
From nobody Thu Sep  2 04:24:22 2021
Message-ID: <24880.46160.502738.363907@fireball.acr.fi>
Date: Thu, 2 Sep 2021 14:24:00 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Nagendra Kumar Nainar \(naikumar\)" <naikumar@cisco.com>
Cc: "secdir\@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all\@ietf.org" <draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all@ietf.org>,  "last-call\@ietf.org" <last-call@ietf.org>, "mpls\@ietf.org" <mpls@ietf.org>
In-Reply-To: <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com>
References: <162333482591.8235.4418205938937483332@ietfa.amsl.com> <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/p_TEZmZHjRpOUX3m3Jhn9TS6bLs>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-ospfv3-codepoint-04

Nagendra Kumar Nainar (naikumar) writes:
> The security considerations section just says:
>
>    This document updates [RFC8287] and does not introduce any additional
>    security considerations.
>
> And I am not completely sure if that is true, if this document really allows
> using
> IPv6 when it was not possible before. Quite often having multiple address
> families do
> cause new security considerations too.
>
> <Authors> This draft only introduces the codepoint to indicate the protocol is
> OSPFv3. What to do when the protocol is OSPFv3 is defined in RFC8287. So we
> believe that this draft doesn’t introduce any new semantics/actions.
>
> Also RFC8287 refers to the RFC8029 for its
> security considerations, so perhaps direct reference to RFC8029 would be
> needed here.
>
> <Authors> Ok. We can clarify that in the section as below:
>
> “This document updates [RFC8287], [RFC8029] and does not introduce any additional
>
>    security considerations.
>
> “

I do not think that is completely correct, as this document is not
marked as updating the RFC 8029. Perhaps something like:

   This document updates [RFC8287] and does not introduce any
   additional security considerations. See [RFC8029] to see generic
   security considerations about the MPLS LSP Ping.

> Please let us know if the above is fine.
>
> There are several acronyms which are not expanded on their first use
> (including
> in title, and in abstract). Examples of such are IS, TLV, OSPF, IS+IS, IGP,
> SUb-TLV (is the
> spelling correct in abstract with uppercase u?),  FEC.
>
> <Authors> “Protocol in the Segment ID Sub-TLV” is the IANA registry name and I
> am not sure if we should try expanding it. For clarity, we will expand the
> rest. Let us know if that solves the concern.

That should be ok.

Btw, looking at the RFC8287 and 8029 they seem to use sub-TLV inside
the text, but in this draft you seem to use both Sub-TLV and sub-TLV.
It would be better to be consistent with it. For example the section
7.1 (both in header and body) has lower case version of "Segment ID
sub-TLV", when section 6 has upper case version "Segment ID Sub-TLV"
in the body. Only the abstract uses the SUb-TLV spelling...

> The use of just RFC numbers in reference format makes the document
> hard to read as not everybody remembers what RFC is RFC number 8287,
> 8402 etc. It would be much nicer to at least on the first time use
> the format where the text refers to RFC with title or similar and
> just has the reference in parenthesis, i.e.:
>
>    RFC5340 "OSPF for IPv6" ([RFC5340]) describes OSPF version 3 (OSPFv3) to
>    support IPv6. RFC5838 "Support of Address Families in OSPFv3" ([RFC5838])
>    describes the mechanism to support multiple address families (AFs) in
> OSPFv3.
>    Accordingly, OSPFv3 may be used to advertise IPv6 and IPv4 prefixes.
>
> is easier for reader than current format:
>
>    [RFC5340] describes OSPF version 3 (OSPFv3) to support IPv6.
>    [RFC5838] describes the mechanism to support multiple address
>    families (AFs) in OSPFv3. Accordingly, OSPFv3 may be used to
>    advertise IPv6 and IPv4 prefixes.
>
> <Authors> The use of RFC number alone as the reference is a common use AFAIK
> and we feel that it is not specific to this document. But we don’t want that
> to be a hurdle to move this document forward and if the consensus is to
> include the RFC document name, we are ok.

I agree it is common use, but it makes it hard for outsiders to get
into reading IETF specifications in general. It makes us (the IETF)
feel like an insider group: if you do not know the magic language
and can't map the RFC numbers to actual document names in your head,
you can't follow the discussion easily. I understand it is much harder
to get rid of that in the actual discussions in the session etc., but
at least here in the RFCs we can make it easier for new people to read
the drafts when they do not need to be doing mappings between RFC
numbers and the titles in their head, but can see both the number and
name in the text.
--
kivinen@iki.fi


From nobody Thu Sep  2 04:33:47 2021
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <163058242461.12689.1936678929992573234@ietfa.amsl.com>
Date: Thu, 02 Sep 2021 04:33:45 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hMw76CmDO2Yrl9-TRcqIckh6Fb8>
Subject: [secdir] Assignments

Review instructions and related resources are at:
https://trac.ietf.org/trac/sec/wiki/SecDirReview

Last calls:

