro.
>
> On December 20, 2017 at 6:18:13 PM, Les Ginsberg (ginsberg) (
> ginsberg@cisco.com) wrote:
>
> Alissa -
>
> Thanx for the review.
> V14 has been published and it attempts to address the Security concerns
> raised by you and others.
> Look forward to your feedback.
>
> Inline.
>
> > -----Original Message-----
> > From: Alissa Cooper [mailto:alissa@cooperw.in]
> > Sent: Wednesday, December 13, 2017 10:42 AM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-spring-segment-routing@ietf.org; aretana.ietf@gmail.com;
> > spring-chairs@ietf.org; martin.vigoureux@nokia.com; spring@ietf.org
> > Subject: Alissa Cooper's Discuss on draft-ietf-spring-segment-routing-13:
>
> > (with DISCUSS and COMMENT)
> >
> > Alissa Cooper has entered the following ballot position for
> > draft-ietf-spring-segment-routing-13: Discuss
> >
> > When responding, please keep the subject line intact and reply to all email
> > addresses included in the To and CC lines. (Feel free to cut this introductory
> > paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > I ended up reading draft-ietf-6man-segment-routing-header in tandem with
> > this document, and I have a question arising out of that. The trust model for
> > SRv6 outlined in this document appears to be one of reliance on the fact that
> > an SRH will only ever be inserted and appear within a single administrative
> > domain.
> > But Section 5.2.2 of draft-ietf-6man-segment-routing-header talks about an
> > SRH being inserted by a device outside of the segment routing domain.
> > Which is correct? I think this is an important question because the whole
> > trust model for the SR information seems to rely on out-of-band trust
> > between participating nodes.
> >
> > I also think this is important because there is no discussion in this document
> > of the impact of the inclusion of the SR metadata on the fingerprinting of the
> > device that inserted it. Section 5.1.4 of draft-ietf-6man-segment-routing-header
> > sort of alludes to this but seems to equate the capabilities of an
> > active attacker (who can conduct a traceroute) with a passive attacker who
> > could passively collect topology/fingerprinting information simply by
> > observing SRHes flowing by on the network. If the limitation to a single
> > administrative domain is meant to prevent such a passive attack (not sure if
> > that is really true, but perhaps the document assumes it?), that's another
> > reason that the existence of such a limitation needs to be clarified.
> >
> >
> [Les:] We share a common concern regarding trust issues. The architecture
> draft speaks to the default policy of only allowing trusted sources to
> insert SRH.
> The 6man draft currently discusses exceptions under the protection of
> authentication. I don’t see that as a contradiction.
> The risk/reward of allowing such exceptions can (and should) be discussed
> in the review of the 6man draft, but I am not convinced the architecture
> draft needs to speak to this since it is a clearly stated exception to the
> base trust model.
>
> The point that SR is intended to operate within a trusted domain has been
> clarified/reemphasized in the Security section changes.
>
> Les
>
>
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> >
> > Per my DISCUSS comment, I think this document needs to include some
> > considerations concerning the additional metadata that SRv6 adds to the
> > packet.
> > This has implications not just for passive observers but also for any node that
> > logs the SRH.
> >
>
>
>

--001a11409334663cee056826ff0f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
te">On Sat, Mar 24, 2018 at 11:13 AM, Les Ginsberg (ginsberg) <span dir=3D"=
ltr">&lt;<a href=3D"mailto:ginsberg@cisco.com" target=3D"_blank">ginsberg@c=
isco.com</a>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"m_-3231734011231668294WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d">Eric =E2=80=93<u></u><u></u></span></=
p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d"><u></u>=C2=A0<u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d">Alissa=E2=80=99s comments were addres=
sed =E2=80=93 and we have been waiting for a response from her for nearly 3=
 months.<u></u><u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d">See attached.<u></u><u></u></span></p=
>
<p class=3D"MsoNormal"></p></div></div></blockquote><div><br></div><div>You=
 need to take this up with Alissa.</div><div><br></div><div>-Ekr</div><div>=
<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bord=
er-left:1px #ccc solid;padding-left:1ex"><div lang=3D"EN-US" link=3D"blue" =
vlink=3D"purple"><div class=3D"m_-3231734011231668294WordSection1"><p class=
=3D"MsoNormal">=C2=A0</p></div></div></blockquote><blockquote class=3D"gmai=
l_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left=
:1ex"><div lang=3D"EN-US" link=3D"blue" vlink=3D"purple"><div class=3D"m_-3=
231734011231668294WordSection1"><p class=3D"MsoNormal"><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1f497d"><u></=
u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d">=C2=A0=C2=A0 Les<u></u><u></u></span>=
</p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d"><u></u>=C2=A0<u></u></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,sans-serif;color:#1f497d"><u></u>=C2=A0<u></u></span></p>
<div style=3D"border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt">
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,sans-serif">From:</span></b><span style=3D"font-size:11.0pt;=
font-family:&quot;Calibri&quot;,sans-serif"> Eric Rescorla &lt;<a href=3D"m=
ailto:ekr@rtfm.com" target=3D"_blank">ekr@rtfm.com</a>&gt;
<br>
<b>Sent:</b> Saturday, March 24, 2018 3:40 AM<span class=3D""><br>
<b>To:</b> Les Ginsberg (ginsberg) &lt;<a href=3D"mailto:ginsberg@cisco.com=
" target=3D"_blank">ginsberg@cisco.com</a>&gt;<br>
</span><b>Cc:</b> David Mandelberg &lt;<a href=3D"mailto:david%2Bwork@mande=
lberg.org" target=3D"_blank">david+work@mandelberg.org</a>&gt;; <a href=3D"=
mailto:iesg@ietf.org" target=3D"_blank">iesg@ietf.org</a>; <a href=3D"mailt=
o:secdir@ietf.org" target=3D"_blank">secdir@ietf.org</a>; <a href=3D"mailto=
:draft-ietf-spring-segment-routing.all@ietf.org" target=3D"_blank">draft-ie=
tf-spring-segment-<wbr>routing.all@ietf.org</a></span></p><div><div class=
=3D"h5"><br>
<b>Subject:</b> Re: secdir review of draft-ietf-spring-segment-<wbr>routing=
-13<u></u><u></u></div></div><p></p>
</div>
</div><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">The DISCUSS on this document is being held by Alissa=
 Cooper.<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/draft-ie=
tf-spring-segment-routing/ballot/" target=3D"_blank">https://datatracker.ie=
tf.org/<wbr>doc/draft-ietf-spring-segment-<wbr>routing/ballot/</a><u></u><u=
></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">I would suggest responding to her points (there shou=
ld be an associated email thread)<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">-Ekr<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=C2=A0<u></u></p>
<div>
<p class=3D"MsoNormal">On Fri, Mar 23, 2018 at 11:27 PM, Les Ginsberg (gins=
berg) &lt;<a href=3D"mailto:ginsberg@cisco.com" target=3D"_blank">ginsberg@=
cisco.com</a>&gt; wrote:<u></u><u></u></p>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
Hmmm...well if you look at <a href=3D"https://datatracker.ietf.org/doc/draf=
t-ietf-spring-segment-routing/" target=3D"_blank">
https://datatracker.ietf.org/<wbr>doc/draft-ietf-spring-segment-<wbr>routin=
g/</a> we see<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<table class=3D"m_-3231734011231668294MsoNormalTable" border=3D"0" cellspac=
ing=3D"3" cellpadding=3D"0">
<tbody>
<tr>
<td style=3D"padding:.75pt .75pt .75pt .75pt">
<p class=3D"MsoNormal" align=3D"center" style=3D"text-align:center">
<b>Reviews</b><u></u><u></u></p>
</td>
<td style=3D"padding:.75pt .75pt .75pt .75pt"></td>
<td style=3D"padding:.75pt .75pt .75pt .75pt">
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-opsdir-lc-ersue-2017-12-19/" target=3D"_blank=
">OPSDIR Last Call Review (of -13): Ready
</a><u></u><u></u></p>
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-secdir-lc-mandelberg-2017-11-18/" target=3D"_=
blank">SECDIR Last Call Review (of -13): Has Nits
</a><u></u><u></u></p>
<p class=3D"MsoNormal"><a href=3D"https://datatracker.ietf.org/doc/review-i=
etf-spring-segment-routing-13-rtgdir-telechat-hardwick-2017-12-12/" target=
=3D"_blank">RTGDIR Telechat Review (of -13): Ready
</a><u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
And then the SECDIR review link points to your review:
<a href=3D"https://datatracker.ietf.org/doc/review-ietf-spring-segment-rout=
ing-13-secdir-lc-mandelberg-2017-11-18/" target=3D"_blank">
https://datatracker.ietf.org/<wbr>doc/review-ietf-spring-<wbr>segment-routi=
ng-13-secdir-lc-<wbr>mandelberg-2017-11-18/</a><u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
So I don=E2=80=99t know what else needs to be done to clear this.<u></u><u>=
</u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
Bruno? Rob? Can you help here?<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0=C2=A0=C2=A0 Les<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
=C2=A0<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; -----Original Message-----<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; From: David Mandelberg &lt;<a href=3D"mailto:david%2Bwork@mandelberg.o=
rg" target=3D"_blank">david+work@mandelberg.org</a>&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; Sent: Friday, March 23, 2018 4:18 PM<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; To: Les Ginsberg (ginsberg) &lt;<a href=3D"mailto:ginsberg@cisco.com" =
target=3D"_blank">ginsberg@cisco.com</a>&gt;;
<a href=3D"mailto:iesg@ietf.org" target=3D"_blank">iesg@ietf.org</a>;<u></u=
><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; <a href=3D"mailto:secdir@ietf.org" target=3D"_blank">
secdir@ietf.org</a>; <a href=3D"mailto:draft-ietf-spring-segment-routing.al=
l@ietf.org" target=3D"_blank">
draft-ietf-spring-segment-<wbr>routing.all@ietf.org</a><u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; Subject: Re: secdir review of draft-ietf-spring-segment-<wbr>routing-1=
3<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; <u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; No worries about the delay. And I&#39;m just a secdir reviewer, not an=
 IESG member,<u></u><u></u></p>
<div>
<div>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; so I can&#39;t do anything about a DISCUSS.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; <u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; On 03/23/2018 07:02 PM, Les Ginsberg (ginsberg) wrote:<u></u><u></u></=
p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt; David -<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt; Yes - IGP specs have this. See (for example):<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt; <a href=3D"https://tools.ietf.org/html/draft-ietf-isis-segment-ro=
uting-extensions-15#section-2.2.1" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">https://tools.ietf.or=
g/html/<wbr>draft-ietf-isis-segment-<wbr>routing-extensions-15#section-2.2.=
1</span></a></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt; If this suffices please clear your DISCUSS on the draft.<u></u><u=
></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt; Again, apologies for the long delay in responding - it was not in=
tentional.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Les<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; -----Original Message-----<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; From: David Mandelberg &lt;<a href=3D"mailto:david+work@mande=
lberg.org" target=3D"_blank"><span style=3D"color:windowtext;text-decoratio=
n:none">david+work@mandelberg.org</span></a>&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; Sent: Friday, March 23, 2018 3:57 PM<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; To: Les Ginsberg (ginsberg) &lt;<a href=3D"mailto:ginsberg@ci=
sco.com" target=3D"_blank"><span style=3D"color:windowtext;text-decoration:=
none">ginsberg@cisco.com</span></a>&gt;;
<a href=3D"mailto:iesg@ietf.org" target=3D"_blank"><span style=3D"color:win=
dowtext;text-decoration:none">iesg@ietf.org</span></a>;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; <a href=3D"mailto:secdir@ietf.org" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">secdir@ietf.org</span=
></a>; <a href=3D"mailto:draft-ietf-spring-segment-routing.all@ietf.org" ta=
rget=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">draft-ietf-spring-seg=
ment-<wbr>routing.all@ietf.org</span></a><u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; Subject: Re: secdir review of draft-ietf-spring-segment-<wbr>=
routing-13<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; Thanks, I didn&#39;t know it was in the IGP specs. If the usa=
ge you<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; describe would be clear to anybody using this, then I think y=
ou&#39;ve<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; fully addressed my original comment.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt; On 03/23/2018 06:43 PM, Les Ginsberg (ginsberg) wrote:<u></u>=
<u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; David -<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; Thanx for the very prompt response.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; If a controller (for example) is defining a SID stack for=
 an SR</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; Policy, it can choose to use an Adj-SID which is=
 advertised as</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; Persistent and be confident that the SID will not be=
 reused for</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; some other purpose no matter what happens on the=
 owning node.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; BTW, the flag isn=E2=80=99t new - it has been part of the=
 IGP specifications</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; for quite a long while. It just wasn&#39;t mentioned in=
 the SR</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; Architecture in earlier versions.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt; HTH<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Les<u></u><u></=
u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; -----Original Message-----<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; From: David Mandelberg &lt;<a href=3D"mailto:david+wo=
rk@mandelberg.org" target=3D"_blank"><span style=3D"color:windowtext;text-d=
ecoration:none">david+work@mandelberg.org</span></a>&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; Sent: Friday, March 23, 2018 3:17 PM<u></u><u></u></p=
>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; To: Les Ginsberg (ginsberg) &lt;<a href=3D"mailto:gin=
sberg@cisco.com" target=3D"_blank"><span style=3D"color:windowtext;text-dec=
oration:none">ginsberg@cisco.com</span></a>&gt;;
<a href=3D"mailto:iesg@ietf.org" target=3D"_blank"><span style=3D"color:win=
dowtext;text-decoration:none">iesg@ietf.org</span></a>;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; <a href=3D"mailto:secdir@ietf.org" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">secdir@ietf.org</span=
></a>; <a href=3D"mailto:draft-ietf-spring-segment-routing.all@ietf.org" ta=
rget=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">draft-ietf-spring-seg=
ment-<wbr>routing.all@ietf.org</span></a><u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; Subject: Re: secdir review of draft-ietf-spring-segme=
nt-<wbr>routing-13<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; Hi,<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; How will the indication of persistence be used? I=
 scanned the</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; changes from -13 to -15, but I didn&#39;t notice any=
 other text about</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; the new flag.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt; On 03/23/2018 06:34 AM, Les Ginsberg (ginsberg) wrote=
:<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; David -<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; Apologies. It appears that I neglected to respond=
 to this old<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; review comment.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; This was not intentional. Authors actively discus=
sed your comment<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; promptly and we did add text in V14 of the draft =
to address this point:<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; Please see:<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; <a href=3D"https://tools.ietf.org/html/draft-ietf=
-spring-segment-routing-15#section-3.4" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">https://tools.ietf.or=
g/html/<wbr>draft-ietf-spring-segment-<wbr>routing-15#section-3.4</span></a=
></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; o=C2=A0 Indication whether the Adj-SID is=
 persistent across control plane</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; =C2=A0=C2=A0=C2=A0restarts.=C2=A0 Persistence=
 is a key attribute in ensuring that an SR</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; =C2=A0=C2=A0=C2=A0Policy does not temporarily=
 result in misforwarding due to</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; =C2=A0=C2=A0=C2=A0reassignment of an Adj-SID.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; Please let us know if this adequately addresses y=
our comment.<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt; Again, apologies for the long delay.<u></u><u></u=
></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0 Les<u></u><u></u><=
/p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; -----Original=
 Message-----</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; From: David Mandelberg &lt=
;<a href=3D"mailto:david@mandelberg.org" target=3D"_blank"><span style=3D"c=
olor:windowtext;text-decoration:none">david@mandelberg.org</span></a>&gt;=
</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; Sent: Thursday, November 0=
2, 2017 10:53 AM</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; To: <a href=3D"mailto:iesg=
@ietf.org" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">iesg@ietf.org</span><=
/a>; <a href=3D"mailto:secdir@ietf.org" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">secdir@ietf.org</span=
></a>;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; <a href=3D"mailto:draft-=
ietf-spring-segment-routing.all@ietf.org" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">draft-ietf-spring-seg=
ment-<wbr>routing.all@ietf.org</span></a></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; Subject: secdir review of=
 draft-ietf-spring-segment-<wbr>routing-13</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; I have reviewed this docum=
ent as part of the security directorate&#39;s ongoing</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; effort to review all IETF=
 documents being processed by the IESG. These</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; comments were written prim=
arily for the benefit of the security area directors.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; Document editors and WG ch=
airs should treat these comments just like any</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; other last call comments.=
</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; The summary of the review=
 is Ready with nits.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; This document affects rout=
ing within a trusted domain, and the security</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; considerations section ade=
quately talks about filtering at the border of a trusted</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; domain.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; I do have one question abo=
ut something I didn&#39;t see in the document, what</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; happens when SIDs change w=
hile packets are in transit? Here&#39;s a hypothetical</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; situation that could be ba=
d for security, but I&#39;m not sure whether or not it could</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; happen: 1. An internal nod=
e calculates an SR Policy and sends out a packet that</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; will eventually egress tow=
ards a BGP peer. 2. Multiple links on the BGP router go</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; down and then back up, but=
 are allocated different PeerAdj SIDs than they had</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; before. 3. The packet reac=
hes the BGP router, but egresses to the wrong BGP</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; peer because the original=
 PeerAdj SID is now mapped to a different PeerAdj</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; segment.</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt;</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; --</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; Freelance cyber security c=
onsultant, software developer, and more</p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;=C2=A0=C2=A0=C2=A0 &gt; <a href=3D"https://david.m=
andelberg.org/" target=3D"_blank">
<span style=3D"color:windowtext;text-decoration:none">https://david.mandelb=
erg.org/</span></a></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class=3D"m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">=
&gt; &gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;&gt;&gt;<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;&gt;&gt; --<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;&gt;&gt; Freelance cyber security consultant, software developer, and more<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;&gt;&gt; <a href="https://david.mandelberg.org/" target="_blank">
<span style="color:windowtext;text-decoration:none">https://david.mandelberg.org/</span></a><u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt;<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt; --<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt; Freelance cyber security consultant, software developer, and more<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; &gt;&gt; <a href="https://david.mandelberg.org/" target="_blank">
<span style="color:windowtext;text-decoration:none">https://david.mandelberg.org/</span></a><u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; <u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; <u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; --<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; Freelance cyber security consultant, software developer, and more<u></u><u></u></p>
<p class="m_-3231734011231668294gmail-m-2059609791736982033msoplaintext">&gt; <a href="https://david.mandelberg.org/" target="_blank">
<span style="color:windowtext;text-decoration:none">https://david.mandelberg.org/</span></a><u></u><u></u></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
</div>
</div>
</div></div></div>
</div>
</div>

<br><br>---------- Forwarded message ----------<br>
From:&nbsp;Alvaro Retana &lt;<a href="mailto:aretana.ietf@gmail.com">aretana.ietf@gmail.com</a>&gt;<br>
To:&nbsp;&quot;Les Ginsberg (ginsberg)&quot; &lt;<a href="mailto:ginsberg@cisco.com">ginsberg@cisco.com</a>&gt;, Alissa Cooper &lt;<a href="mailto:alissa@cooperw.in">alissa@cooperw.in</a>&gt;, The IESG &lt;<a href="mailto:iesg@ietf.org">iesg@ietf.org</a>&gt;<br>
Cc:&nbsp;&quot;<a href="mailto:spring@ietf.org">spring@ietf.org</a>&quot; &lt;<a href="mailto:spring@ietf.org">spring@ietf.org</a>&gt;, &quot;<a href="mailto:spring-chairs@ietf.org">spring-chairs@ietf.org</a>&quot; &lt;<a href="mailto:spring-chairs@ietf.org">spring-chairs@ietf.org</a>&gt;, &quot;<a href="mailto:draft-ietf-spring-segment-routing@ietf.org">draft-ietf-spring-segment-routing@ietf.org</a>&quot; &lt;<a href="mailto:draft-ietf-spring-segment-routing@ietf.org">draft-ietf-spring-segment-routing@ietf.org</a>&gt;, &quot;<a href="mailto:martin.vigoureux@nokia.com">martin.vigoureux@nokia.com</a>&quot; &lt;<a href="mailto:martin.vigoureux@nokia.com">martin.vigoureux@nokia.com</a>&gt;<br>
Bcc:&nbsp;<br>
Date:&nbsp;Thu, 11 Jan 2018 21:58:49 +0000<br>
Subject:&nbsp;RE: Alissa Cooper&#39;s Discuss on draft-ietf-spring-segment-routing-13: (with DISCUSS and COMMENT)<br>




<div style="word-wrap:break-word">
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Alissa:</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br>
</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Hi!</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br>
</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Any thoughts on the update to this document?</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br>
</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Thanks!</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
<br>
</div>
<div id="m_638334888266630083bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">
Alvaro.</div>
<br>
<p class="m_638334888266630083airmail_on">On December 20, 2017 at 6:18:13 PM, Les Ginsberg (ginsberg) (<a href="mailto:ginsberg@cisco.com" target="_blank">ginsberg@cisco.com</a>) wrote:</p>
<blockquote type="cite" class="m_638334888266630083clean_bq"><span>
<div>
<div></div>
<div>Alissa - <br>
<br>
Thanx for the review. <br>
V14 has been published and it attempts to address the Security concerns raised by you and others.
<br>
Look forward to your feedback. <br>
<br>
Inline. <br>
<br>
&gt; -----Original Message----- <br>
&gt; From: Alissa Cooper [mailto:<a href="mailto:alissa@cooperw.in" target="_blank">alissa@cooperw.in</a>]
<br>
&gt; Sent: Wednesday, December 13, 2017 10:42 AM <br>
&gt; To: The IESG &lt;<a href="mailto:iesg@ietf.org" target="_blank">iesg@ietf.org</a>&gt; <br>
&gt; Cc: <a href="mailto:draft-ietf-spring-segment-routing@ietf.org" target="_blank">draft-ietf-spring-segment-<wbr>routing@ietf.org</a>;
<a href="mailto:aretana.ietf@gmail.com" target="_blank">aretana.ietf@gmail.com</a>; <br>
&gt; <a href="mailto:spring-chairs@ietf.org" target="_blank">spring-chairs@ietf.org</a>; <a href="mailto:martin.vigoureux@nokia.com" target="_blank">
martin.vigoureux@nokia.com</a>; <a href="mailto:spring@ietf.org" target="_blank">spring@ietf.org</a>
<br>
&gt; Subject: Alissa Cooper&#39;s Discuss on draft-ietf-spring-segment-<wbr>routing-13: <br>
&gt; (with DISCUSS and COMMENT) <br>
&gt; <br>
&gt; Alissa Cooper has entered the following ballot position for <br>
&gt; draft-ietf-spring-segment-<wbr>routing-13: Discuss <br>
&gt; <br>
&gt; When responding, please keep the subject line intact and reply to all email <br>
&gt; addresses included in the To and CC lines. (Feel free to cut this introductory <br>
&gt; paragraph, however.) <br>
&gt; <br>
&gt; <br>
&gt; Please refer to <a href="https://www.ietf.org/iesg/statement/discuss-criteria.html" target="_blank">
https://www.ietf.org/iesg/<wbr>statement/discuss-criteria.<wbr>html</a> <br>
&gt; for more information about IESG DISCUSS and COMMENT positions. <br>
&gt; <br>
&gt; <br>
&gt; The document, along with other ballot positions, can be found here: <br>
&gt; <a href="https://datatracker.ietf.org/doc/draft-ietf-spring-segment-routing/" target="_blank">https://datatracker.ietf.org/<wbr>doc/draft-ietf-spring-segment-<wbr>routing/</a>
<br>
&gt; <br>
&gt; <br>
&gt; <br>
&gt; ------------------------------<wbr>------------------------------<wbr>---------- <br>
&gt; DISCUSS: <br>
&gt; ------------------------------<wbr>------------------------------<wbr>---------- <br>
&gt; <br>
&gt; I ended up reading draft-ietf-6man-segment-<wbr>routing-header in tandem with <br>
&gt; this document, and I have a question arising out of that. The trust model for <br>
&gt; SRv6 outlined in this document appears to be one of reliance on the fact that <br>
&gt; an SRH will only ever be inserted and appear within a single administrative <br>
&gt; domain. <br>
&gt; But Section 5.2.2 of draft-ietf-6man-segment-<wbr>routing-header talks about an <br>
&gt; SRH being inserted by a device outside of the segment routing domain. <br>
&gt; Which is correct? I think this is an important question because the whole <br>
&gt; trust model for the SR information seems to rely on out-of-band trust <br>
&gt; between participating nodes. <br>
&gt; <br>
&gt; I also think this is important because there is no discussion in this document <br>
&gt; of the impact of the inclusion of the SR metadata on the fingerprinting of the <br>
&gt; device that inserted it. Section 5.1.4 of draft-ietf-6man-segment-<wbr>routing- <br>
&gt; header sort of alludes to this but seems to equate the capabilities of an <br>
&gt; active attacker (who can conduct a traceroute) with a passive attacker who <br>
&gt; could passively collect topology/fingerprinting information simply by <br>
&gt; observing SRHes flowing by on the network. If the limitation to a single <br>
&gt; administrative domain is meant to prevent such a passive attack (not sure if <br>
&gt; that is really true, but perhaps the document assumes it?), that&#39;s another <br>
&gt; reason that the existence of such a limitation needs to be clarified. <br>
&gt; <br>
&gt; <br>
[Les:] We share a common concern regarding trust issues. The architecture draft speaks to the default policy of only allowing trusted sources to insert SRH.
<br>
The 6man draft currently discusses exceptions under the protection of authentication. I don’t see that as a contradiction.
<br>
The risk/reward of allowing such exceptions can (and should) be discussed in the review of the 6man draft, but I am not convinced the architecture draft needs to speak to this since it is a clearly stated exception to the base trust model.
<br>
<br>
The point that SR is intended to operate within a trusted domain has been clarified/reemphasized in the Security section changes.
<br>
<br>
Les <br>
<br>
<br>
<br>
&gt; ------------------------------<wbr>------------------------------<wbr>---------- <br>
&gt; COMMENT: <br>
&gt; ------------------------------<wbr>------------------------------<wbr>---------- <br>
&gt; <br>
&gt; <br>
&gt; Per my DISCUSS comment, I think this document needs to include some <br>
&gt; considerations concerning the additional metadata that SRv6 adds to the <br>
&gt; packet. <br>
&gt; This has implications not just for passive observers but also for any node that
<br>
&gt; logs the SRH. <br>
&gt; <br>
<br>
</div>
</div>
</span></blockquote>
<div id="m_638334888266630083bloop_sign_1515707872237327104" class="m_638334888266630083bloop_sign"></div>
</div>

<br></blockquote></div><br></div></div>

--001a11409334663cee056826ff0f--


From nobody Mon Mar 26 08:34:06 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A27212DA3E for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tnVCP8_a69I2 for <secdir@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:55 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7C9F12D953 for <secdir@ietf.org>; Mon, 26 Mar 2018 08:33:54 -0700 (PDT)
X-AuditID: 12074423-f19ff70000005f96-37-5ab912e07de4
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id F1.64.24470.0E219BA5; Mon, 26 Mar 2018 11:33:53 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w2QFXpaL018613; Mon, 26 Mar 2018 11:33:51 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2QFXmSE014846 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 26 Mar 2018 11:33:50 -0400
Date: Mon, 26 Mar 2018 10:33:48 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: David Mandelberg <david+work@mandelberg.org>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <20180326153348.GE44086@kduck.kaduk.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6JqWvXdfePrBx95J-l2RuLIAq3A>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:34:00 -0000

On Fri, Mar 23, 2018 at 07:18:15PM -0400, David Mandelberg wrote:
> No worries about the delay. And I'm just a secdir reviewer, not an IESG 
> member, so I can't do anything about a DISCUSS.

FWIW, you should be able to edit the secdir review's summary
evaluation by going into the datatracker (while logged in), finding
the "my reviews" item from either the sidebar or the <username>
dropdown in the top, selecting the given review request from the
list, and using the "correct review" button.  I don't know that we
have a huge amount of experience with doing this, whether you can
change the reviewed revision as well, etc., so don't feel like you
have to do this.  (But if you do, please report back to the secdir
list how it went!)

Thanks,

Ben


From nobody Mon Mar 26 17:29:50 2018
Return-Path: <Alexander_Brotman@comcast.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7568A127871; Mon, 26 Mar 2018 17:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level: 
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVr_9PgWqA0V; Mon, 26 Mar 2018 17:29:46 -0700 (PDT)
Received: from vaadcmhout02.cable.comcast.com (vaadcmhout02.cable.comcast.com [96.114.28.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B5CC126BF7; Mon, 26 Mar 2018 17:29:46 -0700 (PDT)
X-AuditID: 60721c4c-c0e6a7000000248e-b0-5ab99079ec7d
Received: from VAADCEXC31.cable.comcast.com (vaadcmhoutvip.cable.comcast.com [96.115.73.56]) (using TLS with cipher AES256-SHA256 (256/256 bits)) (Client did not present a certificate) by vaadcmhout02.cable.comcast.com (SMTP Gateway) with SMTP id 04.13.09358.97099BA5; Mon, 26 Mar 2018 20:29:45 -0400 (EDT)
Received: from COPDCEX22.cable.comcast.com (147.191.124.153) by VAADCEXC31.cable.comcast.com (147.191.103.208) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1415.2; Mon, 26 Mar 2018 20:28:56 -0400
Received: from COPDCEX19.cable.comcast.com (147.191.124.150) by COPDCEX22.cable.comcast.com (147.191.124.153) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Mon, 26 Mar 2018 18:28:55 -0600
Received: from COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380]) by COPDCEX19.cable.comcast.com ([fe80::3aea:a7ff:fe36:8380%19]) with mapi id 15.00.1365.000; Mon, 26 Mar 2018 18:28:55 -0600
From: "Brotman, Alexander" <Alexander_Brotman@comcast.com>
To: Phillip Hallam-Baker <hallam@gmail.com>, Alexey Melnikov <alexey.melnikov@isode.com>
CC: "uta@ietf.org" <uta@ietf.org>, "draft-ietf-uta-smtp-tlsrpt.all@ietf.org" <draft-ietf-uta-smtp-tlsrpt.all@ietf.org>, IETF Discussion Mailing List <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
Thread-Index: AQHTtxUkfu2V6vvAdU6QiQx2eVCljKPc2CmAgAAOj4CABm5KIA==
Date: Tue, 27 Mar 2018 00:28:55 +0000
Message-ID: <81b2c2944a9143baafb4dc71af3788c8@COPDCEX19.cable.comcast.com>
References: <152053794569.13938.10396254284390037265@ietfa.amsl.com> <5AB3C901.5010009@isode.com> <CAMm+LwjzaHRO8PDNwSUEEETcEZfNiKbTc4-jo91Rj03Cg2Qy4g@mail.gmail.com>
In-Reply-To: <CAMm+LwjzaHRO8PDNwSUEEETcEZfNiKbTc4-jo91Rj03Cg2Qy4g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [96.114.156.9]
Content-Type: multipart/alternative; boundary="_000_81b2c2944a9143baafb4dc71af3788c8COPDCEX19cablecomcastco_"
MIME-Version: 1.0
X-CFilter-Loop: Forward
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bM3X-apyscDUTZ9zYEok5Z9maRc>
Subject: Re: [secdir] [Uta] Secdir last call review of draft-ietf-uta-smtp-tlsrpt-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 00:29:48 -0000

--_000_81b2c2944a9143baafb4dc71af3788c8COPDCEX19cablecomcastco_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_81b2c2944a9143baafb4dc71af3788c8COPDCEX19cablecomcastco_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_81b2c2944a9143baafb4dc71af3788c8COPDCEX19cablecomcastco_--


From nobody Tue Mar 27 13:45:17 2018
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E8C012E878; Tue, 27 Mar 2018 13:44:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley <housley@vigilsec.com>
To: <secdir@ietf.org>
Cc: draft-ietf-secevent-token.all@ietf.org, ietf@ietf.org, id-event@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.76.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152218349510.5239.9026903316972844190@ietfa.amsl.com>
Date: Tue, 27 Mar 2018 13:44:55 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/f90RZPvUQppXi50qaKeJ0nBauCI>
Subject: [secdir] Secdir telechat review of draft-ietf-secevent-token-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 20:45:03 -0000

Reviewer: Russ Housley
Review result: Has Issues

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-secevent-token-07
Reviewer: Russ Housley
Review Date: 2018-03-27
IETF LC End Date: unknown
IESG Telechat date: 2018-05-10

Summary: Has Issues

Process concern

A request for a telechat review of draft-ietf-secevent-token was
assigned to me.  However, there has not yet been an IETF Last Call
announced for this document.


Major Concerns

All of the examples in Section 2.1 are non-normative.  Instead of
stating that in each of the subsections, please add some text at the
top of Section 2.1 that says so.

I do not understand the first paragraph of Section 3.  I think you are
trying to impose some rules on future specifications that use SET to
define events.  Please reword.


Minor Concerns

The Abstract says:

   ...  This statement of fact
   represents an event that occurred to the security subject.  In some
   use cases, the security subject may be a digitial identity, but SETs
   are also applicable to non-identity use cases.  ...

Please correct the spelling of digital identity.

I do not think this tells the reader when they might want to employ this
specification.  The following sentence from the Introduction does a
better job:

   This specification is scoped to security and identity related events.


In Section 2, the last bullet on page 5 talks about the "events" JSON
object.  The last sentence caught me by surprise, and I had to read it a
few times to figure out the intent.  The events object cannot be "{}",
but the payload for an event in that object can be "{}".  I think that
a MUST statement about there being at least one URI string value would
have helped me.
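
The distinction drawn in the last comment above, as an added example (not part of the review or of the draft): a Python check that rejects an empty "events" object while accepting an empty payload for a named event. The function names, the sample claims and the `schemas.example` URIs are constructed for illustration, and the token's signature is assumed to have been verified before this check runs.

```python
import json
import re

# A URI needs a scheme (RFC 3986) followed by a non-empty, whitespace-free rest.
_URI_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:\S+")


def check_events_claim(claims):
    """Return a list of problems with the "events" claim; [] means it is acceptable."""
    if "events" not in claims:
        return ['missing "events" claim']
    events = claims["events"]
    if not isinstance(events, dict):
        return ['"events" must be a JSON object, got %s' % type(events).__name__]

    problems = []
    # The object itself may not be {}: at least one event identifier is required.
    if not events:
        problems.append('"events" must not be the empty object {}')
    for name, payload in events.items():
        # Each member name identifies the event and must be a URI string.
        if not _URI_RE.fullmatch(name):
            problems.append("event identifier %r is not a URI" % name)
        # Each member value is the event payload: a JSON object, which may be {}.
        if not isinstance(payload, dict):
            problems.append("payload for %r must be a JSON object" % name)
    return problems


def check_set_payload(raw):
    """Parse a decoded SET claims set (JSON text) and validate its "events" claim."""
    try:
        claims = json.loads(raw)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(claims, dict):
        return ["claims set must be a JSON object"]
    return check_events_claim(claims)


# Constructed sample claims sets (not taken from the draft).
SAMPLES = {
    "empty_payload_ok": '{"iss": "https://issuer.example", '
                        '"events": {"https://schemas.example/event/password-reset": {}}}',
    "empty_events": '{"iss": "https://issuer.example", "events": {}}',
    "bad_identifier": '{"events": {"password-reset": {}}}',
    "bad_payload": '{"events": {"https://schemas.example/event/logout": "done"}}',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_set_payload(raw) or "OK")
```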



From nobody Tue Mar 27 22:31:26 2018
Return-Path: <phil.hunt@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56294124217; Tue, 27 Mar 2018 22:31:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level: 
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F4oIGeqGpY2p; Tue, 27 Mar 2018 22:31:18 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39DBB1205D3; Tue, 27 Mar 2018 22:31:18 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w2S5Kock054799; Wed, 28 Mar 2018 05:31:17 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=UsBz8nUdUZ4XUf6K54P0TckaTCdi1ygu+vhya5PZyd0=; b=Bo9RTxhGfotud77BtRXZpWm9axeJL/fAKhMbmDQV6QLWU7YDLslH69S6Qxk3DTcQzQ6m 7sLeg+umiGWcV80UcteTg69zrLPSadmQpnDw+5SpFVHcMsTMYYLsohx2d/rOsxsOHABI Iqfu6OXeoFyrAHsrBoMDTglTMlGx6x7JbdMb5hIWwToSStQ4nOCZVuvSHd9ZTK6fkFrY 7XOjUP2g5MYUEQvI7lmmXUei/RoP4OMJ+/x/bs8y4yL6ejz0xfl3TT600wYlouYYZIde 4/46e1MqHIWH0TO6poTemY58yQ5wBUXzCMlosiX09rxyLyqwXaB6C31eBdhAX2MK2EDd wg== 
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2130.oracle.com with ESMTP id 2h04tu00nk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Mar 2018 05:31:17 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w2S5VG0R012429 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Mar 2018 05:31:16 GMT
Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w2S5VF5w009653; Wed, 28 Mar 2018 05:31:15 GMT
Received: from [192.168.1.70] (/108.172.184.55) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 27 Mar 2018 22:31:15 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (15D100)
In-Reply-To: <152218349510.5239.9026903316972844190@ietfa.amsl.com>
Date: Tue, 27 Mar 2018 22:31:13 -0700
Cc: secdir@ietf.org, draft-ietf-secevent-token.all@ietf.org, ietf@ietf.org, id-event@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <0F1675A5-D2D0-425B-BB47-D2EC84B37AA6@oracle.com>
References: <152218349510.5239.9026903316972844190@ietfa.amsl.com>
To: Russ Housley <housley@vigilsec.com>
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8845 signatures=668695
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803280054
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SmF-kHcYaHv5IIOn7MkJ0X6FTHc>
Subject: Re: [secdir] [Id-event] Secdir telechat review of draft-ietf-secevent-token-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 05:31:20 -0000

Russ

Thanks for your review. I am away on holiday but hope to find an opportunity
to get back to you on your review in the coming days.

Thanks,

Phil

> On Mar 27, 2018, at 1:44 PM, Russ Housley <housley@vigilsec.com> wrote:
>
> Reviewer: Russ Housley
> Review result: Has Issues
>
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
>
> Document: draft-ietf-secevent-token-07
> Reviewer: Russ Housley
> Review Date: 2018-03-27
> IETF LC End Date: unknown
> IESG Telechat date: 2018-05-10
>
> Summary: Has Issues
>
> Process concern
>
> A request for a telechat review of draft-ietf-secevent-token was
> assigned to me.  However, there has not yet been an IETF Last Call
> announced for this document.
>
>
> Major Concerns
>
> All of the examples in Section 2.1 are non-normative.  Instead of
> stating that in each of the subsections, please add some text at the
> top of Section 2.1 that says so.
>
> I do not understand the first paragraph of Section 3.  I think you are
> trying to impose some rules on future specifications that use SET to
> define events.  Please reword.
>
>
> Minor Concerns
>
> The Abstract says:
>
>   ...  This statement of fact
>   represents an event that occurred to the security subject.  In some
>   use cases, the security subject may be a digitial identity, but SETs
>   are also applicable to non-identity use cases.  ...
>
> Please correct the spelling of digital identity.
>
> I do not think this tells the reader when they might want to employ this
> specification.  The following sentence from the Introduction does a
> better job:
>
>   This specification is scoped to security and identity related events.
>
>
> In Section 2, the last bullet on page 5 talks about the "events" JSON
> object.  The last sentence caught me by surprise, and I had to read it a
> few times to figure out the intent.  The events object cannot be "{}",
> but the payload for an event in that object can be "{}".  I think that
> a MUST statement about there being at least one URI string value would
> have helped me.
>



From nobody Wed Mar 28 05:59:14 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFC3A126FDC; Wed, 28 Mar 2018 05:59:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zznqm9qUjedd; Wed, 28 Mar 2018 05:59:04 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 039411242F7; Wed, 28 Mar 2018 05:59:03 -0700 (PDT)
X-AuditID: 12074422-49dff7000000583f-97-5abb91942575
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 9C.A6.22591.5919BBA5; Wed, 28 Mar 2018 08:59:02 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w2SCwuxa031086; Wed, 28 Mar 2018 08:58:58 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2SCwq2v001828 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 28 Mar 2018 08:58:55 -0400
Date: Wed, 28 Mar 2018 07:58:52 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Russ Housley <housley@vigilsec.com>
Cc: secdir@ietf.org, draft-ietf-secevent-token.all@ietf.org, id-event@ietf.org
Message-ID: <20180328125852.GC76724@kduck.kaduk.org>
References: <152218349510.5239.9026903316972844190@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <152218349510.5239.9026903316972844190@ietfa.amsl.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qbhLBrQCy9hcdAjWGooQdHE3CJU>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-secevent-token-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 12:59:07 -0000

Hi Russ,

On Tue, Mar 27, 2018 at 01:44:55PM -0700, Russ Housley wrote:
> Reviewer: Russ Housley
> Review result: Has Issues
> 
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
> 
> Document: draft-ietf-secevent-token-07
> Reviewer: Russ Housley
> Review Date: 2018-03-27
> IETF LC End Date: unknown
> IESG Telechat date: 2018-05-10
> 
> Summary: Has Issues
> 
> Process concern
> 
> A request for a telechat review of draft-ietf-secevent-token was
> assigned to me.  However, there has not yet been an IETF Last Call
> announced for this document.

Thanks for the review, and for pointing out the process nit.
Getting on a telechat is pretty hard at the moment due to the large
spike in documents we saw prior to the IESG cutover.  I should still
have time to complete my AD review and issue the IETF LC with time
to spare before 2018-05-10, though.

Authors, please feel free to address Russ's comments in a new
revision if you can do so before the IETF LC is issued.

Thanks,

Ben

> 
> Major Concerns
> 
> All of the examples in Section 2.1 are non-normative.  Instead of
> stating that in each of the subsections, please add some text at the
> top of Section 2.1 that says so.
> 
> I do not understand the first paragraph of Section 3.  I think you are
> trying to impose some rules on future specifications that use SET to
> define events.  Please reword.
> 
> 
> Minor Concerns
> 
> The Abstract says:
> 
>    ...  This statement of fact
>    represents an event that occurred to the security subject.  In some
>    use cases, the security subject may be a digitial identity, but SETs
>    are also applicable to non-identity use cases.  ...
> 
> Please correct the spelling of digital identity.
> 
> I do not think this tells the reader when they might want to employ this
> specification.  The following sentence from the Introduction does a
> better job:
> 
>    This specification is scoped to security and identity related events.
> 
> 
> In Section 2, the last bullet on page 5 talks about the "events" JSON
> object.  The last sentence caught me by surprise, and I had to read it a
> few times to figure out the intent.  The events object cannot be "{}",
> but the payload for an event in that object can be "{}".  I think that
> a MUST statement about there being at least one URI string value would
> have helped me.
> 
> 


From nobody Wed Mar 28 12:09:54 2018
Return-Path: <david+work@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 744AF1275AB for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 12:09:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dj9vu7gfyhu2 for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 12:09:50 -0700 (PDT)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCF621274D2 for <secdir@ietf.org>; Wed, 28 Mar 2018 12:09:49 -0700 (PDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=WbdOUApX c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=v2DPQv5-lfwA:10 a=bmmO2AaSJ7QA:10 a=BTUBnpS-AAAA:8 a=V4z0csEw2s1RRhZfA9oA:9 a=QEXdDO2ut3YA:10 a=pblkFgjdBCuYZ9-HdJ6i:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp03.rcn.cmh.synacor.com header.from=david+work@mandelberg.org; sender-id=neutral
Authentication-Results: smtp03.rcn.cmh.synacor.com smtp.mail=david+work@mandelberg.org; spf=neutral; sender-id=neutral
Authentication-Results: smtp03.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received-SPF: neutral (smtp03.rcn.cmh.synacor.com: 209.6.43.168 is neither permitted nor denied by domain of mandelberg.org)
Received: from [209.6.43.168] ([209.6.43.168:44118] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david+work@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384)  id 46/F9-03546-C78EBBA5; Wed, 28 Mar 2018 15:09:49 -0400
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 3CF791C603B; Wed, 28 Mar 2018 15:09:48 -0400 (EDT)
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "secdir@ietf.org" <secdir@ietf.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org>
From: David Mandelberg <david+work@mandelberg.org>
Organization: David Mandelberg, LLC
Message-ID: <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org>
Date: Wed, 28 Mar 2018 15:09:46 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180326153348.GE44086@kduck.kaduk.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/S-j5SRfgYgT1rcri_ePIGPLduBY>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 19:09:52 -0000

On 03/26/2018 11:33 AM, Benjamin Kaduk wrote:
> On Fri, Mar 23, 2018 at 07:18:15PM -0400, David Mandelberg wrote:
>> No worries about the delay. And I'm just a secdir reviewer, not an IESG
>> member, so I can't do anything about a DISCUSS.
> 
> FWIW, you should be able to edit the secdir review's summary
> evaluation by going into the datatracker (while logged in), finding
> the "my reviews" item from either the sidebar or the <username>
> dropdown in the top, selecting the given review request from the
> list, and using the "correct review" button.  I don't know that we
> have a huge amount of experience with doing this, whether you can
> change the reviewed revision as well, etc., so don't feel like you
> have to do this.  (But if you do, please report back to the secdir
> list how it went!)

I edited it, so the state is now Ready. One thing that surprised me 
though, is that adding a new review version changed the review link 
("posted at") and status for the old review version.

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Wed Mar 28 12:21:39 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B54C21275AB for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 12:21:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JJnAHzJ52Zfp for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 12:21:37 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00DC0126DC2 for <secdir@ietf.org>; Wed, 28 Mar 2018 12:21:36 -0700 (PDT)
X-AuditID: 12074423-60fff70000005664-61-5abbeb3df1cd
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id FA.92.22116.E3BEBBA5; Wed, 28 Mar 2018 15:21:35 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w2SJLWuZ001369; Wed, 28 Mar 2018 15:21:33 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2SJLTBl024802 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 28 Mar 2018 15:21:31 -0400
Date: Wed, 28 Mar 2018 14:21:29 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: David Mandelberg <david+work@mandelberg.org>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <20180328192129.GG76724@kduck.kaduk.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org> <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ujuuBMbXT13CKUqoU-FSn-NiRNs>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 19:21:39 -0000

On Wed, Mar 28, 2018 at 03:09:46PM -0400, David Mandelberg wrote:
> On 03/26/2018 11:33 AM, Benjamin Kaduk wrote:
> > On Fri, Mar 23, 2018 at 07:18:15PM -0400, David Mandelberg wrote:
> >> No worries about the delay. And I'm just a secdir reviewer, not an IESG
> >> member, so I can't do anything about a DISCUSS.
> > 
> > FWIW, you should be able to edit the secdir review's summary
> > evaluation by going into the datatracker (while logged in), finding
> > the "my reviews" item from either the sidebar or the <username>
> > dropdown in the top, selecting the given review request from the
> > list, and using the "correct review" button.  I don't know that we
> > have a huge amount of experience with doing this, whether you can
> > change the reviewed revision as well, etc., so don't feel like you
> > have to do this.  (But if you do, please report back to the secdir
> > list how it went!)
> 
> I edited it, so the state is now Ready. One thing that surprised me 
> though, is that adding a new review version changed the review link 
> ("posted at") and status for the old review version.

Perhaps that's a function of editing the existing review request
instead of creating a new review object for the new version.  Maybe
Tero understands this better than I do and wants to say something
about the expected/desired workflow...

Thanks for circling back,

Ben


From nobody Wed Mar 28 14:38:42 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C1461273E2 for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 14:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbIPvNUxvuTy for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 14:38:38 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3BEC127337 for <secdir@ietf.org>; Wed, 28 Mar 2018 14:38:37 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w2SLcY5h006577 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 29 Mar 2018 00:38:34 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w2SLcYaO009039; Thu, 29 Mar 2018 00:38:34 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23228.2906.789875.266549@fireball.acr.fi>
Date: Thu, 29 Mar 2018 00:38:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: David Mandelberg <david+work@mandelberg.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "secdir\@ietf.org" <secdir@ietf.org>
In-Reply-To: <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org> <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 14 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HW2wuB3ISnl2ocAeCNGpCkJlJ1A>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 21:38:40 -0000

David Mandelberg writes:
> On 03/26/2018 11:33 AM, Benjamin Kaduk wrote:
> > On Fri, Mar 23, 2018 at 07:18:15PM -0400, David Mandelberg wrote:
> >> No worries about the delay. And I'm just a secdir reviewer, not an IESG
> >> member, so I can't do anything about a DISCUSS.
> > 
> > FWIW, you should be able to edit the secdir review's summary
> > evaluation by going into the datatracker (while logged in), finding
> > the "my reviews" item from either the sidebar or the <username>
> > dropdown in the top, selecting the given review request from the
> > list, and using the "correct review" button.  I don't know that we
> > have a huge amount of experience with doing this, whether you can
> > change the reviewed revision as well, etc., so don't feel like you
> > have to do this.  (But if you do, please report back to the secdir
> > list how it went!)
> 
> I edited it, so the state is now Ready. One thing that surprised me 
> though, is that adding a new review version changed the review link 
> ("posted at") and status for the old review version.

"Correct review" is meant to be used when you want to correct some
mistake in your review. For example link points to wrong location or
version does not match.

You can also use it to fix the "review summary" if it is incorrect for
some reason, but it is not really meant to be used to mark whether the
discussion triggered by the review caused the issues to be fixed.
I.e., if the issues found in review are fixed, you do not edit the
review, but simply reply to the review thread in mailing lists saying
that "Yes, this solves my issues" or similar, so when ADs check the
thread they will see that as final email in the thread and know that
issues have been solved.

Perhaps we should make #2217 higher priority, so reviewers could enter
unsolicited reviews themselves. 

[1] https://trac.tools.ietf.org/tools/ietfdb/ticket/2217
-- 
kivinen@iki.fi


From nobody Wed Mar 28 17:46:46 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3FF8128C0A for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 17:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NQ32q6NlQo3S for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 17:46:42 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15927126C25 for <secdir@ietf.org>; Wed, 28 Mar 2018 17:46:41 -0700 (PDT)
X-AuditID: 12074423-627ff70000005664-dd-5abc376fc72f
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 4E.26.22116.F673CBA5; Wed, 28 Mar 2018 20:46:40 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w2T0kctR009888; Wed, 28 Mar 2018 20:46:38 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2T0kXv3007490 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 28 Mar 2018 20:46:37 -0400
Date: Wed, 28 Mar 2018 19:46:33 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Tero Kivinen <kivinen@iki.fi>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <20180329004632.GM76724@kduck.kaduk.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org> <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org> <23228.2906.789875.266549@fireball.acr.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <23228.2906.789875.266549@fireball.acr.fi>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/D4LDu6tgF5WcZe8q7jYlmqXdcBk>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 00:46:44 -0000

Hi Tero,

On Thu, Mar 29, 2018 at 12:38:34AM +0300, Tero Kivinen wrote:
> 
> "Correct review" is meant to be used when you want to correct some
> mistake in your review. For example link points to wrong location or
> version does not match.
> 
> You can also use it to fix the "review summary" if it is incorrect for
> some reason, but it is not really meant to be used to mark whether the
> discussion triggered by the review caused the issues to be fixed.
> I.e., if the issues found in review are fixed, you do not edit the
> review, but simply reply to the review thread in mailing lists saying
> that "Yes, this solves my issues" or similar, so when ADs check the
> thread they will see that as final email in the thread and know that
> issues have been solved.

Thanks for the clarification!

> Perhaps we should make #2217 higher priority, so reviewers could enter
> unsolicited reviews themselves. 
> 
> [1] https://trac.tools.ietf.org/tools/ietfdb/ticket/2217

It's not entirely clear how often the situation comes up, so I'll
not try to influence the tools team's prioritization.  It will
probably be fine to just tell document authors who want to see a
"clean secdir review" that the system is set up to work differently.

-Ben


From nobody Wed Mar 28 21:27:05 2018
Return-Path: <david+work@mandelberg.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFC12126C0F for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 21:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XT8718ny7zQB for <secdir@ietfa.amsl.com>; Wed, 28 Mar 2018 21:27:02 -0700 (PDT)
Received: from smtp.rcn.com (smtp.rcn.com [69.168.97.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6A91124B0A for <secdir@ietf.org>; Wed, 28 Mar 2018 21:27:01 -0700 (PDT)
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=WbdOUApX c=1 sm=1 tr=0 a=OXtaa+9CFT7WVSERtyqzJw==:117 a=OXtaa+9CFT7WVSERtyqzJw==:17 a=KGjhK52YXX0A:10 a=IkcTkHD0fZMA:10 a=NTnny0joGdQA:10 a=v2DPQv5-lfwA:10 a=bmmO2AaSJ7QA:10 a=BTUBnpS-AAAA:8 a=t4eUvFSQmwmfZqTOtOgA:9 a=QEXdDO2ut3YA:10 a=pblkFgjdBCuYZ9-HdJ6i:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Authed-Username: ZHNlb21uQHJjbi5jb20=
Authentication-Results: smtp03.rcn.cmh.synacor.com header.from=david+work@mandelberg.org; sender-id=neutral
Authentication-Results: smtp03.rcn.cmh.synacor.com smtp.mail=david+work@mandelberg.org; spf=neutral; sender-id=neutral
Authentication-Results: smtp03.rcn.cmh.synacor.com smtp.user=dseomn@rcn.com; auth=pass (LOGIN)
Received-SPF: neutral (smtp03.rcn.cmh.synacor.com: 209.6.43.168 is neither permitted nor denied by domain of mandelberg.org)
Received: from [209.6.43.168] ([209.6.43.168:44252] helo=uriel.mandelberg.org) by smtp.rcn.com (envelope-from <david+work@mandelberg.org>) (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTPSA (cipher=DHE-RSA-AES256-GCM-SHA384)  id 4A/80-03546-41B6CBA5; Thu, 29 Mar 2018 00:27:00 -0400
Received: from [192.168.1.152] (DD-WRT [192.168.1.1]) by uriel.mandelberg.org (Postfix) with ESMTPSA id E34651C609C; Thu, 29 Mar 2018 00:26:59 -0400 (EDT)
To: Benjamin Kaduk <kaduk@mit.edu>, Tero Kivinen <kivinen@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>
References: <3b7c6cdc-0e9e-0a57-e030-ae3a715c6a03@mandelberg.org> <e32e5f9bc00043e3a8b86205d434c35d@XCH-ALN-001.cisco.com> <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org> <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org> <23228.2906.789875.266549@fireball.acr.fi> <20180329004632.GM76724@kduck.kaduk.org>
From: David Mandelberg <david+work@mandelberg.org>
Organization: David Mandelberg, LLC
Message-ID: <6df7eedf-530f-91c4-05bf-8b514ec661c1@mandelberg.org>
Date: Thu, 29 Mar 2018 00:26:57 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <20180329004632.GM76724@kduck.kaduk.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2P8gufkZ6zE6VD8Rzr3VZi5oKmA>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 04:27:04 -0000

On 03/28/2018 08:46 PM, Benjamin Kaduk wrote:
> Hi Tero,
> 
> On Thu, Mar 29, 2018 at 12:38:34AM +0300, Tero Kivinen wrote:
>>
>> "Correct review" is meant to be used when you want to correct some
>> mistake in your review. For example link points to wrong location or
>> version does not match.
>>
>> You can also use it to fix the "review summary" if it is incorrect for
>> some reason, but it is not really meant to be used to mark whether the
>> discussion triggered by the review caused the issues to be fixed.
>> I.e., if the issues found in review are fixed, you do not edit the
>> review, but simply reply to the review thread in mailing lists saying
>> that "Yes, this solves my issues" or similar, so when ADs check the
>> thread they will see that as final email in the thread and know that
>> issues have been solved.
> 
> Thanks for the clarification!

Ditto. Should I change the link and status back to what they were before?

-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/


From nobody Thu Mar 29 01:43:37 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EFDF1241F3 for <secdir@ietf.org>; Thu, 29 Mar 2018 01:43:36 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen <kivinen@iki.fi>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.76.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-to: secdir-secretary@mit.edu
Message-ID: <152231301641.24087.1753561885569746181.idtracker@ietfa.amsl.com>
Date: Thu, 29 Mar 2018 01:43:36 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ERnLsG4bAYfZYxfkTUxT9eSD8CI>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 08:43:36 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2018-04-05

Reviewer               LC end     Draft
Shaun Cooley           2018-03-06 draft-ietf-trill-over-ip-16
Donald Eastlake        2018-03-28 draft-ietf-teas-scheduled-resources-06
Daniel Gillmor         2018-03-19 draft-gutmann-scep-10
Daniel Gillmor         2018-03-26 draft-ietf-l2sm-l2vpn-service-model-08
Ben Laurie             2018-03-26 draft-ietf-6tisch-6top-protocol-10
Chris Lonvick         R2018-03-06 draft-ietf-6lo-rfc6775-update-16

For telechat 2018-04-19

Reviewer               LC end     Draft
Daniel Franke          2018-03-30 draft-ietf-mmusic-rid-14
Steve Hanna            2018-03-30 draft-ietf-core-senml-13
Christian Huitema      2018-04-06 draft-ietf-stir-rph-03
Klaas Wierenga         2018-02-23 draft-ietf-nfsv4-layout-types-10

For telechat 2018-05-10

Reviewer               LC end     Draft
John Bradley           2018-04-18 draft-ietf-acme-acme-11
Tobias Gondrom         2018-03-12 draft-ietf-tokbind-https-12
Paul Hoffman           None       draft-ietf-uta-mta-sts-14
Leif Johansson        R2018-02-26 draft-ietf-homenet-babel-profile-06
Barry Leiba            2018-04-10 draft-ietf-bess-evpn-prefix-advertisement-10

For telechat 2018-05-24

Reviewer               LC end     Draft
Tina Tsou              2018-02-26 draft-ietf-softwire-dslite-yang-15

Last calls:

Reviewer               LC end     Draft
Charlie Kaufman        2018-04-04 draft-ietf-dprive-padding-policy-04
Scott Kelly            2018-04-23 draft-kucherawy-dispatch-zstd-01
Tero Kivinen           2018-04-24 draft-ietf-curdle-des-des-des-die-die-die-05
Watson Ladd            2018-04-20 draft-hoffman-dns-in-json-13
Russ Mundy             2017-09-14 draft-spinosa-urn-lex-12
Taylor Yu              2018-04-24 draft-housley-suite-b-to-historic-04

Early review requests:

Reviewer               Due        Draft
Daniel Franke          2018-01-31 draft-ietf-intarea-provisioning-domains-00
Ólafur Guðmundsson     2018-01-09 draft-ietf-opsawg-nat-yang-09
Dan Harkins            2018-05-31 draft-ietf-dtn-bpsec-06

Next in the reviewer rotation:

  Chris Lonvick
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault
  Matthew Miller
  Adam Montville
  Kathleen Moriarty
  Russ Mundy
  Sandra Murphy


From nobody Thu Mar 29 02:12:37 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB4DC12D874; Thu, 29 Mar 2018 02:12:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eBA5OB4QFtZC; Thu, 29 Mar 2018 02:12:33 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB2561241F3; Thu, 29 Mar 2018 02:12:32 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w2T9CREH013301 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 29 Mar 2018 12:12:27 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w2T9CRiB003236; Thu, 29 Mar 2018 12:12:27 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23228.44539.59100.678232@fireball.acr.fi>
Date: Thu, 29 Mar 2018 12:12:27 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-curdle-des-des-des-die-die-die.all@tools.ietf.org
X-Edit-Time: 9 min
X-Total-Time: 9 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZhzZORPVL8zll47zCbP-VOYr9po>
Subject: [secdir] Secdir review of draft-ietf-curdle-des-des-des-die-die-die-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 09:12:36 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document deprecates 3DES and RC4 in Kerberos. This should have
been done several years ago, so the only problem I have with this
document is that it has year 2017 not 2012 in header :-)

This could go even further as it just marks those weak algorithms as
"SHOULD NOT", and especially the RC4 with unsalted MD4 based
string2key should be marked as "MUST NOT" at least in my opinion.

The document properly explains the reasons why those algorithms are
still there to maintain backward compatibility with Windows XP and
similar, but as Windows XP is already end of lifed, I think those
algorithms could also be marked as MUST NOT.

This document also gives recommendations both for Kerberos
implementations and deployments. Normally we do not give instructions
for the administrators, we just tell what implementors SHOULD or SHOULD
NOT do.

If we give recommendations to deployments, then I think those should
be MUST NOT instead of SHOULD NOT. I can still see some
implementations wanting to implement those algorithms to allow
backwards compatibility (i.e., go against SHOULD NOT), but no new
deployment should use them ever, and old deployments need to move
away from them ASAP.

Anyways as a summary I think this document is Ready.
-- 
kivinen@iki.fi


From nobody Thu Mar 29 04:53:17 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F068B12DA0A for <secdir@ietfa.amsl.com>; Thu, 29 Mar 2018 04:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWWOoPeGFqoo for <secdir@ietfa.amsl.com>; Thu, 29 Mar 2018 04:53:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6631712DA07 for <secdir@ietf.org>; Thu, 29 Mar 2018 04:53:14 -0700 (PDT)
X-AuditID: 1209190c-647ff700000035ce-e7-5abcd3a9f0dc
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 7F.62.13774.9A3DCBA5; Thu, 29 Mar 2018 07:53:13 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w2TBrC8U021979; Thu, 29 Mar 2018 07:53:12 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2TBr8de006853 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 29 Mar 2018 07:53:11 -0400
Date: Thu, 29 Mar 2018 06:53:08 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: David Mandelberg <david+work@mandelberg.org>
Cc: Tero Kivinen <kivinen@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <20180329115308.GE77617@kduck.kaduk.org>
References: <56ce2942-388f-d03b-721a-3b06af5559bc@mandelberg.org> <ef5efa3a9f1d434580946f1012ebb0bc@XCH-ALN-001.cisco.com> <9521bc0e-a1f2-046e-8e92-9e4a64237036@mandelberg.org> <d259d31119534e76b1ebf45faab43941@XCH-ALN-001.cisco.com> <894918aa-b853-299c-38f4-6c56ce385c64@mandelberg.org> <20180326153348.GE44086@kduck.kaduk.org> <d0274470-5737-57f4-1d16-0631f386403c@mandelberg.org> <23228.2906.789875.266549@fireball.acr.fi> <20180329004632.GM76724@kduck.kaduk.org> <6df7eedf-530f-91c4-05bf-8b514ec661c1@mandelberg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6df7eedf-530f-91c4-05bf-8b514ec661c1@mandelberg.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tRw1vD5rwmswyKNxIQqmaK9Smjs>
Subject: Re: [secdir] secdir review of draft-ietf-spring-segment-routing-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 11:53:16 -0000

On Thu, Mar 29, 2018 at 12:26:57AM -0400, David Mandelberg wrote:
> On 03/28/2018 08:46 PM, Benjamin Kaduk wrote:
> > Hi Tero,
> > 
> > On Thu, Mar 29, 2018 at 12:38:34AM +0300, Tero Kivinen wrote:
> >>
> >> "Correct review" is meant to be used when you want to correct some
> >> mistake in your review. For example link points to wrong location or
> >> version does not match.
> >>
> >> You can also use it to fix the "review summary" if it is incorrect for
> >> some reason, but it is not really meant to be used to mark whether the
> >> discussion triggered by the review caused the issues to be fixed.
> >> I.e., if the issues found in review are fixed, you do not edit the
> >> review, but simply reply to the review thread in mailing lists saying
> >> that "Yes, this solves my issues" or similar, so when ADs check the
> >> thread they will see that as final email in the thread and know that
> >> issues have been solved.
> > 
> > Thanks for the clarification!
> 
> Ditto. Should I change the link and status back to what they were before?

I wouldn't bother -- we can just go forward with the results we've
learned from the experiment.

-Ben


From nobody Sat Mar 31 20:59:59 2018
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70FD8126CF6; Sat, 31 Mar 2018 20:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level: 
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lTdob7S1puv3; Sat, 31 Mar 2018 20:59:47 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-oln040092003065.outbound.protection.outlook.com [40.92.3.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02C541205F0; Sat, 31 Mar 2018 20:59:43 -0700 (PDT)
Received: from BL2NAM02FT019.eop-nam02.prod.protection.outlook.com (10.152.76.60) by BL2NAM02HT029.eop-nam02.prod.protection.outlook.com (10.152.77.4) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.20.631.7; Sun, 1 Apr 2018 03:59:42 +0000
Received: from CY4PR04MB1031.namprd04.prod.outlook.com (10.152.76.59) by BL2NAM02FT019.mail.protection.outlook.com (10.152.77.166) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.631.7 via Frontend Transport; Sun, 1 Apr 2018 03:59:42 +0000
Received: from CY4PR04MB1031.namprd04.prod.outlook.com ([10.171.244.153]) by CY4PR04MB1031.namprd04.prod.outlook.com ([10.171.244.153]) with mapi id 15.20.0631.013; Sun, 1 Apr 2018 03:59:42 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dprive-padding-policy.all@ietf.org" <draft-ietf-dprive-padding-policy.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-dprive-padding-policy-04
Thread-Index: AQHTyW2atG5TU0ZcWUyBj0lqmSqtEg==
Date: Sun, 1 Apr 2018 03:59:42 +0000
Message-ID: <CY4PR04MB1031F3BE1AF7A66E5DCA0AF3DFA70@CY4PR04MB1031.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-incomingtopheadermarker: OriginalChecksum:1C57B031070C7B336772122C867197F8BA9DA357685F2912796B0FDAFD7B311F; UpperCasedChecksum:916AB289147DB3B16841E2095761227FC2A6EB87AF5D40771E610B1026D88A0A; SizeAsReceived:7097; Count:43
x-tmn: [Xi0uWE+ZrssDFpxw4frdD7yxvEcVMo+bM7IfoWlpgKpoGn8gqAV7qF9hjwlpuT0k]
x-ms-publictraffictype: Email
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322404)(1601125374)(1603101448)(1701031045); SRVR:BL2NAM02HT029; 
x-ms-traffictypediagnostic: BL2NAM02HT029:
x-ms-office365-filtering-correlation-id: 45a35235-474f-4750-2226-08d59784ffae
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:BL2NAM02HT029; BCL:0; PCL:0; RULEID:; SRVR:BL2NAM02HT029; 
x-forefront-prvs: 06290ECA9D
x-forefront-antispam-report: SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:BL2NAM02HT029; H:CY4PR04MB1031.namprd04.prod.outlook.com; FPR:; SPF:None; LANG:; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR04MB1031F3BE1AF7A66E5DCA0AF3DFA70CY4PR04MB1031namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 45a35235-474f-4750-2226-08d59784ffae
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2018 03:59:42.2981 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2NAM02HT029
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_c1U_gV1ncSEIlBOZtJ-NCKiJfU>
Subject: [secdir] Secdir review of draft-ietf-dprive-padding-policy-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Apr 2018 03:59:49 -0000

--_000_CY4PR04MB1031F3BE1AF7A66E5DCA0AF3DFA70CY4PR04MB1031namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary: Ready to advance to Experimental if typos are fixed unless
someone wants to quibble with the details of the algorithm. The
proposed algorithm has an empirical study to back it up.

This document proposes a padding policy for encrypted DNS requests
designed to make such requests less susceptible to traffic analysis
based on packet length. RFC7830 specifies extension mechanisms to DNS
to allow optional padding but makes no recommendations concerning how
much padding to use. While no agreement is necessary to assure
interoperability between the two ends of a connection, this document
gives operational guidance to implementers of reasonable policies to
apply.

There is a complex tradeoff between the privacy benefits of large
amounts of padding vs. the performance benefits of minimal padding, so
there can be no one "optimal" scheme. This document does a good job of
enumerating the important considerations for an implementer and the
recommended strategy is (in my opinion) a reasonable one for most
scenarios. I believe, however, that no padding (listed in Appendix A
as a Non-sensible Padding Policy) may be sensible in certain
situations where performance is at a premium, and that servers should
take their cues from clients and omit padding in a response if the
client has omitted it in the request.

I disagree with the "disadvantage" listed in section 4.3 that
generating a pseudo-random byte per packet sent could be a "hindrance"
on servers. High quality randomness is not needed (e.g., ARC4 would
work just fine), and so I would favor a scheme like the one listed in
section 4.4. But I don't believe the document should be held up to
debate this. If anything, publishing this document would get more
people thinking about the problem and perhaps find a reason to revise
it later.

Typos:

Page 4: "pading" -> "padding"
Page 5: "(pseudo) which" -> "(pseudo) random values which"
Page 5: "transction" -> "transaction"
Page 6: "does apply only" -> "applies only"
Page 5: "inffective" -> "ineffective"

 --Charlie




--_000_CY4PR04MB1031F3BE1AF7A66E5DCA0AF3DFA70CY4PR04MB1031namp_--

