
From nobody Tue Dec  1 19:05:20 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4C13A1446; Tue,  1 Dec 2020 19:05:07 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Daniel Migault via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, bess@ietf.org, draft-ietf-bess-mvpn-fast-failover.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160687830746.31155.12322884693503923028@ietfa.amsl.com>
Reply-To: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 01 Dec 2020 19:05:07 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VdHfYMLlIhKy-UqiIlIg8mMJcO8>
Subject: [secdir] Secdir telechat review of draft-ietf-bess-mvpn-fast-failover-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 03:05:12 -0000

Reviewer: Daniel Migault
Review result: Ready

I reviewed this document as part of the Security Directorate's ongoing effort to
review all IETF documents being processed by the IESG.  These comments were
written primarily for the benefit of the Security Area Directors.  Document
authors, document editors, and WG chairs should treat these comments just like
any other IETF Last Call comments.  Please note also that my expertise in BGP is
limited, so feel free to take these comments with a pinch of salt.

Review Results: Ready

My comments on version 11 have been addressed.

Yours,
Daniel



From nobody Tue Dec  1 19:09:05 2020
Return-Path: <gregimirsky@gmail.com>
MIME-Version: 1.0
References: <160687830746.31155.12322884693503923028@ietfa.amsl.com>
In-Reply-To: <160687830746.31155.12322884693503923028@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 1 Dec 2020 19:08:12 -0800
Message-ID: <CA+RyBmUv28Xfj-whpq=h3qSmX_=aw-UWgPazub0pfMBYju44xg@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: secdir@ietf.org, last-call@ietf.org, BESS <bess@ietf.org>,  draft-ietf-bess-mvpn-fast-failover.all@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005483d705b5728e96"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5lj5_aavc72pmvoO4uz8fcKjtpE>
Subject: Re: [secdir] Secdir telechat review of draft-ietf-bess-mvpn-fast-failover-13

--0000000000005483d705b5728e96
Content-Type: text/plain; charset="UTF-8"

Hi Daniel,
thank you for the review and your thoughtful comments that helped to
improve the document.

Regards,
Greg

On Tue, Dec 1, 2020 at 7:06 PM Daniel Migault via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Daniel Migault
> Review result: Ready
>
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should treat
> these comments just like any other IETF Last Call comments.  Please note
> also that my expertise in BGP is limited, so feel free to take these
> comments with a pinch of salt.
>
> Review Results: Ready
>
> My comments on version 11 have been addressed.
>
> Yours,
> Daniel
>
>
>

--0000000000005483d705b5728e96--


From nobody Wed Dec  2 07:49:58 2020
Return-Path: <lucaspardue.24.7@gmail.com>
MIME-Version: 1.0
References: <160357685316.11679.4088820464581761732@ietfa.amsl.com> <F79342DA-2463-43E6-8F52-8F7523AA04E0@eggert.org>
In-Reply-To: <F79342DA-2463-43E6-8F52-8F7523AA04E0@eggert.org>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Wed, 2 Dec 2020 15:49:38 +0000
Message-ID: <CALGR9oY4UPWJ3W8M8Wj99Bqg5-fS2EYkV+nF8m9NJn1E-nNGNA@mail.gmail.com>
To: Lars Eggert <lars@eggert.org>
Cc: Yoav Nir <ynir.ietf@gmail.com>, secdir@ietf.org, last-call@ietf.org,  IETF QUIC WG <quic@ietf.org>, draft-ietf-quic-invariants.all@ietf.org,  Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary="0000000000007a28cd05b57d317e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fIwaS5yX9vqu_r2UDlHqbdjmRe8>
Subject: Re: [secdir] Secdir last call review of draft-ietf-quic-invariants-11

--0000000000007a28cd05b57d317e
Content-Type: text/plain; charset="UTF-8"

Hello,

As mentioned previously, review comments raised during the secdir
invariants review were captured as issues on the QUIC WG GitHub repository.
These issues have been assessed by the document editor(s) and shepherd;
please see each individual issue for more-specific discussion. As a
summary, the following resolutions for issues are:

Close with no action
====================
https://github.com/quicwg/base-drafts/issues/4305

Kind regards
Lars and Lucas
QUIC WG Co-chairs

--0000000000007a28cd05b57d317e--


From nobody Wed Dec  2 07:57:01 2020
Return-Path: <lucaspardue.24.7@gmail.com>
MIME-Version: 1.0
References: <CAFOuuo4hcHoDjzCJzyxfU8Oq1cZzBXz9TAmUXuKPUE-PVNzQUQ@mail.gmail.com> <91D914EE-0205-47E4-9A38-3978DD9E18F1@eggert.org>
In-Reply-To: <91D914EE-0205-47E4-9A38-3978DD9E18F1@eggert.org>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Wed, 2 Dec 2020 15:56:36 +0000
Message-ID: <CALGR9obyZ2KEDSUEQqd_j78-DFobQkgYfKzUeJM+Bo_uOBHq_A@mail.gmail.com>
To: Lars Eggert <lars@eggert.org>
Cc: Radia Perlman <radiaperlman@gmail.com>, secdir@ietf.org, The IESG <iesg@ietf.org>,  draft-ietf-quic-tls.all@ietf.org, IETF QUIC WG <quic@ietf.org>,  Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary="000000000000706ad505b57d4a18"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6-hmwtWyjkahnV8HtraTQQhis1k>
Subject: Re: [secdir] Secdir review of draft-ietf-quic-tls-48

--000000000000706ad505b57d4a18
Content-Type: text/plain; charset="UTF-8"

Hello,

As mentioned previously, review comments raised during the secdir tls
review were captured as issues on the QUIC WG GitHub repository. These
issues have been assessed by the document editor(s) and shepherd; please
see each individual issue for more-specific discussion. As a summary, the
following resolutions for issues are:

Close with no action
====================
https://github.com/quicwg/base-drafts/issues/4323

Kind regards
Lars and Lucas
QUIC WG Co-chairs

On Mon, Nov 2, 2020 at 7:42 AM Lars Eggert <lars@eggert.org> wrote:

> Hi Radia,
>
> thank you for the review. I've opened a GitHub issue for any discussion
> related to this review: https://github.com/quicwg/base-drafts/issues/4323
>
> There is also a milestone at
> https://github.com/quicwg/base-drafts/milestone/7.
>
> Thanks,
> Lars
>
> > On 2020-11-1, at 4:40, Radia Perlman <radiaperlman@gmail.com> wrote:
> >
> > I have reviewed this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.
> > These comments were written primarily for the benefit of the security area
> > directors.  Document editors and WG chairs should treat these comments just
> > like any other last call comments.
> >
> > This document specifies the cryptographic exchanges and formats
> > associated with the QUIC protocol, which in turn is an ambitious protocol
> > that could over time replace TCP. quic-transport, quic-tls, and
> > quic-recovery represent a triple of I-Ds that are always used together and
> > could be combined into a single spec, though the length of the existing
> > specs is already daunting. In many cases, it is impossible to evaluate them
> > independently.
> >
> > As an interested outsider, I see these protocols as exceptionally well
> > designed and the specs exceptionally well written. I could not find even
> > any nits in a very long spec.
> >
> > It is misleading to regard this as a specification of running QUIC over
> > TLS. It is related to TLS in the same way that DTLS is related to TLS: it
> > imports much of the syntax, but there are many differences and its security
> > must be evaluated largely independently. My initial reaction to this spec
> > was to wonder why it did not simply run QUIC over DTLS. I believe the
> > answer is that careful integration improves the performance and is
> > necessary for some of the address agility/transition design.
> >
> > Given its potential importance, this deserves a thorough review by our
> > best security people. Fortunately, from the acknowledgements list, it
> > appears it has gotten that.
> >
> > There are a few aspects of the design that might raise eyebrows. For
> > example:
> >
> > 1) TLS exchanges start out in cleartext until a key can be negotiated.
> > QUIC data is always encrypted. The initial packets are encrypted with fixed
> > keys whose derivation is specified in the I-D until fresh keys are
> > negotiated. This isn't a security problem...it will just surprise people.
> >
> > 2) Applications using TLS can usually be configured to run over TCP in
> > contexts where cryptographic protection is not needed (e.g., use HTTP
> > instead of HTTPS). Applications using QUIC cannot. That is likely to mean
> > in practice that it will more frequently be the case that applications
> > using QUIC will need to connect to servers without certificates signed by a
> > CA trusted by the client (because that's the substitute when connecting to
> > a server without a certificate). It's not clear what the spec should say
> > about that, but perhaps the problem should be acknowledged.
> >
> > Radia
> >
>
>

--000000000000706ad505b57d4a18--
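
Point 1 of the review quoted in the message above says QUIC Initial packets are protected with fixed keys whose derivation the I-D specifies. The sketch below is an added example, not part of the original thread or of the QUIC WG's code: it reads the version and Destination Connection ID from a long header and derives the Initial keys from those values alone. It assumes the version 1 salt and sample connection ID published in RFC 9001 (the draft under review may have used a different salt); all function names are hypothetical.

```python
"""Derive QUIC Initial packet-protection keys from on-the-wire values only."""
import hashlib
import hmac
import struct

# Assumption of this example: salt for QUIC version 1 as published in
# RFC 9001, Section 5.2. Earlier drafts used other salts.
INITIAL_SALTS = {
    0x00000001: bytes.fromhex("38762cf7f55934b34d179ae6a4c80cadccbb7f0a"),
}


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, Section 7.1) with an empty context."""
    full = b"tls13 " + label.encode("ascii")
    info = struct.pack("!H", length) + bytes([len(full)]) + full + b"\x00"
    return hkdf_expand(secret, info, length)


def parse_long_header(datagram: bytes):
    """Return (version, dcid, scid) from the version-independent long header."""
    if len(datagram) < 7:  # flags + version + two length bytes
        raise ValueError("too short for a long header")
    if not datagram[0] & 0x80:
        raise ValueError("not a long-header packet")
    version = struct.unpack("!I", datagram[1:5])[0]
    pos, cids = 5, []
    for name in ("DCID", "SCID"):
        if pos >= len(datagram):
            raise ValueError(f"missing {name} length")
        n = datagram[pos]
        pos += 1
        if pos + n > len(datagram):
            raise ValueError(f"{name} runs past end of datagram")
        cids.append(datagram[pos:pos + n])
        pos += n
    return version, cids[0], cids[1]


def derive_initial_keys(version: int, client_dcid: bytes) -> dict:
    """Derive client and server Initial key, IV and header-protection key."""
    salt = INITIAL_SALTS.get(version)
    if salt is None:
        raise ValueError(f"no Initial salt known for version {version:#010x}")
    initial_secret = hkdf_extract(salt, client_dcid)
    keys = {}
    for side, label in (("client", "client in"), ("server", "server in")):
        secret = hkdf_expand_label(initial_secret, label, 32)
        keys[side] = {
            "key": hkdf_expand_label(secret, "quic key", 16),
            "iv": hkdf_expand_label(secret, "quic iv", 12),
            "hp": hkdf_expand_label(secret, "quic hp", 16),
        }
    return keys


def keys_from_datagram(datagram: bytes) -> dict:
    """What any party holding only the first datagram can compute."""
    version, dcid, _scid = parse_long_header(datagram)
    return derive_initial_keys(version, dcid)


# Constructed sample: long-header prefix built from the sample DCID in
# RFC 9001, Appendix A, with an empty Source Connection ID.
SAMPLE_DCID = bytes.fromhex("8394c8f03e515708")
SAMPLE_HEADER = (bytes([0xC0]) + struct.pack("!I", 1)
                 + bytes([len(SAMPLE_DCID)]) + SAMPLE_DCID + b"\x00")

if __name__ == "__main__":
    for side, material in keys_from_datagram(SAMPLE_HEADER).items():
        for name, value in material.items():
            print(f"{side:6} {name:3} {value.hex()}")
```

No secret input appears anywhere in the derivation, which is the sense in which the keys are "fixed": confidentiality and endpoint authentication only begin once the TLS handshake has produced fresh keys.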


From nobody Wed Dec  2 07:59:06 2020
Return-Path: <lucaspardue.24.7@gmail.com>
MIME-Version: 1.0
References: <160434842876.26069.16673628080135964837@ietfa.amsl.com> <CALGR9obcV-dGxG6yBNJiNv9ir3+wgRa-54NyzmQ-R-prtaNXqw@mail.gmail.com>
In-Reply-To: <CALGR9obcV-dGxG6yBNJiNv9ir3+wgRa-54NyzmQ-R-prtaNXqw@mail.gmail.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Wed, 2 Dec 2020 15:58:41 +0000
Message-ID: <CALGR9oZFF_YETuzxoHSnvVcoi5jKf9BegqrrMnd6XtnxwQ6YBA@mail.gmail.com>
To: Derrell Piper <ddp@electric-loft.org>
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-quic-recovery.all@ietf.org, QUIC WG <quic@ietf.org>, Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary="000000000000ec324605b57d5191"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/z7oPhPSVP6FoG_MGJdEsA7QvhgM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-quic-recovery-32

--000000000000ec324605b57d5191
Content-Type: text/plain; charset="UTF-8"

Hello,

As mentioned previously, review comments raised during the secdir recovery
review were captured as issues on the QUIC WG GitHub repository. These
issues have been assessed by the document editor(s) and shepherd; please
see each individual issue for more-specific discussion. As a summary, the
following resolutions for issues are:

Addressed via Pull Request, changes will appear in the next I-D
=======================================================
https://github.com/quicwg/base-drafts/issues/4324
 - https://github.com/quicwg/base-drafts/pull/4340


Kind regards
Lars and Lucas
QUIC WG Co-chairs

--000000000000ec324605b57d5191--


From nobody Wed Dec  2 09:47:07 2020
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
Reply-To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Wed, 02 Dec 2020 09:46:58 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TV4Qw2ionRmJ8skKzgUWzRTeDtw>
Subject: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-List-Received-Date: Wed, 02 Dec 2020 17:46:59 -0000

Reviewer: Stephen Farrell
Review result: Has Issues

I see two issues here worth checking:

1. I don't recall SipHash being used as a MAC in
any IETF standard before. We normally use HMAC,
even if truncated. Why make this change and was
that checked with e.g. CFRG? (And the URL given
in the reference gets me a 404.)

2. Is it really a good idea to use a 32 bit seconds
since 1970-01-01 in 2020? I'd have thought that e.g.
a timestamp in hours since then or seconds since
some date in 2020 would be better.

Here's a couple of nits too:
- section 1: what's a "strong cookie"?
- "gallimaufry" - cute! but not sure it'll help readers to learn that word.





From nobody Wed Dec  2 10:27:21 2020
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Ondřej Surý <ondrej@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 2 Dec 2020 19:25:58 +0100
Message-Id: <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org
In-Reply-To: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: iPhone Mail (18B121)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/U68BIr_LpuOkj5CEJZwgr20kvEI>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-List-Received-Date: Wed, 02 Dec 2020 18:27:13 -0000

Stephen,

ad 1) the performance is crucial for DNS over UDP and PRF such as SipHash
is more efficient than HMACs. No, it wasn’t consulted with CFRG, and I
can’t speak for Willem, but I am confident enough to make the decision.
SipHash is widely used for hash tables virtually anywhere now.

ad 2) we need a value that’s synchronized well enough and monotonic. I
honestly don’t see any value in using 64-bit value here. Using unixtime has
a value in itself, it’s a well-known and there’s a little room for any
implementor to make a mistake in an implementation. The interoperability is
more important than the actual value of the counter. It’s write only
counter, nobody is going to interpret it after it has been generated, and
it’s wide enough to prevent brute forcing.

Cheers,
Ondřej
--
Ondřej Surý — ISC (He/Him)



From nobody Wed Dec  2 12:38:21 2020
To: Ondřej Surý <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie>
Date: Wed, 2 Dec 2020 20:37:57 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="y37CmToVLBK4ueKrOXn6fvra4AbAVdNT5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/b5guOVuFlhz0WZY0r5xyDLzOE5s>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-List-Received-Date: Wed, 02 Dec 2020 20:38:11 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--y37CmToVLBK4ueKrOXn6fvra4AbAVdNT5
Content-Type: multipart/mixed; boundary="tNeJtOy9Irs94WyrJ6qMCVGWqJNS846Bt";
 protected-headers="v1"

--tNeJtOy9Irs94WyrJ6qMCVGWqJNS846Bt
Content-Type: multipart/mixed;
 boundary="------------11BC015D512BA1851E903115"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------11BC015D512BA1851E903115
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Hiya,

On 02/12/2020 18:25, Ondřej Surý wrote:
> Stephen,
>
> ad 1) the performance is crucial for DNS over UDP and PRF such as
> SipHash is more efficient than HMACs. No, it wasn’t consulted with
> CFRG, and I can’t speak for Willem, but I am confident enough to make
> the decision. SipHash is widely used for hash tables virtually
> anywhere now.

The text says that you need a MAC though. Personally, I
think it'd be wiser to (double-)check before using novel
crypto even if the only novelty is use in a standards
track RFC.

>
> ad 2) we need a value that’s synchronized well enough and monotonic.
> I honestly don’t see any value in using 64-bit value here. Using
> unixtime has a value in itself, it’s a well-known and there’s a
> little room for any implementor to make a mistake in an
> implementation. The interoperability is more important than the
> actual value of the counter. It’s write only counter, nobody is going
> to interpret it after it has been generated, and it’s wide enough to
> prevent brute forcing.

So what happens after 2038? That's really not v. far in the
future any more.

Cheers,
S.


--------------11BC015D512BA1851E903115--

--tNeJtOy9Irs94WyrJ6qMCVGWqJNS846Bt--

--y37CmToVLBK4ueKrOXn6fvra4AbAVdNT5--
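
The 32-bit seconds-since-1970 timestamp questioned in the review and the two replies above, worked through as an added example (not code from the draft or from anyone in this thread): it shows where a signed reading of the field goes negative (2038), where an unsigned reading wraps (2106), and a modular freshness check that keeps working across the wrap. The age and skew limits and all function names are assumptions made for the example; the thread does not say how the draft compares timestamps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed server policy for this example; neither limit comes from the thread. */
#define MAX_AGE_SECONDS  3600u  /* oldest timestamp still accepted */
#define MAX_SKEW_SECONDS  300u  /* how far ahead of "now" a timestamp may be */

/* A 32-bit field keeps only the low 32 bits of the Unix time. */
static uint32_t cookie_timestamp(uint64_t unix_seconds)
{
    return (uint32_t)(unix_seconds & 0xFFFFFFFFu);
}

/* The same 32 bits read as a signed two's-complement number. */
static int64_t as_signed32(uint32_t field)
{
    return field >= 0x80000000u ? (int64_t)field - 4294967296LL
                                : (int64_t)field;
}

/* Absolute comparison: correct only while no wrap lies between the
 * moment the timestamp was written and the moment it is checked. */
static bool fresh_absolute(uint32_t now, uint32_t stamp)
{
    if (stamp > now)
        return stamp - now <= MAX_SKEW_SECONDS;
    return now - stamp <= MAX_AGE_SECONDS;
}

/* Modular comparison: unsigned subtraction wraps modulo 2^32, so the
 * difference between two nearby instants is right even across a wrap. */
static bool fresh_modular(uint32_t now, uint32_t stamp)
{
    uint32_t age   = now - stamp;  /* small if stamp is slightly in the past */
    uint32_t ahead = stamp - now;  /* small if stamp is slightly in the future */
    return age <= MAX_AGE_SECONDS || ahead <= MAX_SKEW_SECONDS;
}

int main(void)
{
    const uint64_t t2038 = 2147483648ULL; /* 2^31 s: 2038-01-19T03:14:08Z */
    const uint64_t t2106 = 4294967296ULL; /* 2^32 s: 2106-02-07T06:28:16Z */
    uint32_t before = cookie_timestamp(t2106 - 16); /* written 16 s before wrap */
    uint32_t after  = cookie_timestamp(t2106 + 16); /* checked 16 s after wrap */

    printf("2038 field read as signed:   %lld\n",
           (long long)as_signed32(cookie_timestamp(t2038)));
    printf("2106 field read as unsigned: %lu\n",
           (unsigned long)cookie_timestamp(t2106));
    printf("32 s old across the wrap: absolute=%d modular=%d\n",
           fresh_absolute(after, before), fresh_modular(after, before));
    return 0;
}
```

The modular check cannot tell a timestamp that is 2^32 seconds old from a current one, so it relies on the secret behind the hash being rotated far more often than once per wrap.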


From nobody Wed Dec  2 13:18:11 2020
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
In-Reply-To: <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 2 Dec 2020 13:15:49 -0800
Message-ID: <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com>
To: Ondřej Surý <ondrej@isc.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, last-call@ietf.org,  draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop WG <dnsop@ietf.org>,  secdir@ietf.org
Content-Type: multipart/alternative; boundary="00000000000090507b05b581c1b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1feKfAG3AgZzZ4n0MGYa_8-iOGA>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-List-Received-Date: Wed, 02 Dec 2020 21:18:04 -0000

--00000000000090507b05b581c1b1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 2, 2020 at 10:32 AM Ondřej Surý <ondrej@isc.org> wrote:

> Stephen,
>
> ad 1) the performance is crucial for DNS over UDP and PRF such as SipHash
> is more efficient than HMACs. No, it wasn’t consulted with CFRG, and I
> can’t speak for Willem, but I am confident enough to make the decision.
> SipHash is widely used for hash tables virtually anywhere now.
>

Well hash tables are an application with somewhat different security
properties than MACs, so I don't think this is dispositive.

I concur with Stephen that CFRG should sign off on the use of SipHash here.
With that said, how does SipHash compare to GMAC in terms of performance?

-Ekr


> ad 2) we need a value that=E2=80=99s synchronized well enough and monoton=
ic. I
> honestly don=E2=80=99t see any value in using 64-bit value here. Using un=
ixtime has
> a value in itself, it=E2=80=99s a well-known and there=E2=80=99s a little=
 room for any
> implementor to make a mistake in an implementation. The interoperability =
is
> more important than the actual value of the counter. It=E2=80=99s write o=
nly
> counter, nobody is going to interpret it after it has been generated, and
> it=E2=80=99s wide enough to prevent brute forcing.
>
> Cheers,
> Ond=C5=99ej
> --
> Ond=C5=99ej Sur=C3=BD =E2=80=94 ISC (He/Him)
>
> > On 2. 12. 2020, at 18:47, Stephen Farrell via Datatracker <
> noreply@ietf.org> wrote:
> >
> > =EF=BB=BFReviewer: Stephen Farrell
> > Review result: Has Issues
> >
> > I see two issues here worth checking:
> >
> > 1. I don't recall SipHash being used as a MAC in
> > any IETF standard before. We normally use HMAC,
> > even if truncated. Why make this change and was
> > that checked with e.g. CFRG? (And the URL given
> > in the reference gets me a 404.)
> >
> > 2. Is it really a good idea to use a 32 bit seconds
> > since 1970-01-01 in 2020? I'd have thought that e.g.
> > a timestamp in hours since then or seconds since
> > some date in 2020 would be better.
> >
> > Here's a couple of nits too:
> > - section 1: what's a "strong cookie"?
> > - "gallimaufry" - cute! but not sure it'll help readers to learn that word.
> >
> >
> >
> >
>

--00000000000090507b05b581c1b1--


From nobody Wed Dec  2 13:39:18 2020
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Ondřej Surý <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>
Date: Wed, 2 Dec 2020 22:38:22 +0100
MIME-Version: 1.0
In-Reply-To: <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/s84ehkYXfSmKrmdQE2khhHqNGKQ>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-List-Received-Date: Wed, 02 Dec 2020 21:39:10 -0000

On 02-12-2020 at 21:37, Stephen Farrell wrote:

<snip>

>> ad 2) we need a value that’s synchronized well enough and monotonic.
>> I honestly don’t see any value in using 64-bit value here. Using
>> unixtime has a value in itself, it’s a well-known and there’s a
>> little room for any implementer to make a mistake in an
>> implementation. The interoperability is more important than the
>> actual value of the counter. It’s write only counter, nobody is going
>> to interpret it after it has been generated, and it’s wide enough to
>> prevent brute forcing.
> 
> So what happens after 2038? That's really not v. far in the
> future any more.

The draft states that `All comparisons involving these fields MUST
use "Serial number arithmetic", as defined in [RFC1982]'. So it can not
be used to compare differences larger than 68 years, but comparisons of
cookie timestamps are more in the "hours" order of magnitude.

Cheers,
-- Willem

> 
> Cheers,
> S.
> 
>>
>> Cheers, Ondřej -- Ondřej Surý — ISC (He/Him)
>>
>>> On 2. 12. 2020, at 18:47, Stephen Farrell via Datatracker
>>> <noreply@ietf.org> wrote:
>>>
>>> Reviewer: Stephen Farrell Review result: Has Issues
>>>
>>> I see two issues here worth checking:
>>>
>>> 1. I don't recall SipHash being used as a MAC in any IETF standard
>>> before. We normally use HMAC, even if truncated. Why make this
>>> change and was that checked with e.g. CFRG? (And the URL given in
>>> the reference gets me a 404.)
>>>
>>> 2. Is it really a good idea to use a 32 bit seconds since
>>> 1970-01-01 in 2020? I'd have thought that e.g. a timestamp in hours
>>> since then or seconds since some date in 2020 would be better.
>>>
>>> Here's a couple of nits too: - section 1: what's a "strong
>>> cookie"? - "gallimaufry" - cute! but not sure it'll help readers to
>>> learn that word.
>>>
>>>
>>>
>>>
>>
>>
> 
> 
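
The RFC 1982 comparison referred to in the message above, worked through for a 32-bit seconds field. This is an added example, not code from the draft or from any participant in the thread; the function names and the two thresholds (3600 s maximum age, 300 s tolerated skew) are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed thresholds (assumptions): the thread only says that cookie
 * timestamp comparisons are on the order of hours. */
#define MAX_AGE_SECS   3600u   /* reject timestamps older than this */
#define MAX_AHEAD_SECS  300u   /* tolerated clock skew into the future */

#define SERIAL_HALF 0x80000000u  /* 2^(SERIAL_BITS - 1) with SERIAL_BITS = 32 */

enum serial_order { SERIAL_BEFORE = -1, SERIAL_EQUAL = 0,
                    SERIAL_AFTER = 1, SERIAL_UNDEFINED = 2 };
enum ts_verdict { TS_OK, TS_EXPIRED, TS_FUTURE, TS_UNDEFINED };

/* RFC 1982 ordering of a relative to b. The forward distance from a to b is
 * taken modulo 2^32; less than half the number space means a precedes b. */
enum serial_order serial_cmp(uint32_t a, uint32_t b)
{
    uint32_t diff = (uint32_t)(b - a);
    if (diff == 0)
        return SERIAL_EQUAL;
    if (diff == SERIAL_HALF)
        return SERIAL_UNDEFINED;  /* exactly 2^31 apart: RFC 1982 leaves this undefined */
    return diff < SERIAL_HALF ? SERIAL_BEFORE : SERIAL_AFTER;
}

/* Freshness check on a 32-bit timestamp using serial number arithmetic. */
enum ts_verdict check_timestamp(uint32_t now, uint32_t ts)
{
    switch (serial_cmp(ts, now)) {
    case SERIAL_UNDEFINED:
        return TS_UNDEFINED;
    case SERIAL_AFTER:            /* timestamp lies ahead of the local clock */
        return (uint32_t)(ts - now) > MAX_AHEAD_SECS ? TS_FUTURE : TS_OK;
    default:                      /* at or before the local clock */
        return (uint32_t)(now - ts) > MAX_AGE_SECS ? TS_EXPIRED : TS_OK;
    }
}

/* The same check with an ordinary unsigned comparison, for contrast.
 * It misorders any pair that straddles the 2^32 wrap. */
enum ts_verdict naive_check(uint32_t now, uint32_t ts)
{
    if (ts <= now)
        return now - ts > MAX_AGE_SECS ? TS_EXPIRED : TS_OK;
    return ts - now > MAX_AHEAD_SECS ? TS_FUTURE : TS_OK;
}

static const char *verdict_name(enum ts_verdict v)
{
    switch (v) {
    case TS_OK:      return "ok";
    case TS_EXPIRED: return "expired";
    case TS_FUTURE:  return "future";
    default:         return "undefined";
    }
}

int main(void)
{
    /* Constructed sample pairs {now, timestamp}. 0x80000000 is the first
     * second a signed 32-bit time_t cannot hold (January 2038); the unsigned
     * field itself wraps at 2^32 (2106). */
    static const uint32_t cases[][2] = {
        { 0x80000010u, 0x7FFFFFF0u },  /* 32 s old, straddles 2^31 */
        { 0x00000010u, 0xFFFFFFF0u },  /* 32 s old, straddles 2^32 wrap */
        { 0x00000100u, 0xFFFFE4E0u },  /* 7200 s old, straddles wrap */
        { 0x80000000u, 0x00000000u },  /* exactly 2^31 s apart */
        { 0x80000001u, 0x00000000u },  /* more than 2^31 s (about 68 years) old */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t now = cases[i][0], ts = cases[i][1];
        printf("now=%08x ts=%08x serial=%-9s naive=%s\n",
               (unsigned)now, (unsigned)ts,
               verdict_name(check_timestamp(now, ts)),
               verdict_name(naive_check(now, ts)));
    }
    return 0;
}
```

The last sample pair shows the 68-year limit mentioned in the message: a timestamp more than 2^31 seconds old is ordered as lying in the future, so it is still rejected, only for a different reason.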


From nobody Wed Dec  2 13:43:27 2020
From: "STARK, BARBARA H" <bs7652@att.com>
To: "'Valery Smyslov'" <valery@smyslov.net>, "'secdir@ietf.org'" <secdir@ietf.org>
CC: "'last-call@ietf.org'" <last-call@ietf.org>, "'babel@ietf.org'" <babel@ietf.org>, "'draft-ietf-babel-information-model.all@ietf.org'" <draft-ietf-babel-information-model.all@ietf.org>
Thread-Topic: [babel] Secdir last call review of draft-ietf-babel-information-model-11
Date: Wed, 2 Dec 2020 21:41:44 +0000
Message-ID: <SN6PR02MB4512038BAD64B21126F201FFC3F30@SN6PR02MB4512.namprd02.prod.outlook.com>
References: <160372407981.20077.17795340180313190981@ietfa.amsl.com> <SN6PR02MB45124993BD909C37B3A97B5DC3EF0@SN6PR02MB4512.namprd02.prod.outlook.com> <000c01d6b34d$fc3bf5d0$f4b3e170$@smyslov.net> <SN6PR02MB451293B8659881B8E4F59455C3EA0@SN6PR02MB4512.namprd02.prod.outlook.com>
In-Reply-To: <SN6PR02MB451293B8659881B8E4F59455C3EA0@SN6PR02MB4512.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/eSC-7ApMvv0CulyawvA0AILB59w>
Subject: [secdir] FW: [babel] Secdir last call review of draft-ietf-babel-information-model-11
X-List-Received-Date: Wed, 02 Dec 2020 21:43:17 -0000

From nobody Wed Dec  2 13:43:37 2020
From: "STARK, BARBARA H" <bs7652@att.com>
To: "'secdir@ietf.org'" <secdir@ietf.org>
CC: "'last-call@ietf.org'" <last-call@ietf.org>, "'babel@ietf.org'" <babel@ietf.org>, "'draft-ietf-babel-information-model.all@ietf.org'" <draft-ietf-babel-information-model.all@ietf.org>
Thread-Topic: [babel] Secdir last call review of draft-ietf-babel-information-model-11
Date: Wed, 2 Dec 2020 21:42:02 +0000
Message-ID: <SN6PR02MB45120CDA36E69692985F869BC3F30@SN6PR02MB4512.namprd02.prod.outlook.com>
References: <160372407981.20077.17795340180313190981@ietfa.amsl.com> <SN6PR02MB45124993BD909C37B3A97B5DC3EF0@SN6PR02MB4512.namprd02.prod.outlook.com> <000c01d6b34d$fc3bf5d0$f4b3e170$@smyslov.net> <SN6PR02MB451293B8659881B8E4F59455C3EA0@SN6PR02MB4512.namprd02.prod.outlook.com> <027a01d6b66b$7f772940$7e657bc0$@smyslov.net>
In-Reply-To: <027a01d6b66b$7f772940$7e657bc0$@smyslov.net>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/90YcyVcS90Ya449tT0Zibc6Fb9o>
Subject: [secdir] FW: [babel] Secdir last call review of draft-ietf-babel-information-model-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 21:43:25 -0000

This was the response Valery sent.

-----Original Message-----
From: Valery Smyslov <valery@smyslov.net>
Sent: Monday, November 09, 2020 1:40 AM
To: STARK, BARBARA H <bs7652@att.com>
Subject: RE: [babel] Secdir last call review of draft-ietf-babel-information-model-11

Hi Barbara,

please, see inline.

> Hi Valery,
> I've cut this down to just the points that still need some discussion. Thx,
> Barbara
>
> > > > Issues.
> > > >
> > > > 1. Section 3.1:
> > > >
> > > >    babel-mac-algorithms:  List of supported MAC computation algorithms.
> > > >       Possible values include "HMAC-SHA256", "BLAKE2s".
> > > >
> > > > BLAKE2s can produce MACs of different sizes from 1 to 32 bytes and the
> > > > desired
> > > > size of the MAC is a parameter for it. Where is the size of the MAC specified?
> > For
> > > > HMAC with SHA256 I can at least imagine that full 256 bits output is used
> > as a
> > > > MAC...
> > >
> > > Juliusz said:
> > > > Right.  The intent is that Blake2s is used with 32-octet keys and 16-octet
> > > > hashes (collision-resistance is not a concern for Babel-MAC while
> > > > dictionary attacks are).  Barbara, I think that you should explicitly
> > > > state that Blake2s implies 128-bit hashes.  (You may also consider
> > > > renaming BLAKE2s to BLAKE2s-128.)
> > >
> > > The defined values for babel-mac-algorithms come directly from draft-ietf-
> > babel-hmac. The defined value
> > > names should map closely to the names used for the algorithms in that
> > draft -- which they currently do.
> > >
> > > If it needs to be explicitly stated somewhere that an implementation of
> > draft-ietf-babel-hmac with BLAKE2s
> > > outputs 128-bit MACs, then draft-ietf-babel-hmac (which was already
> > submitted for publication) would be the
> > > correct place to say that. The information model is not the right place,
> > unless there's some expectation for the
> > > size to be configurable or reportable. I'm not seeing any request for the
> > MAC size to be configured or reported
> > > via the information model.
> > >
> > > I'm proposing no change to the defined values of babel-mac-algorithms in
> > order to maintain complete
> > > consistency with the names used in draft-ietf-babel-hmac-12.
> >
> > My point was that the intent Juliusz mentioned (that Blake2s is used with 32-
> > octet keys and 16-octet
> > hashes) must be documented somewhere. If you think it must be in the
> > draft-ietf-babel-hmac,
> > I'm fine with this, but currently I cannot find any such requirement
> > anywhere.
>
> I had a chat with Juliusz and Toke. We discussed that we think
> draft-ietf-babel-hmac should mention the MAC size a BLAKE2s
> implementation should create. This draft is currently in
> the RFC Editor's Queue, but the preference would be to include this
> before publication. This has been taken to the babel WG list
> to get consensus there. There is some discussion as to whether it
> should be 128-bit or 256-bit. Juliusz included Valery on the WG thread.

Yes, I received those messages. Thanks.

> With that, I would also change the suggested string here in the info model
> to "BLAKE2s-<agreed-upon bit length>", just in case someone wanted to
> do BLAKE2s with different length MACs.
> Will this be acceptable?

Absolutely!

> > > > 2. Section 3.9:
> > > >
> > > >    babel-cert-test:  An operation that allows a hash of the provided
> > > >       input string to be created using the certificate public key and
> > > >       the SHA-256 hash algorithm.  Input to this operation is a binary
> > > >       string.  The output of this operation is the resulting hash, as a
> > > >       binary string.
> > > >
> > > > I failed to understand what this operation should do. Literally reading it is
> > > > intended to produce SHA2-256 hash of public key and some arbitrary
> > string
> > > > (concatenated? in what order?). But then I failed to understand the
> > purpose
> > > > of
> > > > this test. I would have understood if this operation provides signing of
> > the
> > > > arbitrary string using private key and SHA2-256 as a hash function
> > (similarly
> > > > to babel-mac-key-test), but it is not what is written...
> > >
> > > One of the most common problems in configuring security mechanisms is in
> > the format of the input key (hex,
> > > ASCII, base64, hashing that occurs to create "actual key", etc.). When a
> > security mechanism fails to work, it is
> > > important for users or device managers to be able to trouble-shoot this
> > specific point of failure. This test
> > > allows the user/manager to see if what this device thinks the MAC should
> > be is the same as what another
> > > device thinks the MAC should be or is the same as the MAC being sent on
> > the wire. Many ISPs have built a test
> > > like this into their ISP-supplied CE routers (invoked using the TR-069
> > protocol and TR-181 data model) to test
> > > various stored key values. It has proven useful.
> >
> > I'm still confused. Are we talking about MACs or about certificates for DTLS?
> > I have no problems with text describing test for MAC keys. The text I'm
> > having problem with
> > is about testing certificates for DTLS. The test it describes is not clear for me:
> > it suggests to perform SHA2-256 hash of an input string "using the certificate
> > public key".
> > It is unclear for me how you would use the certificate public key to produce a
> > hash
> > of some input string. So I believe the test should be clarified.
>
> Oops. Sorry. I totally mis-read your comment. Thanks for clarifying.

That's probably my fault, I should have been more clear from the very beginning.

> I see your point. That's pretty useless, as specified.
> The public and private parts of the key would really make something
> like this pretty complicated to actually use.
> I think I'd like to suggest just deleting babel-cert-test. Certificates aren't
> as finicky as MAC keys.

Another option would be to keep babel-cert-test, but redefine it
to perform something useful. E.g. to test whether certificate
is not expired, not revoked and whether its signature can be verified
using some trusted CA certificate.

But this is probably too complex for implementers and DTLS library checks certificates in any case,
so it's fine with me if you just delete babel-cert-test.

> > > > 3. Section 5 (Security Considerations):
> > > >
> > > > I think that text about keys (their length and properties) needs some
> > > > expansion. First, there are no RFC2119 words discouraging using short
> > > > and
> > > > weak keys (there is some text, but without RFC2119 words and with no
> > > > references
> > > > it's just hand waving). Note, that draft-ietf-babel-hmac-12 has some text
> > > > about
> > > > the properties of the keys, so I believe at least it must be referenced
> > here. I
> > > > also suspect that explicitly allowing zero-length and short keys will lead to
> > > > situations when some network operators will use them (because they
> > are
> > > > not
> > > > prohibited), thus subverting security properties of MAC...
> > >
> > > Thanks. I'll add a reference to draft-ietf-babel-hmac Security
> > Considerations.
> > >
> > > Zero length and short keys were discussed on the mailing list. The group
> > considered it appropriate to
> > > allow configuration of zero-length keys for testing but to advise people to
> > follow best
> > > current practices. I find the use of normative language to attempt to
> > control the behavior of
> > > a home network owner (for example) or someone setting up an informal
> > ad hoc mesh
> > > network (for example) to be odd. IMO, the IETF should not seek to control
> > > the choices of people putting together such relatively small-scale networks
> > through
> > > the use of strong normative language in an information model
> > specification. It's
> > > impossible to enforce and such people pretty much never read RFCs.
> > >
> > > If there is a strong desire for some sort of normative language, then I could
> > suggest
> > > OLD
> > >    MAC keys are allowed to be as short as zero-length.  This is useful
> > >    for testing.  Network operators are advised to follow current best
> > >    practices for key length and generation of keys related to the MAC
> > >    algorithm associated with the key.  Short (and zero-length) keys and
> > >    keys that make use of only alphanumeric characters are highly
> > >    susceptible to brute force attacks.
> > > NEW
> > >    MAC keys are allowed to be as short as zero-length.  This is useful
> > >    for testing.  Network operators are RECOMMENDED to follow current
> > best
> > >    practices for key length and generation of keys related to the MAC
> > >    algorithm associated with the key.  Short (and zero-length) keys and
> > >    keys that make use of only alphanumeric characters are highly
> > >    susceptible to brute force attacks. See the Security Considerations
> > >   section of [ID.draft-ietf-babel-hmac] for additional considerations
> > >   related to MAC keys.
> >
> > I would suggest additionally using "SHOULD NOT" for weak keys.
> > How about the following new text:
> >
> >     MAC keys are allowed to be as short as zero-length.  This is useful
> >     for testing.  Network operators are RECOMMENDED to follow current best
> >     practices for key length and generation of keys related to the MAC
> >     algorithm associated with the key.  Short (and zero-length) keys and
> >     keys that make use of only alphanumeric characters are highly
> >     susceptible to brute force attacks and thus SHOULD NOT be used.
> >     See the Security Considerations section of [ID.draft-ietf-babel-hmac]
> >     for additional considerations related to MAC keys.
> >
> > (note that "SHOULD NOT" still allows people to shoot in their feet if they
> > want to).
>
> OK. I'll make that change.

Thank you.

> > > > Nits.
> >
> > > > 4. Section 3.8:
> > > >
> > > >    babel-mac-key-use-sign:  Indicates whether this key value is used to
> > > >       sign sent Babel packets.  Sent packets are signed using this key
> > > >       if the value is "true".  If the value is "false", this key is not
> > > >       used to sign sent Babel packets.  An implementation MAY choose to
> > > >       expose this parameter as read-only ("ro").
> > > >
> > > > "Sign" is not a good word when you describe symmetric key operations
> > > > (which
> > > > computing MAC belongs to). Although it is often used informally, I think
> > that
> > > > RFC should be more meticulous in selecting words. I'd rather replace it
> > with
> > > > "compute MAC" and rename the entry to babel-mac-key-use-compute
> > or
> > > > babel-mac-key-use-mac (if it is possible). Note, that using "verify MAC" is
> > OK.
> > >
> > > I've been thinking through this. I can't speak to the informal nature of
> > "sign", but I can say that simply
> > > replacing "sign" with "compute" or "mac" wouldn't convey correctly what
> > this parameter is about. This
> > > parameter is primarily concerned with whether or not a MAC is included in
> > the sent packet. The sending is the
> > > critical piece, and not the computing (it's possible to compute the MAC
> > without sending it; a MAC in a sent
> > > packet is assumed to have been computed). I could change the description
> > to:
> > >        Indicates whether this key value is used to compute a MAC and include
> > that MAC in the
> > >        sent Babel packet.  A MAC for sent packets is computed using this key
> > >        if the value is "true".  If the value is "false", this key is not
> > >        used to compute a MAC to include in sent Babel packets.  An
> > implementation MAY choose to
> > >        expose this parameter as read-only ("ro")
> >
> > I'm fine with this.
> >
> > > But I struggle with the proposed parameter renaming. I strongly believe
> > the name should concisely describe
> > > that the Boolean value indicates whether or not to include a MAC in the
> > sent packet. The term "sign" is one
> > > I've commonly seen to indicate that a MAC is included in the sent packet.
> > I'm not aware of a different,
> > > similarly short word. "Compute" and "mac" do not convey the sending
> > aspect. And sending is very
> > > asymmetric.
> >
> > How about "use"?
>
> Use has two problems in that it's already being used as part of babel-mac-key-use-verify,
> and that it really needs a word to go with it to indicate how it's used (like the -verify).
> Perhaps "send"? babel-mac-key-use-send ?

Great!

Regards,
Valery.

> > > > 5. Section 3.8:
> > > >
> > > >    babel-mac-key-value:
> > > >        ...
> > > >       This value is of a length suitable for the associated babel-mac-key-
> > > >       algorithm.  If the algorithm is based on the HMAC construction
> > > >       [RFC2104], the length MUST be between 0 and the block size of the
> > > >       underlying hash inclusive (where "HMAC-SHA256" block size is 64
> > > >       bytes as described in [RFC4868]).  If the algorithm is "BLAKE2s",
> > > >       the length MUST be between 0 and 32 bytes inclusive, as described
> > > >       in [RFC7693].
> > > >
> > > > I wonder of the rationale for imposing the above restrictions on HMAC
> > key
> > > > length. HMAC can use keys of any length, but if the key is greater than
> > block
> > > > size of underlying hash function, then it's first hashed (small performance
> > > > penalty). So I imagine that the rationale is to avoid this penalty. However,
> > as
> > > > RFC2104 states, key sizes greater than output length of the underlying
> > hash
> > > > function (32 bytes in case of SHA2-256) would not significantly increase
> > the
> > > > function strength, so it's just a waste of space. See also Issue 3 above.
> > >
> > > Juliusz said:
> > > > This was discussed at length on the mailing list.  It's not about
> > > > performance, it's about making it more difficult to use an unsafe
> > > > procedure for generating keys.
> > > >
> > > > Since Babel-MAC is vulnerable to dictionary attacks, the key must either
> > > > be drawn randomly or generated using a procedure that is hardened
> > against
> > > > such attacks (scrypt, etc.).  Applying the procedure described in RFC 2104
> > > > to a user-provided passphrase is not safe, and therefore we try to make
> > it
> > > > difficult for a naive user to do so.
> > > >
> > > > I am opposed to putting the RFC 2104 hashing procedure in the
> > information
> > > > model.  Doing so would be a disservice to our users.
> > >
> > > In addition to the rationale Juliusz mentioned, we (babel WG) also noted
> > that implementers
> > > of the babel MAC function were using existing libraries for the HMAC-
> > SHA256 algorithm.
> > > The user interface (UI) that accepted manual key entry was also from an
> > existing library. When
> > > the same longer strings were entered into different UIs of the different
> > implementations, these
> > > strings were treated differently and resulted in non-interoperability. The
> > "actual key" (using
> > > RFC 2104 words) ended up different. Requiring entered keys to be directly
> > usable as "actual
> > > keys" solved this problem. BTW, I have considered UIs for direct
> > management and configuration
> > > to effectively be implementations of the information model.
> > >
> > > I recommend no changes to this text.
> >
> > I can live with this if you add "SHOULD NOT" for zero-length keys in the
> > Security Consideration
> > (as I suggested above).
>
> Agreed to the "SHOULD NOT". Thx.
>
> > > > 8. Section 5 (Security Considerations):
> > > >
> > > >    MAC keys are allowed to be as short as zero-length.  This is useful
> > > >    for testing.
> > > >
> > > > I wonder what's benefit of allowing zero-length keys for testing
> > purposes.
> > > > What
> > > > is intended to be tested in this case? Implementation of MAC? Is it really
> > > > needed outside test lab? Am I missing something?
> > >
> > > As with the -test actions, this allows someone to diagnose whether a
> > problem they are having is with the
> > > formatting
> > > of the input key (hex, padded, ASCII, base64, etc.). This is by far one of the
> > most common problems when
> > > attempting to
> > > get different implementations to interoperate.
> >
> > OK, but I'd rather still add "SHOULD NOT" for using them as I suggested
> > above.
>
> Agreed to the "SHOULD NOT". Thx.
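
The key and MAC-size points argued in the thread above, as an added example that is not part of the original message and is not code from the drafts or from any Babel implementation. The names `check_key`, `key_test` and `SHORT_KEY`, and all sample values, are assumptions made for illustration; the length limits are the ones quoted from Section 3.8.

```python
import hashlib
import hmac

# Key length limits in bytes, as quoted from Section 3.8 in the thread.
MAX_KEY_LEN = {"HMAC-SHA256": 64, "BLAKE2s": 32}
SHORT_KEY = 16  # assumption: the thread names no threshold for a "short" key


def check_key(algorithm, key):
    """Reject keys outside the allowed range; return warnings for weak ones."""
    limit = MAX_KEY_LEN[algorithm]
    if len(key) > limit:
        raise ValueError(f"{algorithm} key is {len(key)} bytes, limit is {limit}")
    warnings = []
    if len(key) == 0:
        warnings.append("zero-length key (testing only, SHOULD NOT be used)")
    elif len(key) < SHORT_KEY:
        warnings.append("short key")
    if key.isalnum():  # False for an empty key
        warnings.append("alphanumeric-only key")
    return warnings


def key_test(algorithm, key, data, mac_len=16):
    """MAC of `data` under the stored key, in the spirit of babel-mac-key-test.

    mac_len applies to BLAKE2s only; 16 is the size Juliusz gives as the intent.
    """
    check_key(algorithm, key)
    if algorithm == "HMAC-SHA256":
        return hmac.new(key, data, hashlib.sha256).digest()
    return hashlib.blake2s(data, key=key, digest_size=mac_len).digest()


# Constructed sample values.
DATA = b"constructed babel packet bytes"
SAMPLE_KEY = bytes(range(32))


def blake2s_size_is_not_truncation():
    """The digest size is a BLAKE2s parameter: a 16-byte MAC is not the
    first half of the 32-byte MAC, so both ends must agree on the size."""
    m16 = key_test("BLAKE2s", SAMPLE_KEY, DATA, 16)
    m32 = key_test("BLAKE2s", SAMPLE_KEY, DATA, 32)
    return m16 != m32[:16]


def zero_length_key_is_public_hash():
    """With a zero-length key the "MAC" is a hash anyone can compute."""
    unkeyed = hashlib.blake2s(DATA, digest_size=16).digest()
    return key_test("BLAKE2s", b"", DATA) == unkeyed


def long_key_is_hashed_by_rfc2104():
    """RFC 2104 hashes a key longer than the block size, so the passphrase
    and its SHA-256 digest act as the same "actual key"; check_key refuses
    the long form, which is the restriction defended in the thread."""
    passphrase = b"correct horse battery staple " * 3  # 87 bytes
    actual_key = hashlib.sha256(passphrase).digest()
    same = hmac.compare_digest(
        hmac.new(passphrase, DATA, hashlib.sha256).digest(),
        hmac.new(actual_key, DATA, hashlib.sha256).digest(),
    )
    try:
        check_key("HMAC-SHA256", passphrase)
        rejected = False
    except ValueError:
        rejected = True
    return same, rejected


def hex_text_vs_decoded_bytes():
    """The input-format mistake the key test is meant to expose: the same
    key entered as 64 hex characters versus the 32 bytes they encode."""
    as_typed = SAMPLE_KEY.hex().encode()
    differ = key_test("HMAC-SHA256", as_typed, DATA) != key_test(
        "HMAC-SHA256", SAMPLE_KEY, DATA
    )
    return differ, check_key("HMAC-SHA256", as_typed)


if __name__ == "__main__":
    print(blake2s_size_is_not_truncation())
    print(zero_length_key_is_public_hash())
    print(long_key_is_hashed_by_rfc2104())
    print(hex_text_vs_decoded_bytes())
```
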


From nobody Wed Dec  2 13:49:34 2020
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9054E3A1482; Wed,  2 Dec 2020 13:49:24 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGib0djgCOX2; Wed,  2 Dec 2020 13:49:22 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862B53A1471; Wed,  2 Dec 2020 13:49:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 8316ABE1C; Wed,  2 Dec 2020 21:49:19 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hn6yCHsgOCYd; Wed,  2 Dec 2020 21:49:17 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 44954BE20; Wed,  2 Dec 2020 21:49:17 +0000 (GMT)
To: Willem Toorop <willem@nlnetlabs.nl>, Ondřej Surý <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
Date: Wed, 2 Dec 2020 21:49:15 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="MkdrsTpbclBBl8g8WAfAxinKY4ikF0cXv"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/AJMgnqti0VfWx4_6ySJDIjPaG9U>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 21:49:25 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--MkdrsTpbclBBl8g8WAfAxinKY4ikF0cXv
Content-Type: multipart/mixed; boundary="IXA3Tx3WAdR7sPEBHBdNFWupdcjly0XnQ";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Willem Toorop <willem@nlnetlabs.nl>, Ondřej Surý
 <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org,
 dnsop@ietf.org, secdir@ietf.org
Message-ID: <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
Subject: Re: [DNSOP] Secdir last call review of
 draft-ietf-dnsop-server-cookies-04
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
 <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
 <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie>
 <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>
In-Reply-To: <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>

--IXA3Tx3WAdR7sPEBHBdNFWupdcjly0XnQ
Content-Type: multipart/mixed;
 boundary="------------33717FECCDD435185E3EE156"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------33717FECCDD435185E3EE156
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Hiya,

On 02/12/2020 21:38, Willem Toorop wrote:
> Op 02-12-2020 om 21:37 schreef Stephen Farrell:
>
> <snip>
>
>>> ad 2) we need a value that’s synchronized well enough and monotonic.
>>> I honestly don’t see any value in using 64-bit value here. Using
>>> unixtime has a value in itself, it’s a well-known and there’s a
>>> little room for any implementer to make a mistake in an
>>> implementation. The interoperability is more important than the
>>> actual value of the counter. It’s write only counter, nobody is going
>>> to interpret it after it has been generated, and it’s wide enough to
>>> prevent brute forcing.
>>
>> So what happens after 2038? That's really not v. far in the
>> future any more.
>
> The draft states that `All comparisons involving these fields MUST
> use "Serial number arithmetic", as defined in [RFC1982]'. So it can not
> be used to compare differences larger than 68 years, but comparisons of
> cookie timestamps are more in the "hours" order of magnitude.

Sorry for being dim, but is it clear what value to put
in those 4 octets in say 2039 such that different
implementations will do the right thing? I did glance
at rfc1982, so there may be very far-sighted text
in there that I missed:-) And it may even be fine
for this purpose if different servers differ by a
second or so at that point, but even if so, it may
be a bad plan to leave that unspecified in case
other timestamps use the same code.

Cheers,
S.

>
> Cheers,
> -- Willem
>=20
>>
>> Cheers,
>> S.
>>
>>>
>>> Cheers, Ondřej -- Ondřej Surý — ISC (He/Him)
>>>
>>>> On 2. 12. 2020, at 18:47, Stephen Farrell via Datatracker
>>>> <noreply@ietf.org> wrote:
>>>>
>>>> Reviewer: Stephen Farrell Review result: Has Issues
>>>>
>>>> I see two issues here worth checking:
>>>>
>>>> 1. I don't recall SipHash being used as a MAC in any IETF standard
>>>> before. We normally use HMAC, even if truncated. Why make this
>>>> change and was that checked with e.g. CFRG? (And the URL given in
>>>> the reference gets me a 404.)
>>>>
>>>> 2. Is it really a good idea to use a 32 bit seconds since
>>>> 1970-01-01 in 2020? I'd have thought that e.g. a timestamp in hours
>>>> since then or seconds since some date in 2020 would be better.
>>>>
>>>> Here's a couple of nits too: - section 1: what's a "strong
>>>> cookie"? - "gallimaufry" - cute! but not sure it'll help readers to
>>>> learn that word.
>>>>
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________ DNSOP mailing list
>>> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>>>
>
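
The RFC 1982 comparison discussed in this exchange, as an added example that is not part of the original message and is not code from the draft or from any DNS implementation. It assumes the 4-octet field carries the low 32 bits of Unix time read as unsigned, which is the encoding question raised above; `MAX_AGE`, `MAX_SKEW` and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # 2**32
HALF = 1 << (SERIAL_BITS - 1)   # 2**31 seconds, roughly 68 years

MAX_AGE = 3600   # assumption: accept cookies up to one hour old
MAX_SKEW = 300   # assumption: tolerate five minutes of clock skew


def to_timestamp(unix_seconds):
    """Assumed encoding: low 32 bits of Unix time, read as unsigned."""
    return unix_seconds % MOD


def as_signed32(ts):
    """What the same 4 octets look like to code that reads them as signed."""
    return ts - MOD if ts >= HALF else ts


def serial_lt(a, b):
    """RFC 1982 'less than' for two 32-bit serial numbers."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def serial_age(now_ts, cookie_ts):
    """Signed distance in seconds from cookie to now (positive = in the past)."""
    diff = (now_ts - cookie_ts) % MOD
    if diff == HALF:
        raise ValueError("RFC 1982 leaves a distance of exactly 2**31 undefined")
    return diff if diff < HALF else diff - MOD


def cookie_is_fresh(now_unix, cookie_ts):
    """Accept a cookie that is neither too old nor too far in the future."""
    age = serial_age(to_timestamp(now_unix), cookie_ts)
    return -MAX_SKEW <= age <= MAX_AGE


# 2039-01-01T00:00:00Z, the year asked about in the message above.
Y2039 = int(datetime(2039, 1, 1, tzinfo=timezone.utc).timestamp())


def demo():
    """Constructed cases: after 2038, and across the 32-bit wrap in 2106."""
    wrap_cookie = to_timestamp(MOD - 10)   # issued 10 s before the wrap
    wrap_now = MOD + 20                    # checked 20 s after the wrap
    return {
        "field_in_2039": to_timestamp(Y2039),
        "signed_view_in_2039": as_signed32(to_timestamp(Y2039)),
        "fresh_in_2039": cookie_is_fresh(Y2039, to_timestamp(Y2039 - 30)),
        "stale_in_2039": cookie_is_fresh(Y2039, to_timestamp(Y2039 - 7200)),
        "age_across_wrap": serial_age(to_timestamp(wrap_now), wrap_cookie),
        "serial_lt_across_wrap": serial_lt(wrap_cookie, to_timestamp(wrap_now)),
        "plain_lt_across_wrap": wrap_cookie < to_timestamp(wrap_now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under this assumed unsigned encoding the 2038 boundary is not special and the wrap in 2106 is handled by the serial comparison; an implementation that stores the field as a signed 32-bit integer sees a negative value from 2038 onward.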

--------------33717FECCDD435185E3EE156
Content-Type: application/pgp-keys;
 name="OpenPGP_0x5AB2FAF17B172BEA.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="OpenPGP_0x5AB2FAF17B172BEA.asc"

-----BEGIN PGP PUBLIC KEY BLOCK-----

16u
/HwA9/FXsPo5isbh4ZqD4t0VHpWkmfq1FPT9a/JPyX46qKqB2Fce/7Qy+SQP1NfkuUlbhUH/J=
G9a
SSYvk3lznNiH41x9M+FDlL106itXOubrl3oi2fT3fsSedq7uzt+IV0DQEeNaoQAUuwEhdB8IW=
OMq
N2woDjGVKJftfsSWY9ilZrnDBNDrp0vRqcx33LUMkIw4d7iBwsFzBBABCAAdFiEEfhcKBFyEz=
0YO
K3mgEO952f2DUxIFAlu3JJwACgkQEO952f2DUxJjuw/6ApHSsVTWD4a0H6FJ23A9Ftpy+aXZ4=
vYl
zkSrfsn2ECrEfK3lXQh/uzwjJUDYZeB1/BQsFZtcYNQOJSSHbQ49BFRLwb1J/wBZG4bbmrkLx=
nNb
KDKQvzxEpclkMW0Dj0J6o7kGrmzIGGrhB+JJN99AcineHRug8ZSFIERRCmigxdhAKU0BFD7P+=
5HN
HltSL3DF1c2fFOf2JrgBKVoE+9RhMZjWNbYetFFLCkjXb5Rpay9zeMm1DxfSTGAnuOwUXW6qq=
4hn
l5+VC/48ceDZElLLfu7RQUZv44pkSTOWZs+iQoJiHMFHk9wPqyB2Vok1yJ2a2j27WhXrJlPwn=
Zbg
JO5RyWDG3p/eVmpl5Uuc2dsfIpR17KnAuWpghK6V+cyFncDoGCl/YG2MvoolsW08FiZh3Ej4d=
nJj
j25TZkeFG74JJDXLvMYpJfSBGnmETv4Dhcm2xPqVMuFuL1qJlMbVLrMo2GXeo03OzNyvbs+u8=
WLI
aGm5hC7N1CXY8wZs4jo6OJ/expvnc07dEuws4zT3AiWv3nIouWReRStZy9QkavDocqbyPmilc=
dPC
Yk4BsOlzpwwO74hNG7iyl0KdAlwTxGQ7y0rJou6HYa1TmRhIEr3vKvlW+JfUUrqtjXgsuacTX=
o4+
Ira2JUErL2cYzQMq1j4r1ZyhFnuz93s7Rsx/Nw0+0YvCwNwEEAEKAAYFAlvFx+UACgkQajsRO=
Tyk
rWCJqwv+NLVPE4sD4sDA2/6Ek7UsRIUkg+S39fhqWsLc4rtw/mDunv8Un61I3K04fZ2Ry4nF9=
hZM
0a710UvXFbStvrzRJO3EAAcdJR9LTCd19e8UeruQbIee3YT91U4NkC9JMpecfq62/teOAU2e5=
P3f
WYaLs5ZX7zCLwWuBcW2l3SyoljQczM85HhJ3XHm+FnwQ6D9xRle+lvWTcuC9d1yAyUb8IOosp=
cL2
lJTmy8e3r79R24hPlSB4LDe0wEN8AXbagrcAQZjwyaHyWxjJbTwZ0b43WGdfIqZ1ElOeoffbk=
etP
GRmWvx5xUvb2ALFBBdETzV270gs5XDJgJ1SIIKOyDADxwvroTe2jD8C/841eEql5QSow3s/U3=
zRq
k3mttto8Qw/DN71aeh6dmYSsvd2UjsHw/vofOPRBGxZLEkKTEvMnhmMW9hiKPkPia+QgevYE0=
20q
pKSxLEdWA8nprHwxmGiDNesCfXSC6vm1qfyj5g8HzxSckq9ZaMhKMCo7vxflUEDuzsFNBFo9U=
DIB
EAD6DdHQfMav8OXfhjTteoarOrlJTSdci727xiezGPuBHmpvceBRZgRasdbaMc4HJee+R9+5x=
/nL
PCuy/DxDyIjwIUeJNgc+l7LjI9WfpHTD8U4xxjvR5Mi7+ToQQUOUNuzT0O0pyuxP1uY3RehHE=
hOV
fBZO59ipSeZL5iQC6T5MsK1SKfs51pLa5ToC1rc8tBJ4zZmxRAyZiYc/AH2uZ/6rYjTTkAn1D=
VI9
DYo2D/zE4bGjXdJW5pKphFB2lX3dG4I7ODi+5e1H6A/QpCu6z8/ZkIQ+9T1xcX/YwiFeA7PbT=
uW/
eITbMbI1eV3+fyym9aT7Rsflmp31Zxtr+sZwGGZf00ooMBFmqOS//NUQ/Vf3vDUew1h5QU1yD=
aWT
3NApvi+XWPH9TPy6TMfZA2FThHf11sX/gDBa5JWQZbptPEcmoazpiKZt91CrFPOaoXDPck/Q6=
1df
mr/oPikfByYnASIM3OwEuXqyQ9JDRfKrem5r+oA/wxWb5jELElAhOpnyqMMvOh7uz1foUssL8=
MAv
2TGXmxpVJ8Nu4je6wf96Z22fQ0D38zud+CKH3bMP3ayXXJBcdPoENrzFbWP5FTg/4TTDJ3vOA=
HZR
5iCunYghx8b7Ffa4UbkwlD+dh8GiIAtvT51Ac0cO0Wc0Zjc57zPUz1zloMbf+zb1Bsn7DuEQo=
qj1
gwARAQABwsFlBBgBCAAPBQJaPVAyAhsMBQkJlCYAAAoJEFqy+vF7FyvqrC8P/1tF6TeR83xD6=
Mas
qXyrBjwcLmziaF0Mlkj8k/YUiZ/knb53n97xQnh9yxPv0TT8Wpfdn3BmvqGyh8+ouHX9jMOxi=
RkM
dNhIauVYY/8jmRfBSYWcFkfMzdYasvdLtmYJgx252HKTFdeOrszoOjWjEzwmh+tca3AFMu/nB=
++/
KAmi5UJV7zsZ7uYJ5jm97LV5SLjNJIXXM+lHqCDrjDaDhNczmq1LCRlU6/WDjvkuwaVhZG4lX=
xMD
rvKnXMkjseQ2oKjwrIdfQM86H1z5J31lfhqop+of0cimcIsBgSCPu+h96LHuAzeRBCbDKeqrf=
ZtA
ZAGsokRina9947fRWxXHh3O66ILmXKNRxxWbDkPvYnQWUat8SbSTDoPWrDIGDRIAypqYo3pcN=
2OE
0C1chqgDZQxkr+9kYZQpupOAN2TR+fM7JvbO9coKI8Uqog8CopoMeDQkd0YjcqlB1E0svODHT=
zcS
oRzogDBYDqNLP7qVkNXpcOAXSVioBgiSDf7o5RdS/qmUyXBIeq6I5z8xBcd+BQ/n/9Frkm6K7=
IKP
3ngUP4wEoiPx5ZE5+fPIScGmVUcZIMhkvMvem9XXh1yyhqN14gfjmLwPGdWbrgG8QUe0s2WeW=
Iys
s6uTiyF+ZbJSo2XOKVc3YFMVUUfgyudqAV1wWdZinUk+H3pkqOKoHAy/8fST
=3D40Nd
-----END PGP PUBLIC KEY BLOCK-----

--------------33717FECCDD435185E3EE156--

--IXA3Tx3WAdR7sPEBHBdNFWupdcjly0XnQ--

--MkdrsTpbclBBl8g8WAfAxinKY4ikF0cXv
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"


--MkdrsTpbclBBl8g8WAfAxinKY4ikF0cXv--


From nobody Wed Dec  2 14:07:59 2020
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1949B3A1574; Wed,  2 Dec 2020 14:07:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q7x2Ex7apzYE; Wed,  2 Dec 2020 14:07:48 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::218]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0E343A1570; Wed,  2 Dec 2020 14:07:47 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id B2D0760805; Wed,  2 Dec 2020 22:07:45 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1606946864; bh=qXZHLfxefBQdvVHHYh5Z+23RI4ERIw2OgA08IMz0Y5s=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=sWV5r69GNQOZBxKm1qkjfjOZmGAPJsvfbKioBd7uKT99g43WkVzGZ/xq4yBF5nOKU TuHRJOAZRW3P7dQtYycik7kaKtN5D1nauaDqpKGZeQapakkf2+7jGsd+7v1OYIkdcc Cw8BJPRVNaY7pP/K4KTN5h2DvHK3wGm4x4IjwVIKY1Pfx9OItC4PhSB/9gF6ja81B1 EKJ2BP9tyWHZ7YI0RZkhWtsNN0mQb16QiZ5euNWZj6U3+xyK4YcGl6AG97L2Q+uGud AqNDviXiGgoew4uQ2usmdGFfdnUAt5hJKZtBop8pX1VfR7WyUvJ28t5e64aPpHR+pc 3YHiu7qpbUe3Q==
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, =?UTF-8?B?T25kxZllaiBTdXI=?= =?UTF-8?B?w70=?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl>
Date: Wed, 2 Dec 2020 23:07:40 +0100
MIME-Version: 1.0
In-Reply-To: <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MpA_eQF00ExHo74ukZVEO7lbfZE>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 22:07:50 -0000

On 02-12-2020 at 22:49, Stephen Farrell wrote:
> 
> Hiya,
> 
> On 02/12/2020 21:38, Willem Toorop wrote:
>> On 02-12-2020 at 21:37, Stephen Farrell wrote:
>>
>> <snip>
>>
>>>> ad 2) we need a value that’s synchronized well enough and monotonic.
>>>> I honestly don’t see any value in using 64-bit value here. Using
>>>> unixtime has a value in itself, it’s a well-known and there’s a
>>>> little room for any implementer to make a mistake in an
>>>> implementation. The interoperability is more important than the
>>>> actual value of the counter. It’s write only counter, nobody is going
>>>> to interpret it after it has been generated, and it’s wide enough to
>>>> prevent brute forcing.
>>>
>>> So what happens after 2038? That's really not v. far in the
>>> future any more.
>>
>> The draft states that `All comparisons involving these fields MUST
>> use "Serial number arithmetic", as defined in [RFC1982]'. So it can not
>> be used to compare differences larger than 68 years, but comparisons of
>> cookie timestamps are more in the "hours" order of magnitude.
> 
> Sorry for being dim, but is it clear what value to put
> in those 4 octets in say 2039 such that different
> implementations will do the right thing
Well the text does specify a "32-bit unsigned number of seconds elapsed
since 1 January 1970 00:00:00 UTC", so because of the "unsigned" the
wrap to 0 is only in 2106, not 2038.

But even then, in 2106, it should not be a problem to check the age of a
cookie because of the rfc1982 comparison (which takes care of the wrap)
and the fact that Server Cookies will not be older than hours (and not
years).

Cheers,
-- Willem

> I did glance
> at rfc1982, so there may be very far-sighted text
> in there that I missed:-) And it may even be fine
> for this purpose if different servers differ by a
> second or so at that point, but even if so, it may
> be a bad plan to leave that unspecified in case
> other timestamps use the same code.
> 
> Cheers,
> S.
> 
>>
>> Cheers,
>> -- Willem
>>
>>>
>>> Cheers,
>>> S.
>>>
>>>>
>>>> Cheers, Ondřej -- Ondřej Surý — ISC (He/Him)
>>>>
>>>>> On 2. 12. 2020, at 18:47, Stephen Farrell via Datatracker
>>>>> <noreply@ietf.org> wrote:
>>>>>
>>>>> Reviewer: Stephen Farrell Review result: Has Issues
>>>>>
>>>>> I see two issues here worth checking:
>>>>>
>>>>> 1. I don't recall SipHash being used as a MAC in any IETF standard
>>>>> before. We normally use HMAC, even if truncated. Why make this
>>>>> change and was that checked with e.g. CFRG? (And the URL given in
>>>>> the reference gets me a 404.)
>>>>>
>>>>> 2. Is it really a good idea to use a 32 bit seconds since
>>>>> 1970-01-01 in 2020? I'd have thought that e.g. a timestamp in hours
>>>>> since then or seconds since some date in 2020 would be better.
>>>>>
>>>>> Here's a couple of nits too: - section 1: what's a "strong
>>>>> cookie"? - "gallimaufry" - cute! but not sure it'll help readers to
>>>>> learn that word.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________ DNSOP mailing list
>>>> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>>>>


From nobody Wed Dec  2 14:18:57 2020
Return-Path: <ondrej@isc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FFB53A1605; Wed,  2 Dec 2020 14:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QllHowZkLsth; Wed,  2 Dec 2020 14:18:39 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A7F53A15CF; Wed,  2 Dec 2020 14:18:34 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 580113AB0D8; Wed,  2 Dec 2020 22:18:34 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id DC098160046; Wed,  2 Dec 2020 22:18:33 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C66F5160070; Wed,  2 Dec 2020 22:18:33 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id qiUb59s_Rp7o; Wed,  2 Dec 2020 22:18:33 +0000 (UTC)
Received: from ondrejs-mbp.home.sury.org (unknown [78.80.211.217]) by zmx1.isc.org (Postfix) with ESMTPSA id 6CBCB160046; Wed,  2 Dec 2020 22:18:32 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.20.0.2.21\))
From: =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
In-Reply-To: <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com>
Date: Wed, 2 Dec 2020 23:18:29 +0100
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop WG <dnsop@ietf.org>, secdir@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3654.20.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/EvdHUAuUB_oVOY6L5kF3G5EqHYI>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 22:18:49 -0000

SYN cookies in both Linux and FreeBSD use siphash.

* FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
* Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)

I believe that the SYN cookies have exactly the same properties as DNS cookies.

Ondrej
--
Ondřej Surý (He/Him)
ondrej@isc.org

> On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
>


From nobody Wed Dec  2 14:25:48 2020
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F8473A15A0; Wed,  2 Dec 2020 14:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJ0IcDEH4rMn; Wed,  2 Dec 2020 14:25:41 -0800 (PST)
Received: from mail-vk1-xa2f.google.com (mail-vk1-xa2f.google.com [IPv6:2607:f8b0:4864:20::a2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F5C33A159F; Wed,  2 Dec 2020 14:25:41 -0800 (PST)
Received: by mail-vk1-xa2f.google.com with SMTP id a129so778130vki.5; Wed, 02 Dec 2020 14:25:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UTxeo6VwaAwnh1jgC7xhH/C+o/4VfVHdKZIbL5I3Dqw=; b=XNm0HOWC159IbAe7zQcasFN7Js93UW0q4O3X/3inwgv+2UzJycV3wGD652/WysCMvp oBbSW4iLJTt/v/l/6w4ocfhCMFs0GTZRePC6URefKor9544yDjFmJ9g9uzltgMT/cp89 9Il3oKlEKke4F9BRZisC0AyTMWcnv6p4vxyviug2vj5W9Mqb01AnMQH78UspT31w0pLw QGXUWHUDj2wfPAhOWqkRBUCOd9kVF5L7HHwTr8Kn7vdMhkXz4bUhIsctTU2+gyap8Pbl zxVMLUMis7gYxlXOTzYbjUcHGysf614CjUjB2f2jUmF0SXwGdc14H7gGg+Cm+Q48LkhQ AdDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UTxeo6VwaAwnh1jgC7xhH/C+o/4VfVHdKZIbL5I3Dqw=; b=NJ35hr1vK+Lb01Dql4Wc/gSvZwGhmkagwDimOD6sWjgT8rLdY5bfe2+e+uQ27zIT35 33gsE6F3kW+KUV7QjmfRrAMLyljZZ2hLXJEx2wBz4JpHZLS8ri8OINYDIVfcnZWcmGIX 4aiaLpF5rFRtXY4f2NDidU8CUuIadIkzKwqSM11zmYG28tdkvBQfnwhjgssfCY8iThKU 0dUgCTgvGt4kgLOktYSlj0qOAQozcdw6Y3jOUcIE7KDtv2EewiR3b/R2zfMcT3Nt2q0N Hd1AaMSY+g3PpfjL1Bkwk1o9sNkrcvRY9nyolbuTVOCg4lSyKqv0qlfZDsXM0rVF8W8e 2qUQ==
X-Gm-Message-State: AOAM533c64gX8a6HPdlt6mgsTPQD0OiluSyeeiZhbaDY1LbMVGvqd021 DH3vYOo42iDzURPH2Vp0q7I4L1hxTKJlyipNFBM=
X-Google-Smtp-Source: ABdhPJyGDIuzE6jtvVrIOx1b4VygxrTiUiSB+WAE9AxNydum/HmkSbbSfissA7WhhWAENReAKRfbufkduJ0IwDU0ooo=
X-Received: by 2002:a1f:e807:: with SMTP id f7mr278922vkh.2.1606947940409; Wed, 02 Dec 2020 14:25:40 -0800 (PST)
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
In-Reply-To: <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 2 Dec 2020 14:25:29 -0800
Message-ID: <CAH1iCirACLV5t2V0YdVRn=oXUxmMqmsTwQbG07c41von9ojtQQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Willem Toorop <willem@nlnetlabs.nl>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>,  last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org,  "dnsop@ietf.org WG" <dnsop@ietf.org>, secdir@ietf.org
Content-Type: multipart/alternative; boundary="00000000000029268e05b582b94d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0e_voko0ZGlPispXJy4naE99W2g>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 22:25:43 -0000

--00000000000029268e05b582b94d
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 2, 2020 at 1:49 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 02/12/2020 21:38, Willem Toorop wrote:
> > On 02-12-2020 at 21:37, Stephen Farrell wrote:
> >
> > <snip>
> >
> >>> ad 2) we need a value that’s synchronized well enough and monotonic.
> >>> I honestly don’t see any value in using 64-bit value here. Using
> >>> unixtime has a value in itself, it’s a well-known and there’s a
> >>> little room for any implementer to make a mistake in an
> >>> implementation. The interoperability is more important than the
> >>> actual value of the counter. It’s write only counter, nobody is going
> >>> to interpret it after it has been generated, and it’s wide enough to
> >>> prevent brute forcing.
> >>
> >> So what happens after 2038? That's really not v. far in the
> >> future any more.
> >
> > The draft states that `All comparisons involving these fields MUST
> > use "Serial number arithmetic", as defined in [RFC1982]'. So it can not
> > be used to compare differences larger than 68 years, but comparisons of
> > cookie timestamps are more in the "hours" order of magnitude.
>
> Sorry for being dim, but is it clear what value to put
> in those 4 octets in say 2039 such that different
> implementations will do the right thing? I did glance
> at rfc1982, so there may be very far-sighted text
> in there that I missed:-) And it may even be fine
> for this purpose if different servers differ by a
> second or so at that point, but even if so, it may
> be a bad plan to leave that unspecified in case
> other timestamps use the same code.
>

The reference to RFC1982 pretty much implies use of modulo arithmetic.
Maybe it would help to spell it out?
(Basically, calculate seconds since Jan 1 1970 at 0000 UTC, and if the
value is > 2^32, take the remainder mod 2^32.)

The RFC1982 specifies how the differences should be handled, so regardless
of which one is 0 and which one is 1 (or 2^32 - 1), the difference yielded
is a small number (i.e. 1).

This handles any relative time window less than 68 years, at any time in
the future (2038 or 2106 or 2256 or 22209.)

Brian

--00000000000029268e05b582b94d--
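
The timestamp handling discussed in the two replies above (an unsigned 32-bit count of seconds that wraps in 2106, compared with RFC 1982 serial number arithmetic), as an added example in C that is not part of the original thread or of the draft. All function names are hypothetical, and the one-hour and five-minute limits are assumptions of this example; the thread itself only says "hours".

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed policy limits for this example (the thread only says "hours"). */
#define MAX_AGE_SECONDS    3600  /* older than this: reject              */
#define MAX_FUTURE_SECONDS  300  /* further ahead than this: reject      */
#define AGE_UNDEFINED INT64_MIN  /* RFC 1982 leaves a 2^31 gap undefined */

enum cookie_verdict { COOKIE_OK, COOKIE_TOO_OLD, COOKIE_FROM_FUTURE, COOKIE_UNDEFINED };

/* Value for the 4-octet Timestamp field: epoch seconds modulo 2^32.
 * Taking a 64-bit clock as input keeps this correct on either side of 2106. */
uint32_t cookie_timestamp(uint64_t unix_seconds)
{
    return (uint32_t)(unix_seconds & 0xFFFFFFFFu);
}

/* Write and read the field in network byte order without going through
 * time_t or struct tm, so no signed or platform-sized type touches it. */
void put_be32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v >> 24);
    out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);
    out[3] = (uint8_t)v;
}

uint32_t get_be32(const uint8_t in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Signed age of ts as seen from now, using RFC 1982 serial arithmetic with
 * SERIAL_BITS = 32. Positive: ts is in the past. Negative: ts is ahead. */
int64_t serial_age(uint32_t now, uint32_t ts)
{
    uint32_t d = (uint32_t)(now - ts);      /* difference modulo 2^32 */
    if (d == 0x80000000u)
        return AGE_UNDEFINED;               /* exactly 2^31 apart */
    return (d < 0x80000000u) ? (int64_t)d : (int64_t)d - 4294967296LL;
}

/* Plain subtraction, for contrast: wrong once now has wrapped and ts has not. */
int64_t naive_age(uint32_t now, uint32_t ts)
{
    return (int64_t)now - (int64_t)ts;
}

/* Validate the timestamp octets taken from a received cookie. */
enum cookie_verdict check_cookie_time(uint32_t now, const uint8_t field[4])
{
    int64_t age = serial_age(now, get_be32(field));
    if (age == AGE_UNDEFINED)      return COOKIE_UNDEFINED;
    if (age > MAX_AGE_SECONDS)     return COOKIE_TOO_OLD;
    if (age < -MAX_FUTURE_SECONDS) return COOKIE_FROM_FUTURE;
    return COOKIE_OK;
}

/* Full round trip: issue a cookie at issued_unix, validate it at now_unix. */
enum cookie_verdict check_at(uint64_t now_unix, uint64_t issued_unix)
{
    uint8_t field[4];
    put_be32(field, cookie_timestamp(issued_unix));
    return check_cookie_time(cookie_timestamp(now_unix), field);
}

int main(void)
{
    const uint64_t y2039 = 2177452800ULL;   /* constructed: 2039-01-01 00:00:00 UTC */
    const uint64_t wrap  = 4294967296ULL;   /* 2^32 seconds: the wrap in 2106 */

    printf("2039, 30 min old : %d\n", check_at(y2039, y2039 - 1800));
    printf("2039, 2 h old    : %d\n", check_at(y2039, y2039 - 7200));
    printf("across the wrap  : %d\n", check_at(wrap + 5, wrap - 6));
    printf("serial age       : %lld\n", (long long)serial_age(5, 0xFFFFFFFAu));
    printf("naive age        : %lld\n", (long long)naive_age(5, 0xFFFFFFFAu));
    return 0;
}
```
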


From nobody Wed Dec  2 14:32:10 2020
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26AD83A14F3; Wed,  2 Dec 2020 14:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KZYdR1mn8Yc4; Wed,  2 Dec 2020 14:32:04 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24E253A14D8; Wed,  2 Dec 2020 14:32:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 05E75BE2C; Wed,  2 Dec 2020 22:32:01 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEdTZgVcGk7H; Wed,  2 Dec 2020 22:31:57 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 8EB6FBE24; Wed,  2 Dec 2020 22:31:57 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1606948317; bh=BQng0Tk/GXYzKDM5RhU1WM0Yxt9tqzDDcMia26jpgG4=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=qYjD3D4wYfrfY1d0piHtSMfTsL2wDNUqkZDc3IyAKEmKTRdukprCbBut1UOaCjt5E qCK1wHoWBazh+4O4m4su3jEs2laTqgWNqqixNx1M1yYYZKcf+IAOcipB7qGclE5Wg7 hbg4WxVBOEZr1+m6OtdhyBrtiDWug97r3l6CXtu0=
To: Willem Toorop <willem@nlnetlabs.nl>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie> <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie>
Date: Wed, 2 Dec 2020 22:31:56 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ahy2N9KkI58fC8LJZ2k5AT08dNnUtZp5I"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/kQP7aYiFM5EsqO230piOjiCZZH4>
Subject: Re: [secdir] [Last-Call] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 22:32:06 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--ahy2N9KkI58fC8LJZ2k5AT08dNnUtZp5I
Content-Type: multipart/mixed; boundary="zNhQbSHMw3DhYiSeSveQieSudsUhrpHB5";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Willem Toorop <willem@nlnetlabs.nl>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?=
 <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org,
 dnsop@ietf.org, secdir@ietf.org
Message-ID: <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie>
Subject: Re: [Last-Call] [DNSOP] Secdir last call review of
 draft-ietf-dnsop-server-cookies-04
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
 <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
 <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie>
 <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl>
 <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie>
 <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl>
In-Reply-To: <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl>

--zNhQbSHMw3DhYiSeSveQieSudsUhrpHB5
Content-Type: multipart/mixed;
 boundary="------------A93F6807B3A98BD628916196"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------A93F6807B3A98BD628916196
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Hiya,

On 02/12/2020 22:07, Willem Toorop wrote:
>
>
> On 02-12-2020 at 22:49, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> On 02/12/2020 21:38, Willem Toorop wrote:
>>> On 02-12-2020 at 21:37, Stephen Farrell wrote:
>>>
>>> <snip>
>>>
>>>>> ad 2) we need a value that’s synchronized well enough and monotonic.
>>>>> I honestly don’t see any value in using 64-bit value here. Using
>>>>> unixtime has a value in itself, it’s a well-known and there’s a
>>>>> little room for any implementer to make a mistake in an
>>>>> implementation. The interoperability is more important than the
>>>>> actual value of the counter. It’s write only counter, nobody is going
>>>>> to interpret it after it has been generated, and it’s wide enough to
>>>>> prevent brute forcing.
>>>>
>>>> So what happens after 2038? That's really not v. far in the
>>>> future any more.
>>>
>>> The draft states that `All comparisons involving these fields MUST
>>> use "Serial number arithmetic", as defined in [RFC1982]'. So it can not
>>> be used to compare differences larger than 68 years, but comparisons of
>>> cookie timestamps are more in the "hours" order of magnitude.
>>
>> Sorry for being dim, but is clear what value to put
>> in those 4 octets in say 2039 such that different
>> implementations will do the right thing
> Well the text does specify an "32-bit unsigned number of seconds elapsed
> since 1 January 1970 00:00:00 UTC", so because of the "unsigned" the
> wrap to 0 is only in 2106, not 2038.

Ah. I missed that "unsigned." (Does that mean implementers
might also?)

> But even then, in 2106, it should not be a problem to check the age of a
> cookie because of the rfc1982 comparison (which takes care of the wrap)
> and the fact that Server Cookies will not be older than hours (and not
> years).

So the buggy case would be where a server re-constructs
the input to the hash after some kind of round-trip of
the octets (to e.g. struct tm or something and then back
to time_t and to network byte order) at which point you could
I think get failures depending on who implemented what
incorrectly. That kind of thing has been seen before (even
if it seems a bit mad;-)

FWIW, I'd say it's worth a few more words to try reduce
the probability of such failures happening, e.g. maybe
just highlighting the "unsigned/2106" point you made
above would be enough. But, if the WG don't want to do
that, that's also fine by me.

Cheers,
S.


>
> Cheers,
> -- Willem
>
>> I did glance
>> at rfc1982, so there may be very far-sighted text
>> in there that I missed:-) And it may even be fine
>> for this purpose if different servers differ by a
>> second or so at that point, but even if so, it may
>> be a bad plan to leave that unspecified in case
>> other timestamps use the same code.
>>
>> Cheers,
>> S.
>>
>>>
>>> Cheers,
>>> -- Willem
>>>
>>>>
>>>> Cheers,
>>>> S.
>>>>
>>>>>
>>>>> Cheers, Ondřej -- Ondřej Surý — ISC (He/Him)
>>>>>
>>>>>> On 2. 12. 2020, at 18:47, Stephen Farrell via Datatracker
>>>>>> <noreply@ietf.org> wrote:
>>>>>>
>>>>>> Reviewer: Stephen Farrell Review result: Has Issues
>>>>>>
>>>>>> I see two issues here worth checking:
>>>>>>
>>>>>> 1. I don't recall SipHash being used as a MAC in any IETF standard
>>>>>> before. We normally use HMAC, even if truncated. Why make this
>>>>>> change and was that checked with e.g. CFRG? (And the URL given in
>>>>>> the reference gets me a 404.)
>>>>>>
>>>>>> 2. Is it really a good idea to use a 32 bit seconds since
>>>>>> 1970-01-01 in 2020? I'd have thought that e.g. a timestamp in hours
>>>>>> since then or seconds since some date in 2020 would be better.
>>>>>>
>>>>>> Here's a couple of nits too: - section 1: what's a "strong
>>>>>> cookie"? - "gallimaufry" - cute! but not sure it'll help readers to
>>>>>> learn that word.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________ DNSOP mailing list
>>>>> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>>>>>
>>>>
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>
>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>

--------------A93F6807B3A98BD628916196
Content-Type: application/pgp-keys;
 name="OpenPGP_0x5AB2FAF17B172BEA.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="OpenPGP_0x5AB2FAF17B172BEA.asc"


--------------A93F6807B3A98BD628916196--

--zNhQbSHMw3DhYiSeSveQieSudsUhrpHB5--

--ahy2N9KkI58fC8LJZ2k5AT08dNnUtZp5I
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"


--ahy2N9KkI58fC8LJZ2k5AT08dNnUtZp5I--
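
Added example (not part of the thread and not code from the draft): the timestamp check discussed in the message above, written in C, with the RFC 1982 comparison on the unsigned 32-bit field next to a variant that decodes the same four octets as a signed value. The one-hour age limit, the five-minute skew allowance, the clock values and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example only (not values taken from the thread):
 * reject cookies older than one hour, tolerate five minutes of clock skew. */
#define MAX_AGE_SECS    3600u
#define MAX_FUTURE_SECS 300u

/* The 4-octet timestamp field, in network byte order. */
static void put_be32(uint8_t out[4], uint32_t v)
{
    out[0] = (uint8_t)(v >> 24);
    out[1] = (uint8_t)(v >> 16);
    out[2] = (uint8_t)(v >> 8);
    out[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* RFC 1982 "less than" for SERIAL_BITS = 32. When the two values are
 * exactly 2^31 apart the result is undefined; this returns false both ways. */
static bool serial32_lt(uint32_t a, uint32_t b)
{
    return a != b &&
           ((a < b && b - a < 0x80000000u) ||
            (a > b && a - b > 0x80000000u));
}

/* Check on the unsigned field: the local clock is reduced to seconds since
 * 1970 modulo 2^32 and every comparison is modular, so neither 2038 nor the
 * wrap to 0 in 2106 changes the outcome for cookies that are hours old. */
static bool cookie_time_ok(uint64_t now_unix, const uint8_t field[4])
{
    uint32_t now = (uint32_t)now_unix;
    uint32_t ts  = get_be32(field);

    if (serial32_lt(now, ts))                       /* issued "ahead" of us */
        return (uint32_t)(ts - now) <= MAX_FUTURE_SECS;
    return (uint32_t)(now - ts) <= MAX_AGE_SECS;    /* issued in the past */
}

/* The failure mode raised in the thread: the octets are decoded as a signed
 * 32-bit value and compared against a wide clock without serial arithmetic.
 * (The uint32_t -> int32_t conversion is implementation-defined; on the usual
 * two's-complement targets it goes negative from 2038-01-19 on.) */
static bool cookie_time_ok_signed(uint64_t now_unix, const uint8_t field[4])
{
    int32_t ts  = (int32_t)get_be32(field);
    int64_t age = (int64_t)now_unix - (int64_t)ts;

    return age >= -(int64_t)MAX_FUTURE_SECS && age <= (int64_t)MAX_AGE_SECS;
}

/* Issue a field at issued_unix, then validate it at now_unix. */
static bool accepts(uint64_t now_unix, uint64_t issued_unix)
{
    uint8_t field[4];
    put_be32(field, (uint32_t)issued_unix);
    return cookie_time_ok(now_unix, field);
}

static bool accepts_signed(uint64_t now_unix, uint64_t issued_unix)
{
    uint8_t field[4];
    put_be32(field, (uint32_t)issued_unix);
    return cookie_time_ok_signed(now_unix, field);
}

int main(void)
{
    /* Constructed clock values: late 2020, 2039-01-01, 100 s past 2^32. */
    const uint64_t clocks[] = { 1606948200ULL, 2177452800ULL, 4294967396ULL };

    for (size_t i = 0; i < sizeof clocks / sizeof clocks[0]; i++) {
        uint64_t now = clocks[i];
        /* A cookie issued ten minutes before "now" should always pass. */
        printf("now=%llu  unsigned+RFC1982: %d  signed decode: %d\n",
               (unsigned long long)now,
               accepts(now, now - 600), accepts_signed(now, now - 600));
    }
    return 0;
}
```

The signed variant agrees with the unsigned one for 2020 clocks and rejects every fresh cookie once the field value passes 2^31, which is why such a bug would go unnoticed until 2038.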


From nobody Thu Dec  3 06:29:22 2020
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B3D3A0C3A; Thu,  3 Dec 2020 06:29:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AcGNx88XXyIC; Thu,  3 Dec 2020 06:29:09 -0800 (PST)
Received: from outbound.soverin.net (outbound.soverin.net [IPv6:2a01:4f8:fff0:2d:8::218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24D063A0CC3; Thu,  3 Dec 2020 06:28:46 -0800 (PST)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 7A90960199; Thu,  3 Dec 2020 14:28:43 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1607005722; bh=yiiBaK5Bn+r/eav8uR9kBKEA5ApVZ9eJ1YbO8zKreFk=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=WPxAIyvsgSWmu77b6QcnUOZzhPxR49ds+iweMYGlSM7SvB5l36KHn7+zeZ0QJ+txU FuxywDDpQKUBiXudT4CHPRHBCIqcW8lVT1xZGFQ1GXyzvoClwHVvm5QEVpynoTk8rY UTO7HAyLYoGdmQhA9f7KYX0dL/K7Qn3HHvTCssWNU0sykmwMxzoi46oPi6i3NMdgrT XMYGLJW8FHlvrfbc0HrX7674a9MbctfAhFpCbwCmfO803heHnaiQiJZo+E9mxBTDiN JR1VpqLVctYgjMkV7PiJmvQV3l8m3nsM0NvIRjMvC/i45olulHHe1ACSRCWl/JS1DP I8L9QlFA4wNxQ==
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, =?UTF-8?B?T25kxZllaiBTdXI=?= =?UTF-8?B?w70=?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop@ietf.org, secdir@ietf.org
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie> <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl> <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <4e1fee2b-9584-149b-cc48-e465715ffa87@nlnetlabs.nl>
Date: Thu, 3 Dec 2020 15:28:37 +0100
MIME-Version: 1.0
In-Reply-To: <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/eGSBMIwkaJjOy9EXtw5lqcgrZRM>
Subject: Re: [secdir] [Last-Call] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 14:29:14 -0000

On 02-12-2020 at 23:31, Stephen Farrell wrote:

<snip>

> FWIW, I'd say it's worth a few more words to try reduce
> the probability of such failures happening, e.g. maybe
> just highlighting the "unsigned/2106" point you made
> above would be enough. But, if the WG don't want to do
> that, that's also fine by me.

Sure, NP. I'll include Brian Dicksen's provided clarification in the
text. Also, I approached Jean-Philippe Aumasson and he fixed the url we
used in the draft for SipHash, but recommends to use this one in the future:

https://www.aumasson.jp/siphash/

So I'll change that too.

Cheers,
-- Willem


From nobody Thu Dec  3 09:40:42 2020
Return-Path: <ekr@rtfm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46FB93A0A71 for <secdir@ietfa.amsl.com>; Thu,  3 Dec 2020 09:40:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oo-hwhW7-z8K for <secdir@ietfa.amsl.com>; Thu,  3 Dec 2020 09:40:31 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36DF33A0A96 for <secdir@ietf.org>; Thu,  3 Dec 2020 09:40:31 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id s9so3434390ljo.11 for <secdir@ietf.org>; Thu, 03 Dec 2020 09:40:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XvEl9wQs+EMxRdSJbprFppeyf8IcCYulekcbqs24Flk=; b=l/FSnuZsNLaID3cROckwN3krr5gMlUumlBu7kfOy9DLZ99t4p+PGVziv76y6uMcIZJ NGtQmXkj1qqCxJT4FAFDtJXvYYavLTOwzE2zbqOSEXSS/+ssrEhBVQTZWuM0Biq96iXy L/2Vv5IWM+tXeevoNIl3FLbyHclno6Bdv9ACOZCtNh71O02MtVE1EXo23+Gxh8tehm7H Gs30oxhGxEwojY4ltnyppFp6HJ8uPVY0jOtKSV3HLCUBcy1vzmb/v/HAK5OVAjV+qNM+ xOBB37VEIuMkWZPGUvRULs6t5OHqUV+4KoLVHtM30z3uZjG6oIsluFDGbShTiMwoECuz v8Xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XvEl9wQs+EMxRdSJbprFppeyf8IcCYulekcbqs24Flk=; b=S/T/APeYyce5eMGqDDRlXAgBj4/tNahgCvTepcC6MUSDYeHBUprDqpSHe4y0mQyQOt oAi4BwXqLWYRKzk6EvsTu03mPt7Yj835Vjq0j72MlYxLB35YRByyRNX58HkP6upiUWqO 6SUVxiSG2HUzayHpFIunkdvwJgZh91Fp5LZon1k81WxfujCIuU6cCvAhkHurHv5drjiN 8ZDoLfMzHZ39PqbsuGA9cEFv2xxId7POATnPqs7dttcAQ6d4iB0nAW4yHyC+DOms7vGm KPrSBM4zFkTIrw5KsddQ0znX84h6/78XyapcnX+0bpmXCMrKkANljDOew5DMtcs35TaG AbIA==
X-Gm-Message-State: AOAM532JiYg0fRT65fLeifYdRNJ3QMYiIASbPYkZxuZ79pj9gCOY/KoW ZP+v+jNOMfhyKI/Ef3+qfkzfSvKoXQD+FlaK8eReaA==
X-Google-Smtp-Source: ABdhPJyShYr3V0Bi9JAKJ1TZKvyhtJqmeqBWDePZAKlS+5cnvGtNjzJLW+fgJkjKg1GSU1Z1QEFoaMZezIaIe01NuCw=
X-Received: by 2002:a2e:50c:: with SMTP id 12mr1599347ljf.371.1607017229071; Thu, 03 Dec 2020 09:40:29 -0800 (PST)
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie> <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl> <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie> <4e1fee2b-9584-149b-cc48-e465715ffa87@nlnetlabs.nl>
In-Reply-To: <4e1fee2b-9584-149b-cc48-e465715ffa87@nlnetlabs.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 Dec 2020 09:39:52 -0800
Message-ID: <CABcZeBPeLtg7iad4Pn+o0-MAqtGZ3PuZ6JtV=07xgc3NL5nCcQ@mail.gmail.com>
To: Willem Toorop <willem@nlnetlabs.nl>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>,  last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org,  dnsop WG <dnsop@ietf.org>, secdir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000166dfe05b592db34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hN-vFuTS0h73XZQ7_49m7UzGqgU>
Subject: Re: [secdir] [DNSOP] [Last-Call] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 17:40:33 -0000

--000000000000166dfe05b592db34
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 3, 2020 at 6:29 AM Willem Toorop <willem@nlnetlabs.nl> wrote:

> On 02-12-2020 at 23:31, Stephen Farrell wrote:
>
> <snip>
>
> > FWIW, I'd say it's worth a few more words to try reduce
> > the probability of such failures happening, e.g. maybe
> > just highlighting the "unsigned/2106" point you made
> > above would be enough. But, if the WG don't want to do
> > that, that's also fine by me.
>
> Sure, NP. I'll include Brian Dicksen's provided clarification in the
> text. Also, I approached Jean-Philippe Aumasson and he fixed the url we
> used in the draft for SipHash, but recommends to use this one in the
> future:
>
> https://www.aumasson.jp/siphash/


It seems like kind of a problem to have a normative algorithm reference to
a random personal Website.

-Ekr


>
> So I'll change that too.
>
> Cheers,
> -- Willem
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--000000000000166dfe05b592db34--


From nobody Thu Dec  3 09:50:57 2020
Return-Path: <rsalz@akamai.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332003A0B9D; Thu,  3 Dec 2020 09:50:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ll9Db0V308TR; Thu,  3 Dec 2020 09:50:42 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4246E3A0BFC; Thu,  3 Dec 2020 09:50:42 -0800 (PST)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 0B3HmbO8004361; Thu, 3 Dec 2020 17:50:35 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=TgHrgHmyw5fGpS8PFMTMSf98dtkxyiAYAJHPiPaTWcM=; b=oooxxXhCrpUXzUW1h9QdO4dARI9CkuT5tdRwQurIM3LU6yq/ALYi9taz/nZmAC7WzzQm AzO7MYhcYWHi6yaEBmkKLOZBlHHPiec9mVAyduapb27eDQYtVWv1cJJuYSYC2zSF4iIa BNfxSsUbcpjBbMd5oo9W5cgqwDOYq9T0JRvWNqbuXl5XDf7+jkWd68cYBZV+e8kTSFkj 4tQRBF+Il7wMrzRrzJSUDUWEVjTC5kl09KWw6Hn35Vh8qFS48tK6si+dbdi3gbeYQDmm 2GMGA+GREG7nGStTVyuEcPk9OL7iDYyYJ6WeqnCxu2sg7M0PcmpWzlEfIcSz3fswh1fl 4A== 
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 355v3wa87j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 03 Dec 2020 17:50:35 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 0B3HoWqH032049; Thu, 3 Dec 2020 12:50:34 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint2.akamai.com with ESMTP id 353js2txpf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 03 Dec 2020 12:50:34 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 3 Dec 2020 12:50:33 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.008; Thu, 3 Dec 2020 12:50:33 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Eric Rescorla <ekr@rtfm.com>, Willem Toorop <willem@nlnetlabs.nl>
CC: "secdir@ietf.org" <secdir@ietf.org>, dnsop WG <dnsop@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>, "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [Last-Call] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
Thread-Index: AQHWyZt2XYWKHb1jL0ylAkUkxNBf6KnlpmAA
Date: Thu, 3 Dec 2020 17:50:33 +0000
Message-ID: <358D0BCF-90E0-4580-9273-55A93A6D63AD@akamai.com>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie> <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl> <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie> <4e1fee2b-9584-149b-cc48-e465715ffa87@nlnetlabs.nl> <CABcZeBPeLtg7iad4Pn+o0-MAqtGZ3PuZ6JtV=07xgc3NL5nCcQ@mail.gmail.com>
In-Reply-To: <CABcZeBPeLtg7iad4Pn+o0-MAqtGZ3PuZ6JtV=07xgc3NL5nCcQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/16.43.20110804
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: multipart/alternative; boundary="_000_358D0BCF90E04580927355A93A6D63ADakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-03_10:2020-12-03, 2020-12-03 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=905 malwarescore=0 mlxscore=0 bulkscore=0 phishscore=0 suspectscore=0 spamscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012030106
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 adultscore=0 priorityscore=1501 spamscore=0 lowpriorityscore=0 suspectscore=0 malwarescore=0 bulkscore=0 clxscore=1011 impostorscore=0 mlxscore=0 mlxlogscore=806 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012030106
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.19) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint2
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/aQgDskh34sBfevHAJbQLvJeq3C4>
Subject: Re: [secdir] [Last-Call] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 17:50:52 -0000

--_000_358D0BCF90E04580927355A93A6D63ADakamaicom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_358D0BCF90E04580927355A93A6D63ADakamaicom_
Content-Type: text/html; charset="utf-8"
Content-ID: <377273FF0AC4B0439C60F1D7199D0435@akamai.com>
Content-Transfer-Encoding: base64

--_000_358D0BCF90E04580927355A93A6D63ADakamaicom_--


From nobody Thu Dec  3 10:29:07 2020
Return-Path: <ekr@rtfm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 998913A0B9D for <secdir@ietfa.amsl.com>; Thu,  3 Dec 2020 10:29:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.796
X-Spam-Level: 
X-Spam-Status: No, score=-1.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pb9581Qbvh7t for <secdir@ietfa.amsl.com>; Thu,  3 Dec 2020 10:29:04 -0800 (PST)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C127D3A0B36 for <secdir@ietf.org>; Thu,  3 Dec 2020 10:29:03 -0800 (PST)
Received: by mail-lf1-x129.google.com with SMTP id s27so4154781lfp.5 for <secdir@ietf.org>; Thu, 03 Dec 2020 10:29:03 -0800 (PST)
X-Received: by 2002:a19:c701:: with SMTP id x1mr1920787lff.516.1607020141895;  Thu, 03 Dec 2020 10:29:01 -0800 (PST)
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <75c266ba-573a-29e3-621d-aea9b27f195f@cs.tcd.ie> <b23d3f2b-4b4f-f70c-ff53-cbd2c229a887@nlnetlabs.nl> <d263c879-6c85-fbc3-3484-02402b1c52aa@cs.tcd.ie> <9a15fe4b-7850-3558-78d8-7ad7f90fd97d@nlnetlabs.nl> <86e60c0a-58c6-0ef8-d348-ef1f6f72fab9@cs.tcd.ie> <4e1fee2b-9584-149b-cc48-e465715ffa87@nlnetlabs.nl> <CABcZeBPeLtg7iad4Pn+o0-MAqtGZ3PuZ6JtV=07xgc3NL5nCcQ@mail.gmail.com> <358D0BCF-90E0-4580-9273-55A93A6D63AD@akamai.com>
In-Reply-To: <358D0BCF-90E0-4580-9273-55A93A6D63AD@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 Dec 2020 10:28:24 -0800
Message-ID: <CABcZeBPooAaditthQKi=kXSXE=u57RMQWnpOMWVbQDq2V-J4dQ@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Willem Toorop <willem@nlnetlabs.nl>, "secdir@ietf.org" <secdir@ietf.org>,  dnsop WG <dnsop@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>,  "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>,  Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000b47a1705b59388eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wnFjz8NpGmLhMIydTePI4q80a8A>
Subject: Re: [secdir] [Last-Call] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 18:29:06 -0000

--000000000000b47a1705b59388eb
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 3, 2020 at 9:52 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
wrote:

>
> https://www.aumasson.jp/siphash/
>
>
>
>    - It seems like kind of a problem to have a normative algorithm
>    reference to a random personal Website.
>
>
>
> That web page has pointers to papers, perhaps they should be used instead.
>
>
That might be better. Basically, something that we can have some confidence
will be stable.

>
>
> Or maybe someone can convince Simon Josefsson to write it up (as he has
> for many others :)
>

That seems great.

-Ekr

-- 
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>

--000000000000b47a1705b59388eb--


From nobody Thu Dec  3 11:57:54 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2D03A0983; Thu,  3 Dec 2020 11:57:45 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Brian Weis via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-core-dev-urn.all@ietf.org, core@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160702546541.14061.15940689920006174458@ietfa.amsl.com>
Reply-To: Brian Weis <bew.stds@gmail.com>
Date: Thu, 03 Dec 2020 11:57:45 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HkvhTmiKLluSkrjJCvogdl6YrNk>
Subject: [secdir] Secdir last call review of draft-ietf-core-dev-urn-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 19:57:46 -0000

Reviewer: Brian Weis
Review result: Serious Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The summary of the review is Ready with nits.

This document generally defines a new URN namespace for hardware
device identifiers, and then further defines the URN body layout
for several types of devices, where devices are identified by a
global identity (e.g., a MAC address, organizational-specific serial
number, etc.).

Long-term identifiers have privacy considerations, and these are
well documented here.

Here are some things that ought to be thought about:

(1) The Security Considerations section seems to focus on concerns
around devices not allowing the device identifiers to be modified,
and gives rather broad advice about a DEV URN implementation
faithfully representing the device. It would be good for this section
to also warn implementors of the risks of a DEV URN being transmitted
without integrity protection. That is, if the device faithfully
represents itself, a man in the middle changing the DEV URN in a
protocol may cause the system using the device to not manage the
device properly, or in some manner inappropriately adjust the privileges
allowed by the device within that system.

(2) Section 1 says about privacy “Note that long-term stable unique
identifiers are problematic for privacy reasons and should be used
with care or avoided as described in [RFC7721].” Given the later
guidance that “The DEV URN type SHOULD only be used for persistent
identifiers”, I think the “or avoided” portion of that sentence is
inappropriate for this document.

(3) Section 5 begins with “The following three examples provide
examples of MAC-based, 1-Wire, and Cryptographic identifiers”. There 
are now more than three examples provided (thanks for that!), and 
it appears that cryptographic identifiers have been removed in an
earlier draft.



From nobody Thu Dec  3 12:04:09 2020
Return-Path: <bew.stds@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 557EF3A0A71; Thu,  3 Dec 2020 12:04:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RUS3cAhI0F7I; Thu,  3 Dec 2020 12:04:06 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEEBF3A0A26; Thu,  3 Dec 2020 12:04:03 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id t8so2026863pfg.8; Thu, 03 Dec 2020 12:04:03 -0800 (PST)
X-Received: by 2002:aa7:864b:0:b029:18e:fc45:f2a1 with SMTP id a11-20020aa7864b0000b029018efc45f2a1mr603848pfo.58.1607025842762;  Thu, 03 Dec 2020 12:04:02 -0800 (PST)
Received: from ?IPv6:2603:3024:151c:c200:545f:374a:e165:7255? ([2603:3024:151c:c200:545f:374a:e165:7255]) by smtp.gmail.com with ESMTPSA id x10sm1305593pff.214.2020.12.03.12.04.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Dec 2020 12:04:02 -0800 (PST)
From: Brian Weis <bew.stds@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Thu, 3 Dec 2020 12:04:01 -0800
References: <160702546541.14061.15940689920006174458@ietfa.amsl.com>
To: secdir@ietf.org, last-call@ietf.org, draft-ietf-core-dev-urn.all@ietf.org,  core@ietf.org
In-Reply-To: <160702546541.14061.15940689920006174458@ietfa.amsl.com>
Message-Id: <C46E7831-BB98-4D46-893A-93CE83B8A2FA@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RgrURVkNbLXKYqjOGWhFi42I-n4>
Subject: Re: [secdir] Secdir last call review of draft-ietf-core-dev-urn-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 20:04:08 -0000

Oops: this review is marked “Serious Issues”, where (as mentioned in the comments)
I intended it to be “Ready with nits”.  Sorry for the confusion.

Brian

> On Dec 3, 2020, at 11:57 AM, Brian Weis via Datatracker <noreply@ietf.org> wrote:
>
> Reviewer: Brian Weis
> Review result: Serious Issues
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> This document generally defines a new URN namespace for hardware
> device identifiers, and then further defines the URN body layout
> for several types of devices, where devices are identified by a
> global identity (e.g., a MAC address, organizational-specific serial
> number, etc.).
>
> Long-term identifiers have privacy considerations, and these are
> well documented here.
>
> Here are some things that ought to be thought about:
>
> (1) The Security Considerations section seems to focus on concerns
> around devices not allowing the device identifiers to be modified,
> and gives rather broad advice about a DEV URN implementation
> faithfully representing the device. It would be good for this section
> to also warn implementors of the risks of a DEV URN being transmitted
> without integrity protection. That is, if the device faithfully
> represents itself, a man in the middle changing the DEV URN in a
> protocol may cause the system using the device to not manage the
> device properly, or in some manner inappropriately adjust the privileges
> allowed by the device within that system.
>
> (2) Section 1 says about privacy “Note that long-term stable unique
> identifiers are problematic for privacy reasons and should be used
> with care or avoided as described in [RFC7721].” Given the later
> guidance that “The DEV URN type SHOULD only be used for persistent
> identifiers”, I think the “or avoided” portion of that sentence is
> inappropriate for this document.
>
> (3) Section 5 begins with “The following three examples provide
> examples of MAC-based, 1-Wire, and Cryptographic identifiers”. There
> are now more than three examples provided (thanks for that!), and
> it appears that cryptographic identifiers have been removed in an
> earlier draft.
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview


From nobody Thu Dec  3 13:03:42 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 590133A0E8A for <secdir@ietf.org>; Thu,  3 Dec 2020 13:03:33 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <160702941334.9325.16324557339586409597@ietfa.amsl.com>
Date: Thu, 03 Dec 2020 13:03:33 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/J7X59K11jrz_ymaGYCEIZHYmQCU>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 21:03:41 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2020-12-03

Reviewer               LC end     Draft
Daniel Gillmor         2020-09-30 draft-ietf-ccamp-layer0-types-08
Steve Hanna            2020-09-30 draft-ietf-ccamp-wson-yang-27
Christopher Wood      R2019-11-06 draft-ietf-dtn-tcpclv4-23

For telechat 2020-12-17

Reviewer               LC end     Draft
Christian Huitema      2020-12-14 draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Mališa Vučinić         2020-12-04 draft-ietf-bmwg-b2b-frame-03
Samuel Weiler          2020-12-02 draft-ietf-extra-sieve-mailboxid-06

Last calls:

Reviewer               LC end     Draft
Donald Eastlake        2020-12-10 draft-ietf-teas-pce-native-ip-14
Shawn Emery            2020-12-08 draft-ietf-ippm-ioam-data-11
Daniel Franke          2020-09-18 draft-ietf-jmap-mdn-15
Daniel Franke          2020-03-09 draft-ietf-regext-dnrd-objects-mapping-10
Daniel Gillmor         2020-09-30 draft-ietf-ccamp-layer0-types-08
Phillip Hallam-Baker   2020-12-03 draft-ietf-tls-ticketrequests-06
Phillip Hallam-Baker   2020-09-30 draft-ietf-lwig-tcp-constrained-node-networks-13
Steve Hanna            2020-09-30 draft-ietf-ccamp-wson-yang-27
Dan Harkins            2020-12-30 draft-carpenter-eligibility-expand-08
Dan Harkins            None       draft-ietf-rtgwg-policy-model-03
Russ Housley           2020-12-15 draft-ietf-bess-evpn-proxy-arp-nd-09
Christian Huitema      2020-12-14 draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Leif Johansson         None       draft-ietf-netconf-crypto-types-18
Leif Johansson         2020-10-02 draft-ietf-lpwan-schc-over-lorawan-13
Kathleen Moriarty      2020-07-20 draft-ietf-ace-oscore-profile-13
Russ Mundy             2020-07-20 draft-ietf-ace-dtls-authorize-14
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer-06
Tirumaleswar Reddy.K   2020-11-16 draft-ietf-quic-transport-32
Rich Salz             R2020-08-14 draft-ietf-suit-architecture-14
Mališa Vučinić         2020-12-04 draft-ietf-bmwg-b2b-frame-03
Carl Wallace           2020-12-09 draft-ietf-roll-unaware-leaves-23
Samuel Weiler          2020-12-02 draft-ietf-extra-sieve-mailboxid-06
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag-11
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth-09
Christopher Wood       2020-09-23 draft-ietf-6man-rfc4941bis-12
Christopher Wood      R2019-11-06 draft-ietf-dtn-tcpclv4-23
Paul Wouters           2020-09-08 draft-ietf-i2nsf-capability-data-model-13
Liang Xia              2020-11-30 draft-ietf-spring-sr-yang-28

Early review requests:

Reviewer               Due        Draft
Nancy Cam-Winget       2020-12-07 draft-ietf-idr-ext-opt-param-09
Linda Dunbar           2020-12-07 draft-ietf-idr-bgp-optimal-route-reflection-21
Steve Hanna            2020-12-23 draft-ietf-sfc-nsh-integrity-01
Dacheng Zhang          2020-12-07 draft-ietf-idr-eag-distribution-13

Next in the reviewer rotation:

  Charlie Kaufman
  Scott Kelly
  Tero Kivinen
  Watson Ladd
  Chris Lonvick
  Aanchal Malhotra
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault




From nobody Thu Dec  3 13:58:16 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 644E83A0D31; Thu,  3 Dec 2020 13:58:15 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Kathleen Moriarty via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-ace-oscore-profile.all@ietf.org, ace@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160703269537.9405.5185911182037137110@ietfa.amsl.com>
Reply-To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Date: Thu, 03 Dec 2020 13:58:15 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GSy6B77quAZLGUSKFZvKwNxJZ3Y>
Subject: [secdir] Secdir last call review of draft-ietf-ace-oscore-profile-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 21:58:15 -0000

Reviewer: Kathleen Moriarty
Review result: Ready

Thank you for your work on this document, it appears ready for publication.



From nobody Fri Dec  4 12:03:24 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id F3AB33A0FF8; Fri,  4 Dec 2020 12:03:16 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
Reply-To: Christian Huitema <huitema@huitema.net>
Date: Fri, 04 Dec 2020 12:03:16 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/flvSYfjzQxzJH-um0-4bOs0hlwE>
Subject: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 20:03:17 -0000

Reviewer: Christian Huitema
Review result: Ready

This document presents a set of requirements for how "Prefix Delegating Relays" should
handle the relaying of IPv6 Prefix delegation requests between DHCP clients and DHCP servers.

This document is Ready. But please fix one tiny nit.

Prefix Delegating Relays are more complex than simple DHCP relays. Instead of
merely passing information back and forth between DHCP clients and DHCP servers,
they also need to install IPv6 routes so the allocated IPv6 prefix is routed towards
the client to which the prefix is allocated via DHCP. The document explains
issues found during past deployments, and presents a set of requirements to
ensure smooth operation of the service.

As written in the security section, stating these requirements does not add
any new security considerations beyond those mentioned in RFC 8213, which requires
using IPsec between DHCP relay and DHCP server. This is fine and I believe that
the draft is ready, except for one nit. The draft mentions "Section 22 of [RFC8213]",
but RFC 8213 only has 6 sections. Since that RFC is entirely about "Security of
Messages Exchanged between Servers and Relay Agents", I don't understand why the
draft needs to mention this bogus "Section 22". Are the authors trying to trick
this reviewer?

There is a security issue concerning communication between clients and relays. This
draft is not the place to address it, which is why I think it is ready, but I can't
resist using this review to pass a message to the working group. On-link attackers
could spoof requests for prefix delegation, or responses, just like
they can spoof any DHCP message. Spoofing prefix delegation requests might be a way
to attack networks, or to cause support issues between clients and providers.
RFC 8213 "suggests" using secure DHCPv6 between client and server, but the "secure
DHCPv6" draft cited in RFC 8213 is now expired. I understand that solutions like RA
Guard will in practice provide some protection, but the use of these solutions are
not discussed in RFC 8213. The DHCP WG might want to address that.

 



From nobody Fri Dec  4 12:37:19 2020
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 022973A0C4D; Fri,  4 Dec 2020 12:37:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoGXXaH1FDOY; Fri,  4 Dec 2020 12:37:12 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86ED63A0FCC; Fri,  4 Dec 2020 12:36:44 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0B4KaZoj000847 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 4 Dec 2020 15:36:41 -0500
Date: Fri, 4 Dec 2020 12:36:35 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, secdir@ietf.org, dnsop WG <dnsop@ietf.org>
Message-ID: <20201204203635.GS64351@kduck.mit.edu>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/uR1w3bljCX8PhPPcsC0lmk1xeFo>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 20:37:14 -0000

Hi Ondřej,

Just because someone else does something, even a "big name", doesn't
necessarily make it a good idea for us to also do it.
We should be able to justify our algorithm choices on cryptographic
principles, not just appeal to authority.

In a similar vein, you said something about the 32-bit timestamp being wide
enough to prevent brute-force attacks.  Could you say a bit more about what
attacks those are that are being prevented?  I'm not really seeing how the
width of the timestamp comes into play for that concern, just from a quick
skim of the document.  (Timestamps tend to not provide much protection
against brute force by themselves, since time is relatively guessable,
especially to seconds precision.)

Thanks,

Ben

On Wed, Dec 02, 2020 at 11:18:29PM +0100, Ondřej Surý wrote:
> SYN cookies in both Linux and FreeBSD uses siphash.
> 
> * FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
> * Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)
> 
> I believe that the SYN cookies have exactly the same properties as DNS cookies.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej@isc.org
> 
> > On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
> > 
> > Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
> > 
> 


From nobody Fri Dec  4 13:14:40 2020
Return-Path: <ondrej@isc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 861903A0C58; Fri,  4 Dec 2020 13:14:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLzdrdGoUtWJ; Fri,  4 Dec 2020 13:14:34 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC2603A0C37; Fri,  4 Dec 2020 13:14:33 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id CB6AD3AB070; Fri,  4 Dec 2020 21:14:32 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 9FE5816003F; Fri,  4 Dec 2020 21:14:32 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8D9CC160053; Fri,  4 Dec 2020 21:14:32 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id E1h4855PyRDI; Fri,  4 Dec 2020 21:14:32 +0000 (UTC)
Received: from [10.10.10.141] (unknown [78.80.211.217]) by zmx1.isc.org (Postfix) with ESMTPSA id 430C316003F; Fri,  4 Dec 2020 21:14:32 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej@isc.org>
Mime-Version: 1.0 (1.0)
Date: Fri, 4 Dec 2020 22:14:29 +0100
Message-Id: <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org>
References: <20201204203635.GS64351@kduck.mit.edu>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, secdir@ietf.org, dnsop WG <dnsop@ietf.org>
In-Reply-To: <20201204203635.GS64351@kduck.mit.edu>
To: Benjamin Kaduk <kaduk@mit.edu>
X-Mailer: iPhone Mail (18B121)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BzLIIJbqYB3CVqfFpZruOu75Ruw>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 21:14:36 -0000

Hi Benjamin,

I did not use appeal to authority as an argument, but I’ve just provided examples that SipHash has been implemented in similar scenarios and there hasn’t been a reported issue with the choice for years now.

Using a fast PRF (pseudorandom function) for the DNS Cookies is a good choice because it matches the required properties - it needs to be fast and secure in the sense that an attacker can compute neither the key nor the output of the function. DNS Cookies are not MACs.

Sorry for the misnomer of the brute force - what I meant was a protection against a replay attack. I’m just currently very tired with day to day job.

Please note that DNS Cookies don’t protect the actual DNS message payload, they merely provide means to establish trust between the client and the server as to distinguish between legitimate and spoofed traffic, so different policies can be used - Response Rate Limiting (RRL) could be turned off for DNS messages with cookies or when under attack it could require fallback to TCP for DNS queries without the DNS Cookie. The DNS cookies don’t protect the actual content in any way, nor do they protect the communication from the on path adversary.

In that regard, the client cookie is just a nonce (and it’s just convenient to use the same algorithm to generate it, but it could be output from a CSPRNG as well) and the server cookie is a cryptographic primitive that uses the client nonce, key and timestamp to construct the server cookie. Such server cookie is used by the DNS client to authenticate to the server (it’s shared secret, but it requires no per-client state on the server). Just to repeat, the actual payload (DNS message) is not protected by the DNS cookie.

If the DNS server could keep a state for every DNS client, a CS random number would be as good as the output of the SipHash.

I might not be a cryptographer as my daily job, but I am reasonably confident that SipHash has matching properties, it hasn’t been broken as of today. Also all DNS vendors have agreed to make this choice and the RFC here is merely a way how to ensure interoperability between various implementations.

(Typing this on phone, so excuse any irregularities in the text.)
Ondrej
--
Ondřej Surý — ISC (He/Him)

> On 4. 12. 2020, at 21:37, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> Hi Ondřej,
> 
> Just because someone else does something, even a "big name", doesn't
> necessarily make it a good idea for us to also do it.
> We should be able to justify our algorithm choices on cryptographic
> principles, not just appeal to authority.
> 
> In a similar vein, you said something about the 32-bit timestamp being wide
> enough to prevent brute-force attacks.  Could you say a bit more about what
> attacks those are that are being prevented?  I'm not really seeing how the
> width of the timestamp comes into play for that concern, just from a quick
> skim of the document.  (Timestamps tend to not provide much protection
> against brute force by themselves, since time is relatively guessable,
> especially to seconds precision.)
> 
> Thanks,
> 
> Ben
> 
>> On Wed, Dec 02, 2020 at 11:18:29PM +0100, Ondřej Surý wrote:
>> SYN cookies in both Linux and FreeBSD uses siphash.
>> 
>> * FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
>> * Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)
>> 
>> I believe that the SYN cookies have exactly the same properties as DNS cookies.
>> 
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej@isc.org
>> 
>>>> On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
>>> 
>>> Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
>>> 
>> 


From nobody Fri Dec  4 13:31:32 2020
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1D33A0C1B; Fri,  4 Dec 2020 13:31:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDCqJdYsWpMH; Fri,  4 Dec 2020 13:31:22 -0800 (PST)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A34DD3A0C17; Fri,  4 Dec 2020 13:31:21 -0800 (PST)
Received: by mail-vs1-xe35.google.com with SMTP id s85so4085678vsc.3; Fri, 04 Dec 2020 13:31:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eKhI0skIpfD2LsAfZW9QasAKKjSkoz5772XizFNcoTw=; b=AQ4/1AI/pJtN3hsSXrtXPCS1dP+Q4BycTSJhKokPqWZRvdWa27Lz8n/YloGQ0Gmhpw hxvegLMdqc7HOjkn9KO3VIXeoyrfkBEMqUccepU9DYR1bcJ/ieoavxDh/wzHQi+wogkY WoqWlUh2CldJMHRLTvmI/b67XedoRo3RG5E6X1bz4wUHl48wij8GzHE5SyXtJLeJDSNS VSwxmUq7/fRJsvti9k7Ge4aZMn6xbL4mw3BMIibA5KouSNdcKlfcM9zYts5zjki5Arwm 5TVWRYJeMq7ZlXykF+ZbtpAkSUZ1eSckcq/ICiwJ/S98nJPOxvTOIgsDaKc7qw0vkYLl szRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eKhI0skIpfD2LsAfZW9QasAKKjSkoz5772XizFNcoTw=; b=akeaGbSaqY+VeqfL6glkOD2eaHowMbJXj5QPvMdaGKXoJpK16rNMBEMNeXrn0QKBUd 6/2dmSPP+c0766mi8P/16OTqAD22rNXRsb18zMpwYIVCVNsXfFdquaEmOw7bcRnX8oF2 8/vapIt3QG3nq3mWXiMM0NHME8vyyhLGYXa2xt3Jls93rAvTTieCeeISfDUScDI+F1zK HLi3LUd/sA82E1ODP1OPSSunSMSJQBbkqkElhpC7pEeOiiSPJHRc0XDMWbMcf2ui0Zap 1ReV7jhhxqGzSBuvdgLwgP7fkyj1gTrQ7V3dZObnrPvcM1jy7YS1LsW04UvWbp9PKVjg wGgg==
X-Gm-Message-State: AOAM531/qdZ4ZeVr4iztub+vWXR1YKuQiovkMi3mmFKAREwG0hNgRk7U v7t51bULIgbxp1tl13pG0S0+tTHw8e46K6x4Um0=
X-Google-Smtp-Source: ABdhPJx0s+kTp8uCNris3qRIPDcPRQ9JtZ2MXdqYa0d3YcxpV5bcTDj3Fmctao8qdxYZAYYzYJ+dQCD8Ja38Vk6Z9tc=
X-Received: by 2002:a05:6102:215c:: with SMTP id h28mr5573623vsg.58.1607117480668;  Fri, 04 Dec 2020 13:31:20 -0800 (PST)
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org> <20201204203635.GS64351@kduck.mit.edu>
In-Reply-To: <20201204203635.GS64351@kduck.mit.edu>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 4 Dec 2020 13:31:09 -0800
Message-ID: <CAH1iCip+MTHXvxKV_Tz6-7vYP9e-v8MxJVXNLqkPsgBM2_7njQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>, last-call@ietf.org,  draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop WG <dnsop@ietf.org>,  secdir@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008c3ca105b5aa32df"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/nkfjmGHgFM2jCq8VuUMtGp9GiEw>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 21:31:24 -0000

--0000000000008c3ca105b5aa32df
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Dec 4, 2020 at 12:39 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Ondřej,
>
> In a similar vein, you said something about the 32-bit timestamp being wide
> enough to prevent brute-force attacks.  Could you say a bit more about what
> attacks those are that are being prevented?  I'm not really seeing how the
> width of the timestamp comes into play for that concern, just from a quick
> skim of the document.  (Timestamps tend to not provide much protection
> against brute force by themselves, since time is relatively guessable,
> especially to seconds precision.)
>

I think the timestamp being used as input to the hash provides a particular
protection to brute forcing.
Since the output (hash) is a function of the input, this means that any
attempt to brute force some other element which is an input to the hash,
will be constrained by an element over which the attacker has no control.

The timestamp is a monotonically increasing (modulo 32) value, which
changes every second.
This places a time window for a brute force attack, to be of a 1 second
duration.
Alternatively, it can be considered as increasing the entropy, meaning the
brute force attempt would need to include all potential values of the
timestamp over the cookie lifetime.
I believe the 30 minutes or 1 hour lifetime adds enough entropy to
significantly increase the work required for a brute force attack.

I don't think the absolute size of the timestamp value (in bits) plays any
part here.

Brian Dickson

--0000000000008c3ca105b5aa32df--
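
The stateless server cookie discussed in the two messages above (a keyed PRF over the client nonce, a timestamp and a server secret, with the timestamp both carried in the cookie and fed to the PRF), as an added example that is not part of the thread or of the draft. The 12-byte layout, the use of the client IP as PRF input, the 1-hour lifetime, the 5-minute skew allowance and all function names are assumptions for illustration; SipHash-2-4 is written out inline because Python's standard library has no public API for it.

```python
import hmac
import ipaddress
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF
MASK32 = 0xFFFFFFFF


def _rotl(x: int, b: int) -> int:
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4 with a 128-bit key; returns the 64-bit PRF output."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround() -> None:
        v[0] = (v[0] + v[1]) & MASK64
        v[1] = _rotl(v[1], 13) ^ v[0]
        v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64
        v[3] = _rotl(v[3], 16) ^ v[2]
        v[0] = (v[0] + v[3]) & MASK64
        v[3] = _rotl(v[3], 21) ^ v[0]
        v[2] = (v[2] + v[1]) & MASK64
        v[1] = _rotl(v[1], 17) ^ v[2]
        v[2] = _rotl(v[2], 32)

    # Zero-pad to 7 mod 8, then append the message length as the final byte.
    padded = msg + b"\x00" * (7 - len(msg) % 8) + bytes([len(msg) & 0xFF])
    for (m,) in struct.iter_unpack("<Q", padded):
        v[3] ^= m
        sipround()
        sipround()
        v[0] ^= m
    v[2] ^= 0xFF
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]


def _prf(key: bytes, client_cookie: bytes, ts: int, client_ip: str) -> bytes:
    # Assumed PRF input: client nonce | 32-bit timestamp | packed client address.
    data = client_cookie + struct.pack(">I", ts) + ipaddress.ip_address(client_ip).packed
    return struct.pack(">Q", siphash24(key, data))


def make_server_cookie(key: bytes, client_cookie: bytes, client_ip: str, now: int) -> bytes:
    """Assumed layout: 4-byte timestamp followed by the 8-byte PRF output."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie (nonce) must be 8 bytes")
    ts = now & MASK32
    return struct.pack(">I", ts) + _prf(key, client_cookie, ts, client_ip)


def check_server_cookie(key: bytes, client_cookie: bytes, server_cookie: bytes,
                        client_ip: str, now: int,
                        lifetime: int = 3600, skew: int = 300) -> bool:
    """Verify with no per-client state: only the server secret and the clock."""
    if len(client_cookie) != 8 or len(server_cookie) != 12:
        return False
    (ts,) = struct.unpack(">I", server_cookie[:4])
    # Signed difference modulo 2**32, so the check survives timestamp wrap.
    age = (now - ts) & MASK32
    if age >= 1 << 31:
        age -= 1 << 32
    if not -skew <= age <= lifetime:
        return False  # replay of an expired cookie, or one dated in the future
    # The timestamp is a PRF input, so rewriting it invalidates the hash.
    expected = _prf(key, client_cookie, ts, client_ip)
    return hmac.compare_digest(expected, server_cookie[4:])


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = bytes(range(16))
    nonce = bytes.fromhex("2464c4abcf10c957")
    issued = 1607116469
    cookie = make_server_cookie(secret, nonce, "198.51.100.7", issued)
    print("fresh, same client :", check_server_cookie(secret, nonce, cookie, "198.51.100.7", issued + 60))
    print("other source addr  :", check_server_cookie(secret, nonce, cookie, "203.0.113.9", issued + 60))
    print("replayed after 1 h :", check_server_cookie(secret, nonce, cookie, "198.51.100.7", issued + 3601))
```

The freshness window is enforced by the age comparison and the PRF only binds the timestamp to the cookie, so the replay protection comes from the lifetime check, not from how many bits the timestamp has.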


From nobody Sat Dec  5 06:58:23 2020
Return-Path: <rsalz@akamai.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5C53A0CE9; Sat,  5 Dec 2020 06:58:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y82W2-fVvoaJ; Sat,  5 Dec 2020 06:58:14 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C83673A0CE8; Sat,  5 Dec 2020 06:58:13 -0800 (PST)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 0B5En1YR029755; Sat, 5 Dec 2020 14:58:12 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=+LLwu6dL70oiKsLUH06TmpiDNFg4hvCj8E1q5wAjAj4=; b=HpSYYFAgizUvAl5V89oNl56mdpuQSwvTkiWbDmN6DQxGKeKowNj93u11uKDHDT2wZDsU lPqFpOF2KFXWryv7VELDdsNwtP/pqMsg/O2Ti97hg7V+vyWyX2MVlalYfvf1R6S9SjrX ++Bnk/UQhUdc9q++Z2CnbWXFMm1jEpfdk/czS09NxOJ70Z+tCkxatYBlku1h1yRUQVd0 jOzojRZD1Vdrr26cLTEMO9hv6FwqMFxq3jzcwBYD/9J4fLYsPhTWueU4WuVEVQhM05qt Zsn/nzcKyP5GJIxILChoq0zmc4pWsp5cBPso8HolEFUSVBzdpi6rskCnXufb/L4yZS2R 8w== 
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 3583kruvs1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 05 Dec 2020 14:58:12 +0000
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 0B5EnN1V012892; Sat, 5 Dec 2020 09:58:12 -0500
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint1.akamai.com with ESMTP id 3586e2rh65-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 05 Dec 2020 09:58:11 -0500
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb4.msg.corp.akamai.com (172.27.123.56) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 5 Dec 2020 09:58:11 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 5 Dec 2020 09:58:11 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.008; Sat, 5 Dec 2020 09:58:10 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Benjamin Kaduk <kaduk@mit.edu>, =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>, dnsop WG <dnsop@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Last-Call] [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
Thread-Index: AQHWyNM3WzeTZavIY0a2VdBQji4irqnkc1MAgAAvdYCAABGCgIADCDGAgADfwgA=
Date: Sat, 5 Dec 2020 14:58:10 +0000
Message-ID: <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org> <20201204203635.GS64351@kduck.mit.edu>
In-Reply-To: <20201204203635.GS64351@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/16.43.20110804
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <ED2CCE779D23F246B4505D13551B75B6@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-05_10:2020-12-04, 2020-12-05 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 spamscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 adultscore=0 malwarescore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012050100
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-05_10:2020-12-04, 2020-12-05 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 phishscore=0 spamscore=0 impostorscore=0 priorityscore=1501 clxscore=1015 suspectscore=0 malwarescore=0 mlxlogscore=999 lowpriorityscore=0 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012050100
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.18) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GXwhABxe0jKqdLysqogyfHwVLzc>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 14:58:16 -0000

From nobody Sat Dec  5 08:18:47 2020
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246873A0489; Sat,  5 Dec 2020 08:18:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ST__TOERVTqj; Sat,  5 Dec 2020 08:18:35 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B73003A03F1; Sat,  5 Dec 2020 08:18:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 48D10BE2F; Sat,  5 Dec 2020 16:18:31 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cLeQfgL8ibv; Sat,  5 Dec 2020 16:18:29 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2EDFABE1C; Sat,  5 Dec 2020 16:18:29 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1607185109; bh=B8vzXuEfspEONZ1UsE4O2dsx/+2UOMVmOTwt0qF1jAM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=eujqngQuSJVviDp04vuq+t7WPabBPBadqwg5MWwovxd9GWl1DhUWNDceQyEzi63dc nQh1or8vgJf/XmrCxvel6UXwTny05BJaUneyp3i7OcNi3F1hfUt7Aavov3aprfbspw q1uaErVVxFr+ZCm4G4RMDhp8ghX0IlgzYfZ9co4U=
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Cc: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>, dnsop WG <dnsop@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org> <20201204203635.GS64351@kduck.mit.edu> <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <d827684d-3d60-6f30-cfdb-e598025b32e3@cs.tcd.ie>
Date: Sat, 5 Dec 2020 16:18:27 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="TwNRxYgYC0rAwmYWyYuff8RvefFdJ9rNN"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8fAjZRBNjeJOfV7CbwXr8DMVgi4>
Subject: Re: [secdir] [DNSOP] [Last-Call] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 16:18:38 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--TwNRxYgYC0rAwmYWyYuff8RvefFdJ9rNN
Content-Type: multipart/mixed; boundary="7OaUUUvLaixqMfjtwGk76gK213VxsAiNb";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>,
 Benjamin Kaduk <kaduk@mit.edu>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?=
 <ondrej@isc.org>
Cc: "last-call@ietf.org" <last-call@ietf.org>,
 "draft-ietf-dnsop-server-cookies.all@ietf.org"
 <draft-ietf-dnsop-server-cookies.all@ietf.org>, dnsop WG <dnsop@ietf.org>,
 "secdir@ietf.org" <secdir@ietf.org>
Message-ID: <d827684d-3d60-6f30-cfdb-e598025b32e3@cs.tcd.ie>
Subject: Re: [DNSOP] [Last-Call] [secdir] Secdir last call review of
 draft-ietf-dnsop-server-cookies-04
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com>
 <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org>
 <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com>
 <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org>
 <20201204203635.GS64351@kduck.mit.edu>
 <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
In-Reply-To: <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>

--7OaUUUvLaixqMfjtwGk76gK213VxsAiNb
Content-Type: multipart/mixed;
 boundary="------------D1CFE18449DDCCDF81D29262"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------D1CFE18449DDCCDF81D29262
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Hiya,

On 05/12/2020 14:58, Salz, Rich wrote:
> There is a fair amount of academic study around SipHash, and while
> everyone can make mistakes, its creators have a pretty good
> reputation. I don't think we can say SipHash is unknown in the
> industry.
>
> The TLSWG made it a practice to ask CFRG to "approve" all crypto it
> used (except perhaps HKDF, but that's a side note). The DNSOP has no
> such practice.

FWIW, I think asking CFRG for comment (not approval) whenever
a new algorithm is introduced onto the standards-track is a
good idea, regardless of the WG from which the draft came.
Such checks don't mean anyone thinks badly of any algorithm,
the argument is it's better to ask a question in the place
where the expertise lies, just in case.

Cheers,
S.

>
> If SECDIR or the Ads thinks SipHash isn't good, it would be great to
> hear reasons.  I haven't heard any yet.
>
>
> _______________________________________________ DNSOP mailing list
> DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
>

--------------D1CFE18449DDCCDF81D29262--

--7OaUUUvLaixqMfjtwGk76gK213VxsAiNb--

--TwNRxYgYC0rAwmYWyYuff8RvefFdJ9rNN--


From nobody Sat Dec  5 09:32:51 2020
Return-Path: <rsalz@akamai.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F202E3A09E1; Sat,  5 Dec 2020 09:32:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HA-jZAKoilSs; Sat,  5 Dec 2020 09:32:43 -0800 (PST)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBB853A09E0; Sat,  5 Dec 2020 09:32:43 -0800 (PST)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 0B5HOASM008630; Sat, 5 Dec 2020 17:32:38 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=RWEy4L2U5KEiJt0WKoZSbxmCkpNk20x4TfihnLtQcIc=; b=h6EkEth6y1My7Z43DPkMRTZlr9J7Whv4KWRFg0sK+9MD3kAr+7fD9uksrBHaMBI8W7I0 13mhlwnj4J3qfI9F0AAvPm/RPywqFv9nlz9MLLxO5QnaFKq2vQhPcdFTuJ0znFUsQAbL cKp2Ee0EnOTCLjc39Rm4paaj4wOHn+2BFz/EMcIEQ0uu4k0W0Jcq523VKeadOIBDWJ0e Av8ev9J8+aVdmF54a7c3f8APGs8Q3iCRW44dCZTJQIz/SRoB6Ok3RUNDhqEwtVdwIfVY o6jb0B7dquMkVpIPLx6xAVeO0kphYsde2rO3Kz51vHuRYBC0FVZjllXpgVtxK8tTKDW9 pQ== 
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 3583q5rhnu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 05 Dec 2020 17:32:38 +0000
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 0B5HJkON001487; Sat, 5 Dec 2020 09:32:37 -0800
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint5.akamai.com with ESMTP id 35892eghbs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sat, 05 Dec 2020 09:32:36 -0800
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb3.msg.corp.akamai.com (172.27.123.58) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 5 Dec 2020 12:32:36 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 5 Dec 2020 12:32:36 -0500
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.008; Sat, 5 Dec 2020 12:32:35 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Benjamin Kaduk <kaduk@mit.edu>, =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>, dnsop WG <dnsop@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [DNSOP] [Last-Call] [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
Thread-Index: AQHWyNM3WzeTZavIY0a2VdBQji4irqnkc1MAgAAvdYCAABGCgIADCDGAgADfwgCAAGp0gP//wLOA
Date: Sat, 5 Dec 2020 17:32:35 +0000
Message-ID: <4DDA1831-7F6E-45C2-809E-F88CB9D599F3@akamai.com>
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org> <20201204203635.GS64351@kduck.mit.edu> <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com> <d827684d-3d60-6f30-cfdb-e598025b32e3@cs.tcd.ie>
In-Reply-To: <d827684d-3d60-6f30-cfdb-e598025b32e3@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/16.43.20110804
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7B3A59ABB10C1048A6B6D59668615A10@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-05_13:2020-12-04, 2020-12-05 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 phishscore=0 mlxscore=0 mlxlogscore=823 malwarescore=0 suspectscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012050116
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-12-05_13:2020-12-04, 2020-12-05 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 lowpriorityscore=0 clxscore=1015 mlxlogscore=730 mlxscore=0 phishscore=0 spamscore=0 priorityscore=1501 impostorscore=0 malwarescore=0 adultscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012050117
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.60) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint5
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7q9RmBtbevNuU_HrrJ6rOiPq4FI>
Subject: Re: [secdir] [DNSOP] [Last-Call] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 17:32:45 -0000

From nobody Sat Dec  5 10:59:24 2020
Return-Path: <ekr@rtfm.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4BC3A0762 for <secdir@ietfa.amsl.com>; Sat,  5 Dec 2020 10:59:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0FjrMhoy1zRl for <secdir@ietfa.amsl.com>; Sat,  5 Dec 2020 10:59:17 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF5663A074B for <secdir@ietf.org>; Sat,  5 Dec 2020 10:59:16 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id v14so12336342lfo.3 for <secdir@ietf.org>; Sat, 05 Dec 2020 10:59:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+Y/NZITf/yqVml9sTuFJ9ZdqXkbpFTLZHUBv8OLEsWg=; b=GWcgFhuelKbr7ijaY5ECiaZ4amvt1fRHwiOP2Jn7OGmEyWCbYqyeHP8reI2jmaJM1Q cdzCFAfdN+PdGK/vmnL386w5C5N62e8aRvCPUw9kkjfIxkC6zS1F6Wu7vIsWqv55l+l6 ytTSzVjXN0QmqM0D/Pbwxv/NP0sEMduNv1NOPtYJU8NeCg+2VPDQRZgbiLdT6g8RwHM4 soiDmKFXlLCXu8icL0EKmszLwdoE95uEXvmzYlTohgZuqnlj099LRJVYv8ouZW+3Az+h XYHWJnv0PR2LcepJnZ7md9B/xdt+pcTvGIwYm7ezbAMPBgUW6WRvRndv1Tp2wOVznRLW kfbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+Y/NZITf/yqVml9sTuFJ9ZdqXkbpFTLZHUBv8OLEsWg=; b=tFVq8ujduPp4utuQe5+H+Vs+H31cc2BWZvBa4qier4f3eKGsG1xEZpdQ53C0usBKIM AIP/W0fB27etYkk3qplBx7EF1inA9Bd8LbRDfr4ZaqNOLtYXIBTIt7OcRel5nsOkNvcT MlvuwnMbGE06qWS6ECiiMximkyASl1/Jvw/ts1vXWfLuwjb/pFvzOYgxBNjWwXkuuPSW jSsSrzqXCpQlt9VkuDRKNJbMyJpjHEreVPVDXi0Uu78RPZb57B56x0/HKJEUVBWIF1F8 yXvNZYBHiIazsTtCgfMW/PKF63Is0ETegSkXibnrQSrimHDflN0OulHsAB2Dswg36IPd tE7Q==
X-Gm-Message-State: AOAM5326l0V53PWjAlABXTeXfArW0jx2yVX0vMbkTXVXbWBz1OsrCBdk LrYOS4s+GrM+w2Id9BmuOg0dxaHJIwijGENHrGYloQ==
X-Google-Smtp-Source: ABdhPJw453E+pvza93ecJbOEqYnkjc2Dodat3F4YnA8MILQGLwK+dh8Gg2vhZQASEeD33xIN7/zqIOqz4QeGhThqAK0=
X-Received: by 2002:a05:6512:368a:: with SMTP id d10mr5510438lfs.579.1607194755036;  Sat, 05 Dec 2020 10:59:15 -0800 (PST)
MIME-Version: 1.0
References: <160693121881.9413.5642470305677631145@ietfa.amsl.com> <17AFD6F5-11DA-41BC-8C37-E1893648041D@isc.org> <CABcZeBPRn3aTBsApawvk_Ecyzdbi+SX9=b74y0_uhYx_Y8p-5w@mail.gmail.com> <51A61472-45D7-4133-80BC-1F470B5CBD84@isc.org> <20201204203635.GS64351@kduck.mit.edu> <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
In-Reply-To: <320692C5-9C47-4CE6-8D6C-A62C2B50728F@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 5 Dec 2020 10:58:38 -0800
Message-ID: <CABcZeBOQXcihkksYGa1Khc0ZZgvb-EJ3iy5S9MEQVeL95pohqQ@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>,  "last-call@ietf.org" <last-call@ietf.org>,  "draft-ietf-dnsop-server-cookies.all@ietf.org" <draft-ietf-dnsop-server-cookies.all@ietf.org>, dnsop WG <dnsop@ietf.org>,  "secdir@ietf.org" <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000758c5305b5bc3052"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wZq9M2c3hrd5SpOc1KAM3TuPH0w>
Subject: Re: [secdir] [DNSOP] [Last-Call] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 18:59:20 -0000

--000000000000758c5305b5bc3052
Content-Type: text/plain; charset="UTF-8"

On Sat, Dec 5, 2020 at 6:58 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
wrote:

> There is a fair amount of academic study around SipHash, and while
> everyone can make mistakes, its creators have a pretty good reputation. I
> don't think we can say SipHash is unknown in the industry.
>
> The TLSWG made it a practice to ask CFRG to "approve" all crypto it used
> (except perhaps HKDF, but that's a side note). The DNSOP has no such
> practice.
>

I recognize that this is a bigger issue, but I believe this should be the
practice for the IETF as a whole and I would encourage the SEC ADs to work
to make it so.

-Ekr



> If SECDIR or the Ads thinks SipHash isn't good, it would be great to hear
> reasons.  I haven't heard any yet.
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--000000000000758c5305b5bc3052--


From nobody Sun Dec  6 14:31:15 2020
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A19033A0CB7; Sun,  6 Dec 2020 14:31:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ki1oEtBgxNIk; Sun,  6 Dec 2020 14:31:06 -0800 (PST)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096673A0CB5; Sun,  6 Dec 2020 14:31:02 -0800 (PST)
Received: by mail-ej1-x62d.google.com with SMTP id x16so16763592ejj.7; Sun, 06 Dec 2020 14:31:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to:cc; bh=p7mQpihJG6IAAg02Y6uxQFmGAeaP4gsF5PalgRiNCuA=; b=i75QEZePWl+bJhxI7ojw+j+ldr3OZsrxqb6B7FDN/T2cAOIeOXULrHodklZwjtfhoQ nRT4aAmrVdOhmxoG/UcT9Kh/9ZXJEPdE/b6f+Q7OE7Z+RUxhfPMPdjjIuEUfuDLLp/NB haftGKf7WIAxwkHfnfv94brecaHAPYkMYoayMgKQWXyJs0NSY1gcUMCMevoW4+F4uJ7I Nabb9vq6k/zAtN1r22IYpQJIKbyHALqplwd+XiNHRIDQrOipPxqxTgrFp5mKI5zDtIrQ wEDwBqFJtjjVuVuLm5liD7rTbvc8mOx+7SMorfXv0XuZMP49l87WYpCrXM4KoU9SqpGJ biUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=p7mQpihJG6IAAg02Y6uxQFmGAeaP4gsF5PalgRiNCuA=; b=nAdFNYijk5TnCV8uj1MW7q913fgyAyzdJYqmzq69Fq78kjBkUfwJN+AYowWfF5HPgQ dgTNDs8NWr21Qtvi/T18eyRCp0sV46J9ea5aD/ZofZYV1qgPleTMacfO8nkbB2SU+JA/ NAIwWWMTk4aevUp2DbK50qe8gwdM0QCywavvWKW3MEX+68pWf3FVUCyvh1i9kJdnsi7U EEOAHjMlTsAvva50YHFoe3b6kyknSGfPwo/5gP/M8k99lhgZHlx+Cii0O3zsD76ufciB AyDGi6XrS6+ypEt9JScU0WgbjT6spsawUUu16MvbPV7r/d+viPuwrAGZ0filDE5qh6Yy S8/A==
X-Gm-Message-State: AOAM530OKyVLrJfbrYp2PBEmSEwiMia5r1o3NN+7CiEvb81fBeCBEytG +i2tPGDor0xmQjM5IwOm1dVxXPl/kI+TTjZJF3gQj1wfKAiEww==
X-Google-Smtp-Source: ABdhPJzWuHfOdeKYHLh/uvuxax4vYpCA+LeY06m/PYKx+SWJGdctE+BXleieclk/kh3y68aoK0RmRGlysJhMAqyk2kk=
X-Received: by 2002:a17:906:c7d9:: with SMTP id dc25mr16838311ejb.138.1607293860884;  Sun, 06 Dec 2020 14:31:00 -0800 (PST)
MIME-Version: 1.0
From: Shawn Emery <shawn.emery@gmail.com>
Date: Sun, 6 Dec 2020 15:30:44 -0700
Message-ID: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com>
To: secdir <secdir@ietf.org>
Cc: draft-ietf-ippm-ioam-data.all@ietf.org, last-call@ietf.org,  Shawn Emery <semery@uccs.edu>
Content-Type: multipart/alternative; boundary="000000000000a0b53c05b5d3436d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/nzcF3TGSJ3kLfkdXVhKm7YFRWOc>
Subject: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2020 22:31:10 -0000

--000000000000a0b53c05b5d3436d
Content-Type: text/plain; charset="UTF-8"

Reviewer: Shawn M. Emery
Review result: Ready with nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This standards track draft specifies data fields in the In-situ Operations,
Administration, and Maintenance (IOAM) scheme.  The data fields contain
operational and telemetry information in a network domain.  "In-situ" refers
to the fact that the associated data is actually encapsulated in the data
packet itself rather than through a separate OAM packet.

The security considerations section does exist and describes multiple
vulnerabilities to the IOAM.  Attackers can create both false-positives and
false-negatives in regards to failures or the true state of the domain.  This
can eventually lead to DoS attacks.  Another form of DoS is by crafting an
IOAM header to packets thereby increasing the resources required or exceeding
the packet beyond the network's MTU size.

Verifying the path of the data packets is deferred to
draft-ietf-sfc-proof-of-transit's security consideration section which has
good coverage and ways to mitigate the various attacks on the protocol.
Eavesdropping is also possible, which can reveal operational and telemetry
data of the network domain.

IOAM also utilizes timestamps, in which an attack on the time synchronization
protocol can affect the timestamp fields in IOAM.  In addition the management
functionality of IOAM could also be targeted, but suggests authentication and
integrity checks to protect against said attacks.

Various measures against these attacks are not prescribed based on the fact
that this specification is about the data fields of IOAM.  However, I think it
would be beneficial to provide some guidance (at least for future
specifications) for each of these attacks that utilize these data fields else
why articulate the security issues at all?

General comments:

None.

Editorial comments:


None.


Shawn.
--

--000000000000a0b53c05b5d3436d--


From nobody Mon Dec  7 03:06:01 2020
Return-Path: <naveen.sarma@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E443A130F; Mon,  7 Dec 2020 03:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhRVSy4VPmma; Mon,  7 Dec 2020 03:05:51 -0800 (PST)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCBBC3A1313; Mon,  7 Dec 2020 03:05:47 -0800 (PST)
Received: by mail-il1-x135.google.com with SMTP id k8so11771771ilr.4; Mon, 07 Dec 2020 03:05:47 -0800 (PST)
X-Received: by 2002:a92:874c:: with SMTP id d12mr22887405ilm.244.1607339146826;  Mon, 07 Dec 2020 03:05:46 -0800 (PST)
MIME-Version: 1.0
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
In-Reply-To: <160711219694.2677.7881042583251252532@ietfa.amsl.com>
From: Naveen Kottapalli <naveen.sarma@gmail.com>
Date: Mon, 7 Dec 2020 16:35:37 +0530
Message-ID: <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Cc: secdir@ietf.org, last-call@ietf.org,  draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e1590405b5ddce23"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/V-dg9gA8aHjNh23PWuWDd-xtV10>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 11:05:53 -0000

--000000000000e1590405b5ddce23
Content-Type: text/plain; charset="UTF-8"

Thanks Christian.  Reference is corrected and will be available in next
version.

Yours,
Naveen.


On Sat, 5 Dec 2020 at 01:34, Christian Huitema via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Christian Huitema
> Review result: Ready
>
> This document presents a set of requirements for how "Prefix Delegating
> Relays" should handle the relaying of IPv6 Prefix delegation requests
> between DHCP clients and DHCP servers.
>
> This document is Ready. But please fix one tiny nit.
>
> Prefix Delegating Relays are more complex than simple DHCP relays. Instead
> of merely passing information back and forth between DHCP clients and DHCP
> servers, they also need to install IPv6 routes so the allocated IPv6 prefix
> is routed towards the client to which the prefix is allocated via DHCP. The
> document explains issues found during past deployments, and presents a set
> of requirements to ensure smooth operation of the service.
>
> As written in the security section, stating these requirements does not add
> any new security considerations beyond those mentioned in RFC 8213, which
> requires using IPSEC between DHCP relay and DHCP server. This is fine and I
> believe that the draft is ready, except for one nit. The draft mentions
> "Section 22 of [RFC8213]", but RFC 8213 only has 6 sections. Since that RFC
> is entirely about "Security of Messages Exchanged between Servers and Relay
> Agents", I don't understand why the draft needs to mention this bogus
> "Section 22". Are the authors trying to trick this reviewer?
>
> There is a security issue concerning communication between clients and
> relays. This draft is not the place to address it, which is why I think it
> is ready, but I can't resist using this review to pass a message to the
> working group. On-link attackers could spoof requests for prefix delegation,
> or responses, just like they can spoof any DHCP message. Spoofing prefix
> delegation requests might be a way to attack networks, or to cause support
> issues between clients and providers. RFC 8213 "suggests" using secure DHCPv6
> between client and server, but the "secure DHCPv6" draft cited in RFC 8213
> is now expired. I understand that solutions like RA Guard will in practice
> provide some protection, but the use of these solutions is not discussed in
> RFC 8213. The DHCP WG might want to address that.
>
>
>
>
>

--000000000000e1590405b5ddce23--


From nobody Mon Dec  7 04:31:22 2020
Return-Path: <volz@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C84D73A1363; Mon,  7 Dec 2020 04:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.619
X-Spam-Level: 
X-Spam-Status: No, score=-9.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=UK/eftAb; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=FQosMkUU
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9crsgKaGu1Sf; Mon,  7 Dec 2020 04:31:19 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAD263A1362; Mon,  7 Dec 2020 04:31:18 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,399,1599523200";  d="scan'208,217";a="610907521"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 07 Dec 2020 12:31:17 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id 0B7CVHlP026633 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 7 Dec 2020 12:31:17 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 7 Dec 2020 06:31:17 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 7 Dec 2020 06:31:16 -0600
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 7 Dec 2020 06:31:16 -0600
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN6PR1101MB2209.namprd11.prod.outlook.com (2603:10b6:405:50::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.21; Mon, 7 Dec 2020 12:31:15 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::1dc1:e7f4:84ef:3711]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::1dc1:e7f4:84ef:3711%6]) with mapi id 15.20.3632.023; Mon, 7 Dec 2020 12:31:15 +0000
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Naveen Kottapalli <naveen.sarma@gmail.com>
CC: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Thread-Index: AQHWzIj6eBYmgkGtQ0undY5o+MeyR6nrkKNO
Date: Mon, 7 Dec 2020 12:31:15 +0000
Message-ID: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com>, <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
In-Reply-To: <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: huitema.net; dkim=none (message not signed) header.d=none;huitema.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [24.233.121.124]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cf351b78-7932-4b36-b481-08d89aabfd87
x-ms-traffictypediagnostic: BN6PR1101MB2209:
x-microsoft-antispam-prvs: <BN6PR1101MB22097FE151C7A255AC041253CFCE0@BN6PR1101MB2209.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_F5FE0A09351E4ED58880A7EE943B8EA9ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN7PR11MB2547.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cf351b78-7932-4b36-b481-08d89aabfd87
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Dec 2020 12:31:15.6309 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8iWE//IqQTR40pLAq9QV19cfQsJspgVEnkDOm/4b0kyZqbbOFuDCoAnAT6wlQeZ4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR1101MB2209
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VD_VledY6CMrScqpIgxvoAcL-dQ>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 12:31:21 -0000

--_000_F5FE0A09351E4ED58880A7EE943B8EA9ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_F5FE0A09351E4ED58880A7EE943B8EA9ciscocom_--


From nobody Mon Dec  7 05:03:35 2020
Return-Path: <mellon@fugue.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 079DC3A0CF2 for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 05:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level: 
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, NO_DNS_FOR_FROM=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0MBMp5Y9TIs for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 05:03:25 -0800 (PST)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 828433A0CF4 for <secdir@ietf.org>; Mon,  7 Dec 2020 05:03:25 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id x25so12351188qkj.3 for <secdir@ietf.org>; Mon, 07 Dec 2020 05:03:25 -0800 (PST)
X-Received: by 2002:a05:620a:148d:: with SMTP id w13mr23251623qkj.299.1607346203966;  Mon, 07 Dec 2020 05:03:23 -0800 (PST)
Received: from [192.168.4.114] (c-24-91-177-160.hsd1.ma.comcast.net. [24.91.177.160]) by smtp.gmail.com with ESMTPSA id k188sm11792612qkd.98.2020.12.07.05.03.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 07 Dec 2020 05:03:23 -0800 (PST)
Content-Type: multipart/alternative; boundary=Apple-Mail-6515CAC2-4197-402D-879D-F55E42D0AB19
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 7 Dec 2020 08:03:22 -0500
Message-Id: <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
References: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
Cc: Naveen Kottapalli <naveen.sarma@gmail.com>, last-call@ietf.org, Christian Huitema <huitema@huitema.net>, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org, secdir@ietf.org
In-Reply-To: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
To: "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (18C65)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6Ov0r1_rMdc2-OwBPWCF8mxXAHU>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 13:03:28 -0000

--Apple-Mail-6515CAC2-4197-402D-879D-F55E42D0AB19
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Also, Christian, RA guard only works in a managed environment. In an
unmanaged environment it will break things. It would be wise to be careful
about when and where you recommend it or we will wind up with
interoperability problems. This is probably outside of the DHC wg’s
bailiwick.

> On Dec 7, 2020, at 07:32, Bernie Volz (volz) <volz=40cisco.com@dmarc.ietf.org> wrote:
>
> FYI:
>
>>> I understand that solutions like RA
>>> Guard will in practice provide some protection, but the use of these solutions is
>>> not discussed in RFC 8213. The DHCP WG might want to address that.
>
> RFC8415’s security considerations is rather extensive and includes reference to many techniques to reduce the issues. 8213 was written while 8415 was under development.
>
> - Bernie
>
>>> On Dec 7, 2020, at 6:06 AM, Naveen Kottapalli <naveen.sarma@gmail.com> wrote:
>>>
>>
>> Thanks Christian.  Reference is corrected and will be available in next version.
>>
>> Yours,
>> Naveen.
>>
>>
>>> On Sat, 5 Dec 2020 at 01:34, Christian Huitema via Datatracker <noreply@ietf.org> wrote:
>>> Reviewer: Christian Huitema
>>> Review result: Ready
>>>
>>> This document presents a set of requirements for how "Prefix Delegating Relays" should
>>> handle the relaying of IPv6 Prefix delegation requests between DHCP clients and DHCP servers.
>>>
>>> This document is Ready. But please fix one tiny nit.
>>>
>>> Prefix Delegating Relays are more complex than simple DHCP relays. Instead of
>>> merely passing information back and forth between DHCP clients and DHCP servers,
>>> they also need to install IPv6 routes so the allocated IPv6 prefix is routed towards
>>> the client to which the prefix is allocated via DHCP. The document explains
>>> issues found during past deployments, and presents a set of requirements to
>>> ensure smooth operation of the service.
>>>
>>> As written in the security section, stating these requirements does not add
>>> any new security considerations beyond those mentioned in RFC 8213, which requires
>>> using IPSEC between DHCP relay and DHCP server. This is fine and I believe that
>>> the draft is ready, except for one nit. The draft mentions "Section 22 of [RFC8213]",
>>> but RFC 8213 only has 6 sections. Since that RFC is entirely about "Security of
>>> Messages Exchanged between Servers and Relay Agents", I don't understand why the
>>> draft needs to mention this bogus "Section 22". Are the authors trying to trick
>>> this reviewer?
>>>
>>> There is a security issue concerning communication between clients and relays. This
>>> draft is not the place to address it, which is why I think it is ready, b=
ut I can't
>>> resist using this review to pass a message to the working group. On link=
 attackers
>>> could spoof requests for prefix delegation, or responses, just like
>>> they can spoof any DHCP message. Spoofing prefix delegation requests mig=
ht be a way
>>> to attack networks, or to cause support issues between clients and provi=
ders.
>>> RFC 8213 "suggests" using secure DHCPv6 between client and server, but t=
he "secure
>>> DHCPv6" draft cited in RFC 8213 is now expired. I understand that soluti=
ons like RA
>>> Guard will in practice provide some protection, but the use of these sol=
utions are
>>> not discussed in RFC 8213. The DHCP WG might want to address that.
>>>=20
>>>=20
>>>=20
>>>=20
> --=20
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call

--Apple-Mail-6515CAC2-4197-402D-879D-F55E42D0AB19--


From nobody Mon Dec  7 17:14:08 2020
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC58A3A0D41 for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 17:14:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level: 
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sugg0LXH_r2e for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 17:14:05 -0800 (PST)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13293A0D02 for <secdir@ietf.org>; Mon,  7 Dec 2020 17:14:05 -0800 (PST)
Received: from xse275.mail2web.com ([66.113.197.21] helo=xse.mail2web.com) by mx171.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmRZn-000Xpn-9g for secdir@ietf.org; Tue, 08 Dec 2020 02:14:04 +0100
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4Cqhw63TQPzPHY for <secdir@ietf.org>; Mon,  7 Dec 2020 17:11:34 -0800 (PST)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmRXS-0004lE-C5 for secdir@ietf.org; Mon, 07 Dec 2020 17:11:34 -0800
Received: (qmail 21851 invoked from network); 8 Dec 2020 01:11:34 -0000
Received: from unknown (HELO [192.168.1.106]) (Authenticated-user:_huitema@huitema.net@[172.58.43.42]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dhcwg@ietf.org>; 8 Dec 2020 01:11:33 -0000
To: Ted Lemon <mellon@fugue.com>, "Bernie Volz (volz)" <volz=40cisco.com@dmarc.ietf.org>
Cc: secdir@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org,  last-call@ietf.org, Naveen Kottapalli <naveen.sarma@gmail.com>, dhcwg@ietf.org
References: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com> <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <45aa2ea2-bc78-25c6-cc66-9f7b61a33a26@huitema.net>
Date: Mon, 7 Dec 2020 17:11:33 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <1B6C9B2E-A750-44C5-A1AC-703482FB1AF4@fugue.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Originating-IP: 66.113.197.21
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.10)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/L_KerKNUy11CeQFofwedMCz0ESY>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 01:14:07 -0000

On 12/7/2020 5:03 AM, Ted Lemon wrote:
> Also, Christian, RA guard only works in a managed environment. In an 
> unmanaged environment it will break things. It would be wise to be 
> careful about when and where you recommend it or we will wind up with 
> interoperability problems. This is probably outside of the DHC wg’s 
> bailiwick.

But I am being careful -- I am not asking for any change in the draft, 
except for a trivial nit. I am just pointing out that there are attacks 
and that the proposed solution in 8213 did not pan out. It would be nice 
if there was guidance available on how to secure DHCP clients and 
servers "in practice", especially if your attack model includes virus or 
phishing attacks overtaking an authorized client inside the perimeter.

-- Christian Huitema


From nobody Mon Dec  7 17:23:57 2020
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393313A0D84; Mon,  7 Dec 2020 17:23:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efbSeMqWMhfe; Mon,  7 Dec 2020 17:23:45 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69F0A3A0D43; Mon,  7 Dec 2020 17:23:41 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0B81NWDb001971 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 7 Dec 2020 20:23:38 -0500
Date: Mon, 7 Dec 2020 17:23:32 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, secdir@ietf.org, dnsop WG <dnsop@ietf.org>
Message-ID: <20201208012332.GJ64351@kduck.mit.edu>
References: <20201204203635.GS64351@kduck.mit.edu> <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NMvjme_15QJ23vir7YlSEMsTBAU>
Subject: Re: [secdir] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 01:23:56 -0000

Hi Ondřej,

Thanks for this detailed writeup; it really helps bring clarity to the
current situation.

In light of the follow-ups from others, it seems that there are actually
two distinct but somewhat entangled issues:

(1) whether SipHash is a strong cryptographic hash function that delivers
its stated properties.

(2) whether the stated properties of SipHash are appropriate for the
scenario we are using it for in this document.

I had initially assumed that Stephen's review was asking about (2), but for
the most part we tend to ask CFRG about things like (1).  So, while I agree
that it's valuable to get input from the CFRG on (1) and am willing to
start the conversation there if needed, I would also like to get Stephen's
(or anyone else's really) input about question (2).  I suspect that we are
okay in that regard, not least because of the other similar usage that you
describe, but request that the analysis of what properties we need from a
hash function for this use case (and that SipHash meets them) be included
in a future version of the draft.

Thanks again,

Ben

On Fri, Dec 04, 2020 at 10:14:29PM +0100, Ondřej Surý wrote:
> Hi Benjamin,
> 
> I did not use appeal to authority as an argument, but I’ve just provided examples that SipHash has been implemented in similar scenarios and there hasn’t been a reported issue with the choice for years now.
> 
> Using a fast PRF (pseudorandom function) for the DNS Cookies is a good choice because it matches the required properties - it needs to be fast and secure in the sense that an attacker can compute neither the key nor the output of the function. DNS Cookies are not MACs.
> 
> Sorry for the misnomer of the brute force - what I meant was a protection against a replay attack. I’m just currently very tired with day to day job.
> 
> Please note that DNS Cookies don’t protect the actual DNS message payload; they merely provide a means to establish trust between the client and the server so as to distinguish between legitimate and spoofed traffic, so different policies can be used - Response Rate Limiting (RRL) could be turned off for DNS messages with cookies or when under attack it could require fallback to TCP for DNS queries without the DNS Cookie. The DNS cookies don’t protect the actual content in any way, nor do they protect the communication from an on-path adversary.
> 
> In that regard, the client cookie is just a nonce (and it’s just convenient to use the same algorithm to generate it, but it could be output from a CSPRNG as well) and the server cookie is a cryptographic primitive that uses the client nonce, key and timestamp to construct the server cookie. Such a server cookie is used by the DNS client to authenticate to the server (it’s a shared secret, but it requires no per-client state on the server). Just to repeat, the actual payload (DNS message) is not protected by the DNS cookie.
> 
> If the DNS server could keep a state for every DNS client, a CS random number would be as good as the output of the SipHash.
> 
> I might not be a cryptographer as my daily job, but I am reasonably confident that SipHash has matching properties; it hasn’t been broken as of today. Also all DNS vendors have agreed to make this choice and the RFC here is merely a way to ensure interoperability between various implementations.
> 
> (Typing this on phone, so excuse any irregularities in the text.)
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
> 
> > On 4. 12. 2020, at 21:37, Benjamin Kaduk <kaduk@mit.edu> wrote:
> > 
> > Hi Ondřej,
> > 
> > Just because someone else does something, even a "big name", doesn't
> > necessarily make it a good idea for us to also do it.
> > We should be able to justify our algorithm choices on cryptographic
> > principles, not just appeal to authority.
> > 
> > In a similar vein, you said something about the 32-bit timestamp being wide
> > enough to prevent brute-force attacks.  Could you say a bit more about what
> > attacks those are that are being prevented?  I'm not really seeing how the
> > width of the timestamp comes into play for that concern, just from a quick
> > skim of the document.  (Timestamps tend to not provide much protection
> > against brute force by themselves, since time is relatively guessable,
> > especially to seconds precision.)
> > 
> > Thanks,
> > 
> > Ben
> > 
> >> On Wed, Dec 02, 2020 at 11:18:29PM +0100, Ondřej Surý wrote:
> >> SYN cookies in both Linux and FreeBSD use siphash.
> >> 
> >> * FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
> >> * Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)
> >> 
> >> I believe that the SYN cookies have exactly the same properties as DNS cookies.
> >> 
> >> Ondrej
> >> --
> >> Ondřej Surý (He/Him)
> >> ondrej@isc.org
> >> 
> >>>> On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
> >>> 
> >>> Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
> >>> 
> >> 
> >> _______________________________________________
> >> secdir mailing list
> >> secdir@ietf.org
> >> https://www.ietf.org/mailman/listinfo/secdir
> >> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
> 


From nobody Mon Dec  7 17:27:58 2020
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75793A0D48 for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 17:27:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level: 
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77sZ0h4U7AHq for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 17:27:55 -0800 (PST)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C22FA3A0D6E for <secdir@ietf.org>; Mon,  7 Dec 2020 17:27:52 -0800 (PST)
Received: from xse203.mail2web.com ([66.113.196.203] helo=xse.mail2web.com) by mx18.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmRSX-0002fI-U1 for secdir@ietf.org; Tue, 08 Dec 2020 02:06:34 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4Cqhp55Yb5z2J2y for <secdir@ietf.org>; Mon,  7 Dec 2020 17:06:21 -0800 (PST)
Received: from [10.5.2.12] (helo=xmail02.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmRSP-00054c-Lu for secdir@ietf.org; Mon, 07 Dec 2020 17:06:21 -0800
Received: (qmail 28473 invoked from network); 8 Dec 2020 01:06:21 -0000
Received: from unknown (HELO [192.168.1.106]) (Authenticated-user:_huitema@huitema.net@[172.58.43.42]) (envelope-sender <huitema@huitema.net>) by xmail02.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dhcwg@ietf.org>; 8 Dec 2020 01:06:21 -0000
To: "Bernie Volz (volz)" <volz@cisco.com>, Naveen Kottapalli <naveen.sarma@gmail.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com> <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com> <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <3d382362-9eed-5cb3-07b6-ee3e358d5e51@huitema.net>
Date: Mon, 7 Dec 2020 17:06:21 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>
Content-Type: multipart/alternative; boundary="------------A2C3488A51F4C7A17FFEF305"
Content-Language: en-US
X-Originating-IP: 66.113.196.203
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.203/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.203/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.13)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Tn-QhjJta-s-LfQB-P6RJ3brLlk>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 01:27:57 -0000

This is a multi-part message in MIME format.
--------------A2C3488A51F4C7A17FFEF305
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit


On 12/7/2020 4:31 AM, Bernie Volz (volz) wrote:
> FYI:
>
>>     I understand that solutions like RA
>>     Guard will in practice provide some protection, but the use of
>>     these solutions are
>>     not discussed in RFC 8213. The DHCP WG might want to address that.
>>
>
> RFC8415’s security considerations is rather extensive and includes 
> reference to many techniques to reduce the issues. 8213 was written 
> while 8415 was under development.

In the context of the draft, I am concerned in particular with the 
"resource-exhaustion" DoS attack, through exhaustion of delegatable 
prefixes. The attack is mentioned in the security section of 8415, but I 
have not seen the proposed mitigation.

-- Christian Huitema



--------------A2C3488A51F4C7A17FFEF305--


From nobody Mon Dec  7 18:01:49 2020
Return-Path: <volz@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D87A33A0A7E; Mon,  7 Dec 2020 18:01:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level: 
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=YESiAepd; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=XZyl4rwo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gyMM_OFsqEma; Mon,  7 Dec 2020 18:01:37 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C50093A03F2; Mon,  7 Dec 2020 18:01:36 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,401,1599523200";  d="scan'208,217";a="649136442"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Dec 2020 02:01:34 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 0B821XFs014209 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 8 Dec 2020 02:01:34 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 7 Dec 2020 20:01:33 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 7 Dec 2020 20:01:33 -0600
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 7 Dec 2020 21:01:33 -0500
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN6PR1101MB2322.namprd11.prod.outlook.com (2603:10b6:404:9b::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3632.17; Tue, 8 Dec 2020 02:01:32 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::1dc1:e7f4:84ef:3711]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::1dc1:e7f4:84ef:3711%6]) with mapi id 15.20.3632.023; Tue, 8 Dec 2020 02:01:32 +0000
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Christian Huitema <huitema@huitema.net>
CC: Naveen Kottapalli <naveen.sarma@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org" <draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
Thread-Index: AQHWzIj6eBYmgkGtQ0undY5o+MeyR6nrkKNOgADS+YCAAA9rqA==
Date: Tue, 8 Dec 2020 02:01:32 +0000
Message-ID: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
References: <160711219694.2677.7881042583251252532@ietfa.amsl.com> <CANFmOt=gMjjD0S53+76r2EMH8AzTY29m9jFyupkb_qa0RjK4vQ@mail.gmail.com> <F5FE0A09-351E-4ED5-8880-A7EE943B8EA9@cisco.com>, <3d382362-9eed-5cb3-07b6-ee3e358d5e51@huitema.net>
In-Reply-To: <3d382362-9eed-5cb3-07b6-ee3e358d5e51@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [24.233.121.124]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5e2c85f3-ca57-4b9e-44d6-08d89b1d2f4b
x-ms-traffictypediagnostic: BN6PR1101MB2322:
x-microsoft-antispam-prvs: <BN6PR1101MB2322EE7C9539D9BC3C780D61CFCD0@BN6PR1101MB2322.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_D384486E9FBF42FBAA113558DEC28B63ciscocom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN7PR11MB2547.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5e2c85f3-ca57-4b9e-44d6-08d89b1d2f4b
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Dec 2020 02:01:32.1844 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SweXe/ZPnK2N5aAQq0AIqgegPwYQ0TsobqFyuKySPy3MNNXVQl5Pe/kuUGPpJ0Jn
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR1101MB2322
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1MjxSLGRIgHZDQ5hPVpbVZ8TgUI>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 02:01:40 -0000



From nobody Mon Dec  7 19:17:28 2020
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341063A0DCD for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 19:17:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level: 
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okjf1QRqL6r0 for <secdir@ietfa.amsl.com>; Mon,  7 Dec 2020 19:17:24 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 614A33A0DC6 for <secdir@ietf.org>; Mon,  7 Dec 2020 19:17:24 -0800 (PST)
Received: from xse150.mail2web.com ([66.113.196.150] helo=xse.mail2web.com) by mx105.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmTV8-0006NQ-OT for secdir@ietf.org; Tue, 08 Dec 2020 04:17:21 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4Cqlj85HVdz3JYb for <secdir@ietf.org>; Mon,  7 Dec 2020 19:17:16 -0800 (PST)
Received: from [10.5.2.13] (helo=xmail03.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kmTV6-0006Xg-KM for secdir@ietf.org; Mon, 07 Dec 2020 19:17:16 -0800
Received: (qmail 26677 invoked from network); 8 Dec 2020 03:17:16 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.42]) (envelope-sender <huitema@huitema.net>) by xmail03.myhosting.com (qmail-ldap-1.03) with ESMTPA for <secdir@ietf.org>; 8 Dec 2020 03:17:15 -0000
Content-Type: multipart/alternative; boundary=Apple-Mail-C3F89CC6-C8D2-4AF0-B20A-C20744FB42A4
Content-Transfer-Encoding: 7bit
From: Christian Huitema <huitema@huitema.net>
Mime-Version: 1.0 (1.0)
Date: Mon, 7 Dec 2020 19:17:14 -0800
Message-Id: <81C397F9-70EF-4917-8481-B0CC540ECC6E@huitema.net>
References: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
Cc: Naveen Kottapalli <naveen.sarma@gmail.com>, secdir@ietf.org, last-call@ietf.org, draft-ietf-dhc-dhcpv6-pd-relay-requirements.all@ietf.org, dhcwg@ietf.org
In-Reply-To: <D384486E-9FBF-42FB-AA11-3558DEC28B63@cisco.com>
To: "Bernie Volz (volz)" <volz@cisco.com>
X-Mailer: iPhone Mail (18B92)
X-Originating-IP: 66.113.196.150
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.150/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.150/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.09)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/lO1xmZFYTSLXqT6OUg7D3qkYUs0>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-dhc-dhcpv6-pd-relay-requirements-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 03:17:26 -0000

--Apple-Mail-C3F89CC6-C8D2-4AF0-B20A-C20744FB42A4
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: 8bit

I do not think this is a new issue that should be fixed in this document. I have written that a couple times already. I do think that it would be nice to work on another document describing best practices to secure DHCP services.

-- Christian Huitema

> On Dec 7, 2020, at 6:01 PM, Bernie Volz (volz) <volz@cisco.com> wrote:
>
> There really aren’t any. Clients can generate different client-id and request prefix after prefix.
>
> However, as this document points out these relays usually have limits to what it may track (and likely it would drop those packets from reaching client).
>
> In some deployments, the number of prefixes allowed behind a particular relay is limited (at server or relay). Other mitigations may be shorter leases as then it comes down to how many can be requested during that time.
>
> The main question is what does this benefit anyone? It is a DoS but in general it has limited impact as prefixes tend to be topological, so it isn’t like you could assign all of the prefixes an ISP has — just what is allowed on that link.
>
> Why do you think this is a new issue that needs to be fixed in this document?
>
> In my experience we have not seen these kinds of attacks as they aren’t very useful. And it has been a dhcp issue since dhcpv4 (addresses were much more scarce).
>
> We tried securing dhcpv6...but it isn’t an easy problem to solve.
>
> - Bernie
>
>>> On Dec 7, 2020, at 8:06 PM, Christian Huitema <huitema@huitema.net> wrote:
>>>
>>
>>
>>
>>> On 12/7/2020 4:31 AM, Bernie Volz (volz) wrote:
>>> FYI:
>>>
>>>>> I understand that solutions like RA
>>>>> Guard will in practice provide some protection, but the use of these solutions are
>>>>> not discussed in RFC 8213. The DHCP WG might want to address that.
>>>
>>> RFC8415’s security considerations is rather extensive and includes reference to many techniques to reduce the issues. 8213 was written while 8415 was under development.
>> In the context of the draft, I am concerned in particular with the "resource-exhaustion" DoS attack, through exhaustion of delegatable prefixes. The attack is mentioned in the security section of 8415, but I have not seen the proposed mitigation.
>>
>> -- Christian Huitema
>>
>>

--Apple-Mail-C3F89CC6-C8D2-4AF0-B20A-C20744FB42A4--
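
The two mitigations named in the quoted message above (a cap on prefixes behind one relay, and shorter leases) can be compared with a small in-memory model. This is an added illustration, not part of the thread and not any DHCPv6 implementation; the class, relay names, client-ids, pool size and the 2001:db8::/32 documentation prefix are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DelegatingServer:
    """Toy model of a prefix-delegating server for ONE link (hypothetical)."""
    pool: ipaddress.IPv6Network            # prefixes topologically valid on this link
    delegated_len: int                     # length of each delegated prefix
    lease_seconds: int                     # lifetime of a binding without renewal
    per_relay_limit: Optional[int] = None  # None models the uncapped case
    bindings: dict = field(default_factory=dict)  # (relay, client-id) -> (prefix, expiry)

    def _expire(self, now):
        # Reclaim every binding whose lease has run out.
        self.bindings = {k: v for k, v in self.bindings.items() if v[1] > now}

    def request(self, relay, client_id, now):
        """Return a delegated prefix, or None when the request is refused."""
        self._expire(now)
        key = (relay, client_id)
        if key in self.bindings:           # same client again: renew, do not allocate
            prefix, _ = self.bindings[key]
            self.bindings[key] = (prefix, now + self.lease_seconds)
            return prefix
        if self.per_relay_limit is not None:
            held = sum(1 for (r, _cid) in self.bindings if r == relay)
            if held >= self.per_relay_limit:
                return None                # cap reached behind this relay
        in_use = {p for p, _ in self.bindings.values()}
        for candidate in self.pool.subnets(new_prefix=self.delegated_len):
            if candidate not in in_use:
                self.bindings[key] = (candidate, now + self.lease_seconds)
                return candidate
        return None                        # every prefix on this link is leased


def simulate(per_relay_limit, lease_seconds=3600):
    """Constructed scenario: 16 delegatable /60s on one link, two relays.

    Returns (prefixes granted behind relay-A, what relay-B's client got at
    t=200, what a second relay-B client got one lease time later).
    """
    server = DelegatingServer(
        pool=ipaddress.ip_network("2001:db8:100::/56"),
        delegated_len=60,
        lease_seconds=lease_seconds,
        per_relay_limit=per_relay_limit,
    )
    # One client behind relay-A presents a different client-id on each of
    # 100 requests, one request per second, and never renews.
    granted_a = sum(
        server.request("relay-A", f"client-id-{i:04d}", now=i) is not None
        for i in range(100)
    )
    # An ordinary client behind relay-B asks once, shortly afterwards.
    victim = server.request("relay-B", "client-id-home-router", now=200)
    # One full lease time later, unrenewed bindings have been reclaimed.
    late = server.request(
        "relay-B", "client-id-second-router", now=200 + lease_seconds + 1
    )
    return granted_a, victim, late


if __name__ == "__main__":
    for label, kwargs in [
        ("no cap, 1 h lease", dict(per_relay_limit=None)),
        ("cap of 4 per relay, 1 h lease", dict(per_relay_limit=4)),
        ("no cap, 50 s lease", dict(per_relay_limit=None, lease_seconds=50)),
    ]:
        granted, victim, late = simulate(**kwargs)
        print(f"{label}: relay-A granted={granted}, relay-B at t=200 -> {victim}, "
              f"later -> {late}")
```

In the uncapped one-hour case the relay-B client is refused until the unrenewed leases expire; with the cap it is served immediately, and with the short lease the number of prefixes held at any instant never exceeds what the link's pool allows.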


From nobody Mon Dec  7 21:58:03 2020
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40EF33A07D1; Mon,  7 Dec 2020 21:57:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.838
X-Spam-Level: 
X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VpQTI-sTeA_6; Mon,  7 Dec 2020 21:57:51 -0800 (PST)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 361AC3A07B3; Mon,  7 Dec 2020 21:57:48 -0800 (PST)
Received: by mail-io1-xd31.google.com with SMTP id n4so15806542iow.12; Mon, 07 Dec 2020 21:57:48 -0800 (PST)
X-Received: by 2002:a05:6602:13c5:: with SMTP id o5mr22472626iov.46.1607407066579;  Mon, 07 Dec 2020 21:57:46 -0800 (PST)
MIME-Version: 1.0
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Tue, 8 Dec 2020 00:57:33 -0500
Message-ID: <CAF4+nEFFo+EwawOfEaS4mWnVzcokKOQw0Mt6qp240sMy9NKzow@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-teas-pce-native-ip.all@ietf.org
Cc: secdir <secdir@ietf.org>, last-call@ietf.org
Content-Type: multipart/mixed; boundary="00000000000036b4e005b5ed9f95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GkaNkma1cNdFsAbCDN2Zsr0sLVg>
Subject: [secdir] SECDIR review of draft-ietf-teas-pce-native-ip-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 05:57:54 -0000

--00000000000036b4e005b5ed9f95
Content-Type: multipart/alternative; boundary="00000000000036b4de05b5ed9f93"

--00000000000036b4de05b5ed9f93
Content-Type: text/plain; charset="UTF-8"

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is Ready with Issues.

Security:
This is a very high level Informational document about a general method of
traffic engineering using multiple BGP sessions and PCE. The Security
Considerations section is adequate except that I would recommend adding a
reference for BGP security, perhaps to RFC 7454.

Other Issues:
The title of the document doesn't really make it clear what it is about and
does not spell out some acronyms. I suggest the following:

Path Computation Element (PCE) Traffic Engineering (TE) in Native IP
Networks


Editorial:
There are a number of editorial/typo issues including the curious lack of
any expansion or definition for the first three acronyms listed in Section
2 on Terminology and what appears to be a line sliced off the bottom of
Figure 3. Also, I think a reference should be given where BGP Flowspec is
mentioned in Section 7.1, presumably to the rfc5575bis draft. See attached
for detailed change suggestions in MS Word with tracked changes and,
alternatively, as a PDF thereof.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com

--00000000000036b4de05b5ed9f93--

--00000000000036b4e005b5ed9f95
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; 
 name="draft-ietf-teas-pce-native-ip-14-de.docx"
Content-Disposition: attachment; 
 filename="draft-ietf-teas-pce-native-ip-14-de.docx"
Content-Transfer-Encoding: base64
Content-ID: <f_kifkebng0>
X-Attachment-Id: f_kifkebng0

SK8e9XT9kLmg/lfxlwYHxZEhXrlybD//u/v5PeJPIgWRgkhBpPgWKeDt2if+w29wfpae319d3LFP
KvkC1oEZy8ee97rosU88esCLpvbSxPy2MP8mSkUSibQLfvUk/TavK6/hVEac3YtAgNtBzG8f89Gl
PNMx98ADjBOhRTITrwwiIl/4mMFKM33GbiIbGUEoyoNvYOJ9j9WQAFRIlJpcJUiFdBHDX9KxCIK7
lCcFm3ZXOP4y5ZpHavakR7qK/Pz7hP0WKL6rr7EEzJ+xD3zBBu86bHAw6H8D3cvXf3EQka/s11+H
pPhcUXzf5vo3Xn/rsf+eckWIeOmIuEqnIpEe3E06B79aEyJIR+SvP/fAbxYRIYIQYV7XWZolYi4k
IeKFI+KjmolwDHczODbO6AEhYj0iiBRECpf1RE3u52e+CODCuEB7gPfDs3Sq4AFLw8HuhTeNVKAe
pNB4hs9TgTcxOOj2B92Dk/v+6dng8Ozg4L8tMR4DxqUI8ODgZHBw+W4XaAdPj0BbT8Hb4ZWhVn5S
RVfCEfy2jPDCSDsD8B9Hu90iUnp+y9OmuYBnr5PAMHlLEhztPgmm3yTAodMY2KBkhiqMs9Rkb9lV
ILAgqKFg1j1QcagtqvSbvD9yGvzrqfIa9OMeu084VoSwq+hBRkIkuMr3+h4+2ECz9fZhd59SRuwj
wHsm2M3tZtt5/GNlv0228zxPQz3RUr79t2nJnQVWTqEn6MWduNvVhKIR3X0KBpAE7gQDPi7Jd6VI
J91UcN2NPdGNjKrryrjbP2qigLhPUXGLBOH8YqzThHsrkQsxj3DcIhxvVOj3U6lZueHLFxPwvzXj
EeOJN5Wp8NC3YhOVsDhRM4nbx1hqvXUSCYdwICqRF0QrnFkjjvFKZF1zlmFpPguBWTIGDrz/5ZZp
rNdXEQLGZ5wA4RAgbnk6XZeYYSZi7465Fj7z4EDCA+bB3ScqYCEEYDySOuwxdkM20yU8FKYhnQo2
zNk+zNl+uYh4KD02UllqUjfD4eVoDy2GJ3ywH0Y/EBocQoP0AQJyIoG1YDWwEheIKiJrDNBbQJhs
UiGEBIeQAPwNs0h6lsO3iUqVByoBrcTtXo9YTWFTi1F/fmf2FzA1sYHSBxFS6SxB2t1MQGOrFRzR
2TiUaQoWHsLCSRYYZ99stok8YIIEEw+2noTCISSYTI915UDxvR/espNThhG++fUdGXXSgE7ivq78
IGhNgMb5nuMiRWpEAoOb4uRqzQIJhkv2kOsv7FolYOVe31zdX+/1sP45FcB9njKF22fYA+5E1yzk
C8YDrZgvdZrIcZaSQXQJCqtKgDddJd1DD0qwABCAKsLLkgSzpeVZBAiHAJEbCHCPQRVgpyN9tr/v
cwgWE+59EUkPCyKKPmFw5n4Oh33ynch3ejG+k8F+RWnCJaVvssMcTOZXGWYhqkotv7IQnmdKe1Bd
QgQGjOgYjQXLYqzE9DssEXEAZ8JvAAI11ioQmFkYL3J/qmJgU7jAggDhECBSGQqzLox2U0Y8jhMV
J5KjS61YppcxValENCBmIsByeuRQuwSFEJgOnA9QDQDvPWnCKhHmagAirAiZ/8rUncgIM1IP8H3d
e0UwIP/JRYlYl32fyyBgwvQAYiqqNQGiOILkoNULq0MVLxL5ME0xpybJvBOe3dTrS5y/9vZMywyG
yWR2n2QaQxzfLCbEItG43FaWVfno/tC6qltYKMvs7c5FTBlfgIU38MBIx5zpk2knVeiui1vKgC0t
+YfwUowAK0UGZnG1VJE/afareOABCYVDSLhdFpiMzAAZ3FSkLNeLiTCUDHaJ46+LRbIUhVqI5QJZ
AM5/pEVXRhO1h7keMZmgUoCAFzUBJo6ZmhAYyCYSKYgUTmnLc5xI0WECAoKgV22qwFje+fsbjb8/
3/IHwfq/kXZsHfMDrtMRzjBIhI9cfJ8I/sV8a4z3bHv2x/BB8TVibNsZu3mQCfYIrLWIyrshVUR9
2XmVuq6S3SNSuB4wxdk4KDZVmorzSu4EfIXbQHAtWCJmUswxUII3ZfEMqQeHgODxROC2q0UnXxJY
MF9oL5FjwRbwR4v0MabO4HtpIj0zkNduzYIjsaDuRU4hIlUr6mCofGF22qvIVM8BlbFplfDZJFFh
/XQWZpoA4RIgZOQFGQDgToZxYFcP399dsl9tZo2lQGLUHYXaMDs574RRE+yoR+k11/TDVOTLy2bl
pJptN22aEpH38gIkoJFQWcrmPEl4lC4AJ4QFh7BQk3kExnod0SOmUxjVYvyf3+OMeAyUsCUVxUAE
aFcVeh93UGDXNT+zDhzrPfM/xgYkHA4hYoA7j0USStP5fvFsPCAiDgkRDiHiEDMCw8sRu6j28MWg
D50/CA5UbKHyCCKocbtLiDjahIhfefIAQYHHq7BYj4hjQoRDiDguEPEhq/Rzviv6Od+lCU/Fo9aE
sbeECIcQ8RaXlYZXt+yq6ORqtur/RSzYLU94KFKRaHYpAjkTyVrbwdgpIcIhRJwASy9FHKiFWTeA
0BruXyR2UfIRzVBFxDtChEOIQExgBIoOAx/LQKbPjTcIEe4hAiPQP8uHKbuYcflsXBAi3EMERqA3
kZeYdu88YP7SijwFEX2qcHMNERiB/qpUDDpCSd/0Dn4CEggRbiLiFH0I4cHVwVDU/EpNiHiRiHiH
FuPi48V2aCBEuIeI/kGPXXhfIjUPhP9gZ089HQ0WEX1ChEuIgNBzVPSD089f+SREuOdZAiYwIfER
B1KY3TMVgBAiXigiMCFxY4eUPB8TrE/1ES4h4sI22/mJXfg+HNfPtxyEiI2IIFK0QjjOm2VjhGfC
s4vK/vPoeng6OD38rcPshGIVMR4th5MW03tuh1c1EZifSdwydyb9n1+d4F3aFm0/v7rOsFRmLiS7
F97UlNhJofEM7EyDtzY46PYH3YOT+/7bs+OTs4OD/7YkqiLo/fDg9OB0l0n3+pavbAoDktQpc7ot
ZYAsb3eeMufTbxLg3UuExpoJvnsbKNU6jcGr9XDVzTJkIB2zCkdvj4/rjXJATkWQC3b/4Dsku78q
2evQcCmC3RJ4eHxE1way4Yn5GRU5gCO7DYLzDkivdXSxiy4bJ4r7cL1MC8bjGJsq5AUKdhAN9l7h
mnESeIcE3gMblXAzqhagEAQi6eXFjQ0NsDTtfcOqF2bbcUo7K2a279WJs7TqFTVpkL4lkdZ4gG1S
k+dSGzzJKBP+o8qxAqrDH0uvXfOYC3qsbLdsqz+YKjOvCiNH220Ft8ob6SD74JB9GIt0LkRkjX/k
w8/hZsNwtK0Mn54dbjAMw6P+u4PLXaYR5gOmtdBvGEiHIj/wB95nMvCx9TQ8XIP7FYt3/B0afA33
2x8YmGZCT7V/b38s9XbN/uEo6AZ01t1ry2Rjkx+4uzJ+jt0yO40+V0U6h3pBuGS6OdMqyIxFyjRq
bxvCYzCfR33yX+C95ZEf7nHlLCobq0a2sSohwiFEgM+e97NiV5HfTVUXfjS0csUknXyHSTpqaw6/
fRr99dXgag8HY5kyHtwvwLXOEvsbuOx/U3dG6EHiJxPp9UikHRLpewi8SzXvqXAsI2HDcUzjqgnz
JXY6HWfY4jJRmZkgU0TqeZs7AoRDgFhj2gOR4EDxiUgSOAhGgGs2rJyGncDQA7hcRDyUHsHBITiM
rMhvNvJuVyq4Y+SxBcke2e4NskmkaLea+ozVaCeHx78tcxHGidFgzngilfVUtAwzHIIHrg58Gdim
q44tyYZDgBDRA3iyIkF3dX1mYlm2mHu63LRpIhQ4hIJq0RnWJcDfKDUFJjFFvSyNlMGLVQZ6qrLA
Z6EQqcHFBMIeNW96vgSEdgMBPIMUYMDPiKvkB7sIcMXYHQ8rKT00aaW2mx0xdIPhl7eUzSVJIFIQ
KYgUbpuKx4ak/pihyAMaitw+WNDoY2elmkYfk90jUpCyKP/u49FiFscqSU2ciLv5eNdXIcckWYSb
c0GVFAfKpZQeaQYSB0fF4cKbSjEz5Y1Y6GJ+2ETJsiiuYwc++zimIZSRMBVyJBMOAYHhvqUpn0mV
dKqLQiwR/8ykWUbgDE+X1WLJGgRqNTJbN7M4ORus2fJuyHjV779/u8tkbEpEC2pkYjBviUyxqI3k
2S15ziWYKqDIeXET4w3r03iCi5Pj/rs/cBus+bPDKY8ekPNoFAfb9YE5vT84ODsaLI3iHwyY8rGe
wCWFGRbmmdM15mIaPFvuhR0YIdqSOIeb9sLmIMgP5nthdxAZRre4iYxH9/vyZ3UC2kHGbdeDox0i
fY6bX0TykykZnfPE7GcvogTyKn6wV5ErpzzK+XfSp6J0t24/AWHasYGvvTA5L891XtSK/1Jhy9Z9
IUq2bKbKWrjtAKkKIzDkcdFELVWmUNl0ylFzuLSaPGoulvmHwda9IdZTcMfyD+fv80LuphJua2uk
dbvrN4vHyQsWD1ykAIF4RA7+Tba4Qoqdt8XmFuuO2nds2qtg5ttPXnUDal5V/tUKjL8nR9pyGD+W
t5oE4qu0FmA/UeNMp5HQ+um6/3Drdqvt0P3pFPzyh039pFun+nltv32xOaEwAnHAI9FrPivFGpTB
bJCihcg3QUBRjeDLiZkjlJYiYFfeTEt0zXTmTbEJwUan6HC7/JnVes/rntoSaxLwBMz/U43Gdhm4
jeTbNaMxlQ2Lsf5e2yZCrTOC57TZ0j01vroWVdHLW3dpdlUv81BlYOaeqpi/J0XZAsU8U0EWNgtp
SDXvzHNgvgXeTeTXR2R863zt6Vn/eQM+Li4OTwY71bleezx4LB1VE+at07LrCVWhyM7CyhDoMfne
HZam52t2/+++S9Vr3jI5U5QeaJBilwH8aHX2cimM+//ItG3VoeJUhjxgMfbR920PQh4EC5bFKjJn
FCU3NmtKwuEIIuBVtm9JeZrpnimwioTwTdV2PF1ohAILZPRFY8svuBMcTW0vYhqBUctyxxBh58r4
KhKm1Y8/w9J8MopkFJ0EfHWyimlnNlYzRL8dzKBXBzVMTH9nHpFAOISCWhM7bGGGiAA4aFFfNxkv
8kkONe7XYtITvNktY9JKCWcVSDsU0j1Wd+tAeiYEWZRxYNd51idntq78WM/fNiVnfkTR9S5F+u9/
uSUt7pAW10JrbNmm0wSk72HBzHCFYmyuiWPX9ubvmSkOBAVXDbovYhH5unDxGhN3GU6W3WPCjovH
8MczowQJEC4Bopnn6hjlkKUSlYFVDnnmqxzSUuxNwdbWN7/c7hMeXIr7frmtTOHBZFdlVxKigdp7
Ps51IkW7BQDnViUi4Fgma8bNA01FhP6TButphknjnDrsYcR8bIRGguAQ9z/fdGv8hGdJlJpcJfgs
tq2hjkUQ3KU8KYi9s095ftmTIq0vTW16oKvI3/nHcYk18UpbH+LLjvAldocxpe3q2lbtLnFKusOn
38ibJm+6zf7U+QBzhaZrIeb6FwRngnOL4fxIcFhd9M50niErZzox7Nyp89VwEyJ+Hl0Pj4+ODn6j
yUAkE07KhDId4Bu+WGXhf+v996dnhycbdpYc9d8d/IEdqr5Nlv/3f/4vu8Wy0aEKm4Kf1wAsSXS0
9VZ6INHpzpPoPM5SOxv1yq4lrSUIqQHSiI5oxIYubHOQrZ70LC2IsTcxC1P8G23XkREgZxXzY7Zr
eMVu82VAUtfrKUjq2g11bRzY4WYlsHXPitYrgdyBLf23YSDJfSN94Lg++Gs6hcvaTA6u+FeyObVN
D5TRIQFw1SAOh5ejMzbMK0KHylaEXuaVgCNbCUj4J/w7iv+rwdVZZVYXIZ2Q7irShx9uAer/zHjQ
HSqdsg9mrxe4/gR6Ar2joB+Bc4NOjGAjMQmEl6qE0E5oJ1IQKYgUbpqD8088eugwkTIe9GxHl+J1
9TWWYCDYB75gg3cdHFLfr5+Br8+3/EGww9/IULSO+WO8M7teGQMTiw+Jfe1gX8B1OhKRLxLhoxC+
TwT/Yr6Vnt/gJPlIpN1L3Iu1lFZcwJQR+2jK3tnNLfxt29Br+fqoZiIcw23hmg1JNVk3IoULhv6x
uO/u8uMZu1OTdI4LO5f5wk6uGkgFEO5bjPvzw55dt2EX1SYfYATvZIi9m+5VTJszCOfO6vdr+YCA
7zMZBJntdWS3ZxihqHW+wb4WeSMLJqIHsAIiwe0bMiLhcAgR2iq+NFd8tp9V+ZbJRwY9HW09UOT0
7PDd8waK7Ewx2KP97LD7UyJxICp+4wljCI62nimynoQVWu0sFEsqNYC17iF24n7rbapbRu0Ngt/U
4fmGm4pwf8ckETeFe7xobbfKCVyA+WImsQH7fCpxgl9CTepcsuN3n/od+GfQYSP4ZWQ2m08F+HEY
xZe9aRtd+ccQ1QsRwVcYpwoep/BgEZD77wWfYzs+6va633+tIsTMHjJ+eXyQHx/sgedHeHAID5FK
sH9lHtF1ytBuFRqDNdAgKDgEBRDznMdGzIHFUiVmtE+OiXTKU6anKgt8nOeRJsK0+uOep0yTy2DR
I0CsBwSRot2y8djrTRdfbwj6LvPbMtly2qyQlweI8U4z/vcmBt6UnxDjXwjjm58Q491mPHZyv8sn
f/RfB6rf3w/UoL9HjH8pNr7xIhtPqp4Y77qqH6CqH6CqH5CqJ1VPjG8N488xP70q3Jteaz/B9Cfx
vp28X9lz9Hze94n3LeQ96vEyIVMkaOy/NQZv/sR8REq/jcz//e5Tf2nI3xSBen+wVzfv+MnAhPDN
T7pv7j4NyNVrv+QbrT6yZqDBfPOJdQ4aup8k32E/v4qCdbYg/4TYv579RAo3JKHY2XG2ZiuHjJpl
/iQNJA0uSsONHdN9gz0Zuxd3THsi4olUHZzCzLCeDfOAngrHZlfrXKbTYso71UM7hQRfxIFaCCxg
q9Y4M1MXm8NEYmOEOkxUFCzwM8KCQ1iwgx1rc7ux7rGASLHnrVERKzhuk/B9uBKVQrsEh5jLhIV8
wbwpjx6Me5QIrI2WoTA6AnWDpxL4TqwiM9Vdw714Yt8XOpWIJhURIhxCRC7lQjM1MdwvdAGihAda
FVDxbXdnHlAJNPnQjgoD2sIvYsGkL3gpEBv6A2Cv/0ZoSZ60Y3ioTe+kgQ6k9ZxEuWLsfSYDcP7m
ykQK2hYLNTfJQgDZYTPJjVj4cjIRyZp5PwSFdqdUA6XiMfe+VD1DkzPQgiXYFDvR5P+RJnRVE/5d
m0HdoOFuh1cdUIWpeSO+xoH0ZMpiAX/YyAGKRakYjU8IupMkwy1tGAEZ2VTFOOmlNHn1XhIVRbma
cCU8uIUHjBDX6QKPR7hfHNWFGQRngsSQpxhEcqZxQqJHWHALC4bznbypECbVS/0wSVRoQGDBEQie
4JpbefiGDIVrYChWV0jjk29MpCBSECmIFK7bwx80NOeIhua0j/k0NKfV7KOhOWTdiBSkLL4z8MWh
OaBFqqlR0zQTLH+xUCh0yseB1FNhK5CLxUVwGK5prqpTaICX+MqxJKZjGu3u457jEggV5jObH8cd
7XjOoHoOIcItRBQsp7UQMoJugvxiAv6yUV98DP4v4x5WSeuOOTSWXR8iYXNo2YS6XCk0C82gKkk2
HAKEtW2Dfsf89gQUmNYu+bcGbC6DgPDgEB4eFIAgUdnDdFMNAZUOkLl8KdJwY8rqcW+2ZqFKVnef
1bWh6cgfCeE/No7tLd71dhObjk6fN7Hp4KR/ebULFC6mMaUKKIfHN4xnInlpuTehNcDZztWroL8y
Se/kO9C/aZLezsAcAJ7wSMcqWSk1zye37S5Pz3FXtS0O475vtd237D5WGia4AZfsv0NCjEFAWUua
1wpXUiP5vnywiB7XwkaOZSbVWEDaWuaYVvdnIknNwNSxabtg9+gLkWjj7bBIpVhRanff+hQNUDTg
aDTQMfqwXDgoY4NGzmRlVBdW05JUuKQSQeUB84v9FLZZxesKOCqT+g5x3ehwb5lhS1XKKWvmEhxm
KshCgRsoVkTfV+AWoYEUXz20laZrCYdr4El22z5BwSEowJuZVJkOFlhnP5PoNQPb66GUjbWM72Ra
WdUQUMsWneIN/7h4uU3ZovUkhpATT23jfO/Sjyahd0zoIzEHKQZnAARaq2YTqtVCo2ZEfU94cAoP
315DtU6hWT+trrkhODQPCQ1OBQsg6A/oBIB6AB8AhzQ3MqscM2frV5dM0VmP8LAeD0SKdovGXYbd
O0EwPJXFAbaziKcyUFqBgBRNzW5+ud1Hg1lIh21kYGNpkguXQqd6qwpvKsUMnCbOJoH4KscBtvuM
0kQFJoAeywBDaNvgDoMps8GDAOEQIHKJ7+RYKLrdYNwMNvRv6s4uOPPIw6QaC0XeAYfH2PXC+N4/
UVNglxCRiH9m4FiHIkpt2JT3+cqrbkwyRWcxrsAX/aRvbEf5ELgn44AshktwqHUA1CLNYhNiLysX
VzvEkStNrnSbZeH8CBSf6fN70Rge8ytPHgS7AwdKsHuaIENgbz/YNyr+T9N8Q8rKehucHT1WfvsO
7227BZXjAxcXVLiXKG0p1sJFlQ3PxAKjDLVRhnlo2Nlclnp88B2o6O98Wep6ImnMvTQNxO7XqZpc
Kadezi6pcxkEmQYNjqlx8GTyKXkDW1xaRG51b9/jkS07JCA4BIRqBwYsPx4v8Mdq2V1TlceJUpOr
BJ/YNvrRsQiCu5QnBUt2lhbnstlJYNPjXEX+rj/MBsbiBD+Qayx6ubjrkcRSUOKi8roGJWWcKl4Z
VTjHGAWicS1YZvq1czYynXZHYhJA8A7feT0a7ZFMOASEz6Pr4dHR8dvfcFUiX8dCUMhQQlzCxGQC
jO8xdjUTyYIJ/6FMY9N+elcdmtWJNWasLfoyo9GGrDUhwSEkLEcvwI8Ya8NmIljkq1h2N4FORazt
inZRPV5gQtI4S+cAgf0E8no/WwHGU+YL7SVybONg/HTTSD+Ke13CQmM6Y4+YSyGSizi/0ExP1Tyq
Z/nkBMMkLTAeYqPDohx2NOow0XSRX4+oAZlTVhA7SZxYayd1keTbs5Xx43WzHquOM3YjmBAeHMID
8hW7d1ttYBVBpW6eA+tBPYz63dGgOzrqjk5MPtj6SioWCU+pU69brtFUZaAEHpluaPdVAWhuy9FG
5RxQgoJDUMhnutYC6A6LlYT4GGuDcR+VXSYs+9e8plyKg0CozPudlO2oTor5dhhYZ9itBgChseW7
LRQy/Rhox71zYGiWgO0VisC6EDjMUCVznvhm9cUip0cIoACbSEGkIFK4aS1+0Ly3Y5r31j7mbx4Y
RpPgHGUsTYIju0ekIGVRdQE2BoyPvt508fWG1ICjDLf8rbzeGBOxcpgw4C4Gfm+8R+7j/83DcCZh
4KVgYMMxwgBhgDDwojDw5s06U0AYeDk+IfgCo8M1R8kndAkDZnhbKd0NTFhYrNUDy1+xNychwilE
LJcC1nsC6151RFB9qkOIQCNQKIG6X1DXDrV3cF75xlyAEOEOIn6/+9QvXIM3o/JX8+649u7t8t2b
0Un55s3dpwH5kqQjSEc4i4ja6xl+BGGAMEAYeAkYeMQyEAbcxUAtp/RmNKj5i0fVT8kfcBUDTUA0
9ADx3UW+F5udz9Y0dJARW9OulHCwHgdEilaIxPlxL+9T/iGr9O+8K7of3Zl2n9ShnGDupub/RUQi
4QFuUF029qoMptEs5AuWzzOpnPI3dce8BGxDInmHhMMhRNjNqch1GXlB5oszYi/pPheRrhi7zxvY
maZmuZbTLFBzcHVTEXkLhnu2pR2NrgXcotmfkSoG1/siqL27Y1FQoGjTNem7l6jvrD4zAmB0nscj
JiIfA/+pfJgK6lbkmqqzBo60HWm7l6ft/iFTCF0J+4R9J7F/jz3lKtmaok93ZS6tGU3ExoLpLAx5
Iv9V9nImoXAICRMVgL4zbef4OKBcDmk8Zx3a1S3Tj7xbfU9r2s4h4nd2a9sp3kFk+1H1bG3Tr3lm
D9/d2qj3V4x6zaf/yziGxXI4VTiRjmgcIUS4piPyV7GjyuoIiBHLdx9VEvJg+f5SRT+l4D4nwhwh
RJCOqB8hRDiqI4p9uHWtgO9KhZG/v2xMwaoOdz82nNxyjPfJs4a7X58eHp0e7AKBi6HtZsm0hRPc
z5cqnzQ+afzGEUKEoxr/cKPGb3qFVQtAOoJ0RPNFOsIxRFRe95hbZ/1eueI4Wi60sGFeJkv8X89/
IkW7RQHnydfzrH0zTx7XF/NhiWbMCUQ7qdAp86VOeeQJOyUtVSQXDoEBQqRkYfidrzn/yQwCruNj
sA4fFg1TTjW1pCeJFESK55Nivsvpox8z6OUtDXppH/NpnEur2UfjXMi6ESlIWXxnZDTlGjfU4N5B
/JGhQunW5L62Rmj4t+Ua4Wm71wjXkzBQ3IxGxfM3rh/KCC9uCHj4YwlYodTOYs/QqAGpdQ+wE/cq
nnKnO0vqDWLetOOAx91WV+eBjL7odUmawzJJE9A+Z6csUbEbJOZaM/BCE8aZL8CRDWUkfKZBywY2
H9dhHLe+s6t/ZjxgQ6UJCC4BwbY8wrzr66vhh9s9k5pP5DjDzi9Mmd1AgAPsDwOOidEU2AvBF1pC
LNQjLJCn7qJY3KSIch6EoO+YDGOltcT1Xez6kaiZ9AUDq3gV+d1UdeEHSM/gas8oTBIJh3Ag0EpK
EaXBgs0laMl8y3wn3z4M1hGYX22c4KkIFCiQHx4E0BIK8pzc8pzAHvIxuEz1nbQyAg+q2hvz5rY7
5hp8qbxJJthSwFCGnhWjOhCXEFF6TMDsRIHjBBwGI5EqTwUdBscRM7qBl3zndQhqA/UKAcI1FQEO
Q17joia4FmDiKNOFAnxnD/BiN9t/Hl0Pj94eH/9mDAm+Ox2cHv5GjrVLgLgHQOBy0FwGAZty7B4H
RzDshrCqNBAzKeaAkrEMZLpA3wH0R1EaQ3BwCA6J4EE3lWHZQBuYHWM+emHdSQRH8UkskglWmaMi
kZH5FSNzwoNDeAB30joJdkUoWKAHkQOgt9QejWI5HoOTEScSAhJCg0NoyEtiTeRoGD3jiVSZXqsS
aj4lHCUkOBVYNJo3kVe4gb1EinYjHU1cbdAI6D8ZxoHdPYNKcHU+gy7mM2C6jeYzOIYIzL5jvCzy
9mWa2paR7nM/OTBGl07HoNbMchOWZJhUQQzhIg+sb+ipMM5SEwYWJ5BsOOn2QXSnEkwGeQHXYO8w
lZi7gqQOSR06iX5lK+fz3CeuodrUWDX7xWaSow/Y/fXOpMxPTo4HNoGOBSokGQ7BAV5ZKgP5L8v4
JgjQOIqvUptFt2KDxQcVyRQUJxy6W+hUhIQItxDx+uOHuz02SVS4KWtKHCfr6LJ15IGXYSmSDZEr
SwE2RLCVJ1mc129Whvn9pEk03FKG1SUAu36oReRbYHwRC1O8G2Jpt6lHE/6D2B+NTKEKHHo96tPo
RscAMToxKBgdYn1JPs35cM8wX+MEAKmnLFyXSbVrjQQHt+AQKBWPufeFcd+HjzCNkKF1KHJL9Vz6
VGWBj2moOOARbgWREQHCLUBwf2bWjlFJVGsX7egX5qsQaE0eNHnQLnvQSx/JeEK1xAJYyvID8JrQ
RxoNOqOjDlhWUoeuqcOlh5RHSwCEOU/MRnMTTGGeCSBzS4x3i/Gfb5q9FyCKVpOrBB/H9urRsQiC
u5QnBb139kHPL3tSpJMnPdBV5O/847jEmtirB1XEl53hS+wOY8Ao4HB6FXUj03LKJU5Jd/hU795X
6/dzhH9km3Y17876z5sJMjg9Pn67+/1+Hm/0s8NM7mAMMc5kYDdzFCXdVKnjnBOJ2bMISNmdqtiU
5+Byiz8TSSoxyRabfjpC94jv6/lOpGi3COTplM1G7ZiMWp1omHl6cge7tz+WehUy7SzUkEANOK27
/524Vb++mt4ySjvTwM74WLmlXZfJvR0OzXJXYZhl9ED22C0/rFo0nQOhqA+E0NCTEwneWGWpkxwy
cshcdchubBhS7h4omz0WkjEHSWHelEcPIBR5gxrQlSkP2EwFWUhRqmPaEQLTFTT4SmBjz5SJr54Q
eaJiutDSAxh4HC6EZ9uQlvDgFh7g/cz0FLgaXOVdXq2fdMUiwIK2zcqshsh1iVEd9X7NBITWA6GS
qiq3U/gPjdoHrHpYLpOT50Sek+Oek3WC1lpNayxt5RAZSXfBUDWS5W4L7PRatZXYkSkR5ccMKyq5
b1wpAoNjhrKxxcZspuCep8JQYfY134mIygELx4qGPYxdTMCQEhrIZBIpiBRECjctxw8a7XlCoz3b
x3wa7dlq9tFoT7JuRApSFt8fImJz/2YeHYLELC7jQxV1TSlokV2tFomSjnALDc1dZFgfOl7gjx6x
mnSgo6hf/3rTrbzeEPxfAs9/ZxfLrkO/E89fkJzbHyTnL4Ln+Ysk/AVwu7TjS4NOUu4q3ytO25u7
y49sCDebYFfeZB/i26pLRxhwFQO/r4HD/17yvXomYcB9DDx6jDBAGCAMOIkB7H7V4Lftvv+7+aT5
+p3aZZEyMEcJAy8HA29mNYeweBEGXkCAWEYEo8M1RylAdAoDt9f9QSndDUxYWKzVA8tfb+EhCRFu
IaKsaVzvCax71RHRJ0S4gwg0AoUSqPsFde1Qe/emOyvfmAsQItxBxO93n/qFa/BmVP5q3h3X3r2t
LC6MTpZLDnefBuRLuqoj3jxZR7whHfFiswzrX6QVCAOEgReBgUcsA2HAXQzUGLvyNLvUELJe6Toa
1Dzbo+8rmqgAs95Z8juAWWk1eoKX27LV6DvTatRe+A+GeuWJTr/7icwDtUZMaq+6cmyCLe/pWSHW
u+2JNTjYLWKhFK6Il3nitWL2WJvWf6fs/bGSQvbRAftYNOU6Y8Ph5YjxxJvKVHgovKbh7QdglOzW
Jjz6Ig7UAqfFkrtEkuGcZLzt5eUqV8U4HCMIDQ9y2Z/eavIt7N6gf3Z8+qz+9Jcnx4fH73eBdo/2
p/+LWDy1Pf1bg/AfR7zdolJ6Pkxkiu1QG+hZd78tE5MWNnm/Xc4xB4GSM5EsyIKRBXPOgjEzhd0a
sThRqfJUsOwmMMYucyn2K/HNdIOER3oi7CTviQoCNccd55vNneH1yzR351+E0RhPMWyHbhs2b51h
K6wAaY92a4+4NJRnZCDJQLoIcZw6JuDCtVk/U54yqVmGzcxr4xcr+Q8SCBIIRwXi6iu225Cp7S5V
E43N7uC2I2fRz3nedL6WZD9AcTzVR9x2suEG2u2ajwjwaeBm3a22TVSaBmD38x7FhFnTQUxN1k2X
JatGVs1Rq3axinaGYxbAr5MJ41orD3vy02w/kgf35eGvkWcbidoGoiwRnpAzkAidedOqx9dh4Afq
qcogAhI65eNA6il1GXUMDhWVx+YyNQxmMcbFPI6VjFAtSgyM82xyCOfyB9GhprNOwkFE9fF8tWBl
20HiLUlod5tIzv36Sqh78mMp0P5Q9/FAd3cFAGL0zTjftuYTuVyp+Wwxzrct5NxAAcL5H8ZsUOjM
Fz720M1Hz2EOYCP2T76nlMkJ7FvPg7DvAPbH9eKeGs6/p4bBDZx/T3kC4XyXcA4KvcPs3NA80VWd
t41zZjkVajfohiRobZS2Wa19z1rc7qu19QThiWjhkowHfxjEYZle8VQCjxSryMx7qSZbeiS864WX
SNFuPYY1qo3gRGpjtwTIgo+zjkL+BcVB424kU51jZyTbMgWSC4fAYEtOvEQYMADrcQLalKP7IthU
Pkzhj8aJVIlMF+x1oObw3n7HAkZEntgjRDiECJB3axpXq5EqMFEpIsNfRDyUXlntrsloktEkUhAp
iBSOmo0fNC/9lOalt4/5mwdu0yR1RxlLk9TJ7hEpSFlUXYCNkeNFEDA+BqEv4kIeBIsyaNQp/NDs
dbWnTaex96VT0xK1HPvWezYGZweVLldVaO18jp3xRmHYPm30dUJSbs0i4eqGkAb8K+vGW1cBrod/
+9eNO61dON5jcwmaciyYFwiOGXezB9Yk2GViM21qslkTnrxETbim5Jk0oQOa0HgFLJWhAPvPsPI9
gSuw+VTivgjNxhy1YykgUqe4MHWH35pkAUYhTVgQHFoMh8+j6+Hp4LD/G7o+yN3hMD92evgbC0HF
8UjqsEdMpxDKRfyPxANPTClKo/2F2RcG+jBSKfPlxKy8pmySqNAu0HsqmpiWoisBA+GhxXhoeIGV
gGDr7RKHZ4foCD49IDh5f3j07noX6FR4+zPJjXyEPMpsK6wndH042Xp7xXqK7RZp0nNLjGClteLO
F+VtAP9q79clL0+33jABjDxsaQyEqG8dc88/Xt0P//rxev+/Lj7+0mPssrRdtd7WWE2K7Z/IeDlk
vEKgY7AwXZxNqW3AEznBskOb4TAHo3zVqCib7+Shn8cjNqZdzi7BoXRbbduPwogvvVnUCA2VHydK
Ta4SfFq7vKxjEQQQ/icFO3aWDufY+md119/6J7qK/J1/HtDe75fZGEm9i1wSTp0mIJUPC4gzJ2xu
XGsZZ4FJzuGuJqwSx67FeVRKYrqzz9NBJtl8KXKNpNQhKc0lsLbH8JEoyXBpy4h3Q5S0QxHveirN
RSs3plWWgsuGQLUIqVwznPLogQIlp8Sae54yWd9ggSGySLkMNEZIngrDLMpDJg3sT+cCdLvZpogL
JIAQAoJLXlg21gudilAX+1Ntv7ifNCb400QFLA54JEy+BBdMASPaU7Gw4TT55E6hwTcVtyjnhfL3
hfYSObbblzkYB5wYkNbTJDUPYOuGGy32AJivvGzdmDwqGHFAKD7f1LustDv4vOxJkTZrvdobe7rE
mthr6lXiy47wxZ1kTVcUwy67kdlJ4xKnpDt8qm9XrBZinG7d0Wu9i9WmQgzHOnr1akzeJ0cRSVD8
JFLsvM98fmKyR8WUcDZU8Jd8YbcUELYJ2+3Gdh/QfefxgI9lIFMaIUyAdjLBcWMTv8Ph5YjxxJvK
VHjoVHaYwmoqsw/Gfygyw/kaoKeiCE6ryUTNS926RSV4qUctLxc2WfEWOqQbIILrgw1GVzK+W++T
Xs/o3eIo7Q58WboQm4zgUpdt0arlOMBZ6bactCyCKJfOjdNb7g0A9sk4oBJSl/BQq4jwy0inZ5ua
rjYszLGil2ghODgEB7SE+Tq5irqmRrHwiiTgQ+o0keOsWmyMACqaVfYICxRBuCgW16D1CvPHfIXb
MBr+YiUw2LqxCPiLxxQY7BLnlwbR1ACj99TBbXTGW1IqwCIhOEY20CVhX+Ma60LqdYdFQvg6zxyo
soiskUQgQDgECGBzOSV0aQauqq7znxgPgryFN3hDnvBB69tNmGsiaUJDmytKeSgY14WrrKJCN5D3
S96vk4j/exTIL3bXmlZBZvMA2CfFsX1r14Gaw+16T3qkssamkik+wVvZ0vPfMFh49zPFn0fXw6bm
y3cHVUizXXOV0/uDg7P+hlYhg8ODq6vD3YDO8fHJ8VjqlR7su79NygY29WRPxcclm+aWI/tFiNhq
clB02DsC4thAegvLeV2uBaBqx3283amK884SBAWHoFBrHVHpFYLd0GrwyHHR2CdLWHBJLUxFqEUw
E9os+0jNAghrRWRHlo2zxBdld5mUY1pEy3+ZDXJWdxAYHAKDbQ/bsAaNtaA/MdxChzPtQpWYLsvw
norI3AODp8LY9NM2O+gdC/cmW4V7rePiate/NjPtr7GIkHGOM63Is6BFxsVH8ZWHcSDyXkKkYx3S
sXMepehe1z3y/sHBwbIgK+9KLMA9T0IesDThE3DOO6amldDgEBoqq4u4slBMiGaxEMWYYBkxMRMJ
nlD1yrDPI+CHU2zmWGxGflcreUd+VwuZVvpdRhHnVriWIKV9f67pV5p9somjRIpWgPv8pDeAOPHP
8mHKLmZc0n5OgrXLOht3pqxs5lwZbZbpvIcfRM3lSGXaqeAiIG4sm3Fv2wQbfdqaholK5vnop9i0
eDQ9/3CBcwxoCeE6qfA7WMpHi9tu4aG2qa1o8YoFuggLX8ykB458iYZJwGOGC1p10BAiXHLzzbJ1
IkwNP8uivOczmQFykYgURAoihZsGIeA6HYnIF4nwb/mDeJ8I/sV8Kz3/BBagw0QKjgEEz9XXFU4N
Bw/hA1+wwbsOGxwM+vUz8PUZL8jerZT8Eix2HhZjvDObr46BicWHxL72S/UNzjuPRNq9NK3eyxfG
hjJiH8tMwMd8TN7y9VHNRDiG28LtByTVZPeIFA4oi0ezRlhiESkfC1xtnWucSqyvMWUVNRVQ6/Dw
/9m72ua0kST8V6by4S6pAhkwBHuvjloMZONd43DG2b27LX8YpAFNLDSsZoTj/PqbHklYvNhLTC4r
jZsPu0TCoOl+uqe7p1+eN/c4KWZ6+1UdHopT45Q1deDSxNiSeUl7DIk+fd5g4UeJVSyqqI4JOG7u
FmUp+1pEXERc3WcJZSYohlufRUpuavoSLPVXpxU8EyZVlU2nIlJrEXKt8bQb9EErRBgUzJYshNk4
fBYiHCyCg4TMwXSDM0VdgaAemdCAhi478oWqSkVDb5J0Rd1SD0ogGixCw5yxrWGXD2bOqeHKM3fu
drnNnN0kA5nY1+wxS/x2xCua2UM3YLPrQcsmEOWz4oyfAhYoJEBIrmLTpNNBJY0eu437lamECqX+
dm2x+pDuRnPpbpDtQyHQdzTuX1bTxmwBtC5da/qOwmERIrSrIhYwj0UjQ/oiDjwSMVM7Q9hnLtVu
oDxkeWsPCPFgER605GctGUHyK0TGrg8pXm4QS8WM4lCZCXZPIOsn1/QaoYD7ZomlotN2jh0Yd+JG
pnO/9vMfwI3YRmzbqPEvhUrLYdPeZbkW9mF6xruG/bUQx/NGTVoc4jBZsfDhfWIczxuBVJoYR1KL
vRHz3P28ZZObzd2g+KEOGS8WcGaRJvqPtH2fzvnFnc0ide6xKQ+ZB7k6OJe+wMvBufTIl+/AF5xL
j3Ppv+9SbojkMOOBhkzEMrh30LzYbV4gKVakKDKgnzxMMdHR1bmhrKyGvaX5kGaijTlWSUZcmNyg
CSPxYhZRL8kBRNmwBBBTHklVIWklbAKALPEn5XuaEMS/aAs9q6td9a1DMNjkhyXjrhxCfkviaYxq
VZFcTXJH8ymjgI00mVAjgwYCjlmwqN4qROQTR9Ns0e4TkdXnTc22OLI61v/j7v4JZM8bI1ma4Op6
zvzuBy2ZkOQYXLI0skgsuae/AbZ5yQLmgoMa3Gd2Hupyy3R5zszP7esQdJXsj5iFLnOQ3+j2lhj6
nbbT1BbKhRAL0l0K7kGBA2IaMW2jOu+a8vbsuJpQKSEf3KWBGwcmspM1whs0Bklt61qnPKmoirFt
uE2I0PzOkl+yzmZwE8zTSO/wPEkQk7DjR4wGVcXnuOWjerRTGKBf6JqCdGG8O/g7JsadjVhIpis8
ZEwSEcFnXmOOuF1wWM3SSaaqUJ4kvO0OY7XhcZ4Zhdkx0rdMYaxOJFTMDPb3iVcdMuH3keHHRQ8D
dRI/elM7FD7g84hoaM3oM+o9IQ2HND55UdJQrx3S9gTF4fs+9xuAPgv4nIcwe4uG92QhpOSTAEMG
Nu38KqL6N8G0yw4vAyEWDvIY/Z4Sw71z4hAyZm5sWrX0Ut8myehBaCO0bdTk4NJLpuIFRLry7f4r
6dBMQr0lixSXJtCVZDWtDVNEybAIDknohklo88+lb6I3NGJm5sOqHNwjaVurUW/gbDo5edPdMPF5
pvtxa7fpfjpo9msF2S7GjJHfr9712psikBrqeVIYpD+TFI80bywSKZqt5o0Zcg8q5JEtdMs8LKt7
fy1ANy6NbKD2s0j7TcQslibCLVloujn6NJpP44DM9a5IZ8wEvfMF0dDzNp2SlF5CQFgEiGzEUdoR
B/Q3zBV3IbgBPNdfx720Y1I2OMsYSNBbiaF2sAoMErY1ps2g+TwOAQOQDwDzj0IGedtJEr+CMaiE
DBnc4HIuofmrG/GJKcVFPFiEBzD9Thqt45tMPUA9j8RZWI9yGUlRbsBDrGB7XKgn9AYJ4//SfJjH
T73qtQO6xBzXv+rYqzjO0WGNcMsGk2QeoHwKBAc0uzlu2AgCbTw+iYF8HOGAaqBdxCsWlVQnca82
wLPraUsmFiWsZcEBrnbGOJhPl1xET2noAyrmLNXQ4f4aum23hhabrZdQO/8VbADDMYbJfQG9z8JU
T0j0ATmFdkp0ZX+BPiBXrwwC7bwcec5JRP2AtEI7JUJrlNR530cq6oec7ZZAKq7tk4oVf8u105m2
KKEg1PM4hNxpkETiubrfXAw6JiV2TPhcX1RZxywJBUTGqlnfn5DLKy4jKUoB+M4pjBLoXnYxoxRh
/QL0+LXPJfGEG5vkwa3TIagJMdKglf3OrDBkPsoBkgJJgaRAUiApbDUfOr/RcFYhTBEaaPs4/xp8
XmhDQZIhvSeN0wpp1Br19U9A8tWIzhip127QfCgd8yfwZEk3+4XmYnYT2VcO9gVUqisGZ0/MAyk8
ixi9NX+lOuehYlHIVLUf0al6EFdIjOYhuTQDG8j5SP92kkD/8LoUSzaf6MeCYDFKNe5uSAorNvp6
DRpcu7ehuAtgDALO0ERMlxzTT2ZIJ2ei5M6UBAT8liU1YzS8JX02ERH1N1Ovyjyw6CyKwxmN1geY
PLakEowteixbpOtFnCZZYJZw7h2NIhbYwrdOBfcUixTpr1z6YWyVomQsonPb1eSFiMkZi2YsqpC+
H8VLm1jY94W3nnNiIQev6MynS+3eR9Qm3g1pENyv12NbxzxSIUNtb+JGaNFGaJEI/iIC79712dJ2
FWoRz95TMdd+j+V6878+g8Moi/g20gvyY24534bcKqaNfSqmseU8A2RuLDFfVmAMkOeVFTQf6fbc
bbfqp/1isFh7RZDB7pEBlSqgt2wrbFHWpmjQ9uhn6B3pUtLT+nRzXWiFltgKhc5+ymccBl0vFiLS
Twf8hlZIZvqNydmHtE849XWQ9btZj6QohRR06nWHkCtmhnFvltUiDxHO5YMzAPpSRPMk/QahjdC2
2175/epdr9lsvb0h5Ex7CrJCrp2KMUsrZOAkTcyvHH2BQpy7Ql5B2+Ir6H2NEmERDHIvrfPMNG4R
/kC6IekGkKeYqEMlyLs4CMiQSZ8kCYw0gEbWiAU7sfD6XDP3zasK0VqCgJrQXvmHc1KvOfV286R9
lCqPCukuIh6QRq32FrMLLMXC3wL1D1+phfzh6Oju7s6Jpm6VeVyJyBHR7IiHU3GkrwEe/jZT/3AQ
B2gx2SgSxmJ622rdWHXkaFeO26O5iY5VxyC/UilZvD5XqMRc0wz6OXU5fnZIV/ra3eiSEQyP74n5
IlamHQTuK3baF4PAFDyQ16Pe4E31jErmkW6ufXZmhWrVizampRjYci6A2aQbz2Kp0LtA78IFQKB3
gd6F1d5Fq9ms2eVdWGiojrSlOvAcYqzVC4dcMAiLfzYXtd2KVqvFQpp7rVmtwPDcxKtRJJRwRWBu
rsKoIN1oxrwQA9YwmwxhDBDYr6fI+JdtvwIenme//j9Ynk8nPWTgVNukkybfXDzrd6MHdY6Q63e+
ESEPGdqU5OUWgJDrSzpklFKCDbOiQssyGN7tZqu5KZjbE6rrhwx9yWVeF5cc287HhnIuUP/53Svo
x5E2zJN48sZSvtaPKlKv/RHTzxp+ouuzk7/WkyrSiirkPA35/+SQvmARh/oik2X0YZE1gDb3s1np
2ow+641I/bSZ2NMgtNtpCcnVd2wSxTS617ZXvVXZd5OGv925SRtdsM8e82dG2zfbeDDYVBBSbAlZ
WYJN7XarYVew6aeIeQGzJtj02Fn2+yQAZdWB9pB5S2Z9h6RvYJQUiWmjiC25Z3kFbYWM7eKabU2t
TG6PthPXVoQGSrkNlNxr7JAreq9dg0sRKb96JmLtE/S5VBGfxCbcLqbkgoe3VS1/CqZnIBQshcJ1
RKdT7pJBOOMhY+AyktfXgzfkXDtwpnRLo+GjhMvaj0yPXcDOxei7pYjY8v6B2atjlzqmDdnK+H0j
OhoPmDb0BA6QFOUWCYjknDSO6zeE9CI6mbCkenMN7uX2V4Z6q7fex4RYuE08ezHhnLRM2iLe/Uqj
mTVdQDtpRh5u/3aagblEy1VG3pO5eAgEO4Ew+KyY/n04M4ZOXCYUNI0DmKqUxgHASkJ30FL2b8YB
DLPJmC1UNjCr3kbmW8r8PWMBgAmMBTyBAyRFuUUiiQW0jm8IuRAL9qVC+tpD+UmEX2jAvhCPkT4X
skI+6Ku/xRXyr9R/6Vvlv1g1ggJn9ti6ab0Cd2T8A/koYUqvmJLrizH02dL+ypJrUaVJ3iODQ69Q
QkPZrMUsIsJORGxWDu7n0L5CDWEpHhKntXW8neOcXP3gKoG+jeUg2Nu3aR2jb4O+DZICSYGkQFIg
KZAUSIrvQIq7IgePfqNQU8kUoYGzblYOPi+4tjjJkN6TxmlF+xCN+von9Ov3EYQm6vUbNCpLx/wJ
PFkS61xoLmY3kX3lYF9Apbpiocci5oEUnkWM3pq/Up2k/z5T1T6MknoQ11FvQHhILpOW/ecj/dvq
TkS3OYm+FMvsPLRRQ6nG3Q1JYcNG/ycngidwIrgm7XdYwVigIz5TwWgquv/rU5Gcy5p/XnB9KT2k
7Tn6roihM3aImtsiGc298l2vzWnfR2mOBmFnBwwon5n3awdCCAY7wbBxzgemHV2ZdHcczgpZqCIa
aDjo/4sATwJthUJyEniy8yTQXGUupjniUWB2FHiCR4Ho1NgrEsapaR/DHKYkwAnm8/vYvP23fvsL
WMm9DfN55JAhR9VoqWp8NXZZSCMu0o6BfB4HSbbUFZOaVTKzohMjKouQIRzshENqJWeFP1pX7LCc
zNVcn8gGNmd/6ZaThgRaTgdaTv+PVed7MLfh+57Xg7neKE6X7eIKVKdedxoOIaueSnqrvGJTFrHQ
ZfLPRaNxXBsMTFP5TTys3/lGeDixAQ/7EDIByldRN710AHVPD6Bu86+irlkJDK6fwUrNQvSNQxey
m0INo9+KRKFJ8t+efA4aV4TbpbPyyzbb3EFiZ1ZdBIX3pKPZarVbEy5v1s/PjnaNB2gcMEmjflwG
mvSeUShYhNV0LgSffO2BYSEeHLrPkvfr7Vh2g++A6SN5BVdc8Ok3lWe12ikEI6+o/BJ/7fSG4jID
SovJ0B35LJIirJBhWflyRl3/q1vGF5kvG0uBNRTUz3j19KPmjNe/5FHNz25YkQfMQ9q2Iotr8gFb
+lxKNudhEkYVU/IuEHdkvGAun2alqFdxsOERlghwu7fRA0Y81VvF2ka1MvAgQ7TKmZpWuRdVYQ5d
Ys9WG+18AWmjViEmr4CHRCu/mdYn0tlJraO9PdXHo2HfLA6A54hICoyVH2ozgKd7Xt3LBCpJBxgH
NN5eCypDfqhNrFm46+1LkC+F4cvCHsawrBlkFczXJbOJU9wePmFdoU02RO71kJZlkeD94lNJQ7G0
Rvwq5Exz6J3hFcw4u6YhBFhz5SYxZsRYKqGm+9xD02RTbLJVOPoqCyDYtH2iZ4CewfflC6pNa9Qm
uEnb3gVfVGun5PVmAPXNKsKKcLATDhA4d5C5u5mLpCgFzjtdc9gl/066ngdqa58cT0Q0IrqwiH5U
c6/hutzWcpd/isO91lPa+WomioSqyCL56/k8pOSaBcwVc+QsatYiatYzxv/gn7g1ExAf4dm1uAut
Cs+bHLYF39gy7GNcn0sVcVeh/rRIf2ql80lDl5B6rdGonSJvbbN6kKO7OYqkKDe4B3PKgx/Ind57
6afjH13AukoMfMcNEfWIeiSF1QrgTERcvvQ0HwRxuUH8Hxp67DO5uOjhjmURWy3SSh8DrqTtMSmL
+HWxRGaVhlnXIpBKzITlHKu/xd3Not1tKKQr7pClFrH0KpZy4+QJWbpiKZKi3OhOY4UT7WAbD/vH
e+oL4WAuACIeSWG78P8r5qHioZlwhOJuk1ZXPou4S9KaMUwetom59VrtlIxJ76J7NRh+uLwm42vk
r0X8HXcvybB7PfhQIb0uIafNZq2BDLaIwR/HXeQnWpQ2Qjt1J//4oi3KH1lihYSpEYJOJeIeSYGk
QFIgKV7AHtlJGi4xRWjgrJeoDz4vuN41yZDek8ZpBUrW6+uf0K/fR3TGSL2BDbnKx/wJPFlyPr3Q
XMxuIvvKwb6ASnXFQo9FzAMpPIsYvTV/pTrnoWKRNmmrfejC9CCu6SDDrX5NOYm+FMtsInCjhlKN
uxuSwoaN/iWkOr6PKZ/bnovV81mIatkiAVyNikCuWsTVMyGVGW+EUXSb2IqnImgI2n0q4hsjynG1
mfHjNNua8FQEcY+kQFIgKZAUSAokBZICSYGkQFIgKZAUSAokBZICSYGkQFIgKZAUSAokBZICSYGk
QFIgKZAUSAokBZICSYGkQFIgKZAUSAokBZICSYGkQFIgKZAUSIpSkeLO/m4Wx9jN4k/kQDJXjVY4
2JMeY/1HcPXt8dvj3lmy8NkYnuLun6/qjUazZlag37dOmukjLWZDCr+jxEJfbyYfifjMV/Cxmvnu
iVBKzB9uB2ya3DWP4zPqMf007Ya5ORVC5f45i5X5Z/pzrgiAAml5DHzGXPaE+1PEPfhuHrIRV65+
yuO3GYkSapi3E+Hdmzf6T+I5C1XnfwAAAP//AwBQSwMEFAAGAAgAAAAhALb0Z5jSBgAAySAAABUA
AAB3b3JkL3RoZW1lL3RoZW1lMS54bWzsWUuLG0cQvgfyH4a5y3rN6GGsNdJI8mvXNt61g4+9Umum
rZ5p0d3atTCGYJ9yCQSckEMMueUQQgwxxOSSH2OwSZwfkeoeSTMt9cSPXYMJu4JVP76q/rqquro0
c+Hi/Zg6R5gLwpKOWz1XcR2cjNiYJGHHvX0wLLVcR0iUjBFlCe64Cyzcizuff3YBnZcRjrED8ok4
jzpuJOXsfLksRjCMxDk2wwnMTRiPkYQuD8tjjo5Bb0zLtUqlUY4RSVwnQTGovTGZkBF2DpRKd2el
fEDhXyKFGhhRvq9UY0NCY8fTqvoSCxFQ7hwh2nFhnTE7PsD3petQJCRMdNyK/nPLOxfKayEqC2Rz
ckP9t5RbCoynNS3Hw8O1oOf5XqO71q8BVG7jBs1BY9BY69MANBrBTlMups5mLfCW2BwobVp095v9
etXA5/TXt/BdX30MvAalTW8LPxwGmQ1zoLTpb+H9XrvXN/VrUNpsbOGblW7faxp4DYooSaZb6Irf
qAer3a4hE0YvW+Ft3xs2a0t4hirnoiuVT2RRrMXoHuNDAGjnIkkSRy5meIJGgAsQJYecOLskjCDw
ZihhAoYrtcqwUof/6uPplvYoOo9RTjodGomtIcXHESNOZrLjXgWtbg7y6sWLl4+ev3z0+8vHj18+
+nW59rbcZZSEebk3P33zz9Mvnb9/+/HNk2/teJHHv/7lq9d//Plf6qVB67tnr58/e/X913/9/MQC
73J0mIcfkBgL5zo+dm6xGDZoWQAf8veTOIgQyUt0k1CgBCkZC3ogIwN9fYEosuB62LTjHQ7pwga8
NL9nEN6P+FwSC/BaFBvAPcZoj3Hrnq6ptfJWmCehfXE+z+NuIXRkWzvY8PJgPoO4JzaVQYQNmjcp
uByFOMHSUXNsirFF7C4hhl33yIgzwSbSuUucHiJWkxyQQyOaMqHLJAa/LGwEwd+GbfbuOD1Gber7
+MhEwtlA1KYSU8OMl9BcotjKGMU0j9xFMrKR3F/wkWFwIcHTIabMGYyxEDaZG3xh0L0Gacbu9j26
iE0kl2RqQ+4ixvLIPpsGEYpnVs4kifLYK2IKIYqcm0xaSTDzhKg++AElhe6+Q7Dh7ref7duQhuwB
ombm3HYkMDPP44JOELYp7/LYSLFdTqzR0ZuHRmjvYkzRMRpj7Ny+YsOzmWHzjPTVCLLKZWyzzVVk
xqrqJ1hAraSKG4tjiTBCdh+HrIDP3mIj8SxQEiNepPn61AyZAVx1sTVe6WhqpFLC1aG1k7ghYmN/
hVpvRsgIK9UX9nhdcMN/73LGQObeB8jg95aBxP7OtjlA1FggC5gDBFWGLd2CiOH+TEQdJy02t8pN
zEObuaG8UfTEJHlrBbRR+/gfr/aBCuPVD08t2NOpd+zAk1Q6Rclks74pwm1WNQHjY/LpFzV9NE9u
YrhHLNCzmuaspvnf1zRF5/mskjmrZM4qGbvIR6hksuJFPwJaPejRWuLCpz4TQum+XFC8K3TZI+Ds
j4cwqDtaaP2QaRZBc7mcgQs50m2HM/kFkdF+hGawTFWvEIql6lA4MyagcNLDVt1qgs7jPTZOR6vV
1XNNEEAyG4fCazUOZZpMRxvN7AHeWr3uhfpB64qAkn0fErnFTBJ1C4nmavAtJPTOToVF28KipdQX
stBfS6/A5eQg9Ujc91JGEG4Q0mPlp1R+5d1T93SRMc1t1yzbayuup+Npg0Qu3EwSuTCM4PLYHD5l
X7czlxr0lCm2aTRbH8PXKols5AaamD3nGM5c3Qc1IzTruBP4yQTNeAb6hMpUiIZJxx3JpaE/JLPM
uJB9JKIUpqfS/cdEYu5QEkOs591Ak4xbtdZUe/xEybUrn57l9FfeyXgywSNZMJJ1YS5VYp09IVh1
2BxI70fjY+eQzvktBIbym1VlwDERcm3NMeG54M6suJGulkfReN+SHVFEZxFa3ij5ZJ7CdXtNJ7cP
zXRzV2Z/uZnDUDnpxLfu24XURC5pFlwg6ta054+Pd8nnWGV532CVpu7NXNde5bqiW+LkF0KOWraY
QU0xtlDLRk1qp1gQ5JZbh2bRHXHat8Fm1KoLYlVX6t7Wi212eA8ivw/V6pxKoanCrxaOgtUryTQT
6NFVdrkvnTknHfdBxe96Qc0PSpWWPyh5da9Savndeqnr+/XqwK9W+r3aQzCKjOKqn649hB/7dLF8
b6/Ht97dx6tS+9yIxWWm6+CyFtbv7qu14nf3DgHLPGjUhu16u9cotevdYcnr91qldtDolfqNoNkf
9gO/1R4+dJ0jDfa69cBrDFqlRjUISl6joui32qWmV6t1vWa3NfC6D5e2hp2vvlfm1bx2/gUAAP//
AwBQSwMEFAAGAAgAAAAhAEk+hihoBAAAKA0AABEAAAB3b3JkL3NldHRpbmdzLnhtbLRX32/bNhB+
H7D/wfDzHOu3ZaFOIVvymiJehzjFnimJtomIokBSdt1i//uOlBg5i1okLZKHhLrv7rvj3fHIvHv/
hZajI+aCsGoxtq+s8QhXOStItV+MP9+vJ+F4JCSqClSyCi/GZyzG769//+3dKRJYSlATI6CoRETz
xfggZR1NpyI/YIrEFatxBeCOcYokfPL9lCL+0NSTnNEaSZKRksjz1LGsYNzRsMW44VXUUUwoyTkT
bCeVScR2O5Lj7o+x4C/x25okLG8orqT2OOW4hBhYJQ6kFoaN/iwbgAdDcvzRJo60NHon23rBdk+M
F48WLwlPGdSc5VgIKBAtTYCk6h17z4gefV+B726LmgrMbUuvLiP3X0fgPCMIcvzldRxhxzEFy0se
UryOJ3jkIX1i7eDngrkgEPh1FL6JQ5xpvyNRvqTGLXRLMo54e4K6AtM8utlXjKOshHCg0COo1UhH
p37DltUfvQSf13CQvzJGR6eoxjyHboYp4FrjqQKgh9huK5EEy0jUuCz1WMhLjMDRKdpzROFAG4m2
kRzlD3f4SNREEVpU4B1qSnmPsq1kNdgdEWxx5nRe8gMCG4n5tkY5OFixSnJWGr2C/cXkCuYFh3bu
LPT06FfbdhKBRYUobPrJdNmwAqtgG05eXh1loL3b/qXL/ztiMDk5KfC9SvZWnku8huC35CuOq+Jj
IyQBRj1jfiGCHwWAK+X5E7TH/bnGa4xkA2l6I2e6EuuS1BvCOeM3VQHt8mbOyG6HOTgg0H4baB/C
2Unn+QNGBVxYb+S3EfgfUIbT6d6rVl4yKRn9cK4PkOtfq6Tu9+ll+8K1WwizuGNMPqpacer6cdJG
qtAesdZ27K2GEBt+wnQQCd00mQ8hjmulqTuIwAn9jk3o+0F3ep8ibmwtZ11+nyL+DOIejNpP/CT1
hpCZ7drWYASzpevN10NIGDirZTiEzFMvsZwhJJ759nww13HszpxBtu/XZ7myQmvQZgU7Sgbrs/Ls
uTXItkptexkMImvHsQf3k8x8118OIaltefFg3tah64WmQ7u+pJF61PzNzUoNtxFtLVaIZpyg0UY9
e6ZKI+MPS1IZPMNwW+FLZNtkBpxMWkBQVJZrOGYG0AHQqCCiTvBOr8sN4vuet9Pgg1K4aT4+cqnL
DPM/OWvqFj1xVLdDy6jYntdZkkreEmrkosm2xqqC+/UCaqri05HrPPXpgWsPhoAe/rdIDxOti6vJ
522b7LzkWzUo8AbVdTtvsr29GJdkf5C2GhESvgp4HeuPbO90mKMxp8X0B8rVzkC7W/Qyx8gu9Fwj
c3uZZ2ReL/ONzO9lgZEFSnaAG4bDC+ABRp9ZKvmOlSU74eJDjz8TtUkocE6g4tszzfr7/arFSiJg
FtfwFJCMG+wPjdleVLD8Rr1bvFbuOcnaS+ftaLB9/YSQelxDau/wbokELjrMmPqt6belN0+SOAwm
c2/uTSzPsyexlXqTdTxPgiRYeqkT/9udA/MvzvV/AAAA//8DAFBLAwQUAAYACAAAACEATJM07IEB
AAA4AwAAEQAIAWRvY1Byb3BzL2NvcmUueG1sIKIEASigAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAnJJRT8MgEIDfTfwPDe8dtFMzm65L1OxJExNnNL4hnBuuBQI36/69tF07N/XFtzvu4wPu
yGefVRl9gPPK6ClJRoxEoIWRSi+n5HExjyck8si15KXRMCVb8GRWnJ7kwmbCOLh3xoJDBT4KJu0z
YadkhWgzSr1YQcX9KBA6FN+MqziG1C2p5WLNl0BTxi5oBcglR04bYWwHI9kppRiUduPKViAFhRIq
0OhpMkronkVwlf91Q1v5RlYKtxZ+RfviQH96NYB1XY/qcYuG+yf0+e72oX1qrHTTKwGkyKXIUGEJ
RU73YYj85vUdBHbLQxJi4YCjccV8gxsHNahoAWKlTWmWoRct3iNN89ewrY2TPogOsoBJ8MIpi2Gk
3TEHC4Euuce7MOM3BfJq++eJP8lms4MP1fyWIm2JIe3F905pBFmkLGVxksZssmDn2fgyY+xlcPZQ
vptX9zSQUehz1k2lrzyNr28Wc3LkO5t0vqP9e2G1u/W/jb2ga/DhXy++AAAA//8DAFBLAwQUAAYA
CAAAACEAa8ZDwygCAAA0CAAAEgAAAHdvcmQvZm9udFRhYmxlLnhtbMSU3W7aMBSA7yf1HSLflzgh
/KqhalmRJk27qLoHMI5DrMV25GMIvP2Ok8CQAKmp1A6k4Jxjfzn+cszD416VwU5YkEanJBpQEgjN
TSb1JiW/31b3UxKAYzpjpdEiJQcB5HFx9+2hnudGOwhwvYa54ikpnKvmYQi8EIrBwFRCYzI3VjGH
t3YTKmb/bKt7blTFnFzLUrpDGFM6Jh3Gvodi8lxy8d3wrRLaNetDK0okGg2FrOBIq99Dq43NKmu4
--00000000000036b4e005b5ed9f95
Content-Type: application/pdf; name="draft-ietf-teas-pce-native-ip-14-de.pdf"
Content-Disposition: attachment; 
 filename="draft-ietf-teas-pce-native-ip-14-de.pdf"
Content-Transfer-Encoding: base64
Content-ID: <f_kifkeox71>
X-Attachment-Id: f_kifkeox71
--00000000000036b4e005b5ed9f95--


From nobody Tue Dec  8 00:32:29 2020
Return-Path: <carlesgo@entel.upc.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5003A0E1F; Tue,  8 Dec 2020 00:32:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level: 
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOX-qnY53mjm; Tue,  8 Dec 2020 00:32:26 -0800 (PST)
Received: from violet.upc.es (violet.upc.es [147.83.2.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05983A0DE9; Tue,  8 Dec 2020 00:32:25 -0800 (PST)
Received: from entelserver.upc.edu (entelserver.upc.es [147.83.40.4]) by violet.upc.es (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id 0B88WMs6008369; Tue, 8 Dec 2020 09:32:22 +0100
Received: from webmail.entel.upc.edu (webmail.entel.upc.edu [147.83.39.6]) by entelserver.upc.edu (Postfix) with ESMTP id 083E81D53C1; Tue,  8 Dec 2020 09:32:21 +0100 (CET)
Received: from 79.152.1.171 by webmail.entel.upc.edu with HTTP; Tue, 8 Dec 2020 09:32:22 +0100
Message-ID: <faa50295c07427c63e71e89466ed2872.squirrel@webmail.entel.upc.edu>
In-Reply-To: <160573826402.16462.7124606612381130154@ietfa.amsl.com>
References: <160573826402.16462.7124606612381130154@ietfa.amsl.com>
Date: Tue, 8 Dec 2020 09:32:22 +0100
From: "Carles Gomez Montenegro" <carlesgo@entel.upc.edu>
To: "Catherine Meadows" <catherine.meadows@nrl.navy.mil>
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-6lo-blemesh.all@ietf.org,  6lo@ietf.org
User-Agent: SquirrelMail/1.4.21-1.fc14
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Virus-Scanned: clamav-milter 0.100.3 at violet
X-Virus-Status: Clean
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.3.9 (violet.upc.es [147.83.2.51]); Tue, 08 Dec 2020 09:32:23 +0100 (CET)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Y4Eq7Fc3lzs4_TQezVCdpfN7HUA>
Subject: Re: [secdir] [6lo] Secdir last call review of draft-ietf-6lo-blemesh-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 08:32:28 -0000

Hi Catherine,

Sorry for the late reply.

Thank you very much for your review, which has been very valuable to us.

We understand that no action is needed from our side in the context of
your review.

Should you have any further comments, please do not hesitate to let us know.

Cheers,

Carles (on behalf of the authors)


> Reviewer: Catherine Meadows
> Review result: Ready
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments. This document specifies
> mechanisms that are needed to enable IPv6 mesh topologies over Bluetooth
> Low Energy Links established using the Bluetooth Internet Protocol
> Support Profile. It does not specify the routing protocol to be used in
> an IPv6, and it does not specify security mechanisms.
>
> In the Security Considerations Section the document directs the reader
> to the relevant documents. For most security issues, it points the
> reader to RFC 7668, "IPv6 over BLUETOOTH(R) Low Energy." For security
> issues produced by the routing protocol, the reader is directed to RFC
> 7416, "A Security Threat Analysis for the Routing Protocol for Low-Power
> and Lossy Networks (RPLs)", and it is noted that the issues addressed in
> that RFC are useful for other low energy routing protocols as well.
> Finally it is noted that the Registration Ownership Verifier (ROVR)
> field can be derived from the Bluetooth address, and that this field is
> also subject to impersonation and spoofing. For this the document refers
> the reader to the Internet Draft on "Address Protected Neighbor
> Discovery for Low-power and Lossy Networks."
>
> I think that this document does an excellent job of identifying the
> relevant security issues related to its topic, and of directing the
> reader to the relevant documents.
>
> I consider this document Ready.



From nobody Tue Dec  8 06:56:42 2020
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F9703A0EB3; Tue,  8 Dec 2020 06:56:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSh0gU_KVztW; Tue,  8 Dec 2020 06:56:31 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 265A43A0F39; Tue,  8 Dec 2020 06:56:29 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 999D5BE4C; Tue,  8 Dec 2020 14:56:27 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Rk7YEWOmCv2; Tue,  8 Dec 2020 14:56:24 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id BD0EABE2F; Tue,  8 Dec 2020 14:56:24 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1607439384; bh=rbqEY/IXn0kmb1SC93nkcMagS9Qj/5wh/F230iIX0FU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=Tz50zTKth+BHxH6PSHx5FVy0TQdXJ3aPtREtQtCoQ93bnBAlEGtQDVxS6ek6UEAPr paf0t1rSpXPt28NDFWMZiuWHnFM186fYw/AVDdHGDvM2pjngcyLaH1JY0KNuISRGXr RU7aSHw3Y0709VYlR6hweQkQ1/CylzJPRKv4ej68=
To: Benjamin Kaduk <kaduk@mit.edu>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org, dnsop WG <dnsop@ietf.org>, secdir@ietf.org
References: <20201204203635.GS64351@kduck.mit.edu> <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org> <20201208012332.GJ64351@kduck.mit.edu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <200cabf3-79a5-bb61-57b7-30317dbb0944@cs.tcd.ie>
Date: Tue, 8 Dec 2020 14:56:23 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <20201208012332.GJ64351@kduck.mit.edu>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="yUnDk8M4VytKCSRxIKXkjK9AI5qRap8sP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/gOm_yDbWZTmvVCyVj_A1hXY9uA0>
Subject: Re: [secdir] [DNSOP] Secdir last call review of draft-ietf-dnsop-server-cookies-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 14:56:34 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--yUnDk8M4VytKCSRxIKXkjK9AI5qRap8sP
Content-Type: multipart/mixed; boundary="ExVB2Qoiko5GtaK9yl8HB32ev7zNouOnO";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Benjamin Kaduk <kaduk@mit.edu>, =?UTF-8?B?T25kxZllaiBTdXLDvQ==?=
 <ondrej@isc.org>
Cc: last-call@ietf.org, draft-ietf-dnsop-server-cookies.all@ietf.org,
 dnsop WG <dnsop@ietf.org>, secdir@ietf.org
Message-ID: <200cabf3-79a5-bb61-57b7-30317dbb0944@cs.tcd.ie>
Subject: Re: [DNSOP] [secdir] Secdir last call review of
 draft-ietf-dnsop-server-cookies-04
References: <20201204203635.GS64351@kduck.mit.edu>
 <F84E2C04-2916-4B88-B8CA-8CE7428A0C1C@isc.org>
 <20201208012332.GJ64351@kduck.mit.edu>
In-Reply-To: <20201208012332.GJ64351@kduck.mit.edu>

--ExVB2Qoiko5GtaK9yl8HB32ev7zNouOnO
Content-Type: multipart/mixed;
 boundary="------------6FDA43A02FABDAF43A69738C"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------6FDA43A02FABDAF43A69738C
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Hiya,

(I wouldn't put that much store on my specific response, but
since you asked...)

On 08/12/2020 01:23, Benjamin Kaduk wrote:
> Hi Ondřej,
>
> Thanks for this detailed writeup; it really helps bring clarity to the
> current situation.
>
> In light of the follow-ups from others, it seems that there are actually
> two distinct but somewhat entangled issues:
>
> (1) whether SipHash is a strong cryptographic hash function that delivers
> its stated properties.

Right. And whether there are any oddities, e.g. ways in which
one ought not use the algorithm. Asking about that is IMO a
good plan because once this gets used somewhere it'll be used
again elsewhere so I'd prefer we know if/when that's ok or
not. (Additionally, I'll admit a slight personal bias against
adding new algorithms where we have existing ones that are
fine - I figure that just costs more and damages interop for
little or no benefit. That could be outweighed though if the
new alg is already implemented and deployed for the purpose
in question and/or if it's widely available in libraries.)

>
> (2) whether the stated properties of SipHash are appropriate for the
> scenario we are using it for in this document.

For DNS cookies, I'd say it'd be very unlikely that this is
not ok.

Cheers,
S.


>
> I had initially assumed that Stephen's review was asking about (2), but for
> the most part we tend to ask CFRG about things like (1).  So, while I agree
> that it's valuable to get input from the CFRG on (1) and am willing to
> start the conversation there if needed, I would also like to get Stephen's
> (or anyone else's really) input about question (2).  I suspect that we are
> okay in that regard, not least because of the other similar usage that you
> describe, but request that the analysis of what properties we need from a
> hash function for this use case (and that SipHash meets them) be included
> in a future version of the draft.
>
> Thanks again,
>
> Ben
>
> On Fri, Dec 04, 2020 at 10:14:29PM +0100, Ondřej Surý wrote:
>> Hi Benjamin,
>>
>> I did not use appeal to authority as an argument, but I’ve just
>> provided examples that SipHash has been implemented in similar
>> scenarios and there hasn’t been a reported issue with the choice for
>> years now.
>>
>> Using a fast PRF (pseudorandom function) for the DNS Cookies is a good
>> choice because it matches the required properties - it needs to be fast
>> and secure in the sense that an attacker can compute neither the key nor
>> the output of the function. DNS Cookies are not MACs.
>>
>> Sorry for the misnomer of the brute force - what I meant was a
>> protection against a replay attack. I’m just currently very tired with
>> day to day job.
>>
>> Please note that DNS Cookies don’t protect the actual DNS message
>> payload, they merely provide means to establish trust between the client
>> and the server so as to distinguish between legitimate and spoofed
>> traffic, so different policies can be used - Response Rate Limiting
>> (RRL) could be turned off for DNS messages with cookies or when under
>> attack it could require fallback to TCP for DNS queries without the DNS
>> Cookie. The DNS cookies don’t protect the actual content in any way,
>> nor do they protect the communication from the on path adversary.
>>
>> In that regard, the client cookie is just a nonce (and it’s just
>> convenient to use the same algorithm to generate it, but it could be
>> output from a CSPRNG as well) and the server cookie is a cryptographic
>> primitive that uses the client nonce, key and timestamp to construct the
>> server cookie. Such a server cookie is used by the DNS client to
>> authenticate to the server (it’s a shared secret, but it requires no
>> per-client state on the server). Just to repeat, the actual payload (DNS
>> message) is not protected by the DNS cookie.
>>
>> If the DNS server could keep a state for every DNS client, a CS random
>> number would be as good as the output of the SipHash.
>>
>> I might not be a cryptographer as my daily job, but I am reasonably
>> confident that SipHash has matching properties, it hasn’t been broken as
>> of today. Also all DNS vendors have agreed to make this choice and the
>> RFC here is merely a way to ensure interoperability between various
>> implementations.
>>
>> (Typing this on phone, so excuse any irregularities in the text.)
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>>> On 4. 12. 2020, at 21:37, Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>
>>> Hi Ondřej,
>>>
>>> Just because someone else does something, even a "big name", doesn't
>>> necessarily make it a good idea for us to also do it.
>>> We should be able to justify our algorithm choices on cryptographic
>>> principles, not just appeal to authority.
>>>
>>> In a similar vein, you said something about the 32-bit timestamp being wide
>>> enough to prevent brute-force attacks.  Could you say a bit more about what
>>> attacks those are that are being prevented?  I'm not really seeing how the
>>> width of the timestamp comes into play for that concern, just from a quick
>>> skim of the document.  (Timestamps tend to not provide much protection
>>> against brute force by themselves, since time is relatively guessable,
>>> especially to seconds precision.)
>>>
>>> Thanks,
>>>
>>> Ben
>>>
>>>> On Wed, Dec 02, 2020 at 11:18:29PM +0100, Ondřej Surý wrote:
>>>> SYN cookies in both Linux and FreeBSD use siphash.
>>>>
>>>> * FreeBSD: https://svnweb.freebsd.org/base?view=revision&revision=253210 (since 2013)
>>>> * Linux: https://github.com/torvalds/linux/commit/fe62d05b295bde037fa324767674540907c89362#diff-14feef60c3dbcf67539f089de04546c907233cbae09e1b2dd2c2bc6d6eae4416 (since 2017)
>>>>
>>>> I believe that the SYN cookies have exactly the same properties as DNS cookies.
>>>>
>>>> Ondrej
>>>> --
>>>> Ondřej Surý (He/Him)
>>>> ondrej@isc.org
>>>>
>>>>>> On 2. 12. 2020, at 22:15, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>>
>>>>> Well hash tables are an application with somewhat different security properties than MACs, so I don't think this is dispositive.
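
The stateless server cookie described in the quoted text above (client nonce, server key and timestamp fed to SipHash, with no per-client state), as an added example that is not part of this thread or of the draft's own text. The field layout (version octet, three reserved octets, 32-bit timestamp, 8-byte hash), the age and skew limits, and all function names and sample values are assumptions made for illustration.

```python
import hmac
import ipaddress
import struct

MASK = 0xFFFFFFFFFFFFFFFF
VERSION = 1       # assumed version octet
MAX_AGE = 3600    # assumed policy: reject cookies older than one hour
MAX_SKEW = 300    # assumed policy: tolerate five minutes of clock skew


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK


def siphash24(key, msg):
    """SipHash-2-4 with a 16-byte key; returns the 8-byte little-endian tag."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround():
        v[0] = (v[0] + v[1]) & MASK
        v[1] = _rotl(v[1], 13) ^ v[0]
        v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK
        v[3] = _rotl(v[3], 16) ^ v[2]
        v[0] = (v[0] + v[3]) & MASK
        v[3] = _rotl(v[3], 21) ^ v[0]
        v[2] = (v[2] + v[1]) & MASK
        v[1] = _rotl(v[1], 17) ^ v[2]
        v[2] = _rotl(v[2], 32)

    # Zero-pad to a multiple of 8 bytes; the last byte carries len(msg) mod 256.
    padded = msg + b"\x00" * (7 - len(msg) % 8) + bytes([len(msg) & 0xFF])
    for (m,) in struct.iter_unpack("<Q", padded):
        v[3] ^= m
        sipround()
        sipround()
        v[0] ^= m
    v[2] ^= 0xFF
    for _ in range(4):
        sipround()
    return struct.pack("<Q", v[0] ^ v[1] ^ v[2] ^ v[3])


def make_server_cookie(secret, client_cookie, client_ip, now):
    """Build a 16-byte server cookie; the server stores nothing per client."""
    prefix = struct.pack("!B3xI", VERSION, now & 0xFFFFFFFF)
    ip = ipaddress.ip_address(client_ip).packed
    return prefix + siphash24(secret, client_cookie + prefix + ip)


def check_server_cookie(secret, client_cookie, server_cookie, client_ip, now):
    """Recompute the hash from the query itself, then judge the timestamp."""
    if len(client_cookie) != 8 or len(server_cookie) != 16:
        return "bad-length"
    version, ts = struct.unpack("!B3xI", server_cookie[:8])
    if version != VERSION:
        return "bad-version"
    ip = ipaddress.ip_address(client_ip).packed
    expected = siphash24(secret, client_cookie + server_cookie[:8] + ip)
    if not hmac.compare_digest(expected, server_cookie[8:]):
        return "bad-hash"      # wrong key, other source address, or edited field
    # Serial-number arithmetic so the 32-bit timestamp survives wrap-around.
    age = (now - ts) & 0xFFFFFFFF
    if age >= 0x80000000:
        age -= 1 << 32
    if age > MAX_AGE:
        return "expired"       # a replayed old cookie ends up here
    if age < -MAX_SKEW:
        return "future"
    return "ok"


def demo():
    """Run constructed cases; every value below is made up for the example."""
    secret = bytes(range(16))
    cc = bytes.fromhex("0102030405060708")
    now = 1607439384
    sc = make_server_cookie(secret, cc, "192.0.2.1", now)
    edited = sc[:7] + bytes([sc[7] ^ 1]) + sc[8:]   # timestamp bumped by hand
    return {
        "fresh": check_server_cookie(secret, cc, sc, "192.0.2.1", now + 60),
        "other_source": check_server_cookie(secret, cc, sc, "192.0.2.2", now),
        "replayed_late": check_server_cookie(secret, cc, sc, "192.0.2.1", now + 3601),
        "edited_timestamp": check_server_cookie(secret, cc, edited, "192.0.2.1", now),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp is an input to the hash, so it cannot be refreshed without the server secret; it bounds how long a captured cookie stays usable rather than adding any guessing resistance.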

--------------6FDA43A02FABDAF43A69738C
Content-Type: application/pgp-keys;
 name="OpenPGP_0x5AB2FAF17B172BEA.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
 filename="OpenPGP_0x5AB2FAF17B172BEA.asc"


--------------6FDA43A02FABDAF43A69738C--

--ExVB2Qoiko5GtaK9yl8HB32ev7zNouOnO--

--yUnDk8M4VytKCSRxIKXkjK9AI5qRap8sP
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--yUnDk8M4VytKCSRxIKXkjK9AI5qRap8sP--


From nobody Tue Dec  8 08:20:52 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B00E3A1021; Tue,  8 Dec 2020 08:20:36 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: bess@ietf.org, draft-ietf-bess-evpn-proxy-arp-nd.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160744443645.5849.4437345323739394566@ietfa.amsl.com>
Reply-To: Russ Housley <housley@vigilsec.com>
Date: Tue, 08 Dec 2020 08:20:36 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/O8l1SCooIxVMlub9p_30zUFFjhQ>
Subject: [secdir] Secdir last call review of draft-ietf-bess-evpn-proxy-arp-nd-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 16:20:45 -0000

Reviewer: Russ Housley
Review result: Has Issues

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-bess-evpn-proxy-arp-nd-09
Reviewer: Russ Housley
Review Date: 2020-12-08
IETF LC End Date: 2020-12-15
IESG Telechat date: unknown

Summary: Has Issues


Major Concerns:  I worry about the reference to SEND (RFC 3971).  The
  SEND protocol only supports digital signatures using RSA with SHA-1.
  While this still might be adequate for the time scales associated 
  with ND, the 80-bit security offered by SHA-1 is not considered
  adequate for digital signatures in general.  Is the reference to
  SEND really needed in this document?


Minor Concerns:  None


Nits:  The Gen-ART review by me includes some editorial suggestions.




From nobody Tue Dec  8 18:26:06 2020
Return-Path: <wangaj3@chinatelecom.cn>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 380EA3A00D3; Tue,  8 Dec 2020 18:25:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 13vKVDfVJ09r; Tue,  8 Dec 2020 18:25:55 -0800 (PST)
Received: from chinatelecom.cn (prt-mail.chinatelecom.cn [42.123.76.220]) by ietfa.amsl.com (Postfix) with ESMTP id 2ADD53A00C4; Tue,  8 Dec 2020 18:25:53 -0800 (PST)
HMM_SOURCE_IP: 172.18.0.48:15114.1238962797
HMM_ATTACHE_NUM: 0000
HMM_SOURCE_TYPE: SMTP
Received: from clientip-219.142.69.75?logid-d2695525dd284714830add372e61a7fa (unknown [172.18.0.48]) by chinatelecom.cn (HERMES) with SMTP id 0074C2800CB; Wed,  9 Dec 2020 10:25:42 +0800 (CST)
X-189-SAVE-TO-SEND: 66040164@chinatelecom.cn
Received: from  ([172.18.0.48]) by App0024 with ESMTP id d2695525dd284714830add372e61a7fa for d3e3e3@gmail.com; Wed Dec  9 10:25:43 2020
X-Transaction-ID: d2695525dd284714830add372e61a7fa
X-filter-score: filter<0>
X-Real-From: wangaj3@chinatelecom.cn
X-Receive-IP: 172.18.0.48
X-MEDUSA-Status: 0
Sender: wangaj3@chinatelecom.cn
From: "Aijun Wang" <wangaj3@chinatelecom.cn>
To: <d3e3e3@gmail.com>, <iesg@ietf.org>, <draft-ietf-teas-pce-native-ip.all@ietf.org>
Cc: "'secdir'" <secdir@ietf.org>, <last-call@ietf.org>
References: <CAF4+nEFFo+EwawOfEaS4mWnVzcokKOQw0Mt6qp240sMy9NKzow@mail.gmail.com>
In-Reply-To: <CAF4+nEFFo+EwawOfEaS4mWnVzcokKOQw0Mt6qp240sMy9NKzow@mail.gmail.com>
Date: Wed, 9 Dec 2020 10:25:40 +0800
Message-ID: <009501d6cdd2$98623ed0$c926bc70$@chinatelecom.cn>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0096_01D6CE15.A686B750"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIlk6kYgF4MaLToiNjvYXbC2YXmWalQfEyQ
Content-Language: zh-cn
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0thWlYDMALHz0-pooj8I9GWNHAU>
Subject: Re: [secdir] SECDIR review of draft-ietf-teas-pce-native-ip-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 02:25:57 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0096_01D6CE15.A686B750
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi, Donald:

Thanks for your careful review.

I have updated the draft according to your suggestions, except one minor change for the name of the document.

It seems “Path Computation Element (PCE) based Traffic Engineering (TE) in Native IP Network” is better?

I have uploaded the new version on the IETF repository.

Detailed responses are inline below.

Best Regards

Aijun Wang

China Telecom

From: d3e3e3@gmail.com <d3e3e3@gmail.com>
Sent: Tuesday, December 8, 2020 1:58 PM
To: iesg@ietf.org; draft-ietf-teas-pce-native-ip.all@ietf.org
Cc: secdir <secdir@ietf.org>; last-call@ietf.org
Subject: SECDIR review of draft-ietf-teas-pce-native-ip-14

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with Issues.

Security:

This is a very high level Informational document about a general method of traffic engineering using multiple BGP sessions and PCE. The Security Considerations section is adequate except that I would recommend adding a reference for BGP security, perhaps to RFC 7454.

[WAJ] Done, thanks.

Other Issues:

The title of the document doesn't really make it clear what it is about and does not spell out some acronyms. I suggest the following:

Path Computation Element (PCE) Traffic Engineering (TE) in Native IP NetworkNetworks

[WAJ] Just add one word “based” to become “Path Computation Element (PCE) based Traffic Engineering (TE) in Native IP Network”

Editorial:

There are a number of editorial/typo issues including the curious lack of any expansion or definition for the first three acronyms listed in Section 2 on Terminology and what appears to be a line sliced off the bottom of Figure 3. Also, I think a reference should be given where BGP Flowspec is mentioned in Section 7.1, presumably to the rfc5575bis draft. See attached for detailed change suggestions in MS Word with tracked changes and, alternatively, as a PDF thereof.

[WAJ] Done, thanks.

Thanks,

Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com <mailto:d3e3e3@gmail.com>



------=_NextPart_000_0096_01D6CE15.A686B750--


From nobody Wed Dec  9 04:42:48 2020
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 624093A0F47 for <secdir@ietfa.amsl.com>; Wed,  9 Dec 2020 04:42:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJvaNEnzpfkJ for <secdir@ietfa.amsl.com>; Wed,  9 Dec 2020 04:42:45 -0800 (PST)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF5373A0F3A for <secdir@ietf.org>; Wed,  9 Dec 2020 04:42:44 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id w79so1000775qkb.5 for <secdir@ietf.org>; Wed, 09 Dec 2020 04:42:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:message-id:thread-topic :mime-version:content-transfer-encoding; bh=FEKw/aByUnEONU+qrCUh4+gDE/H7ZfurgzRCr/pF21I=; b=rbVK0Qf+FV8oUcnSgHarK6NDmfH1NVbeKS/LP9UgmCXBbA7+saQy59ccsCW7+fW741 nGvxk594CmC7+vblHCafNXc0cTtKTo41NeEkoEuBOz2TLZueqAUqcGrYkS1U7j7vFsq6 zXEvP81OBj3vBaYoRptBu8r/0WylX2pesuAAY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:message-id :thread-topic:mime-version:content-transfer-encoding; bh=FEKw/aByUnEONU+qrCUh4+gDE/H7ZfurgzRCr/pF21I=; b=FfZlQolrH053cXPWqO7tSGsrunu1u9M3Z4TX3w3CERMHEfgB9nHkHoA06KoVGUerTr RW3MvB03aT21u1iLagIXGlauQbVegdCYjdmagEz8jRryAMNF3/0Fk30ZB3ffmRSyY9v6 7doQRmcqQtiPLpJT7UcIKxQHsuyVSWHV1FZMFYvov5WUqmE5mFA4NQ+Y8VmDf8Gw7Tyr SNViWwsmQMavQ4T26vXoasUN+4w+OWwjaECEscfD6X2Y+6W6YNWwvmLNqqe1J92NbWpp GVtTLWjSIcTFoCzoeWk0m6rEqFLQMujMQmVCOa6FKzqwwlHUZLFbKRgbM8Nf1vKZJLiZ U6BQ==
X-Gm-Message-State: AOAM5318EFbS9LkdLYHQX2YCmtae1jRIRzB23HOgzsHOQUExIqGc8teN ZAT29WjFOF6+kRUVX9T1HCJzwnqrPZv58Uqn
X-Google-Smtp-Source: ABdhPJzdQPThw5srXV6b/ffYfIJdXo4ASdr/ykq4vd+HwHZMTDjPcduseYnI917VFlfxIJ+xhrjaaA==
X-Received: by 2002:a37:c04:: with SMTP id 4mr2751697qkm.491.1607517763645; Wed, 09 Dec 2020 04:42:43 -0800 (PST)
Received: from [192.168.2.16] (pool-108-18-106-102.washdc.fios.verizon.net. [108.18.106.102]) by smtp.gmail.com with ESMTPSA id x2sm766063qtw.3.2020.12.09.04.42.42 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Dec 2020 04:42:42 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.43.20110804
Date: Wed, 09 Dec 2020 07:42:42 -0500
From: Carl Wallace <carl@redhoundsoftware.com>
To: <draft-ietf-roll-unaware-leaves.all@ietf.org>, <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Message-ID: <ACF455F8-E259-4E93-94F1-19B52EEE2420@redhoundsoftware.com>
Thread-Topic: secdir review of  draft-ietf-roll-unaware-leaves
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dmLRgWOu6PcYcRdn8FpjnYOwbRU>
Subject: [secdir] secdir review of  draft-ietf-roll-unaware-leaves
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 12:42:46 -0000

I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the Security Area Directors.  Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments.

This specification updates RFC6550, RFC6775, and RFC8505, to provide routing services to RPL Unaware Leaves that implement 6LoWPAN ND and the extensions therein. The changes described in the draft largely consist of defining some previously undefined reserved flags (including corresponding inclusion of ROVR in existing message), redefining some status messages and extending use of an existing message for additional mode of operation. Some questions and comments are below. These could all be categorized minor nits focused on improving clarity.

General
- The document feels long given the magnitude of changes. There are some explanatory sections that may be better off left as references to the normative specs. As someone unfamiliar with ROLL, I found reconciling explanatory text here with source docs difficult in spots.

Section 1
- In the introduction, the reference to RFC6687 in the first sentence of the third paragraph seems misplaced. While the term 'path stretch' appears in that document, the concept being referenced doesn't seem to match and may be better served by a reference to section 3.1 of RFC 6550.

Section 4.3.1
- The last sentence in section 4.3.1 probably belongs in (or should be repeated) in Section 8. It seems odd to feature fresh standards language in a section that is providing background but not in the section enhancing the referenced doc.

Section 5.1, 5.3 and 5.4
- There are a number of "is expected" instances that may benefit from being written as SHOULD/SHOULD NOT or MUST/MUST NOT.

Section 5.2
- Language is unclear on whether decapsulation is required by a RUL. The statement "the RUL, as an IPv6 Host, must be able to decapsulate the tunneled packet" is inconsistent with the last statement in the paragraph. Maybe change first statement to "If a RUL supports terminating an IP-in-IP tunnel...".
- The statement "the Root terminates" may benefit from a SHOULD. The sentence establishes when a SHOULD would not apply already. [USEofRPLinfo] has a SHOULD when making this same point in 4.1. Replacing this entire paragraph with the fourth paragraph in section 4.1 may be the right thing to do.

Section 6.1:
- What does "if the ’F’ flag is reset" mean? Does it just mean set to 0?
- In the ROVRsz definition, why would values above 4 result in size being unknown? Maybe this should say the meaning is unknown for values above 4.
- It states "an implementation SHOULD propagate the whole Target Option" when ROVRsz is greater than 4. In what cases should the whole target option not be propagated?
- Should there be a "prefix length field MUST indicate 128 bits when F flag is set" instead of ignoring the length and assuming 128?
- Should this section require bits not claimed by this spec to be set to zero as in 6550? This assumes this spec is only claiming 5 of 8 bits. That may be worth clarifying as well.

Section 7
- What does "A 6LR and a Root that support this specification MUST implement the Non-Storing DCO" mean? The only definition of "non-storing DCO" appears to be in the previous paragraph, which does not apply to the 6LR.

Section 9
- What does 'reset' mean in second paragraph? It seems to mean "not set".

Section 9.2.1
- This section begins by noting no changes are defined for the described process that is defined by various other specs. The section describes many requirements including some that look to be new, i.e., first paragraph below the bulleted list.



From nobody Wed Dec  9 10:44:29 2020
Return-Path: <pthubert@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B3F13A173D; Wed,  9 Dec 2020 10:44:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level: 
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=E3u4j4Om; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=kZtAQzuK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qR794TM4sVLt; Wed,  9 Dec 2020 10:44:10 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3740D3A1733; Wed,  9 Dec 2020 10:44:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18516; q=dns/txt; s=iport; t=1607539450; x=1608749050; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=jsICrA/Tsxw9tLXdh63LzfPg4codrrxny++uCtpBtQM=; b=E3u4j4OmVFMls9UCol1Ky71jUeXuNzP4DVPvQbfRanoPy9FKwtFaoFvp aAPhVkj/ZkXM7Z7XQ+MltxZoWrNnZgdYzZ5IxnY/1PgCK6JflOw/NYBaz BlTP21c5WE374uzamgQ32SDNJ34t32+b906iNjQCI+FB43P9+wLscrEDj o=;
IronPort-PHdr: =?us-ascii?q?9a23=3A7o/mwxf7IZUgcCNy0kc3CkjWlGMj4e+mNxMJ6p?= =?us-ascii?q?chl7NFe7ii+JKnJkHE+PFxlwaSDdfB5v5EjPfQv7vnV3Af6IyM9nsFdc8EWx?= =?us-ascii?q?wEjJAQmAotSI6ABFbgJfHnJyo9AIxZVVBj8n36VCodGMv3a1DI5HHn6zkUF0?= =?us-ascii?q?blOAZ1IfnzFpXVgdio3vq/vZbUZlYAiD+0e7gnKhKwoE3YvdUXho03LKE3x3?= =?us-ascii?q?6r6ntFcuhb3yVmP1WWyh39/cy3upVk9ndd?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ArCACYGtFf/51dJa1iHQEBAQEJARI?= =?us-ascii?q?BBQUBQIFPgVIjLgd1Wy8uCoN0QINIA41hA4EFjgWJf4FCgREDVAsBAQENAQE?= =?us-ascii?q?jCgIEAQGESgIXgWgCJTgTAgMBAQsBAQUBAQECAQYEcYVhDIVyAQEBAQIBDAY?= =?us-ascii?q?REQwBATgEBwQCAQYCEQQBAQMCJgICAjAVCAgCBAESCBqDBYJVAw4gAQ6RK5B?= =?us-ascii?q?rAoE8iGl2gTKDBAEBBYE3AoQEGIIQAwaBDiqCdIJmTkKGWRuBQT+BEUOBV0k?= =?us-ascii?q?1PoJdAQECARaBLAEbgxUzgiyBWAECKT0GAU8OAgEDDQ0eCw4CTzMCEggjCA0?= =?us-ascii?q?EAQEjAQ8BEAgLj0ODTqN/gQYKgnSJHoZxi1WDJIolhVeJMIVnk3yLDJFECIR?= =?us-ascii?q?LAgQCBAUCDgEBBYElSCOBV3AVO4JpUBcCDY4hBwUXg06FFIVEdAI1AgYBCQE?= =?us-ascii?q?BAwl8hxwtgQYBgRABAQ?=
X-IronPort-AV: E=Sophos;i="5.78,405,1599523200"; d="scan'208";a="828506143"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 09 Dec 2020 18:43:45 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id 0B9IhjhQ007854 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Dec 2020 18:43:45 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 9 Dec 2020 12:43:44 -0600
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 9 Dec 2020 12:43:44 -0600
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 9 Dec 2020 12:43:44 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gGUKXAnebZTG37SXgkvOEhPQ5N7LncbcdLye4YWHp2noAP733IHuv/rYX9FuDWydeEUi7itk4J0dJLoT1i0EGGs5vzIJdO3Scp5lHGAWOG+m7d70Gf4DKLZlXTdZgKMUry9H9EJBR15lSSPxbeENqV/UaQ3QAEGRKqrgwrcAJd5r6pZorWLdR4xYZ/nua6B7sIrCfh9SRrX5wXf1bE1N+Ubocwn8a8nZLyrmUbosdxzqdEbqb7BfJNFOogRGXP93Ds6WnS0u7m/Ev+QQyKbMqn8D5PShb+MbWCbVBiMr+Nqg/fPjE6ZcXqvWIQY4HBJRInkvtvlza4zA9gVCiM+SoA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jsICrA/Tsxw9tLXdh63LzfPg4codrrxny++uCtpBtQM=; b=JrBs812W8KN6vsQedl/99/4LVOTDn86kPQQRE3DOIelX/Wp6qtrDFngnjLjuwOHUPzKnf6jlFJ732xtc2jSGq8y62frZhFiDalvByxvHMKmYK4Fwe6muyZfe6/m5Y60/7F/TMyuFMEzue/VbfNJHURcrjjKzL1LzxC8IKELLGsOmgCX6R+ymY/dBNMjj20Oo9ipaPa3XdT0UyYfDJHQRWGr+AGZEFhI7+tk5ZBzQzq4CEzZs79E76bwAEKG0UwcFKlGS0sVVjXN4caztBGUB3ktjO3uInyhPFu4oW4b+ABwU/SqL1CXet+8r2/JyqLlbabOxoPfbhzJvVcT7Q4TvfQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com;  s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jsICrA/Tsxw9tLXdh63LzfPg4codrrxny++uCtpBtQM=; b=kZtAQzuKbLmVd9gJWYXrqaQc3q33kNLfUXbRQdPHSZ+1wWja9bCKyvu/cFEgnrDYgCpXeastsBpP4SpK3uLvVVH5mgQfUOgGA+yUo72aJJUg7HEFDoskmJ2Vz4CIujqemzUabv0CRJFU8A3RJpyMPDL1uzxV5Tf+9FLIPrn6hh4=
Received: from SJ0PR11MB4896.namprd11.prod.outlook.com (2603:10b6:a03:2dd::20) by BY5PR11MB4184.namprd11.prod.outlook.com (2603:10b6:a03:192::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12; Wed, 9 Dec 2020 18:43:43 +0000
Received: from SJ0PR11MB4896.namprd11.prod.outlook.com ([fe80::3143:6202:a05:c34c]) by SJ0PR11MB4896.namprd11.prod.outlook.com ([fe80::3143:6202:a05:c34c%3]) with mapi id 15.20.3654.012; Wed, 9 Dec 2020 18:43:43 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Carl Wallace <carl@redhoundsoftware.com>, "draft-ietf-roll-unaware-leaves.all@ietf.org" <draft-ietf-roll-unaware-leaves.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: secdir review of  draft-ietf-roll-unaware-leaves
Thread-Index: AQHWzijPCDA/arAvD0OoX9bPOcAIH6nu/5FQ
Date: Wed, 9 Dec 2020 18:43:32 +0000
Deferred-Delivery: Wed, 9 Dec 2020 18:43:22 +0000
Message-ID: <SJ0PR11MB4896539E8BBF7942EE52108ED8CC0@SJ0PR11MB4896.namprd11.prod.outlook.com>
References: <ACF455F8-E259-4E93-94F1-19B52EEE2420@redhoundsoftware.com>
In-Reply-To: <ACF455F8-E259-4E93-94F1-19B52EEE2420@redhoundsoftware.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: redhoundsoftware.com; dkim=none (message not signed) header.d=none;redhoundsoftware.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c0c696d5-49be-4ad1-f2ef-08d89c725a88
x-ms-traffictypediagnostic: BY5PR11MB4184:
x-microsoft-antispam-prvs: <BY5PR11MB4184A9311DDB1D41A42ABD25D8CC0@BY5PR11MB4184.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;  IPV:NLI; SFV:NSPM; H:SJ0PR11MB4896.namprd11.prod.outlook.com; PTR:; CAT:NONE;  SFS:(136003)(376002)(346002)(366004)(6666004)(71200400001)(64756008)(52536014)(966005)(66476007)(66946007)(33656002)(66446008)(186003)(53546011)(5660300002)(6506007)(30864003)(66556008)(55016002)(76116006)(66574015)(110136005)(26005)(86362001)(7696005)(508600001)(8936002)(8676002)(2906002)(9686003)(83380400001); DIR:OUT; SFP:1101; 
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR11MB4896.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c0c696d5-49be-4ad1-f2ef-08d89c725a88
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Dec 2020 18:43:43.1128 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hk1sao56bPmzeEkI731EA6ZHmEfFUdzA22nM1x/9PMDhBdlkYlxeoE9un71yKx5D0wM8h7P+Ktbg93GC+wiXZg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB4184
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/m6q2kbCgw9yLGdlPe7tckxIYZu8>
Subject: Re: [secdir] secdir review of  draft-ietf-roll-unaware-leaves
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 18:44:22 -0000

From nobody Wed Dec  9 19:30:53 2020
Return-Path: <sean@sn3rd.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6A033A091B for <secdir@ietfa.amsl.com>; Wed,  9 Dec 2020 19:30:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8tAz4mPRW_l for <secdir@ietfa.amsl.com>; Wed,  9 Dec 2020 19:30:46 -0800 (PST)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F08083A091C for <secdir@ietf.org>; Wed,  9 Dec 2020 19:30:45 -0800 (PST)
Received: by mail-qt1-x82a.google.com with SMTP id y15so2737786qtv.5 for <secdir@ietf.org>; Wed, 09 Dec 2020 19:30:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6Vv0YsgSNXSKqTYluQlg+BE1nIxOzELhLn1mZHWmNPs=; b=ACbk4Ws/bHYcKB4aL5N5bxZCjecTrHD6yPbmKA8kq8NZHwgKwi07bqhCPnJ+wxS15j t1YLMvRxS6nvrQfCkhZJV51GBl4VW854DJ+zkhb/pUg2tOGaOtCBh8NahKD3wrHY8emn WYQwgtMcOpz/mlkqsyULgWxlT0xOUthCo+Kn8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6Vv0YsgSNXSKqTYluQlg+BE1nIxOzELhLn1mZHWmNPs=; b=Jcri8WElOtdU8L3omxz3rFEuFLCmnhD5OJQAjaXHUiPQSNChbpO9zrqQdRReZWgcSe c/GdLqNfVobm36rT1NRKIcOG+02cKPj2TQObaescpV5sRIm0NOFOUFUewZW8SZQZO7PT mcfqBMsYD+NQXMiumkeWBtVgrGnQJsVrHcfmaBVPyitRmiCOBHsEBwuCTiA6RpCtnQ1S F8M8ntR6IkOepHvoJvdb34uCxHF2J78fpAbhO5jETX8QwBDPz1Oucj1xo2cK3A4VMDB+ eHD1sUtAKa4c02hYVmyh+tmNdwaC2JbAV9TbeIGAOT3j1FWi3DNdOk0vPa1M6DFY/L0i wQ3A==
X-Gm-Message-State: AOAM5333w9N/gpqBs886nSlxvqvNrTcoG7qoLEYJsPqAyS79ZmELPXTc sA/qpVyDQdJ07do4M6OxNgm6ZQ==
X-Google-Smtp-Source: ABdhPJxC17/ku1pFPkaIh10X+3v3b5SwrB8cAFrumre3xtl/jXQ/eEzh81oi4KFfBkoBLL5/Ds2bYg==
X-Received: by 2002:aed:20ea:: with SMTP id 97mr6506632qtb.125.1607571044956;  Wed, 09 Dec 2020 19:30:44 -0800 (PST)
Received: from [192.168.1.152] (pool-108-31-39-252.washdc.fios.verizon.net. [108.31.39.252]) by smtp.gmail.com with ESMTPSA id l20sm2942365qtu.25.2020.12.09.19.30.43 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 09 Dec 2020 19:30:44 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <160458838575.14807.16400082227129460453@ietfa.amsl.com>
Date: Wed, 9 Dec 2020 22:30:43 -0500
Cc: secdir@ietf.org, last-call@ietf.org, draft-ietf-tls-exported-authenticator.all@ietf.org, TLS List <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BBD7F57A-AE08-4B1D-9BBA-84A8E125AEDC@sn3rd.com>
References: <160458838575.14807.16400082227129460453@ietfa.amsl.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RE0WiPhyKr0hz4MnNant28jLNmM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tls-exported-authenticator-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 03:30:48 -0000

> On Nov 5, 2020, at 09:59, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote:
>
> Reviewer: Yaron Sheffer
> Review result: Has Nits
>
> It's been a long time...
>
> My mail here [1] mentions two remaining open issues: a mention of QUIC and the
> code point.
>
> The first (small) issue seems to have been forgotten.

You are right, how about:

OLD:

 The application layer protocol
 used to send the authenticator request SHOULD use TLS as its
 underlying transport to keep the request confidential

NEW:

 The application layer protocol
 used to send the authenticator request SHOULD use a secure
 channel with equivalent security to TLS, such as
 QUIC [ID.draft-ietf-quic-tls], as its underlying transport
 to keep the request confidential

I will also add an informative to QUIC via a PR.

> I believe the second issue has been addressed by the WG, with the introduction
> of a new message type.
>
> [1] https://mailarchive.ietf.org/arch/msg/secdir/n54wuiSwCx9VqgSrrWvX_9FCoW0/

I believe it does as well.

spt


From nobody Thu Dec 10 14:16:05 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AE6943A120A for <secdir@ietf.org>; Thu, 10 Dec 2020 14:16:02 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <160763856269.22414.10980263125399150089@ietfa.amsl.com>
Date: Thu, 10 Dec 2020 14:16:02 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PspHIh2Iqqwr8aGF7JYB6pLT1vQ>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 22:16:03 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2020-12-17

Reviewer               LC end     Draft
Phillip Hallam-Baker   2020-12-03 draft-ietf-tls-ticketrequests-07
Mališa Vučinić         2020-12-04 draft-ietf-bmwg-b2b-frame-03
Samuel Weiler          2020-12-02 draft-ietf-extra-sieve-mailboxid-06

For telechat 2021-01-07

Reviewer               LC end     Draft
Dan Harkins            2020-12-30 draft-carpenter-eligibility-expand-08

Last calls:

Reviewer               LC end     Draft
Daniel Franke          2020-09-18 draft-ietf-jmap-mdn-16
Daniel Franke          2020-03-09 draft-ietf-regext-dnrd-objects-mapping-10
Daniel Gillmor         2020-09-30 draft-ietf-ccamp-layer0-types-08
Phillip Hallam-Baker   2020-09-30 draft-ietf-lwig-tcp-constrained-node-networks-13
Phillip Hallam-Baker   2020-12-03 draft-ietf-tls-ticketrequests-07
Steve Hanna            2020-09-30 draft-ietf-ccamp-wson-yang-27
Dan Harkins            None       draft-ietf-rtgwg-policy-model-03
Dan Harkins            2020-12-30 draft-carpenter-eligibility-expand-08
Leif Johansson         None       draft-ietf-netconf-crypto-types-18
Leif Johansson         2020-10-02 draft-ietf-lpwan-schc-over-lorawan-13
Charlie Kaufman        2021-01-04 draft-gont-numeric-ids-sec-considerations-06
Scott Kelly            2020-12-24 draft-ietf-pce-association-policy-15
Tero Kivinen           None       draft-ietf-rtgwg-bgp-pic-12
Watson Ladd            None       draft-ietf-rift-applicability-03
Russ Mundy             2020-07-20 draft-ietf-ace-dtls-authorize-14
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer-06
Tirumaleswar Reddy.K   2020-11-16 draft-ietf-quic-transport-32
Rich Salz             R2020-08-14 draft-ietf-suit-architecture-14
Mališa Vučinić         2020-12-04 draft-ietf-bmwg-b2b-frame-03
Samuel Weiler          2020-12-02 draft-ietf-extra-sieve-mailboxid-06
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag-11
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth-09
Christopher Wood      R2019-11-06 draft-ietf-dtn-tcpclv4-24
Christopher Wood       2020-09-23 draft-ietf-6man-rfc4941bis-12
Paul Wouters           2020-09-08 draft-ietf-i2nsf-capability-data-model-13
Liang Xia              2020-11-30 draft-ietf-spring-sr-yang-29

Early review requests:

Reviewer               Due        Draft
Nancy Cam-Winget       2020-12-07 draft-ietf-idr-ext-opt-param-09
Linda Dunbar           2020-12-07 draft-ietf-idr-bgp-optimal-route-reflection-21
Steve Hanna            2020-12-23 draft-ietf-sfc-nsh-integrity-01
Dacheng Zhang          2020-12-07 draft-ietf-idr-eag-distribution-13

Next in the reviewer rotation:

  Chris Lonvick
  Aanchal Malhotra
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault
  Adam Montville
  Kathleen Moriarty
  Russ Mundy
  Sandra Murphy




From nobody Mon Dec 14 10:30:33 2020
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84EB73A12A7; Mon, 14 Dec 2020 10:30:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIhqx38-S-xo; Mon, 14 Dec 2020 10:30:26 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E853A12A5; Mon, 14 Dec 2020 10:30:26 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QLC06K1CE2Q3A@wwwlocal.goatley.com>; Mon, 14 Dec 2020 12:30:26 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QLC00J1OE1XU5@trixy.bergandi.net>; Mon, 14 Dec 2020 10:30:01 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 14 Dec 2020 10:30:01 -0800
Date: Mon, 14 Dec 2020 10:30:20 -0800
From: Dan Harkins <dharkins@lounge.org>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-carpenter-eligibility-expand.all@ietf.org
Message-id: <60ccd55f-bc28-0c3a-2434-d8d69f6cda6d@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_mP+mh3AlQ75kdl7DUZI8og)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
X-PMAS-Software: PreciseMail V3.3 [201212] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/J-CTFLZ6ub9LpVi1tmz7BoT4GxA>
Subject: [secdir] secdir review of draft-carpenter-eligibility-expand
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 18:30:29 -0000

This is a multi-part message in MIME format.

--Boundary_(ID_mP+mh3AlQ75kdl7DUZI8og)
Content-type: text/plain; charset=utf-8; format=flowed
Content-transfer-encoding: 8BIT


   Greetings,

   I have reviewed draft-carpenter-eligibility-expand as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors
and WG chairs should treat these comments just like any other last
call comments.

   The draft proposes a temporary change (it calls this an "experiment")
in the process for qualifying volunteers to serve in the NOMCOM. This
is necessary due to the virtualization of IETFs 107-110. It lists
goals and new criteria for qualification as well as a way to revert
back to RFC 8713 when we return to normal in-person IETFs. It makes
sense.

  This draft will have no impact on the security of the Internet if
published. The summary of the review is Ready.

   regards,

   Dan.

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius


--Boundary_(ID_mP+mh3AlQ75kdl7DUZI8og)--


From nobody Tue Dec 15 03:29:50 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E102B3A0FBA; Tue, 15 Dec 2020 03:29:40 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: =?utf-8?b?TWFsacWhYSBWdcSNaW5pxIcgdmlhIERhdGF0cmFja2Vy?= <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-bmwg-b2b-frame.all@ietf.org, bmwg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160803178079.7403.9358014699248845740@ietfa.amsl.com>
Reply-To: =?utf-8?b?TWFsacWhYSBWdcSNaW5pxIc=?= <malisa.vucinic@inria.fr>
Date: Tue, 15 Dec 2020 03:29:40 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Z6lkGj9DlggPSHOQ0KZUVyxBbLM>
Subject: [secdir] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 11:29:41 -0000

Reviewer: Mališa Vučinić
Review result: Ready

I reviewed this document as part of the Security Directorate's ongoing effort
to review all IETF documents being processed by the IESG. These comments were
written primarily for the benefit of the Security Area Directors. Document
authors, document editors, and WG chairs should treat these comments just like
any other IETF Last Call comments.

Thank you for this well-written document; it was a pleasure to read and I think
it is ready to proceed. Since the document updates the RFC2544 benchmarking
procedure for estimating the buffer time of a Device Under Test (DUT), it does
not raise any security issues. The Security Considerations section is quite clear
and it stresses that these tests are performed in a lab environment.

I do have a question regarding the last paragraph of the Security
Considerations on special capabilities of DUTs for benchmarking purposes.
Currently, the sentence reads: "Special capabilities SHOULD NOT exist in the
DUT/SUT specifically for benchmarking purposes." Why is this a SHOULD NOT and
not a MUST NOT? Could you give an example when such special capabilities in a
DUT are appropriate?




From nobody Tue Dec 15 05:45:36 2020
Return-Path: <acm@research.att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A3E23A111C; Tue, 15 Dec 2020 05:45:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.003
X-Spam-Level: 
X-Spam-Status: No, score=0.003 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYJZDUOOYEsO; Tue, 15 Dec 2020 05:45:25 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C8D43A1117; Tue, 15 Dec 2020 05:45:25 -0800 (PST)
Received: from pps.filterd (m0049287.ppops.net [127.0.0.1]) by m0049287.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 0BFDiS0g045224; Tue, 15 Dec 2020 08:45:25 -0500
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0049287.ppops.net-00191d01. with ESMTP id 35dc4xbj16-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 15 Dec 2020 08:45:25 -0500
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFDjNji052390; Tue, 15 Dec 2020 07:45:24 -0600
Received: from zlp30493.vci.att.com (zlp30493.vci.att.com [135.46.181.176]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFDjLir052345 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 15 Dec 2020 07:45:21 -0600
Received: from zlp30493.vci.att.com (zlp30493.vci.att.com [127.0.0.1]) by zlp30493.vci.att.com (Service) with ESMTP id B06724009E93; Tue, 15 Dec 2020 13:45:21 +0000 (GMT)
Received: from clph811.sldc.sbc.com (unknown [135.41.107.12]) by zlp30493.vci.att.com (Service) with ESMTP id 8E6BE40006A0; Tue, 15 Dec 2020 13:45:21 +0000 (GMT)
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clph811.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFDjLhm053961; Tue, 15 Dec 2020 07:45:21 -0600
Received: from mail-green.research.att.com (mail-green.research.att.com [135.207.255.15]) by clph811.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFDjGbW053439; Tue, 15 Dec 2020 07:45:16 -0600
Received: from exchange.research.att.com (njmtcas1.research.att.com [135.207.255.86]) by mail-green.research.att.com (Postfix) with ESMTP id 3AA3210A18EC; Tue, 15 Dec 2020 08:45:15 -0500 (EST)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njmtcas1.research.att.com ([fe80::e881:676b:51b6:905d%12]) with mapi id 14.03.0487.000; Tue, 15 Dec 2020 08:45:16 -0500
From: "MORTON, ALFRED C (AL)" <acm@research.att.com>
To: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisa.vucinic@inria.fr>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
Thread-Index: AQHW0tWfW/48KRvlBkmQMYKHh09ZYqn4I0Xw
Date: Tue, 15 Dec 2020 13:45:16 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com>
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com>
In-Reply-To: <160803178079.7403.9358014699248845740@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [24.148.42.167]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-15_10:2020-12-15, 2020-12-15 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 mlxscore=0 adultscore=0 suspectscore=0 impostorscore=0 clxscore=1011 spamscore=0 lowpriorityscore=0 phishscore=0 mlxlogscore=999 priorityscore=1501 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012150098
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XPTFpzRcZj9qTcoDKvxEnAXlNz4>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 13:45:28 -0000

From nobody Tue Dec 15 06:21:19 2020
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 658713A1146; Tue, 15 Dec 2020 06:21:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level: 
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QUndsTNkAKx; Tue, 15 Dec 2020 06:21:09 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11A1C3A1142; Tue, 15 Dec 2020 06:21:07 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.78,421,1599516000"; d="scan'208";a="483101263"
Received: from adsl-bb1-l35.crnagora.net (HELO [192.168.1.65]) ([95.155.1.35]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 15 Dec 2020 15:21:01 +0100
User-Agent: Microsoft-MacOutlook/10.11.0.180909
Date: Tue, 15 Dec 2020 15:20:59 +0100
From: =?UTF-8?B?TWFsacWhYQ==?= =?UTF-8?B?IFZ1xI1pbmnEhw==?= <malisa.vucinic@inria.fr>
To: "MORTON, ALFRED C (AL)" <acm@research.att.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Message-ID: <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com> <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com>
In-Reply-To: <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-VqLe76ISAh_aJ3tRhEz2xHVXE8>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 14:21:12 -0000

Hi Al,

Thanks, that is clear. I think that discussing the assumption of honesty among the parties involved in benchmarking would be a useful addition to the Security Considerations section in the draft.

Mališa

On 15/12/2020 14:45, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:

    Hi Mališa,
    thanks for your review, please see below for one reply to your question (acm].
    Al

    > -----Original Message-----
    > From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Mališa Vucinic via
    > Datatracker
    > Sent: Tuesday, December 15, 2020 6:30 AM
    > To: secdir@ietf.org
    > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-
    > frame.all@ietf.org
    > Subject: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >
    > Reviewer: Mališa Vučinić
    > Review result: Ready
    >
    > I reviewed this document as part of the Security Directorate's ongoing
    > effort
    > to review all IETF documents being processed by the IESG. These comments
    > were
    > written primarily for the benefit of the Security Area Directors. Document
    > authors, document editors, and WG chairs should treat these comments just
    > like
    > any other IETF Last Call comments.
    >
    > Thank you for this well-written document, it was a pleasure to read and I
    > think
    > it is ready to proceed. Since the document updates RFC2544 benchmarking
    > procedure for estimating the buffer time of a Device Under Test (DUT), it
    > does
    > not raise any security issues. Security Considerations section is quite
    > clear
    > and it stresses that these tests are performed in a lab environment.
    >
    > I do have a question regarding the last paragraph of the Security
    > Considerations on special capabilities of DUTs for benchmarking purposes.
    > Currently, the sentence reads: "Special capabilities SHOULD NOT exist in
    > the
    > DUT/SUT specifically for benchmarking purposes." Why is this a SHOULD NOT
    > and
    > not a MUST NOT? Could you give an example when such special capabilities
    > in a
    > DUT are appropriate?
    [acm]
    We can only make a strong recommendation in this area. As testers/benchmarkers are often independent from the DUT developers and conduct testing external to the DUT, we assume honesty among other parties but we cannot require it. If someone constructed a DUT that recognized test conditions and operated differently to perform better somehow, our tests would measure the intended "better" performance. It takes a special/additional test effort to prove that a DUT has "designed to the test" (consider Volkswagen and fuel efficiency testing [0]).

    We simply do not have any authority in this matter, but we can let all parties know that gaming the test can be discovered and reported (albeit with more testing that we do not describe).

    [0] https://www.consumerreports.org/fuel-economy-efficiency/volkswagen-used-special-software-to-exaggerate-fuel-economy/

    >
    >
    >
    > _______________________________________________
    > bmwg mailing list
    > bmwg@ietf.org
    > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bmwg__;!
    > !BhdT!1JFeLsENzMU-ew89jxmJKxfp4wj5Zo3AZ6V8iULU3hWAentH1dymqJmDOvw7$




From nobody Tue Dec 15 11:22:45 2020
Return-Path: <acm@research.att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78453A16DF; Tue, 15 Dec 2020 11:22:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dK9gtResM9yu; Tue, 15 Dec 2020 11:22:34 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD7113A16DD; Tue, 15 Dec 2020 11:22:33 -0800 (PST)
Received: from pps.filterd (m0048589.ppops.net [127.0.0.1]) by m0048589.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 0BFJFBVJ010024; Tue, 15 Dec 2020 14:22:33 -0500
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0048589.ppops.net-00191d01. with ESMTP id 35dcccbr8q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 15 Dec 2020 14:22:33 -0500
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFJMVuV112079; Tue, 15 Dec 2020 13:22:32 -0600
Received: from zlp30493.vci.att.com (zlp30493.vci.att.com [135.46.181.176]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFJMQiO111886 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 15 Dec 2020 13:22:26 -0600
Received: from zlp30493.vci.att.com (zlp30493.vci.att.com [127.0.0.1]) by zlp30493.vci.att.com (Service) with ESMTP id C3AA1400A0A4; Tue, 15 Dec 2020 19:22:26 +0000 (GMT)
Received: from clph811.sldc.sbc.com (unknown [135.41.107.12]) by zlp30493.vci.att.com (Service) with ESMTP id 9E0CB40006A0; Tue, 15 Dec 2020 19:22:26 +0000 (GMT)
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clph811.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFJMQ7B099405; Tue, 15 Dec 2020 13:22:26 -0600
Received: from mail-azure.research.att.com (mail-azure.research.att.com [135.207.255.18]) by clph811.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BFJMKMC098857; Tue, 15 Dec 2020 13:22:20 -0600
Received: from exchange.research.att.com (njmtcas1.research.att.com [135.207.255.86]) by mail-azure.research.att.com (Postfix) with ESMTP id CAF3810A18E3; Tue, 15 Dec 2020 14:22:19 -0500 (EST)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njmtcas1.research.att.com ([fe80::e881:676b:51b6:905d%12]) with mapi id 14.03.0487.000; Tue, 15 Dec 2020 14:22:21 -0500
From: "MORTON, ALFRED C (AL)" <acm@research.att.com>
To: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisa.vucinic@inria.fr>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
Thread-Index: AQHW0tWfW/48KRvlBkmQMYKHh09ZYqn4I0XwgABl5oD///zl4A==
Date: Tue, 15 Dec 2020 19:22:19 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF014766F108@njmtexg5.research.att.com>
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com> <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com> <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr>
In-Reply-To: <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [24.148.42.167]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-15_12:2020-12-15, 2020-12-15 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 clxscore=1015 priorityscore=1501 bulkscore=0 mlxlogscore=999 spamscore=0 impostorscore=0 mlxscore=0 malwarescore=0 lowpriorityscore=0 adultscore=0 phishscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012150127
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OrNQb9YwLqES2hqZFjZS9GSnG0w>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 19:22:36 -0000

Hi Mališa,
please see below...

> -----Original Message-----
> From: Mališa Vučinić [mailto:malisa.vucinic@inria.fr]
> Sent: Tuesday, December 15, 2020 9:21 AM
> To: MORTON, ALFRED C (AL) <acm@research.att.com>; secdir@ietf.org
> Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-
> frame.all@ietf.org
> Subject: Re: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
>
> Hi Al,
>
> Thanks, that is clear. I think that discussing the assumption of honesty
> among the parties involved in benchmarking would be a useful addition to
> the Security Considerations section in the draft.
[acm]

I don't mind explaining the requirement using the term "honesty", but I can only imagine raised eyebrows and subsequent DISCUSS/comments if we try to assert a need for/assumption of honesty anywhere in the memo.

Do you have suggested wording?

Do others have opinions whether or not this is needed?

thanks,
Al

>
> Mališa
>
> On 15/12/2020 14:45, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:
>
>     Hi Mališa,
>     thanks for your review, please see below for one reply to your
> question (acm].
>     Al
>
>     > -----Original Message-----
>     > From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Mališa
> Vucinic via
>     > Datatracker
>     > Sent: Tuesday, December 15, 2020 6:30 AM
>     > To: secdir@ietf.org
>     > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-
>     > frame.all@ietf.org
>     > Subject: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-
> 03
>     >
>     > Reviewer: Mališa Vučinić
>     > Review result: Ready
>     >
>     > I reviewed this document as part of the Security Directorate's
> ongoing
>     > effort
>     > to review all IETF documents being processed by the IESG. These
> comments
>     > were
>     > written primarily for the benefit of the Security Area Directors.
> Document
>     > authors, document editors, and WG chairs should treat these comments
> just
>     > like
>     > any other IETF Last Call comments.
>     >
>     > Thank you for this well-written document, it was a pleasure to read
> and I
>     > think
>     > it is ready to proceed. Since the document updates RFC2544
> benchmarking
>     > procedure for estimating the buffer time of a Device Under Test
> (DUT), it
>     > does
>     > not raise any security issues. Security Considerations section is
> quite
>     > clear
>     > and it stresses that these tests are performed in a lab environment.
>     >
>     > I do have a question regarding the last paragraph of the Security
>     > Considerations on special capabilities of DUTs for benchmarking
> purposes.
>     > Currently, the sentence reads: "Special capabilities SHOULD NOT
> exist in
>     > the
>     > DUT/SUT specifically for benchmarking purposes." Why is this a
> SHOULD NOT
>     > and
>     > not a MUST NOT? Could you give an example when such special
> capabilities
>     > in a
>     > DUT are appropriate?
>     [acm]
>     We can only make a strong recommendation in this area. As
> testers/benchmarkers are often independent from the DUT developers and
> conduct testing external to the DUT, we assume honesty among other parties
> but we cannot require it. If someone constructed a DUT that recognized
> test conditions and operated differently to perform better somehow, our
> tests would measure the intended "better" performance. It takes a
> special/additional test effort to prove that a DUT has "designed to the
> test" (consider Volkswagen and fuel efficiency testing [0]).
>
>     We simply do not have any authority in this matter, but we can let all
> parties know that gaming the test can be discovered and reported (albeit
> with more testing that we do not describe).
>
>     [0] https://urldefense.com/v3/__https://www.consumerreports.org/fuel-
> economy-efficiency/volkswagen-used-special-software-to-exaggerate-fuel-
> economy/__;!!BhdT!0KS_VCF5ZQfIGkVyPLoJXuAxdcoS3-
> xJTE0LoKZPWuSiHjQZM1u0H9M36YXByCk$
>
>     >
>     >
>     >
>     > _______________________________________________
>     > bmwg mailing list
>     > bmwg@ietf.org
>     >
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bmwg__;!
>     > !BhdT!1JFeLsENzMU-ew89jxmJKxfp4wj5Zo3AZ6V8iULU3hWAentH1dymqJmDOvw7$
>
>


From nobody Tue Dec 15 13:56:15 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C27273A0140; Tue, 15 Dec 2020 13:56:11 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Linda Dunbar via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: idr@ietf.org, draft-ietf-idr-bgp-optimal-route-reflection.all@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160806937175.20796.7391460851134145603@ietfa.amsl.com>
Reply-To: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Tue, 15 Dec 2020 13:56:11 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/g9lBnPoeNPuQE2jwvkyP6dtMsSQ>
Subject: [secdir] Secdir early review of draft-ietf-idr-bgp-optimal-route-reflection-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 21:56:12 -0000

Reviewer: Linda Dunbar
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document alters how a BGP Route Reflector computes the optimal routes on
behalf of clients. Instead of using its own IGP cost to the AS Exit points, the
document describes the steps for RR to compute the optimal route by using
Clients' position to the AS Exit points. The described method is useful when RR
is centralized.  For deployment with distributed RR closer to the clients, the
described method doesn't have any benefits.

Security Concern:
If RR's information of its clients' topology is compromised, then the optimal
paths selected by the RR might not be accurate anymore.

Minor nits:
Page 7: Section 3.2.

"If the routing routing optimization requires ..."
Is it a typo? duplicated word "routing"?

Last sentence: "This needed for use cases ..."
Do you mean "This is needed for use cases ..."

Cheers,
Linda Dunbar
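
The selection change summarized in this review, and its stated security concern, as an added example that is not part of the review or the draft. The topology, node names and metrics are constructed, and `audit_selection` is a hypothetical check that recomputes each client's best exit on a trusted reference copy of the IGP topology.

```python
import heapq


def build(links):
    """Build an undirected IGP graph from (node_a, node_b, metric) tuples."""
    graph = {}
    for a, b, metric in links:
        graph.setdefault(a, {})[b] = metric
        graph.setdefault(b, {})[a] = metric
    return graph


def spf(graph, source):
    """Dijkstra shortest-path-first: IGP cost from source to every reachable node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue  # stale heap entry
        for neighbor, metric in graph.get(node, {}).items():
            candidate = cost + metric
            if candidate < dist.get(neighbor, float("inf")):
                dist[neighbor] = candidate
                heapq.heappush(heap, (candidate, neighbor))
    return dist


def best_exit(graph, vantage, exits):
    """Pick the AS exit with the lowest IGP cost as seen from `vantage`.

    vantage = the route reflector  -> classic behaviour (RR's own IGP cost)
    vantage = a client             -> selection from the client's position
    Ties are broken by exit name so the result is deterministic.
    """
    dist = spf(graph, vantage)
    reachable = [(dist[e], e) for e in exits if e in dist]
    return min(reachable)[1] if reachable else None


def audit_selection(rr_view, reference_view, clients, exits):
    """Compare per-client choices made on the RR's topology copy with a reference.

    Returns {client: (rr_choice, reference_choice)} for every client whose
    selected exit differs, which is what a corrupted RR topology would cause.
    """
    mismatches = {}
    for client in clients:
        chosen = best_exit(rr_view, client, exits)
        expected = best_exit(reference_view, client, exits)
        if chosen != expected:
            mismatches[client] = (chosen, expected)
    return mismatches


# Constructed topology: the centralized RR sits next to exit X1,
# while client C1 sits (via core router P) next to exit X2.
EXITS = ["X1", "X2"]
REFERENCE = build([
    ("RR", "X1", 1),
    ("RR", "P", 10),
    ("P", "X2", 2),
    ("P", "C1", 1),
])

# Constructed "compromised" copy held by the RR: the P-X2 metric is wrong.
RR_VIEW = build([
    ("RR", "X1", 1),
    ("RR", "P", 10),
    ("P", "X2", 50),
    ("P", "C1", 1),
])

if __name__ == "__main__":
    print("RR's own view picks   :", best_exit(REFERENCE, "RR", EXITS))
    print("C1's position picks   :", best_exit(REFERENCE, "C1", EXITS))
    print("C1 on corrupted copy  :", best_exit(RR_VIEW, "C1", EXITS))
    print("audit mismatches      :", audit_selection(RR_VIEW, REFERENCE, ["C1"], EXITS))
```
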



From nobody Tue Dec 15 21:02:09 2020
Return-Path: <watsonbladd@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE0A3A08CA; Tue, 15 Dec 2020 21:01:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnH1-U0R6XIo; Tue, 15 Dec 2020 21:01:56 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EDCA3A10D9; Tue, 15 Dec 2020 21:01:43 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id x20so25637387lfe.12; Tue, 15 Dec 2020 21:01:43 -0800 (PST)
X-Received: by 2002:a2e:874c:: with SMTP id q12mr13301792ljj.424.1608094901014;  Tue, 15 Dec 2020 21:01:41 -0800 (PST)
MIME-Version: 1.0
References: <160108120392.5893.18114957198518376382@ietfa.amsl.com> <CAJcjuEKzX1KYOUiU_zmZaQaRR4kdnZBdfFX1tpOiyqDQaCjvcQ@mail.gmail.com>
In-Reply-To: <CAJcjuEKzX1KYOUiU_zmZaQaRR4kdnZBdfFX1tpOiyqDQaCjvcQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 15 Dec 2020 21:01:29 -0800
Message-ID: <CACsn0cnBbb7MO4u0mytq350oAoR44omdkjMA5EA37QupprrQYw@mail.gmail.com>
To: Nat Sakimura <nat@nat.consulting>
Cc: secdir <secdir@ietf.org>, IETF oauth WG <oauth@ietf.org>, last-call@ietf.org, draft-ietf-oauth-jwsreq.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5CrZTLR8v6cm8wZVkfY_Yywckcw>
Subject: Re: [secdir] Secdir last call review of draft-ietf-oauth-jwsreq-30
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 05:01:59 -0000

On Sat, Oct 31, 2020 at 6:13 AM Nat Sakimura <nat@nat.consulting> wrote:
>
> Hi Watson,
>
> Thanks very much for the review. I thought I have sent my response
> earlier, which I actually did not. It was sitting in my draft box. I
> apologize for it.

My apologies for missing it in my inbox for a number of months.
>
> My responses inline:
>
> On Sat, Sep 26, 2020 at 9:46 AM Watson Ladd via Datatracker
> <noreply@ietf.org> wrote:
> >
> > Reviewer: Watson Ladd
> > Review result: Serious Issues
> >
> > I generated this review of this document as part of the security directorate's
> > ongoing effort to review all IETF documents being processed by the IESG.  These
> > comments were written with the intent of improving security requirements and
> > considerations in IETF drafts.  Comments not addressed in last call may be
> > included in AD reviews during the IESG review.  Document editors and WG chairs
> > should treat these comments just like any other last call comments.
> >
> > Two minor issues: On page 4, "This offers an additional degree of privacy
> > protection." should be reworded. I don't think it makes sense in context, where
> > authenticity was discussed.
>
>
> In the course of the edit, explanation about two distinct privacy
> benefits was collated in one sentence and has become very difficult to
> parse.
>
> What it is trying to express as privacy benefits are the following.
>
> 1) The authorization request content is sent to the AS in the
> backchannel so it will not be exposed through the browser to the eyes
> of an active or passive outsider observing what is going on in the
> browser.  In the RFC6749 framework case, the authorization request
> goes through the browser redirect and it could leak to the adversary
> via WPAD/PAC Attack, referrer, browser history, etc. Also, if the
> browser was infected by an adversary controlled malware, the content
> can be sniffed by the adversary. In the case of JAR, it does not
> happen. This is one privacy benefit it is trying to explain.
>
> 2) The location that the authorization request is getting pushed to
> does not have to be the AS. A trusted third party that examines the
> content for the conformance to the collection minimization principle
> may act as the party that accepts the authorization request and issues
> the request_uri. AS can then just evaluate the domain part of
> request_uri to evaluate that the authorization request is conformant
> to this principle. This is another privacy benefit from the point of
> view of the individual user.

I'm fine with any fix to the sentence that makes sense. Don't think we
need to insert the above but I very much appreciate the explanation.

>
>
> > It took me a while to understand what the by reference method is: maybe the
> > intro should say via URL instead of by reference.
>
>
> request_uri can be URL or a handle such as URN. That is why the "by
> reference" word is being used, per the suggestion of the WG.

I'm fine with that, just noting my confusion.

>
> >
> >
> > And now for the thorny issues with this draft. Signatures and encryption are
> > different. And encrypting a signed blob doesn't mean the signer encrypted it.
> > Then there are a plethora of methods specified in the draft to authenticate
> > the blob, which will give different results in maliciously constructed
> > examples. The security considerations section should discuss what the encrypted
> > vs signed choices give in the way of security, and it doesn't. This makes me
> > worry.
>
> We don’t expect the encryption to ensure authenticity, that’s what the
> signatures are used for.

This needs to be very clearly spelled out in the text. Lots of people
will not understand this. The wording of section 10.2 is at best
ambivalent, with multiple alternatives presented as acceptable.

>
<chop>
>
> I didn't quite get what is meant by "plethora of methods specified in
> the draft to authenticate the blob ... "
> There is a bit of text about authenticating the source (=client) but
> not much on the blob itself.
> The discussion around the signature and/or encryption is covered in
> RFC7519 (JWT), the format that the request object assumes.
> This is required reading when implementing this spec, so WG thought it
> is not worth repeating here.
> Attacks etc. on the signature and encryption are covered in RFC7515
> and RFC7516 respectively.

Well, the draft happens to include the following text:
   "The Authorization Server MUST validate the signature of the JSON Web
   Signature [RFC7515] signed Request Object.  The signature MUST be
   validated using the key for that "client_id" and the algorithm
   specified in the "alg" Header Parameter."

Shouldn't the key be associated with a single algorithm? How do we
ensure that the common attack of telling the server to use hmac to
verify the signature doesn't work here?

>
> >
> > Looking at the cited reference for attacks, I see the fix is to include
> > information about which IPD was used by the RP. But the draft before us doesn't
> > mandate that. It's not clear then how the cited attack is prevented by the
> > draft. Saying that the communication through the user-agent is subject to
>
> The mention of mix-up attack was introduced after the Last call by one
> of the comment. It just added it in the sentence with a reference. I
> am ok to remove it.

That works for me.

>
> Having said that, the heart of mix-up attack is that the combination
> of the client believes that it is communicating with the
> attacker-controlled AS (AAS) while it in-fact is talking to Honest AS
> (HAS), AND HAS unable to find out that the client is thinking that it
> is talking to AAS not him.
>
> OAuth JAR seems to mitigate it in two ways:
>
> a) Use request_uri which is hosted by the AS. Then, if the client is
> thinking that it is talking to the AAS, then it will push it to AAS
> and when the user is redirected to HAS, HAS will find out that the
> request_uri is not created by herself and return an error, making the
> mix-up attack fail.
>
> b) Include `aud` in the request. Then, when the HAS will find that the
> request was minted to AAS and not her. So, it will result in an error,
> making the mix-up attack fail.

If the draft mandates doing this it addresses the attack and the
sentence can stay.

>
> So, I added mix-up attack to the sentence thinking the commenter's
> request to add it is fine, but I am fine with removing it.
>
> > manipulation, and this prevents it, ignores that the attacker in that position
> > sees a lot more. The user-agent as resource owner modifying the requested
> > resources is a very funny sort of attack: can't they do what they want with the
> > resources since they control the access?
>
> If the client is in the browser, yes.
> But in the mainstream case, the client is not in the browser but the
> web-server that the browser is communicating with and the resource
> access happens without being mediated by the browser.

My concern on this point is resolved.

>
> >
> >
> > Key management is ignored. This is a very important issue, especially
>
> A lot of ground is covered by RFC 7515, 7516, 7517, 7518, 7519, 7591,
> and 8414 so this document is not specifically restating them.
>
> >
> > considering the potential problems with the reuse of JWT. I'd like to see a
>
> Are you talking about the reuse of the request object by an adversary
> trying to act as an honest client?
> Even if it happens, the malicious client does not have the proper
> client credential so it cannot redeem the code it obtained with the
> token. It is no different than RFC6749 code grant. Protocols that
> extend it, such as OpenID Connect, have introduced nonce to prevent
> the reuse and used JAR (it is called request object there) to further
> protect tampering and achieve client authentication even in the front
> channel.
>
> > recommendation that keys be separated by intended uses, rather than limiting
> > particular fields in an ad-hoc manner.
>
> Could you kindly elaborate on the "ad-hoc manner" part so that I can
> understand it more fully?

10.8, Cross-JWT Confusion discusses avoiding signing certain fields,
rather than suggesting good key usage as a solution.

>
> >
> >
> > Then we have section 11. What section 11 introduces is an entire new dramatis
> > personae, the Trust Framework Provider, with no prior discussion of what it is
> > or a reference to where it is defined and a good number of statements about how
> > it works that aren't really clear what they mean from the document to me.
>
> Trust Framework Provider first appears in 5.2.1.
> At the time of writing the related text, it was a pretty well-known
> concept. In the United States, it was part of its National Strategy
> (NSTIC) and internationally, it was even taken up at WEF Davos
> meeting. It is quite surprising that such a mainstream concept faded
> into obscurity so quickly. The reason for introducing it was to a)
> justify request_uri as some WG members wanted it to be removed, b)
> justify that request_uri to be served from a different domain. Now that
> people appreciate it, e.g., it can be seen from PAR, the justification
> for a) probably is no longer required. A full explanation for b) would
> probably be a much longer text but I doubt if it belongs to this
> document. I am fine with removing the reference to Trust framework
> etc. as long as the capability to push the authorization request to a
> place other than the client or the authorization server is not
> removed.

Let's remove the text then, but keep the capability.


>
> >
> > My biggest concern is that these issues are signs that the problem this draft
> > is trying to solve and the mechanisms to solve it haven't been analyzed as
> > thoroughly as they should have been. Without that sort of thorough analysis
> > it's not certain that the mechanisms actually solve the problem and it's not
> > clear what the recommendations to implementers have to be to preserve those
> > properties.
>
> OAuth JAR, as the name "The OAuth 2.0 Authorization Framework: JWT
> Secured Authorization Request (JAR)" suggests, is a framework and not
> a house itself. One such example is FAPI [1] which was formally
> verified [2].

"It's possible to use this draft securely" I don't think should be
enough anymore. Rather it should be impossible to use insecurely.

>
> [1] https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
> [2] https://arxiv.org/abs/1901.11520
>
> >
> > Obviously this draft has had a long and tortured history with multiple reviews,
> > and what I'm suggesting needs to happen is a lot of work. But it's essential
> > in any security protocol to do this analysis and be clear about what is, and
> > what is not, protected by the protocol.
>
> OAuth JAR is nothing but just another binding to OAuth 2.0. Where RFC6749
> binds it to form encoding, it provides two additional bindings:
>     1) binding to JWT, and
>     2) binding to the pushed authorization request that is referenced by a URI.
> It is this simple. As such, it would also inherit some of the
> shortcomings in RFC6749. However, it is not for this document to address
> them. It should be done by other documents so that the result can be
> encoded using the mechanisms provided in this document.

This is not a simple matter. JWT has a long and twisted history with
some pervasive errors in common libraries, and is a fairly large
standard. OAuth 2.0 is also large. Ensuring that the mapping has the
right properties is going to be a mess. If the encoding does not
respect the semantics we have a serious security issue. If
implementors assume the encoding provides properties it does not, we
again have a security issue.

>
> It is quite surprising that this fact is not getting appreciated and
> is taking such a long time to complete.
> Maybe I should delete all the explanation text and leave it with just
> the core text. Explanation and justification text for defining
> additional bindings probably are just distractions now as it is now
> appreciated and used all over the world unlike when the project was
> started.

>
> >
> > Sincerely,
> > Watson Ladd
> >
>
> Thanks again for your detailed comments.
>
> Best wishes,
>
> --
> Nat Sakimura
> NAT.Consulting LLC



--
Astra mortemque praestare gradatim
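
An added example, not part of the original message and not code from the draft or its authors: the two checks described in the quoted text above, (a) rejecting a request_uri the AS did not create and (b) rejecting a request object whose `aud` names another AS. Assumptions: HMAC-SHA256 stands in for the client's signature with the same client key registered at both servers, and the class names, issuer URLs and `urn:example:request:` prefix are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets


class RequestRejected(Exception):
    """Raised by the AS when an authorization request fails validation."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Client side: serialize the authorization request as a compact JWS."""
    head = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


class AuthorizationServer:
    def __init__(self, issuer: str, client_keys: dict):
        self.issuer = issuer
        self.client_keys = client_keys   # client_id -> verification key
        self._pushed = {}                # request_uri -> (client_id, request object)

    def push(self, client_id: str, request_object: str) -> str:
        """Mitigation (a): the AS stores the request and mints the request_uri."""
        self._validate(client_id, request_object)
        uri = "urn:example:request:" + secrets.token_urlsafe(16)
        self._pushed[uri] = (client_id, request_object)
        return uri

    def authorize(self, client_id, request=None, request_uri=None) -> dict:
        """Front-channel endpoint; returns the accepted claims or raises."""
        if request_uri is not None:
            entry = self._pushed.get(request_uri)
            if entry is None or entry[0] != client_id:
                raise RequestRejected("request_uri was not created by this AS")
            request = entry[1]
        return self._validate(client_id, request)

    def _validate(self, client_id, request_object) -> dict:
        key = self.client_keys.get(client_id)
        if key is None:
            raise RequestRejected("unknown client")
        try:
            head, body, sig = request_object.split(".")
            header = json.loads(_b64url_decode(head))
            claims = json.loads(_b64url_decode(body))
            given = _b64url_decode(sig)
        except (ValueError, AttributeError) as exc:
            raise RequestRejected("malformed request object") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise RequestRejected("malformed request object")
        if header.get("alg") != "HS256":   # algorithm is pinned, never negotiated
            raise RequestRejected("unexpected alg")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):
            raise RequestRejected("bad signature")
        # Mitigation (b): the request must have been minted for this AS.
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if self.issuer not in audiences:
            raise RequestRejected("request object was minted for another AS")
        if claims.get("client_id") != client_id:
            raise RequestRejected("client_id mismatch")
        return claims


def mixup_scenario() -> dict:
    """Replay the confusion from the thread against the honest AS (HAS)."""
    key = b"constructed-client-key"          # constructed sample value
    has = AuthorizationServer("https://honest-as.example", {"client-1": key})
    aas = AuthorizationServer("https://attacker-as.example", {"client-1": key})
    base = {"client_id": "client-1", "response_type": "code",
            "redirect_uri": "https://client.example/cb"}
    # The client believes it is talking to the AAS, so it names and pushes to the AAS.
    confused = sign_request_object({**base, "aud": aas.issuer}, key)
    foreign_uri = aas.push("client-1", confused)
    outcome = {}
    attempts = (("request_uri", {"request_uri": foreign_uri}),
                ("aud", {"request": confused}))
    for label, kwargs in attempts:
        try:
            has.authorize("client-1", **kwargs)
            outcome[label] = "accepted"
        except RequestRejected as exc:
            outcome[label] = str(exc)
    # A request minted for and pushed to the HAS goes through.
    honest = sign_request_object({**base, "aud": has.issuer}, key)
    uri = has.push("client-1", honest)
    outcome["honest"] = has.authorize("client-1", request_uri=uri)["aud"]
    return outcome


if __name__ == "__main__":
    print(mixup_scenario())
```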


From nobody Wed Dec 16 02:54:20 2020
Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42983A0902; Wed, 16 Dec 2020 02:54:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5sxrTg7ygUWx; Wed, 16 Dec 2020 02:54:14 -0800 (PST)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.39]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC7F3A08D4; Wed, 16 Dec 2020 02:54:13 -0800 (PST)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id 4CwsSh2RMKz5w18; Wed, 16 Dec 2020 11:54:12 +0100 (CET)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.26]) by opfedar01.francetelecom.fr (ESMTP service) with ESMTP id 4CwsSh1H8MzBrM3; Wed, 16 Dec 2020 11:54:12 +0100 (CET)
From: <bruno.decraene@orange.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-bgp-optimal-route-reflection.all@ietf.org" <draft-ietf-idr-bgp-optimal-route-reflection.all@ietf.org>
Thread-Topic: Secdir early review of draft-ietf-idr-bgp-optimal-route-reflection-21
Thread-Index: AQHW0y0btPHeXE3QG0yBotQbgi8tFqn5ilwA
Date: Wed, 16 Dec 2020 10:54:11 +0000
Message-ID: <19398_1608116052_5FD9E754_19398_452_23_53C29892C857584299CBF5D05346208A49056412@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
References: <160806937175.20796.7391460851134145603@ietfa.amsl.com>
In-Reply-To: <160806937175.20796.7391460851134145603@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/83AyVKtfXwHswakpjnZ7Vryo9Ao>
Subject: Re: [secdir] Secdir early review of draft-ietf-idr-bgp-optimal-route-reflection-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 10:54:15 -0000



From nobody Wed Dec 16 04:21:59 2020
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 236003A0A20; Wed, 16 Dec 2020 04:21:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wu4VwNaLqoqm; Wed, 16 Dec 2020 04:21:48 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F2673A0982; Wed, 16 Dec 2020 04:21:45 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.78,424,1599516000"; d="scan'208";a="367833299"
Received: from adsl-bb1-l35.crnagora.net (HELO [192.168.1.65]) ([95.155.1.35]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 16 Dec 2020 13:21:43 +0100
User-Agent: Microsoft-MacOutlook/10.11.0.180909
Date: Wed, 16 Dec 2020 13:21:40 +0100
From: =?UTF-8?B?TWFsacWhYQ==?= =?UTF-8?B?IFZ1xI1pbmnEhw==?= <malisa.vucinic@inria.fr>
To: "MORTON, ALFRED C (AL)" <acm@research.att.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Message-ID: <CB567540-9150-4310-8251-9BAC0427C746@inria.fr>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com> <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com> <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr> <4D7F4AD313D3FC43A053B309F97543CF014766F108@njmtexg5.research.att.com>
In-Reply-To: <4D7F4AD313D3FC43A053B309F97543CF014766F108@njmtexg5.research.att.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2CTnqKT7kwGLLSKMnEUTP5HC8wc>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 12:21:50 -0000

Al,

I don't have a strong opinion on using the term "honesty" here. How about this phrasing, just before the last paragraph in Security Considerations:

The DUT developers are commonly independent from the personnel and institutions conducting the benchmarking.
The DUT developers might have incentives to alter the performance of the DUT if the test conditions are detected.
Procedures described in this document are not designed to detect such activity.
Additional testing, outside of the scope of this document, is needed and has been successfully used in the past to discover such malpractices.

Mališa

On 15/12/2020 20:22, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:

    Hi Mališa,
    please see below...

    > -----Original Message-----
    > From: Mališa Vučinić [mailto:malisa.vucinic@inria.fr]
    > Sent: Tuesday, December 15, 2020 9:21 AM
    > To: MORTON, ALFRED C (AL) <acm@research.att.com>; secdir@ietf.org
    > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-frame.all@ietf.org
    > Subject: Re: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >
    > Hi Al,
    >
    > Thanks, that is clear. I think that discussing the assumption of honesty
    > among the parties involved in benchmarking would be a useful addition to
    > the Security Considerations section in the draft.
    [acm]

    I don't mind explaining the requirement using the term "honesty", but I can only imagine raised eyebrows and subsequent DISCUSS/comments if we try to assert a need for/assumption of honesty anywhere in the memo.

    Do you have suggested wording?

    Do others have opinions whether or not this is needed?

    thanks,
    Al

    >
    > Mališa
    >
    > On 15/12/2020 14:45, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:
    >
    >     Hi Mališa,
    >     thanks for your review, please see below for one reply to your question [acm].
    >     Al
    >
    >     > -----Original Message-----
    >     > From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Mališa Vucinic via Datatracker
    >     > Sent: Tuesday, December 15, 2020 6:30 AM
    >     > To: secdir@ietf.org
    >     > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-frame.all@ietf.org
    >     > Subject: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >     >
    >     > Reviewer: Mališa Vučinić
    >     > Review result: Ready
    >     >
    >     > I reviewed this document as part of the Security Directorate's ongoing effort
    >     > to review all IETF documents being processed by the IESG. These comments were
    >     > written primarily for the benefit of the Security Area Directors. Document
    >     > authors, document editors, and WG chairs should treat these comments just like
    >     > any other IETF Last Call comments.
    >     >
    >     > Thank you for this well-written document, it was a pleasure to read and I think
    >     > it is ready to proceed. Since the document updates RFC2544 benchmarking
    >     > procedure for estimating the buffer time of a Device Under Test (DUT), it does
    >     > not raise any security issues. Security Considerations section is quite clear
    >     > and it stresses that these tests are performed in a lab environment.
    >     >
    >     > I do have a question regarding the last paragraph of the Security
    >     > Considerations on special capabilities of DUTs for benchmarking purposes.
    >     > Currently, the sentence reads: "Special capabilities SHOULD NOT exist in the
    >     > DUT/SUT specifically for benchmarking purposes." Why is this a SHOULD NOT and
    >     > not a MUST NOT? Could you give an example when such special capabilities in a
    >     > DUT are appropriate?
    >     [acm]
    >     We can only make a strong recommendation in this area. As testers/benchmarkers are often independent from the DUT developers and conduct testing external to the DUT, we assume honesty among other parties but we cannot require it. If someone constructed a DUT that recognized test conditions and operated differently to perform better somehow, our tests would measure the intended "better" performance. It takes a special/additional test effort to prove that a DUT has "designed to the test" (consider Volkswagen and fuel efficiency testing [0]).
    >
    >     We simply do not have any authority in this matter, but we can let all parties know that gaming the test can be discovered and reported (albeit with more testing that we do not describe).
    >
    >     [0] https://urldefense.com/v3/__https://www.consumerreports.org/fuel-economy-efficiency/volkswagen-used-special-software-to-exaggerate-fuel-economy/__;!!BhdT!0KS_VCF5ZQfIGkVyPLoJXuAxdcoS3-xJTE0LoKZPWuSiHjQZM1u0H9M36YXByCk$
    >
    >     >
    >     > _______________________________________________
    >     > bmwg mailing list
    >     > bmwg@ietf.org
    >     > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bmwg__;!!BhdT!1JFeLsENzMU-ew89jxmJKxfp4wj5Zo3AZ6V8iULU3hWAentH1dymqJmDOvw7$



From nobody Wed Dec 16 06:35:50 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C880B3A0E3B; Wed, 16 Dec 2020 06:35:48 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Samuel Weiler via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-extra-sieve-mailboxid.all@ietf.org, last-call@ietf.org, extra@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160812934878.12321.15129391511723203770@ietfa.amsl.com>
Reply-To: Samuel Weiler <weiler@csail.mit.edu>
Date: Wed, 16 Dec 2020 06:35:48 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/k4YKt8wAniMv5vLAxrpi2W4RFno>
Subject: [secdir] Secdir last call review of draft-ietf-extra-sieve-mailboxid-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 14:35:49 -0000

Reviewer: Samuel Weiler
Review result: Has Issues

Thank you for the well-written document!

I'm concerned about the user experience of this extension.

I imagine confusion will arise when the opaque :mailboxid takes precedence over
the human readable mailbox name.   I don't see any feedback mechanism to show
that the mail is going to a mailbox other than the one that is human readable -
feedback that could prompt updating of the script.  As a human trying to debug
this, it may not be obvious where mail went - the script says "INBOX.foo" and
the mail simply isn't there.  Is there a way to make this more debuggable?  Or
is there useful advice to provide to the Sieve UI implementer, like "this is
for special cases and should probably be off by default"?

Minor: I'd like section 3 to point at what "require" means:
https://tools.ietf.org/html/rfc5228#section-2.10.5




From nobody Wed Dec 16 07:38:19 2020
Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42F573A0E94; Wed, 16 Dec 2020 07:38:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level: 
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ab9zVttucAWi; Wed, 16 Dec 2020 07:38:13 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2110.outbound.protection.outlook.com [40.107.237.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68DAB3A0A73; Wed, 16 Dec 2020 07:38:12 -0800 (PST)
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
Received: from DM6PR13MB2330.namprd13.prod.outlook.com (2603:10b6:5:cc::16) by DM5PR13MB1769.namprd13.prod.outlook.com (2603:10b6:3:131::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.13; Wed, 16 Dec 2020 15:38:09 +0000
Received: from DM6PR13MB2330.namprd13.prod.outlook.com ([fe80::c1e2:96dd:2538:b0c4]) by DM6PR13MB2330.namprd13.prod.outlook.com ([fe80::c1e2:96dd:2538:b0c4%3]) with mapi id 15.20.3676.013; Wed, 16 Dec 2020 15:38:09 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "idr@ietf.org" <idr@ietf.org>, "draft-ietf-idr-bgp-optimal-route-reflection.all@ietf.org" <draft-ietf-idr-bgp-optimal-route-reflection.all@ietf.org>
Thread-Topic: Secdir early review of draft-ietf-idr-bgp-optimal-route-reflection-21
Thread-Index: AQHW05nMSye7Py0U7US0dfMHa9Kuq6n51+8Q
Date: Wed, 16 Dec 2020 15:38:08 +0000
Message-ID: <DM6PR13MB2330C1E65AF50F7FD210E68885C50@DM6PR13MB2330.namprd13.prod.outlook.com>
References: <160806937175.20796.7391460851134145603@ietfa.amsl.com> <19398_1608116052_5FD9E754_19398_452_23_53C29892C857584299CBF5D05346208A49056412@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
In-Reply-To: <19398_1608116052_5FD9E754_19398_452_23_53C29892C857584299CBF5D05346208A49056412@OPEXCAUBM43.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: orange.com; dkim=none (message not signed) header.d=none;orange.com; dmarc=none action=none header.from=futurewei.com;
x-originating-ip: [72.180.73.64]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0f6797e6-7ed8-4bc5-c7f7-08d8a1d89707
x-ms-traffictypediagnostic: DM5PR13MB1769:
x-microsoft-antispam-prvs: <DM5PR13MB176947BA0C7A1866F7444C6485C50@DM5PR13MB1769.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR13MB2330.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f6797e6-7ed8-4bc5-c7f7-08d8a1d89707
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Dec 2020 15:38:08.9893 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4sTOKKQHUcBZtuVUkBV4wwA5R6lLGu6ug9kF+FCt7K5gyjwzZ90AeZo2hLuki+Cd7laR2Ml1Aw5Vg5OJC9HKBg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR13MB1769
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/sd4wrlBtSvu-esL26VlLZ4cLvuk>
Subject: Re: [secdir] Secdir early review of draft-ietf-idr-bgp-optimal-route-reflection-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 15:38:14 -0000

From nobody Wed Dec 16 09:44:28 2020
Return-Path: <acm@research.att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E77D3A0A29; Wed, 16 Dec 2020 09:44:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 54-GVb_7db5A; Wed, 16 Dec 2020 09:44:20 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 506B93A07EA; Wed, 16 Dec 2020 09:44:20 -0800 (PST)
Received: from pps.filterd (m0083689.ppops.net [127.0.0.1]) by m0083689.ppops.net-00191d01. (8.16.0.43/8.16.0.43) with SMTP id 0BGHXvcW036362; Wed, 16 Dec 2020 12:44:19 -0500
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0083689.ppops.net-00191d01. with ESMTP id 35f241uwvt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 16 Dec 2020 12:44:18 -0500
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BGHiHpN094859; Wed, 16 Dec 2020 11:44:18 -0600
Received: from zlp30494.vci.att.com (zlp30494.vci.att.com [135.46.181.159]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BGHiEeB094770 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 16 Dec 2020 11:44:14 -0600
Received: from zlp30494.vci.att.com (zlp30494.vci.att.com [127.0.0.1]) by zlp30494.vci.att.com (Service) with ESMTP id 67CAB4009E73; Wed, 16 Dec 2020 17:44:14 +0000 (GMT)
Received: from tlpd252.dadc.sbc.com (unknown [135.31.184.157]) by zlp30494.vci.att.com (Service) with ESMTP id 4C2E34009E6E; Wed, 16 Dec 2020 17:44:14 +0000 (GMT)
Received: from dadc.sbc.com (localhost [127.0.0.1]) by tlpd252.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BGHiELv106035; Wed, 16 Dec 2020 11:44:14 -0600
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.178.11]) by tlpd252.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id 0BGHi4vn105548; Wed, 16 Dec 2020 11:44:05 -0600
Received: from exchange.research.att.com (njmtcas1.research.att.com [135.207.255.86]) by mail-blue.research.att.com (Postfix) with ESMTP id 5FDC110A18FB; Wed, 16 Dec 2020 12:44:03 -0500 (EST)
Received: from njmtexg5.research.att.com ([fe80::b09c:ff13:4487:78b6]) by njmtcas1.research.att.com ([fe80::e881:676b:51b6:905d%12]) with mapi id 14.03.0487.000; Wed, 16 Dec 2020 12:44:04 -0500
From: "MORTON, ALFRED C (AL)" <acm@research.att.com>
To: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisa.vucinic@inria.fr>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
Thread-Index: AQHW0tWfW/48KRvlBkmQMYKHh09ZYqn4I0XwgABl5oD///zl4IABdBkAgAADeHA=
Date: Wed, 16 Dec 2020 17:44:04 +0000
Message-ID: <4D7F4AD313D3FC43A053B309F97543CF014766FD79@njmtexg5.research.att.com>
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com> <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com> <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr> <4D7F4AD313D3FC43A053B309F97543CF014766F108@njmtexg5.research.att.com> <CB567540-9150-4310-8251-9BAC0427C746@inria.fr>
In-Reply-To: <CB567540-9150-4310-8251-9BAC0427C746@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [24.148.42.167]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-16_07:2020-12-15, 2020-12-16 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 adultscore=0 phishscore=0 spamscore=0 impostorscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 bulkscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2012160113
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/nZtLXjTu5VHaPQsSkDdwEPaKx0U>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 17:44:22 -0000

From nobody Wed Dec 16 09:59:19 2020
Return-Path: <malisa.vucinic@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCC83A0A70; Wed, 16 Dec 2020 09:59:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.196
X-Spam-Level: 
X-Spam-Status: No, score=-4.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nL-Ix94MrlJn; Wed, 16 Dec 2020 09:59:04 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F1B73A0A4C; Wed, 16 Dec 2020 09:59:02 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.78,425,1599516000"; d="scan'208";a="367885128"
Received: from adsl-bb1-l35.crnagora.net (HELO [192.168.1.65]) ([95.155.1.35]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 16 Dec 2020 18:58:59 +0100
User-Agent: Microsoft-MacOutlook/10.11.0.180909
Date: Wed, 16 Dec 2020 18:58:57 +0100
From: =?UTF-8?B?TWFsacWhYQ==?= =?UTF-8?B?IFZ1xI1pbmnEhw==?= <malisa.vucinic@inria.fr>
To: "MORTON, ALFRED C (AL)" <acm@research.att.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, "bmwg@ietf.org" <bmwg@ietf.org>, "draft-ietf-bmwg-b2b-frame.all@ietf.org" <draft-ietf-bmwg-b2b-frame.all@ietf.org>
Message-ID: <1EA8F16E-667E-4D55-80AB-E22591A6D720@inria.fr>
Thread-Topic: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
References: <160803178079.7403.9358014699248845740@ietfa.amsl.com> <4D7F4AD313D3FC43A053B309F97543CF014766EE92@njmtexg5.research.att.com> <5C525F90-FAB1-46D9-A399-8AB493345A48@inria.fr> <4D7F4AD313D3FC43A053B309F97543CF014766F108@njmtexg5.research.att.com> <CB567540-9150-4310-8251-9BAC0427C746@inria.fr> <4D7F4AD313D3FC43A053B309F97543CF014766FD79@njmtexg5.research.att.com>
In-Reply-To: <4D7F4AD313D3FC43A053B309F97543CF014766FD79@njmtexg5.research.att.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LLnRu5UCPbtrhLMp-I_lSPBV2vQ>
Subject: Re: [secdir] [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2020 17:59:06 -0000

Sounds good, thanks!

Mališa

On 16/12/2020 18:44, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:

    Hi Mališa,

    Thanks for your proposed wording, it seems sufficiently neutral and with a few small tweaks, WFM.

    I see that Roman's COMMENT also supports this additional text.

    So, consider it part of the next version, and thanks for your help!
    Al

    > -----Original Message-----
    > From: Mališa Vučinić [mailto:malisa.vucinic@inria.fr]
    > Sent: Wednesday, December 16, 2020 7:22 AM
    > To: MORTON, ALFRED C (AL) <acm@research.att.com>; secdir@ietf.org
    > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-frame.all@ietf.org
    > Subject: Re: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >
    > Al,
    >
    > I don't have a strong opinion on using the term "honesty" here. How about
    > this phrasing, just before the last paragraph in Security Considerations:
    >
    > The DUT developers are commonly independent from the personnel and
    > institutions conducting the benchmarking.
    > The DUT developers might have incentives to alter the performance of the
    > DUT if the test conditions are detected.
    > Procedures described in this document are not designed to detect such
    > activity.
    > Additional testing, outside of the scope of this document, is needed and
    > has been successfully used in the past to discover such malpractices.
    >
    > Mališa
    >
    > On 15/12/2020 20:22, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:
    >
    >     Hi Mališa,
    >     please see below...
    >
    >     > -----Original Message-----
    >     > From: Mališa Vučinić [mailto:malisa.vucinic@inria.fr]
    >     > Sent: Tuesday, December 15, 2020 9:21 AM
    >     > To: MORTON, ALFRED C (AL) <acm@research.att.com>; secdir@ietf.org
    >     > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-frame.all@ietf.org
    >     > Subject: Re: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >     >
    >     > Hi Al,
    >     >
    >     > Thanks, that is clear. I think that discussing the assumption of honesty
    >     > among the parties involved in benchmarking would be a useful addition to
    >     > the Security Considerations section in the draft.
    >     [acm]
    >
    >     I don't mind explaining the requirement using the term "honesty", but
    >     I can only imagine raised eyebrows and subsequent DISCUSS/comments if we
    >     try to assert a need for/assumption of honesty anywhere in the memo.
    >
    >     Do you have suggested wording?
    >
    >     Do others have opinions whether or not this is needed?
    >
    >     thanks,
    >     Al
    >
    >     >
    >     > Mališa
    >     >
    >     > On 15/12/2020 14:45, "MORTON, ALFRED C (AL)" <acm@research.att.com> wrote:
    >     >
    >     >     Hi Mališa,
    >     >     thanks for your review, please see below for one reply to your
    >     >     question [acm].
    >     >     Al
    >     >
    >     >     > -----Original Message-----
    >     >     > From: bmwg [mailto:bmwg-bounces@ietf.org] On Behalf Of Mališa Vucinic via Datatracker
    >     >     > Sent: Tuesday, December 15, 2020 6:30 AM
    >     >     > To: secdir@ietf.org
    >     >     > Cc: last-call@ietf.org; bmwg@ietf.org; draft-ietf-bmwg-b2b-frame.all@ietf.org
    >     >     > Subject: [bmwg] Secdir telechat review of draft-ietf-bmwg-b2b-frame-03
    >     >     >
    >     >     > Reviewer: Mališa Vučinić
    >     >     > Review result: Ready
    >     >     >
    >     >     > I reviewed this document as part of the Security Directorate's ongoing effort
    >     >     > to review all IETF documents being processed by the IESG. These comments were
    >     >     > written primarily for the benefit of the Security Area Directors. Document
    >     >     > authors, document editors, and WG chairs should treat these comments just like
    >     >     > any other IETF Last Call comments.
    >     >     >
    >     >     > Thank you for this well-written document, it was a pleasure to read and I think
    >     >     > it is ready to proceed. Since the document updates RFC2544 benchmarking
    >     >     > procedure for estimating the buffer time of a Device Under Test (DUT), it does
    >     >     > not raise any security issues. Security Considerations section is quite clear
    >     >     > and it stresses that these tests are performed in a lab environment.
    >     >     >
    >     >     > I do have a question regarding the last paragraph of the Security
    >     >     > Considerations on special capabilities of DUTs for benchmarking purposes.
    >     >     > Currently, the sentence reads: "Special capabilities SHOULD NOT exist in the
    >     >     > DUT/SUT specifically for benchmarking purposes." Why is this a SHOULD NOT and
    >     >     > not a MUST NOT? Could you give an example when such special capabilities in a
    >     >     > DUT are appropriate?
    >     >     [acm]
    >     >     We can only make a strong recommendation in this area. As
    >     >     testers/benchmarkers are often independent from the DUT developers and
    >     >     conduct testing external to the DUT, we assume honesty among other parties
    >     >     but we cannot require it. If someone constructed a DUT that recognized
    >     >     test conditions and operated differently to perform better somehow, our
    >     >     tests would measure the intended "better" performance. It takes a
    >     >     special/additional test effort to prove that a DUT has "designed to the
    >     >     test" (consider Volkswagen and fuel efficiency testing [0]).
    >     >
    >     >     We simply do not have any authority in this matter, but we can let all
    >     >     parties know that gaming the test can be discovered and reported (albeit
    >     >     with more testing that we do not describe).
    >     >
    >     >     [0] https://urldefense.com/v3/__https://www.consumerreports.org/fuel-economy-efficiency/volkswagen-used-special-software-to-exaggerate-fuel-economy/__;!!BhdT!0KS_VCF5ZQfIGkVyPLoJXuAxdcoS3-xJTE0LoKZPWuSiHjQZM1u0H9M36YXByCk$
    >     >
    >     >     > _______________________________________________
    >     >     > bmwg mailing list
    >     >     > bmwg@ietf.org
    >     >     > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/bmwg__;!!BhdT!1JFeLsENzMU-ew89jxmJKxfp4wj5Zo3AZ6V8iULU3hWAentH1dymqJmDOvw7$



From nobody Thu Dec 17 03:25:16 2020
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47EDB3A1627; Thu, 17 Dec 2020 03:25:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.597
X-Spam-Level: 
X-Spam-Status: No, score=-9.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=lT1aJrv1; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=w3LGTSUT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ykjxzk4Jvzdb; Thu, 17 Dec 2020 03:25:08 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB9CC3A1583; Thu, 17 Dec 2020 03:25:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15042; q=dns/txt; s=iport; t=1608204307; x=1609413907; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=9XJ/8ZyRsxfMKmYKiJveqYK1ch8f1A3H5d9E4poiV10=; b=lT1aJrv1EsdtEyBnQQ7hcXOM/qXsFuUtWxTRn9nqDgR21ew4FNGO4YpN gFf7jLW7vfaf1qaQXZNQ7GlcjQQnU71m6LA7HKgyMCWoz0E/Ch2SvTkNG oFOAs0FHfoTDbOaX9eEOPYbExa4J+JrHT8P10pxWrP1W/fccREeSSrpfC U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,426,1599523200";  d="scan'208,217";a="611119907"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 17 Dec 2020 11:25:06 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 0BHBP6N6009994 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 17 Dec 2020 11:25:06 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 17 Dec 2020 05:25:06 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 17 Dec 2020 05:25:05 -0600
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Thu, 17 Dec 2020 05:25:05 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=I1aXfe1yksBigpXIBJF8d8x1ktE6iXCT/kdo9p0LtEsjt7JOVr79/zB7hBD3qo2d7G/jAThEuCXq/Vm7A78KdPz4fGtK+9zHF2EHmDWIFDGYTQ5fWd3ure35REGRtf7IVDMVBfu+ga/1LqezXaJRDcS9+W2EvFHhfkt9OAhCB/1Uvv2fwgk24zInKdiW0cUIOfwcUSpcp3F2EBOHb0he8/DHB+ShcOa5xOyLJirJCIGHkIMh7oSp0Hc2fXtH1hZQdG8IDNqjzjYLaeEQcRpx3W+mAmt0sbvj7RorhU1Y66kiANtzaHVg+0x9YD0VW5A3zVLzrX/gLw2jfjTCDXMRnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9XJ/8ZyRsxfMKmYKiJveqYK1ch8f1A3H5d9E4poiV10=; b=UGRUufog2DDRdzBAVMUHPLn8i+hlQtVXlgM1LYgn0+7HmJpsO/TPXQKoBayZof0DF3cSb8CF2Zpf6uITkzGzTuu8MeP1my9JtlaJQm9uk2nIaYd2F9ewFS3QgkniUcO17mE0NkZCrdZXM5UuOTmrUH7zay5vWKkKNrZep98YlmJ6q4aohHYx/8ZK72Nr500Px8eQ41JvJ1y16Y/+7x7QSXIqYWY2bVp/NqPuE1lZjm9UZGQvM16+Bx414M+OpX8GK5ZpO3objP7yW+zSgdPB6zyacEJeprkQ/GsNSJgx5zxJSHB4HgD39uRFxRrmxnO61BiY6Wwm7Wsnt//O6Z+vlQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com;  s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9XJ/8ZyRsxfMKmYKiJveqYK1ch8f1A3H5d9E4poiV10=; b=w3LGTSUTguL+YzPJeL4owvPHKAaTZKZ3aTLAuDIoqAlj+m2/S9l9Dpr502COb0Ns97EysqGXVKJ8ab/dH73le8nnV7zaeGqQ3+QiaW8eBY8DQqJk28t0t3GFF6czmaiaMbrmirgnFTVc00El/iK+aHy2E6E1+RL/PQCocOItN60=
Received: from BYAPR11MB2584.namprd11.prod.outlook.com (2603:10b6:a02:c8::31) by BYAPR11MB3543.namprd11.prod.outlook.com (2603:10b6:a03:b1::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.21; Thu, 17 Dec 2020 11:25:04 +0000
Received: from BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b]) by BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b%7]) with mapi id 15.20.3654.024; Thu, 17 Dec 2020 11:25:04 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Shawn Emery <shawn.emery@gmail.com>, secdir <secdir@ietf.org>
CC: "draft-ietf-ippm-ioam-data.all@ietf.org" <draft-ietf-ippm-ioam-data.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, Shawn Emery <semery@uccs.edu>
Thread-Topic: Review of draft-ietf-ippm-ioam-data-11
Thread-Index: AQHWzB+R9/zLhlAw2USHLw32Jfa4b6n7NC7w
Date: Thu, 17 Dec 2020 11:25:04 +0000
Message-ID: <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com>
References: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com>
In-Reply-To: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.48]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cb96fd11-5986-450c-832a-08d8a27e66d5
x-ms-traffictypediagnostic: BYAPR11MB3543:
x-microsoft-antispam-prvs: <BYAPR11MB35435BDC2C57F85D03FE4FC4DAC40@BYAPR11MB3543.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BYAPR11MB2584875CF7E3A20FEFD0240ADAC40BYAPR11MB2584namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2584.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cb96fd11-5986-450c-832a-08d8a27e66d5
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Dec 2020 11:25:04.7203 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TjDQf68f5bQcjdGk+2NzZBPaXUci/k7Suxb07WVwtsOCDj2ZWwV+3icyI80Poi82Dg681Ez5qu14PMILtUvSIA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB3543
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GBh1zmhJ0p7-PwwJBOII3IO_3WM>
Subject: Re: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 11:25:10 -0000

--_000_BYAPR11MB2584875CF7E3A20FEFD0240ADAC40BYAPR11MB2584namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BYAPR11MB2584875CF7E3A20FEFD0240ADAC40BYAPR11MB2584namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

--_000_BYAPR11MB2584875CF7E3A20FEFD0240ADAC40BYAPR11MB2584namp_--


From nobody Thu Dec 17 14:21:59 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A42E3A046B; Thu, 17 Dec 2020 14:21:54 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-rtgwg-bgp-pic.all@ietf.org, last-call@ietf.org, rtgwg@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160824371413.9402.11129595558687198049@ietfa.amsl.com>
Reply-To: Tero Kivinen <kivinen@iki.fi>
Date: Thu, 17 Dec 2020 14:21:54 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/K_dj-zoB7xP3LJQvskeiN5gNCaM>
Subject: [secdir] Secdir last call review of draft-ietf-rtgwg-bgp-pic-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 22:21:54 -0000

Reviewer: Tero Kivinen
Review result: Ready

This document describes an internal algorithm and structure change for BGP.
The security considerations section says as follows:

   The behavior described in this document is internal functionality
   to a router that result in significant improvement to convergence
   time as well as reduction in CPU and memory used by FIB while not
   showing change in basic routing and forwarding functionality. As
   such no additional security risk is introduced by using the
   mechanisms proposed in this document.

I agree with that statement, but of course this proposed method is a bit more
complicated than the old method, thus there might be more implementation bugs or
corner cases than before, but perhaps that is obvious and does not need to be
mentioned.



From nobody Thu Dec 17 14:38:18 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 866C13A044E for <secdir@ietf.org>; Thu, 17 Dec 2020 14:38:17 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <160824469752.6082.3059645688162555767@ietfa.amsl.com>
Date: Thu, 17 Dec 2020 14:38:17 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pSLLXl5nYeSkycNhm-iXR34sL84>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 22:38:18 -0000

Review instructions and related resources are at:
http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

For telechat 2020-12-17

Reviewer               LC end     Draft
Phillip Hallam-Baker   2020-12-03 draft-ietf-tls-ticketrequests-07

For telechat 2021-01-07

Reviewer               LC end     Draft
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer-06
Tirumaleswar Reddy.K   2020-11-16 draft-ietf-quic-transport-33
Yaron Sheffer         R2020-10-27 draft-ietf-detnet-security-13

Last calls:

Reviewer               LC end     Draft
Daniel Franke          2020-09-18 draft-ietf-jmap-mdn-16
Daniel Franke          2020-03-09 draft-ietf-regext-dnrd-objects-mapping-11
Daniel Gillmor         2020-09-30 draft-ietf-ccamp-layer0-types-08
Phillip Hallam-Baker   2020-09-30 draft-ietf-lwig-tcp-constrained-node-networks-13
Phillip Hallam-Baker   2020-12-03 draft-ietf-tls-ticketrequests-07
Steve Hanna            2020-09-30 draft-ietf-ccamp-wson-yang-27
Dan Harkins            None       draft-ietf-rtgwg-policy-model-03
Leif Johansson         None       draft-ietf-netconf-crypto-types-18
Leif Johansson         2020-10-02 draft-ietf-lpwan-schc-over-lorawan-13
Charlie Kaufman        2021-01-04 draft-gont-numeric-ids-sec-considerations-06
Charlie Kaufman       R2020-12-29 draft-ietf-cose-x509-08
Scott Kelly            2020-12-24 draft-ietf-pce-association-policy-15
Watson Ladd            None       draft-ietf-rift-applicability-03
Russ Mundy             2020-07-20 draft-ietf-ace-dtls-authorize-14
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer-06
Tirumaleswar Reddy.K   2020-11-16 draft-ietf-quic-transport-33
Rich Salz             R2020-08-14 draft-ietf-suit-architecture-14
Yaron Sheffer         R2020-10-27 draft-ietf-detnet-security-13
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag-11
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth-09
Christopher Wood      R2021-01-18 draft-ietf-dtn-tcpclv4-24
Christopher Wood       2020-09-23 draft-ietf-6man-rfc4941bis-12
Paul Wouters           2020-09-08 draft-ietf-i2nsf-capability-data-model-13
Liang Xia              2020-11-30 draft-ietf-spring-sr-yang-29

Early review requests:

Reviewer               Due        Draft
Nancy Cam-Winget       2020-12-07 draft-ietf-idr-ext-opt-param-09
Steve Hanna            2020-12-23 draft-ietf-sfc-nsh-integrity-01
Dacheng Zhang          2020-12-07 draft-ietf-idr-eag-distribution-13

Next in the reviewer rotation:

  Chris Lonvick
  Aanchal Malhotra
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault
  Adam Montville
  Kathleen Moriarty
  Russ Mundy
  Sandra Murphy




From nobody Thu Dec 17 17:24:16 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F8B3A0B08; Thu, 17 Dec 2020 17:24:11 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Nancy Cam-Winget via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-idr-ext-opt-param.all@ietf.org, idr@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160825465125.21464.15874080718333007730@ietfa.amsl.com>
Reply-To: Nancy Cam-Winget <ncamwing@cisco.com>
Date: Thu, 17 Dec 2020 17:24:11 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_tdwi02k1uDsL3dD73kmcaioVro>
Subject: [secdir] Secdir early review of draft-ietf-idr-ext-opt-param-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 01:24:11 -0000

Reviewer: Nancy Cam-Winget
Review result: Ready

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the allowance for the extended optional parameters in
BGP to be greater than 255.  As written, the document is straightforward and on
point. I only have an editorial nit and a suggestion.

NIT:
Section 2: 1st sentence of the 7th paragraph "that in the..." Needs to be fixed.
Should it be: "that is in the..."?

Suggestion:
- As new drafts need to include security and privacy considerations, I think it
would be good to just add in the security section (5) that it doesn't change
both underlying security or privacy issues as noted in RFC5272.



From nobody Thu Dec 17 22:36:06 2020
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44D2E3A1059; Thu, 17 Dec 2020 22:35:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g56owixk0j1f; Thu, 17 Dec 2020 22:35:57 -0800 (PST)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CCA33A1058; Thu, 17 Dec 2020 22:35:57 -0800 (PST)
Received: by mail-ej1-x633.google.com with SMTP id w1so1571800ejf.11; Thu, 17 Dec 2020 22:35:57 -0800 (PST)
X-Received: by 2002:a17:906:447:: with SMTP id e7mr2578731eja.172.1608273355655;  Thu, 17 Dec 2020 22:35:55 -0800 (PST)
MIME-Version: 1.0
References: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com> <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Shawn Emery <shawn.emery@gmail.com>
Date: Thu, 17 Dec 2020 23:35:39 -0700
Message-ID: <CAChzXmaf2_CXgA-62uudfzMk8xz60+2Vso7b+xNfXAft+o2xRQ@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: secdir <secdir@ietf.org>, "draft-ietf-ippm-ioam-data.all@ietf.org" <draft-ietf-ippm-ioam-data.all@ietf.org>,  "last-call@ietf.org" <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000010ce4805b6b752c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bGBONUClbvEPEorzg0SveUkG3hk>
Subject: Re: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 06:35:59 -0000

--00000000000010ce4805b6b752c2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Frank,

Thanks for your response.  I've read
draft-brockners-opsawg-ioam-deployment-02 and still have concerns that
mitigating against eavesdropping, DoS/DDoS, and time synchronization
attacks, have not been sufficiently covered specifically regarding the data
tuple vector.

Regards,

Shawn.
--

On Thu, Dec 17, 2020 at 4:25 AM Frank Brockners (fbrockne) <
fbrockne@cisco.com> wrote:

>
>
> *Hi Shawn,*
>
>
>
> *Thanks a lot for your review. Please see inline (..FB)*
>
>
>
> *From:* Shawn Emery <shawn.emery@gmail.com>
> *Sent:* Sonntag, 6. Dezember 2020 23:31
> *To:* secdir <secdir@ietf.org>
> *Cc:* draft-ietf-ippm-ioam-data.all@ietf.org; last-call@ietf.org; Shawn
> Emery <semery@uccs.edu>
> *Subject:* Review of draft-ietf-ippm-ioam-data-11
>
>
>
> Reviewer: Shawn M. Emery
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This standards track draft specifies data fields in the In-situ
> Operations, Administration, and Maintenance (IOAM) scheme.  The data
> fields contain operational and telemetry information in a network
> domain.  "In-situ" refers to the fact that the associated data is
> actually encapsulated in the data packet itself rather than through a
> separate OAM packet.
>
> The security considerations section does exist and describes multiple
> vulnerabilities to the IOAM.  Attackers can create both false-positives
> and false-negatives in regards to failures or the true state of the
> domain.  This can eventually lead to DoS attacks.  Another form of DoS
> is by crafting an IOAM header to packets thereby increasing the
> resources required or exceeding the packet beyond the network's MTU size.
>
> Verifying the path of the data packets is deferred to
> draft-ietf-sfc-proof-of-transit's security consideration section which
> has good coverage and ways to mitigate the various attacks on the
> protocol.  Eavesdropping is also possible, which can reveal operational
> and telemetry data of the network domain.
>
> IOAM also utilizes timestamps, in which an attack on the time
> synchronization protocol can affect the timestamp fields in IOAM.  In
> addition the management functionality of IOAM could also be targeted,
> but suggests authentication and integrity checks to protect against
> said attacks.
>
> Various measures against these attacks are not prescribed based on the
> fact that this specification is about the data fields of IOAM.  However,
> I think it would be beneficial to provide some guidance (at least for
> future specifications) for each of these attacks that utilize these data
> fields else why articulate the security issues at all?
>
> *..FB: “…some guidance for each of the attacks…” very much hints at
> deployment considerations for IOAM. For that, we have an “IOAM Deployment”
> draft:
> https://tools.ietf.org/html/draft-brockners-opsawg-ioam-deployment-02
> in flight. The current thought model is to cover all aspects of IOAM
> deployment, including guidance on mitigating security concerns, in this
> deployment draft. Would that be a workable approach for you?*
>
>
>
> *Thanks, Frank*
>
>
> General comments:
>
> None.
>
>
> Editorial comments:
>
>
>
> None.
>
>
>
> Shawn.
> --
>

--00000000000010ce4805b6b752c2--


From nobody Fri Dec 18 00:33:21 2020
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905373A1163; Fri, 18 Dec 2020 00:33:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level: 
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=G42qY9q+; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=a9Yw5JXX
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x4meO4TyRftv; Fri, 18 Dec 2020 00:33:14 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B32463A1161; Fri, 18 Dec 2020 00:33:13 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,429,1599523200";  d="scan'208,217";a="616127634"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 18 Dec 2020 08:33:12 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 0BI8XCtQ021663 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 18 Dec 2020 08:33:12 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 18 Dec 2020 02:33:12 -0600
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 18 Dec 2020 02:33:11 -0600
Received: from NAM10-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Fri, 18 Dec 2020 02:33:11 -0600
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from BYAPR11MB2584.namprd11.prod.outlook.com (2603:10b6:a02:c8::31) by BY5PR11MB3926.namprd11.prod.outlook.com (2603:10b6:a03:184::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.25; Fri, 18 Dec 2020 08:33:10 +0000
Received: from BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b]) by BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b%7]) with mapi id 15.20.3654.024; Fri, 18 Dec 2020 08:33:10 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Shawn Emery <shawn.emery@gmail.com>
CC: secdir <secdir@ietf.org>, "draft-ietf-ippm-ioam-data.all@ietf.org" <draft-ietf-ippm-ioam-data.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Review of draft-ietf-ippm-ioam-data-11
Thread-Index: AQHWzB+R9/zLhlAw2USHLw32Jfa4b6n7NC7wgAFDkoCAACAg4A==
Date: Fri, 18 Dec 2020 08:33:10 +0000
Message-ID: <BYAPR11MB258450012E8566A3342E73E2DAC30@BYAPR11MB2584.namprd11.prod.outlook.com>
References: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com> <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com> <CAChzXmaf2_CXgA-62uudfzMk8xz60+2Vso7b+xNfXAft+o2xRQ@mail.gmail.com>
In-Reply-To: <CAChzXmaf2_CXgA-62uudfzMk8xz60+2Vso7b+xNfXAft+o2xRQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 65b1b23d-c15a-4293-bcfa-08d8a32f8d46
x-ms-traffictypediagnostic: BY5PR11MB3926:
x-microsoft-antispam-prvs: <BY5PR11MB392646897B79360D4E9E3AB1DAC30@BY5PR11MB3926.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BYAPR11MB258450012E8566A3342E73E2DAC30BYAPR11MB2584namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2584.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 65b1b23d-c15a-4293-bcfa-08d8a32f8d46
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2020 08:33:10.0449 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WYaU/5/9TQSZNh+rscOgbrck/K6MVCiI2tvI9BLYvyU/EgGGmwm1W9n0pjQPjYyAbjjy7NOFsBsWmEqc9It8sA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB3926
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4Scc0sAitjt9_mHDrAAQ-rXnz14>
Subject: Re: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 08:33:17 -0000

--_000_BYAPR11MB258450012E8566A3342E73E2DAC30BYAPR11MB2584namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BYAPR11MB258450012E8566A3342E73E2DAC30BYAPR11MB2584namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_BYAPR11MB258450012E8566A3342E73E2DAC30BYAPR11MB2584namp_--


From nobody Fri Dec 18 05:08:48 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E5AA53A03F2; Fri, 18 Dec 2020 05:08:38 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Yaron Sheffer via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: detnet@ietf.org, draft-ietf-detnet-security.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160829691884.5087.4790659184585669947@ietfa.amsl.com>
Reply-To: Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Fri, 18 Dec 2020 05:08:38 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xnBhl1GitXY3OKZnsmjAcB-jxoI>
Subject: [secdir] Secdir telechat review of draft-ietf-detnet-security-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 13:08:39 -0000

Reviewer: Yaron Sheffer
Review result: Has Issues

The author team informed me, after they submitted -13, that they are still
working to address my previous review. I will be happy to review the document
again when they are done.



From nobody Fri Dec 18 22:11:05 2020
Return-Path: <shawn.emery@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 815153A07C8; Fri, 18 Dec 2020 22:10:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id URZhbCCzpYmS; Fri, 18 Dec 2020 22:10:54 -0800 (PST)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 298783A074E; Fri, 18 Dec 2020 22:10:54 -0800 (PST)
Received: by mail-ed1-x531.google.com with SMTP id j16so4593599edr.0; Fri, 18 Dec 2020 22:10:54 -0800 (PST)
X-Received: by 2002:a50:f404:: with SMTP id r4mr7711690edm.62.1608358252336; Fri, 18 Dec 2020 22:10:52 -0800 (PST)
MIME-Version: 1.0
References: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com> <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com> <CAChzXmaf2_CXgA-62uudfzMk8xz60+2Vso7b+xNfXAft+o2xRQ@mail.gmail.com> <BYAPR11MB258450012E8566A3342E73E2DAC30@BYAPR11MB2584.namprd11.prod.outlook.com>
In-Reply-To: <BYAPR11MB258450012E8566A3342E73E2DAC30@BYAPR11MB2584.namprd11.prod.outlook.com>
From: Shawn Emery <shawn.emery@gmail.com>
Date: Fri, 18 Dec 2020 23:10:35 -0700
Message-ID: <CAChzXmZdn7XQaPGALu2=3OFdf0zzwO2Hf+4ePk2xxF5kR95RNw@mail.gmail.com>
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
Cc: secdir <secdir@ietf.org>, "draft-ietf-ippm-ioam-data.all@ietf.org" <draft-ietf-ippm-ioam-data.all@ietf.org>,  "last-call@ietf.org" <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004d5a3b05b6cb16f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_YrAfDwsU_oFjxvZTn7mXDOySUg>
Subject: Re: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Dec 2020 06:10:57 -0000

--0000000000004d5a3b05b6cb16f0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Frank,

This sounds good to me.  Just let me know when the revision is ready for
review and please update draft-ietf-ippm-ioam-data with an informative
reference to the BCP draft.

Thanks,

Shawn.
--

On Fri, Dec 18, 2020 at 1:33 AM Frank Brockners (fbrockne) <
fbrockne@cisco.com> wrote:

> Hi Shawn,
>
>
>
> Thanks for reviewing draft-brockners-opsawg-ioam-deployment-02 – which is
> still evolving. I agree that it does not cover mitigation considerations
> for all the potential threats/attacks. I’ve just created an issue so that
> we’ll tackle it in the next rev of the doc:
> https://github.com/inband-oam/ietf/issues/204
>
>
>
> Thanks again, Frank
>
>
>
> *From:* Shawn Emery <shawn.emery@gmail.com>
> *Sent:* Friday, 18 December 2020 07:36
> *To:* Frank Brockners (fbrockne) <fbrockne@cisco.com>
> *Cc:* secdir <secdir@ietf.org>; draft-ietf-ippm-ioam-data.all@ietf.org;
> last-call@ietf.org
> *Subject:* Re: Review of draft-ietf-ippm-ioam-data-11
>
>
>
> Hi Frank,
>
>
>
> Thanks for your response.  I've read
> draft-brockners-opsawg-ioam-deployment-02 and still have concerns that
> mitigating against eavesdropping, DoS/DDoS, and time synchronization
> attacks, have not been sufficiently covered specifically regarding the data
> tuple vector.
>
>
>
> Regards,
>
>
>
> Shawn.
>
> --
>
>
>
> On Thu, Dec 17, 2020 at 4:25 AM Frank Brockners (fbrockne) <
> fbrockne@cisco.com> wrote:
>
>
>
> *Hi Shawn,*
>
>
>
> *Thanks a lot for your review. Please see inline (..FB)*
>
>
>
> *From:* Shawn Emery <shawn.emery@gmail.com>
> *Sent:* Sunday, 6 December 2020 23:31
> *To:* secdir <secdir@ietf.org>
> *Cc:* draft-ietf-ippm-ioam-data.all@ietf.org; last-call@ietf.org; Shawn
> Emery <semery@uccs.edu>
> *Subject:* Review of draft-ietf-ippm-ioam-data-11
>
>
>
> Reviewer: Shawn M. Emery
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This standards track draft specifies data fields in the In-situ
> Operations, Administration, and Maintenance (IOAM) scheme.  The data
> fields contain operational and telemetry information in a network
> domain.  "In-situ" refers to the fact that the associated data is
> actually encapsulated in the data packet itself rather than through a
> separate OAM packet.
>
> The security considerations section does exist and describes multiple
> vulnerabilities to the IOAM.  Attackers can create both false-positives
> and false-negatives in regards to failures or the true state of the
> domain.  This can eventually lead to DoS attacks.  Another form of DoS
> is by crafting an IOAM header to packets thereby increasing the
> resources required or exceeding the packet beyond the network's MTU
> size.
>
> Verifying the path of the data packets is deferred to
> draft-ietf-sfc-proof-of-transit's security consideration section which
> has good coverage and ways to mitigate the various attacks on the
> protocol.  Eavesdropping is also possible, which can reveal operational
> and telemetry data of the network domain.
>
> IOAM also utilizes timestamps, in which an attack on the time
> synchronization protocol can affect the timestamp fields in IOAM.  In
> addition the management functionality of IOAM could also be targeted,
> but suggests authentication and integrity checks to protect against
> said attacks.
>
> Various measures against these attacks are not prescribed based on the
> fact that this specification is about the data fields of IOAM.  However,
> I think it would be beneficial to provide some guidance (at least for
> future specifications) for each of these attacks that utilize these
> data fields else why articulate the security issues at all?
>
> *..FB: “…some guidance for each of the attacks…” very much hints at
> deployment considerations for IOAM. For that, we have an “IOAM Deployment”
> draft:
> https://tools.ietf.org/html/draft-brockners-opsawg-ioam-deployment-02
> in flight. The current thought model is to cover all aspects of IOAM
> deployment, including guidance on mitigating security concerns, in this
> deployment draft. Would that be a workable approach for you?*
>
>
>
> *Thanks, Frank*
>
>
> General comments:
>
> None.
>
>
> Editorial comments:
>
>
>
> None.
>
>
>
> Shawn.
> --
>
>

--0000000000004d5a3b05b6cb16f0--


From nobody Sun Dec 20 09:23:42 2020
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 130AA3A10F6; Sun, 20 Dec 2020 09:23:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level: 
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=B9XrQSbe; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=qsq7RJb6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EMFYlN33QDeE; Sun, 20 Dec 2020 09:23:37 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A0EB3A10F5; Sun, 20 Dec 2020 09:23:37 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.78,435,1599523200";  d="scan'208,217";a="636993975"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 Dec 2020 17:23:35 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id 0BKHNZwf020232 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 20 Dec 2020 17:23:35 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 20 Dec 2020 11:23:34 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 20 Dec 2020 12:23:33 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Sun, 20 Dec 2020 11:23:33 -0600
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from BYAPR11MB2584.namprd11.prod.outlook.com (2603:10b6:a02:c8::31) by BYAPR11MB2584.namprd11.prod.outlook.com (2603:10b6:a02:c8::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3676.29; Sun, 20 Dec 2020 17:23:32 +0000
Received: from BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b]) by BYAPR11MB2584.namprd11.prod.outlook.com ([fe80::bd56:222e:91b5:fc4b%7]) with mapi id 15.20.3676.031; Sun, 20 Dec 2020 17:23:32 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Shawn Emery <shawn.emery@gmail.com>
CC: secdir <secdir@ietf.org>, "draft-ietf-ippm-ioam-data.all@ietf.org" <draft-ietf-ippm-ioam-data.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Review of draft-ietf-ippm-ioam-data-11
Thread-Index: AQHWzB+R9/zLhlAw2USHLw32Jfa4b6n7NC7wgAFDkoCAACAg4IABazSAgAJN+mA=
Date: Sun, 20 Dec 2020 17:23:31 +0000
Message-ID: <BYAPR11MB2584370262F47264B2DD909DDAC10@BYAPR11MB2584.namprd11.prod.outlook.com>
References: <CAChzXmZLeHo1PeFXaoNBL=Ni2srjaHXENeGkdm5PY=1QM2z5Ag@mail.gmail.com> <BYAPR11MB2584875CF7E3A20FEFD0240ADAC40@BYAPR11MB2584.namprd11.prod.outlook.com> <CAChzXmaf2_CXgA-62uudfzMk8xz60+2Vso7b+xNfXAft+o2xRQ@mail.gmail.com> <BYAPR11MB258450012E8566A3342E73E2DAC30@BYAPR11MB2584.namprd11.prod.outlook.com> <CAChzXmZdn7XQaPGALu2=3OFdf0zzwO2Hf+4ePk2xxF5kR95RNw@mail.gmail.com>
In-Reply-To: <CAChzXmZdn7XQaPGALu2=3OFdf0zzwO2Hf+4ePk2xxF5kR95RNw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [173.38.220.40]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: de6cb976-7283-45d8-dd02-08d8a50bf965
x-ms-traffictypediagnostic: BYAPR11MB2584:
x-microsoft-antispam-prvs: <BYAPR11MB25841ADC7D2EED6C8784DF8FDAC10@BYAPR11MB2584.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BYAPR11MB2584370262F47264B2DD909DDAC10BYAPR11MB2584namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR11MB2584.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: de6cb976-7283-45d8-dd02-08d8a50bf965
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2020 17:23:31.5853 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hMCuWVo994yydDcPesX29To4/qPspSIYV/I9yR1QPkCufqz3qrB5fgaRSYrG289uCBG6UE71o47rbtq+r78R+A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR11MB2584
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: alln-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cf47smmA2L4Y2dofgTiqGg4DMXk>
Subject: Re: [secdir] Review of draft-ietf-ippm-ioam-data-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Dec 2020 17:23:40 -0000



From nobody Tue Dec 22 16:35:46 2020
Return-Path: <010001768d05bf5b-eb6d3807-2d23-45c8-a905-dfdaf9fe5bb3-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 656D23A1375; Tue, 22 Dec 2020 16:35:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mj1VqA6cCeAF; Tue, 22 Dec 2020 16:35:43 -0800 (PST)
Received: from a48-93.smtp-out.amazonses.com (a48-93.smtp-out.amazonses.com [54.240.48.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E5E53A1374; Tue, 22 Dec 2020 16:35:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1608683733; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=QiNBCV7g484bZ7js2oMBN8//inWODaleTMeeVQC2WRc=; b=HDTcEue1gfAQPhfPtqWhInDYWdW3cpS6wVG7mOYAWvKnmr8L7v7l9PVho0KM/NC/ fLQbPh8ZD4hpUBWM15sp/3zE+rIl2IluQAobyGyg/A4ErUoXHs4kyEPYth39ssrxGaw iODBVW6EePE8v4GQYOYnNQ0ZSBrUkKHuNehn+Ctw=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <01000174e90a9186-0a4edb66-4120-44b7-a79f-7b9935f6d48f-000000@email.amazonses.com>
Date: Wed, 23 Dec 2020 00:35:32 +0000
Cc: secdir@ietf.org, "netconf@ietf.org" <netconf@ietf.org>, draft-ietf-netconf-trust-anchors.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-ID: <010001768d05bf5b-eb6d3807-2d23-45c8-a905-dfdaf9fe5bb3-000000@email.amazonses.com>
References: <160107496501.14047.597283542214697710@ietfa.amsl.com> <01000174e90a9186-0a4edb66-4120-44b7-a79f-7b9935f6d48f-000000@email.amazonses.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.12.23-54.240.48.93
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3vh9QbLpdGpxFDnN96QJrJ50XKc>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-trust-anchors-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Dec 2020 00:35:44 -0000

Hi Yoav,

I finally found some time  :sigh:   ;)

Please see below for responses to your comments.

Kent


> On Oct 2, 2020, at 7:20 AM, Kent Watsen <kent@watsen.net> wrote:
>
> [-last-call]
>
> Hi Yoav,
>
> Thank you for your review!  The takeaway for me is that some clarifications are needed, but otherwise the draft is fundamentally okay.  I will post an update, or perhaps just a GitHub commit, for your review, when I get a chance.  That said, my getting a chance will be delayed as I have a major engagement I need to focus on now.  This email is just to let you know that your review has not been forgotten.
>
> Thanks again,
> Kent
>
>
>> On Sep 25, 2020, at 7:02 PM, Yoav Nir via Datatracker <noreply@ietf.org> wrote:
>>
>> Reviewer: Yoav Nir
>> Review result: Has Issues
>>
>> I have reviewed this document as part of the security directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the security area directors.
>> Document editors and WG chairs should treat these comments just like any other
>> last call comments.
>>
>> The document defines a YANG model for managing a trust anchor store. It allows
>> two kinds of trust anchors: certificates and raw public keys. However,
>> certificates are not just containers for public keys. Certificates include
>> attributes about key usage, path constraints and name constraints, all of which
>> constrain the ability to use the public key, and are relevant for trust
>> anchors. As far as I can tell the document does not include any attributes to
>> equivalently constrain the use of the raw public keys.  If the intention is
>> that raw public keys will not be constrained, the document should state this
>> explicitly.

Good catch.  You’re right that this document is not constraining the raw keys in the truststore.  Looking deeper, I see that the keys are unconstrained in both the “keystore” draft and the common “crypto-types” draft.  It seems like the right thing to do is to put a Security Consideration note into each draft.  Something like this?

   4.2.  Unconstrained Public Key Usage

      This module enables the configuration of public keys without
      constraints on their usage, e.g., what operations the key is allowed
      to be used for (encryption, verification, both).

      This module also enables the configuration of certificates, where
      each certificate may constrain the usage of the public key according
      to local policy.

Thoughts?


>> Perhaps this is clear to the people who worked on the document, but it's not
>> clear to me.  Are the trust anchors managed with this module supposed to be
>> used to establish trust for the NETCONF or RESTCONF connections?  Section 1.1
>> seems to suggest that it does, but then how is the bootstrap problem solved?
>> How do we establish the NETCONF connection the first time, and if we are able
>> to do that, why do we need more certificates?  If the answer is no, and the
>> certificates are to be used by other protocols, then perhaps some re-wording in
>> section 1.1 would help to show this. Currently, it says: "This document
>> presents ... YANG modules that are part of a collection of RFCs ... define
>> configuration modules for clients and servers of both the NETCONF and RESTCONF
>> protocols."

Answering your question: Yes, the trust anchors may be used to establish trust for NETCONF and RESTCONF connections.   The trust anchors may also be used by other models (e.g., other TLS-based protocols), created outside the effort described in Section 1.1.

For the bootstrap problem, Section 3 (Support for Built-in Trust Anchors) shows how a system may be shipped from a Manufacturer’s facility with preconfigured trust-anchors.  FWIW, the “keystore” draft separately defines how a system can be shipped from a Manufacturer’s facility with preconfigured private keys (e.g., using a TPM-protected key).

You suggest rewording the first paragraph in 1.1.  First, I have to assume you saw the second paragraph, that says that the modules have been defined to be used by other efforts, so my best guess is:

OLD:
This document presents one or more YANG modules [RFC7950] that are part of a collection of RFCs that work together to define configuration modules for clients and servers of both the NETCONF [RFC6241] and RESTCONF [RFC8040] protocols.

NEW:
This document presents one or more YANG modules [RFC7950] that are part of a collection of RFCs that work together to, ultimately, enable the configuration of the clients and servers of both the NETCONF [RFC6241] and RESTCONF [RFC8040] protocols.

Please let me know what you had in mind, if something different.


>> The security considerations section is OK, especially sub-section 4.2.

Thanks.


>> Sub-section 4.1 has the following:
>>
>>  The YANG module defined in this document defines a mechanism called a
>>  "truststore" that, by its name, suggests that it will protect its
>>  contents from unauthorized modification.
>>
>> Perhaps this is my different perspective, but the name doesn't lead me to
>> expect that it protects its contents.  I think that the document should either
>> just suggest that some mechanism to prevent unauthorized modification should be
>> used, or to present such a mechanism in detail. The current text suggests is
>> partially specific by mentioning digital signatures and non-volatile storage,
>> but not explaining where the trust for the digital signature comes from and
>> what policies govern its us:
>>
>>  In order to satisfy the expectations of a "truststore", it is
>>  RECOMMENDED that implementations ensure that the truststore contents
>>  are signed when persisted to non-volatile memory, to prevent
>>  unauthorized modifications from being made undetected.
>>
>> It is too vague to be a specification, but still unnecessarily constrains the
>> solution space. I think the correct thing to do is to be explicitly vague and
>> to just suggest some mechanism for protecting the content.

Agreed.

OLD:
In order to satisfy the expectations of a "truststore", it is RECOMMENDED that implementations ensure that the truststore contents are signed when persisted to non-volatile memory, to prevent unauthorized modifications from being made undetected.

NEW:
In order to satisfy the expectations of a "truststore", it is RECOMMENDED that implementations ensure that the truststore contents are protected from unauthorized modifications when at rest.

What do you think?


Thanks,
Kent (as editor/author)





From nobody Wed Dec 23 23:56:50 2020
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EC133A0980; Mon, 21 Dec 2020 19:27:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1608607644; bh=PJOxNA9eLO41mV/iEnT6UfoagodzpoH0VhUn6xHrn4c=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=GjrOftPYlKVegHJGSe01Nb/9+GbF8SvtYypaOIrzYRo79jc2QF3jUWRher/FYSIPz ipjBB2SvviXTRM2ijVpdkUCBHiY85GT3mv7eDLda7bHWUqzfOYo8+pdQIDzvaKuvIN XoLasurSeXreepLO9W9sopHgSErU2C+Wm5CCia68=
X-Mailbox-Line: From new-work-bounces@ietf.org  Mon Dec 21 19:27:23 2020
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BEC73A0964; Mon, 21 Dec 2020 19:27:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1608607643; bh=PJOxNA9eLO41mV/iEnT6UfoagodzpoH0VhUn6xHrn4c=; h=To:From:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe; b=WkjI9ooMaiaXuAeD5AhdGwCmfvDvAbAB1Oh6ZviCLCo0LII/GbArsx8gbx+MGhoIM f1VR3hCq7Td76uQAZm8TTt5hZOksqaylNdc83waURBw2X3AW9kFM5s5jOwZwn764tZ WIY91jZofI6mlenO1v4x4SMkmh+Ns7cqdwiQBytc=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D94A13A0964 for <new-work@ietfa.amsl.com>; Mon, 21 Dec 2020 19:27:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.158
X-Spam-Level: 
X-Spam-Status: No, score=-0.158 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.342, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCQoZVaNFFH8 for <new-work@ietfa.amsl.com>; Mon, 21 Dec 2020 19:27:19 -0800 (PST)
Received: from raoul.w3.org (raoul.w3.org [128.30.52.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 192C53A0962 for <new-work@ietf.org>; Mon, 21 Dec 2020 19:27:18 -0800 (PST)
Received: from [42.100.1.218] (helo=[192.168.0.100]) by raoul.w3.org with esmtpsa (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <xueyuan@w3.org>) id 1krYKS-0008JD-2l for new-work@ietf.org; Tue, 22 Dec 2020 03:27:17 +0000
To: new-work@ietf.org
From: xueyuan <xueyuan@w3.org>
Message-ID: <f1b94dbe-f5a1-2d6e-699e-e801d71bd0cd@w3.org>
Date: Tue, 22 Dec 2020 11:27:11 +0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/2d6LC2xejoXv-oUGsPjgSgHEbBY>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5Zb5kv_ijou2yeVzCiIU9cGeKz0>
X-Mailman-Approved-At: Wed, 23 Dec 2020 23:56:49 -0800
Subject: [secdir] [new-work] Proposed W3C Charter: Web Performance Working Group (until 2021-01-28/29)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2020 03:27:26 -0000


From nobody Thu Dec 24 10:21:38 2020
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C67983A1364; Thu, 24 Dec 2020 10:21:36 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Steve Hanna via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-sfc-nsh-integrity.all@ietf.org, sfc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <160883409674.11984.2680388131154961282@ietfa.amsl.com>
Reply-To: Steve Hanna <steve@hannas.com>
Date: Thu, 24 Dec 2020 10:21:36 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vDoz_4dClqE47UT1f7YUYnFtC4o>
Subject: [secdir] Secdir early review of draft-ietf-sfc-nsh-integrity-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2020 18:21:37 -0000

Reviewer: Steve Hanna
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

This document describes adds integrity and optional encryption of sensitive
metadata directly to the Network Service Header (NSH) protocol defined in RFC
8300, thus reducing or eliminating several attack vectors against Service
Function Chaining (SFC). The document is well written and seems adequate for
the goals articulated here and elsewhere in the SFC document suite. However, I
have some issues, questions, and nits.

Note that I have not previously worked with SFC. In the last few days, I have
read the documents on this document so I am fairly confident that I understand
the relevant security aspects.

ISSUES and QUESTIONS:
Why include a MUST in section 9.2? Isn't that already covered earlier (in the
last sentence of section 7.5)?

The Timestamp field is supposed to handle replay attacks. However, this permits
unlimited replays within the Delta interval. Is that acceptable?

What is the ? operator in section 7.4 supposed to connote? Subtraction seems
like a better choice.

Is the Timestamp field only set by the first imposer in the SFP or should it be
updated whenever an imposer changes the MAC? This should be documented
somewhere, maybe in section 7.4.

The threat model described in draft-arkko-farrell-arch-model-t-04 includes
compromised nodes. The security considerations section of this document should
describe how and to what extent compromised nodes are handled by the
protections provided by this document and what residual risks remain.

The Security Considerations section should explicitly acknowledge that
authentication is not provided by this method.

What does this statement mean?
        • If HMAC algorithm is used, IV length is set to zero.
Don't all the current algorithms use HMAC?

What is the expected behavior if these Context Headers are missing? The last
paragraph at the bottom of page 18 seems to be ambiguous on this topic, with
the first sentence saying that this "SHOULD be logged locally" while the last
sentence says that this "MUST cause that packet to be discarded". Probably this
is clear to the writer but not to this reader!

NITS:
At the top of page 6, "unecrypted" should be "unencrypted".

In the last line of page 18, "depend" should be "depending".

Just below Figure 9 on page 20, a comma is needed after "doing so".

In the second paragraph of section 7.5, "successfuly" should be spelled
"successfully".

At the end of the first paragraph of section 9, change the sentence from:
        • Also, that section indicates that metadata considerations that
        operators can take into account when using NSH are discussed in
        [RFC8165].
to
        • Also, that section indicates that [RFC8165] discusses metadata
        considerations that operators can take into account when using NSH.

The last sentence of the third paragraph of section 9 recommends that "the next
key identifier" be distributed long before the key is changed. This should say
"the next key identifier and associated keying material".

In the second paragraph of section 9.1, "domain be able" should be "domain
should be able".
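
The replay question in the review above, worked as an added example that is not part of the review or of the draft: a receiver that checks only a MAC and a timestamp against a Delta window accepts every copy of a packet until the window closes, while one that also remembers the MACs seen inside the window accepts it once. The packet layout, the millisecond timestamp, HMAC-SHA-256, the Delta value and every name below are assumptions for illustration, not the NSH encoding.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-0123456789"  # constructed sample key, not a real secret
DELTA_MS = 2000                           # assumed acceptance window (the "Delta interval")
TS_LEN = 8
MAC_LEN = hashlib.sha256().digest_size


def protect(payload: bytes, now_ms: int, key: bytes = KEY) -> bytes:
    """Build timestamp || payload || HMAC(key, timestamp || payload)."""
    body = struct.pack("!Q", now_ms) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def _verify(packet: bytes, now_ms: int, key: bytes):
    """Return (timestamp, mac) when the MAC is valid and the timestamp is
    inside the Delta window, otherwise None."""
    if len(packet) < TS_LEN + MAC_LEN:
        return None
    body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    (ts,) = struct.unpack("!Q", body[:TS_LEN])
    if abs(now_ms - ts) > DELTA_MS:
        return None
    return ts, mac


class TimestampOnlyReceiver:
    """Freshness check only: nothing distinguishes a copy from the original."""

    def accept(self, packet: bytes, now_ms: int, key: bytes = KEY) -> bool:
        return _verify(packet, now_ms, key) is not None


class ReplayCacheReceiver:
    """Freshness check plus a cache of MACs already seen inside the window."""

    def __init__(self):
        self._seen = {}  # mac -> timestamp carried by the packet

    def accept(self, packet: bytes, now_ms: int, key: bytes = KEY) -> bool:
        result = _verify(packet, now_ms, key)
        if result is None:
            return False
        ts, mac = result
        # Entries whose timestamp has left the window can be dropped: a packet
        # carrying that timestamp would already fail the freshness check, so
        # the cache stays bounded by the traffic seen in one window.
        self._seen = {m: t for m, t in self._seen.items()
                      if abs(now_ms - t) <= DELTA_MS}
        if mac in self._seen:
            return False  # same bytes, same timestamp: a copy
        self._seen[mac] = ts
        return True


def run_demo():
    """Deliver one constructed packet four times at the given arrival times."""
    packet = protect(b"constructed metadata", now_ms=100_000)
    arrivals = [100_100, 100_500, 101_900, 102_500]
    weak, strong = TimestampOnlyReceiver(), ReplayCacheReceiver()
    return ([weak.accept(packet, t) for t in arrivals],
            [strong.accept(packet, t) for t in arrivals])


if __name__ == "__main__":
    weak_results, strong_results = run_demo()
    print("timestamp only:", weak_results)
    print("with replay cache:", strong_results)
```

The cache treats two packets with identical bytes and timestamp as one, so the timestamp granularity decides whether legitimate duplicates can occur.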




From nobody Thu Dec 24 11:52:03 2020
Return-Path: <jmh@joelhalpern.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FBDB3A07A9; Thu, 24 Dec 2020 11:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UlcWCz0WyzeM; Thu, 24 Dec 2020 11:51:56 -0800 (PST)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B162F3A06E7; Thu, 24 Dec 2020 11:51:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4D211P3zHZz1pFRk; Thu, 24 Dec 2020 11:51:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1608839513; bh=23D+mZb/lpvVHMRyreF7ptO/M6i3VQqeMzhikWZ+3ak=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=gntb0rbfr+G8PG9X5+xdL/gDbLlLVHeCZcKjcC56NhlpKRYOXIWCmYYPu5WXNtuKq AeED3JQ+qPckVCkDK5M8bIa22Sp6FFypq3FW+RXWn7zhi7OaodrHNFwyaPN4zUZ0eS YBPajCF1pUHDmZurwTy7OGKh3IMQHrcsoqlj4Vro=
X-Quarantine-ID: <OevelvUrvB9k>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.128.43] (unknown [50.225.209.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4D211N67tTz1pFPh; Thu, 24 Dec 2020 11:51:52 -0800 (PST)
To: Steve Hanna <steve@hannas.com>, secdir@ietf.org
Cc: draft-ietf-sfc-nsh-integrity.all@ietf.org, sfc@ietf.org
References: <160883409674.11984.2680388131154961282@ietfa.amsl.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <4b216e75-5a5f-13b8-0b66-3c28227e22fa@joelhalpern.com>
Date: Thu, 24 Dec 2020 14:51:51 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <160883409674.11984.2680388131154961282@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1k8pXFk4O4xcVGLmiiFAO2jkSLg>
Subject: Re: [secdir] Secdir early review of draft-ietf-sfc-nsh-integrity-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Dec 2020 19:51:58 -0000

Thank you Steve.  I expect the authors will get back to you after the 
holidays (although they have impressed me with the rapidity of their 
responses in the past.)

Yours,
Joel

On 12/24/2020 1:21 PM, Steve Hanna via Datatracker wrote:
> Reviewer: Steve Hanna
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
>   Document editors and WG chairs should treat these comments just like any other
> last call comments.
> 
> This document describes adds integrity and optional encryption of sensitive
> metadata directly to the Network Service Header (NSH) protocol defined in RFC
> 8300, thus reducing or eliminating several attack vectors against Service
> Function Chaining (SFC). The document is well written and seems adequate for
> the goals articulated here and elsewhere in the SFC document suite. However, I
> have some issues, questions, and nits.
> 
> Note that I have not previously worked with SFC. In the last few days, I have
> read the documents on this document so I am fairly confident that I understand
> the relevant security aspects.
> 
> ISSUES and QUESTIONS:
> Why include a MUST in section 9.2? Isn't that already covered earlier (in the
> last sentence of section 7.5)?
> 
> The Timestamp field is supposed to handle replay attacks. However, this permits
> unlimited replays within the Delta interval. Is that acceptable?
> 
> What is the ? operator in section 7.4 supposed to connote? Subtraction seems
> like a better choice.
> 
> Is the Timestamp field only set by the first imposer in the SFP or should it be
> updated whenever an imposer changes the MAC? This should be documented
> somewhere, maybe in section 7.4.
> 
> The threat model described in draft-arkko-farrell-arch-model-t-04 includes
> compromised nodes. The security considerations section of this document should
> describe how and to what extent compromised nodes are handled by the
> protections provided by this document and what residual risks remain.
> 
> The Security Considerations section should explicitly acknowledge that
> authentication is not provided by this method.
> 
> What does this statement mean?
>          • If HMAC algorithm is used, IV length is set to zero.
> Don't all the current algorithms use HMAC?
> 
> What is the expected behavior if these Context Headers are missing? The last
> paragraph at the bottom of page 18 seems to be ambiguous on this topic, with
> the first sentence saying that this "SHOULD be logged locally" while the last
> sentence says that this "MUST cause that packet to be discarded". Probably this
> is clear to the writer but not to this reader!
> 
> NITS:
> At the top of page 6, "unecrypted" should be "unencrypted".
> 
> In the last line of page 18, "depend" should be "depending".
> 
> Just below Figure 9 on page 20, a comma is needed after "doing so".
> 
> In the second paragraph of section 7.5, "successfuly" should be spelled
> "successfully".
> 
> At the end of the first paragraph of section 9, change the sentence from:
>          • Also, that section indicates that metadata considerations that
>          operators can take into account when using NSH are discussed in
>          [RFC8165].
> to
>          • Also, that section indicates that [RFC8165] discusses metadata
>          considerations that operators can take into account when using NSH.
> 
> The last sentence of the third paragraph of section 9 recommends that "the next
> key identifier" be distributed long before the key is changed. This should say
> "the next key identifier and associated keying material".
> 
> In the second paragraph of section 9.1, "domain be able" should be "domain
> should be able".
> 
> 
> 


From nobody Tue Dec 29 17:17:19 2020
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 035E13A0D85; Tue, 29 Dec 2020 17:17:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vmwkwdUEKo8i; Tue, 29 Dec 2020 17:17:11 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5164A3A0D82; Tue, 29 Dec 2020 17:17:09 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BU1H2Le015105 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Dec 2020 20:17:06 -0500
Date: Tue, 29 Dec 2020 17:17:01 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: Yoav Nir <ynir.ietf@gmail.com>, "netconf@ietf.org" <netconf@ietf.org>, draft-ietf-netconf-trust-anchors.all@ietf.org, secdir@ietf.org
Message-ID: <20201230011701.GO89068@kduck.mit.edu>
References: <160107496501.14047.597283542214697710@ietfa.amsl.com> <01000174e90a9186-0a4edb66-4120-44b7-a79f-7b9935f6d48f-000000@email.amazonses.com> <010001768d05bf5b-eb6d3807-2d23-45c8-a905-dfdaf9fe5bb3-000000@email.amazonses.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <010001768d05bf5b-eb6d3807-2d23-45c8-a905-dfdaf9fe5bb3-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VgTImhslcBqP_qy9OedTDS0wtLg>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-trust-anchors-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 01:17:13 -0000

Hi Kent,

I'm not Yoav, but...

On Wed, Dec 23, 2020 at 12:35:32AM +0000, Kent Watsen wrote:
> Hi Yoav,
> 
> I finally found some time  :sigh:   ;)
> 
> Please see below for responses to your comments.
> 
> Kent
> 
> 
> > On Oct 2, 2020, at 7:20 AM, Kent Watsen <kent@watsen.net> wrote:
> > 
> > [-last-call]
> > 
> > Hi Yoav,
> > 
> > Thank you for your review!  The takeaway for me is that some clarifications are needed, but otherwise the draft is fundamentally okay.  I will post an update, or perhaps just a GitHub commit, for your review, when I get a chance.  That said, my getting a chance will be delayed as I have a major engagement I need to focus on now.  This email is just to let you know that your review has not been forgotten.
> > 
> > Thanks again,
> > Kent
> > 
> > 
> >> On Sep 25, 2020, at 7:02 PM, Yoav Nir via Datatracker <noreply@ietf.org> wrote:
> >> 
> >> Reviewer: Yoav Nir
> >> Review result: Has Issues
> >> 
> >> I have reviewed this document as part of the security directorate's ongoing
> >> effort to review all IETF documents being processed by the IESG.  These
> >> comments were written primarily for the benefit of the security area directors.
> >> Document editors and WG chairs should treat these comments just like any other
> >> last call comments.
> >> 
> >> The document defines a YANG model for managing a trust anchor store. It allows
> >> two kinds of trust anchors: certificates and raw public keys. However,
> >> certificates are not just containers for public keys. Certificates include
> >> attributes about key usage, path constraints and name constraints, all of which
> >> constrain the ability to use the public key, and are relevant for trust
> >> anchors. As far as I can tell the document does not include any attributes to
> >> equivalently constrain the use of the raw public keys.  If the intention is
> >> that raw public keys will not be constrained, the document should state this
> >> explicitly.
> 
> Good catch.  You’re right that this document is not constraining the raw keys in the truststore.  Looking deeper, I see that the keys are unconstrained in both the “keystore” draft and the common “crypto-types” draft.  It seems like the right thing to do is to put a Security Consideration note into each draft.  Something like this?
> 
>    4.2.  Unconstrained Public Key Usage
> 
>       This module enables the configuration of public keys without
>       constraints on their usage, e.g., what operations the key is allowed
>       to be used for (encryption, verification, both).
> 
>       This module also enables the configuration of certificates, where
>       each certificate may constrain the usage of the public key according
>       to local policy.
> 
> Thoughts?

This doesn't really fill me with joy.  In short, constraints are going to
have to be applied at *some* level, even if it's not this one, or the
system as a whole is likely to have some very surprising security
properties.  I recognize that coming up with a new language to describe
this sort of constraints is neither fun nor easy (and trying to repurpose
an existing language, such as that used by X.509, is not without issues
either), but I'd hope we could come up with something to say about how to
effectively use constraints on raw public keys.

Thanks,

Ben


From nobody Wed Dec 30 13:03:54 2020
Return-Path: <01000176b576c690-7bb22a7a-1fb1-485f-bb06-51f3c08d0fdc-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B352E3A00C9; Wed, 30 Dec 2020 13:03:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level: 
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FT-S0SSKOQwE; Wed, 30 Dec 2020 13:03:50 -0800 (PST)
Received: from a48-93.smtp-out.amazonses.com (a48-93.smtp-out.amazonses.com [54.240.48.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DC0E3A00C4; Wed, 30 Dec 2020 13:03:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1609362229; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=uJKDkbzRYh/Fcq3X5jfz1qH5xA6WAvBMcuLtSq4Lx8c=; b=R5vgIUWA9clb7xaGdH6gVz/GEidzeQYF+UOdyAXzm6buHO9/K4FWiFoUoFLO2IP0 JEeC59hW/OJLa99AQ5s/5GffT73ut1bvxK6UjLnIOxIvfmWoAxX/NZaqzWdS2SqOzay IsK64WMd3hbXJoC+RgU+Dme1x2hmxmjq0oWmWB7s=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000176b576c690-7bb22a7a-1fb1-485f-bb06-51f3c08d0fdc-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_05EA0C49-FECA-4115-A0B3-683577EDF065"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 30 Dec 2020 21:03:48 +0000
In-Reply-To: <20201230011701.GO89068@kduck.mit.edu>
Cc: Yoav Nir <ynir.ietf@gmail.com>, "netconf@ietf.org" <netconf@ietf.org>, draft-ietf-netconf-trust-anchors.all@ietf.org, secdir@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <160107496501.14047.597283542214697710@ietfa.amsl.com> <01000174e90a9186-0a4edb66-4120-44b7-a79f-7b9935f6d48f-000000@email.amazonses.com> <010001768d05bf5b-eb6d3807-2d23-45c8-a905-dfdaf9fe5bb3-000000@email.amazonses.com> <20201230011701.GO89068@kduck.mit.edu>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.12.30-54.240.48.93
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-vRzK6P9ohkIV7hZsInx_8j-7oU>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-trust-anchors-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 21:03:52 -0000

--Apple-Mail=_05EA0C49-FECA-4115-A0B3-683577EDF065
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Ben,

> This doesn't really fill me with joy.  In short, constraints are going to
> have to be applied at *some* level, even if it's not this one, or the
> system as a whole is likely to have some very surprising security
> properties.  I recognize that coming up with a new language to describe
> this sort of constraints is neither fun nor easy (and trying to repurpose
> an existing language, such as that used by X.509, is not without issues
> either), but I'd hope we could come up with something to say about how to
> effectively use constraints on raw public keys.

You say constraints have to be applied at some level, but is this true when TLS uses a raw key?  Likewise for SSH keys (e.g., ~/.ssh/id_rsa)?

I’m extremely hesitant to make this change.  Already this work (9 drafts in total) has been in progress for more than 5 years.  Will you object during the IETF Last Call if it’s not added?

One thing not mentioned before is that, while the keys are unconstrained in the three base drafts (crypto-types, keystore, and truststore), the “tls-client-server” and “ssh-client-server” drafts refine the base YANG models to assert that the raw public key must be a SubjectPublicInfo structure or an SSH public key, respectively.  In fairness, this only constrains the format of the data, not how the keys are used.  That said, this approach works with OpenSSH and OpenSSL keys, apparently indicating that specifying the raw key’s use isn’t always necessary...


>
> Thanks,
>
> Ben


Kent



--Apple-Mail=_05EA0C49-FECA-4115-A0B3-683577EDF065--


From nobody Thu Dec 31 11:41:13 2020
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C3A73A08A9 for <secdir@ietfa.amsl.com>; Thu, 31 Dec 2020 11:41:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzQ7BQZTRUS4 for <secdir@ietfa.amsl.com>; Thu, 31 Dec 2020 11:41:10 -0800 (PST)
Received: from smtp127.iad3a.emailsrvr.com (smtp127.iad3a.emailsrvr.com [173.203.187.127]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E5AB3A08A5 for <secdir@ietf.org>; Thu, 31 Dec 2020 11:41:10 -0800 (PST)
Received: from app12.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp32.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 31218429D; Thu, 31 Dec 2020 14:41:09 -0500 (EST)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app12.wa-webapps.iad3a (Postfix) with ESMTP id 1E824E0FA2; Thu, 31 Dec 2020 14:41:09 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Thu, 31 Dec 2020 11:41:09 -0800 (PST)
X-Auth-ID: scott@hyperthought.com
Date: Thu, 31 Dec 2020 11:41:09 -0800 (PST)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-pce-association-policy.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Client-IP: 24.23.138.127
Message-ID: <1609443669.12212399@apps.rackspace.com>
X-Mailer: webmail/18.1.10-RC
X-Classification-ID: ffcb51c0-a5e3-4125-baf7-6c2f4839a4d7-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1zlTuu8MP29I9w7D003_cDPxFaM>
Subject: [secdir] secdir review of draft-ietf-pce-association-policy-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Dec 2020 19:41:11 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready.

From the abstract, this document introduces a simple mechanism to associate policies to a group of Label Switched Paths (LSPs) via an extension to the Path Computation Element (PCE) Communication Protocol (PCEP).

The security considerations section references security considerations from RFCs 5394, 5440, 8231, 8281, 8408, and 8697. In addition, it recommends securing sessions with TLS in accordance with RFCs 8253 and 7525.

Because this protocol extension utilizes TLVs, there is an explicit call for care in decoding and utilizing these TLVs due to the potential for attack via malformed payloads.

I'm not a routing expert, but I think the authors have adequately covered security considerations for this extension.
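
The care in TLV decoding that the review above mentions, as an added example (not code from the draft, its authors or the reviewer): a bounds-checked parser for the RFC 5440 TLV layout, which is a 2-byte type, a 2-byte length covering the value only, and a value padded to a 4-byte boundary. The type codes, the 1024-byte value cap and the 32-TLV limit are assumptions chosen for illustration.

```python
import struct

MAX_VALUE_LEN = 1024   # assumed local cap on one TLV value, not from the draft
MAX_TLVS = 32          # assumed local cap on TLVs per object


class TLVError(ValueError):
    """A TLV sequence that must be rejected rather than partially used."""


def parse_tlvs(buf: bytes) -> list:
    """Parse RFC 5440-style TLVs; return [(type, value)] or raise TLVError."""
    tlvs, off = [], 0
    while off < len(buf):
        if len(tlvs) >= MAX_TLVS:
            raise TLVError("too many TLVs")
        if len(buf) - off < 4:
            raise TLVError(f"truncated header at offset {off}")
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > MAX_VALUE_LEN:
            raise TLVError(f"type {tlv_type}: length {length} over local cap")
        padded = (length + 3) & ~3          # value plus padding to 4 bytes
        if padded > len(buf) - off:         # never read beyond what was received
            raise TLVError(f"type {tlv_type}: value and padding run past buffer")
        tlvs.append((tlv_type, buf[off:off + length]))
        off += padded
    return tlvs


def classify(buf: bytes) -> str:
    """Return 'ok' or the rejection reason, for logging or tests."""
    try:
        parse_tlvs(buf)
        return "ok"
    except TLVError as exc:
        return str(exc)


# Constructed samples; 0xFF01 and 0xFF02 are made-up type codes.
GOOD = (struct.pack("!HH", 0xFF01, 5) + b"hello" + b"\x00" * 3
        + struct.pack("!HH", 0xFF02, 4) + b"\x01\x02\x03\x04")
OVERLONG = struct.pack("!HH", 0xFF01, 400) + b"abcd"   # claims 400, carries 4
UNPADDED = struct.pack("!HH", 0xFF01, 5) + b"hello"    # padding missing
CUT_HEADER = GOOD[:12] + b"\xff\x02\x00"                # 3 of 4 header bytes
```

The parser rejects the whole sequence on the first inconsistency, so a caller never acts on TLVs that precede a malformed one.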