Reviewer               LC end     Draft
Derek Atkins           2021-09-07 draft-ietf-bess-evpn-optimized-ir
John Bradley           2021-09-06 draft-ietf-core-senml-data-ct
Shaun Cooley           2021-09-06 draft-ietf-jmap-smime
Linda Dunbar           2021-09-27 draft-danyliw-replace-ftp-pointers
Shawn Emery            2021-09-10 draft-ietf-extra-quota
Steve Hanna            2021-03-22 draft-ietf-regext-secure-authinfo-transfer
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer
Tim Polk               2021-08-06 draft-ietf-opsawg-vpn-common
Stefan Santesson       2021-08-11 draft-ietf-bier-te-arch
Mališa Vučinić         2021-09-06 draft-ietf-httpbis-semantics
Samuel Weiler          2021-08-25 draft-ietf-alto-path-vector
Brian Weis             2021-08-19 draft-ietf-dnsop-svcb-https
Klaas Wierenga         2021-08-30 draft-ietf-alto-cdni-request-routing-alto
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth
Paul Wouters           2021-08-26 draft-ietf-alto-unified-props-new
Paul Wouters           2021-09-06 draft-ietf-httpbis-messaging
Liang Xia              2021-09-07 draft-ietf-bess-evpn-igmp-mld-proxy
Liang Xia              2021-03-17 draft-ietf-core-sid
Dacheng Zhang          2021-09-07 draft-ietf-bess-evpn-bum-procedure-updates

Early review requests:

Reviewer               Due        Draft
Donald Eastlake        2021-09-15 draft-ietf-ippm-ioam-flags
Stephen Farrell        2021-09-15 draft-ietf-ippm-ioam-direct-export
Stephen Farrell        2021-06-21 draft-ietf-idr-bgpls-srv6-ext
Tina Tsou              2021-08-25 draft-ietf-opsawg-sbom-access
Sean Turner            2021-08-18 draft-ietf-taps-interface
Loganaden Velvindron   2021-08-18 draft-ietf-taps-arch

Next in the reviewer rotation:

  Daniel Franke
  Daniel Gillmor
  Tobias Gondrom
  Phillip Hallam-Baker
  Steve Hanna
  Dan Harkins
  Russ Housley
  Christian Huitema
  Charlie Kaufman
  Scott Kelly


From nobody Thu Sep  2 09:54:20 2021
From: "Nagendra Kumar Nainar (naikumar)" <naikumar@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all@ietf.org" <draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>
Date: Thu, 2 Sep 2021 16:53:46 +0000
Message-ID: <BL3PR11MB5732FB445DEA2A1F9A1923E2C6CE9@BL3PR11MB5732.namprd11.prod.outlook.com>
References: <162333482591.8235.4418205938937483332@ietfa.amsl.com> <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com> <24880.46160.502738.363907@fireball.acr.fi>
In-Reply-To: <24880.46160.502738.363907@fireball.acr.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HdfSFrFmAZbIHYmHZRWtt7_Xa7Y>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-ospfv3-codepoint-04

Hi Tero,

I do not think that is completely correct, as this document is not
marked as updating the RFC 8029. Perhaps something like:

   This document updates [RFC8287] and does not introduce any
   additional security considerations. See [RFC8029] to see generic
   security considerations about the MPLS LSP Ping.

<Nagendra> It looks good. We will update the document accordingly.

Btw, looking at the RFC8287 and 8029 they seem to use sub-TLV inside
the text, but in this draft you seem to use both Sub-TLV and sub-TLV.
It would be better to be consistent with it. For example the section
7.1 (both in header and body) has lower case version of "Segment ID
sub-TLV", when section 6 has upper case version "Segment ID Sub-TLV"
in the body. Only the abstract uses the SUb-TLV spelling...

<Nagendra> Good catch. We will update the same for consistency.

I understand it is much harder
to get rid of that in the actual discussions in the session etc, but
at least here in the RFCs we can make it easier for new people to read
the drafts when they do not need to be doing mappings between RFC
numbers and the titles in their head, but can see both the number and
name in the text.

<Nagendra> Some of these RFCs are referenced multiple times in the draft.
Are you suggesting to have it in the first occurrence or in all the occurrences?

Thanks,
Nagendra



<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"#0563C1" vlink=3D"#954F72" style=3D"word-wrap:=
break-word">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">Hi Tero,<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I do not think that is completely correct, as this d=
ocument is not<br>
marked as updating the RFC 8029. Perhaps something like:<br>
<br>
&nbsp;&nbsp; This document updates [RFC8287] and does not introduce any<br>
&nbsp;&nbsp; additional security considerations. See [RFC8029] to see gener=
ic<br>
&nbsp;&nbsp; security considerations about the MPLS LSP Ping.<br>
<br>
<o:p></o:p></p>
<p class=3D"MsoNormal">&lt;Nagendra&gt; It looks good. We will update the d=
ocument accordingly.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Btw, looking at the RFC8287 and 8029 they seem to us=
e sub-TLV inside<br>
the text, but in this draft you seem to use both Sub-TLV and sub-TLV.<br>
It would be better to be consistent with it. For example the section<br>
7.1 (both in header and body) has lower case version of &quot;Segment ID<br=
>
sub-TLV&quot;, when section 6 has upper case version &quot;Segment ID Sub-T=
LV&quot;<br>
in the body. Only the abstract uses the SUb-TLV spelling...<br>
<br>
<o:p></o:p></p>
<p class=3D"MsoNormal">&lt;Nagendra&gt; Good catch. We will update the same=
 for consistency.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">I understand it is much harder<br>
to get rid of that in the actual discussions in the session etc, but<br>
at least here in the RFCs we can make it easier for new people to read<br>
the drafts when they do not need to be doing mappings between RFC<br>
numbers and the titles in their head, but can see both the number and<br>
name in the text.<br>
<br>
<o:p></o:p></p>
<p class=3D"MsoNormal">&lt;Nagendra&gt; Some of these RFCs are referenced m=
ultiple times in the draft. Are you suggesting to have it in the first occu=
rrence or in all the occurences?.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<div>
<p class=3D"MsoNormal">Thanks,<o:p></o:p></p>
<p class=3D"MsoNormal">Nagendra<o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><b><span style=3D"fon=
t-size:12.0pt;color:black">From:
</span></b><span style=3D"font-size:12.0pt;color:black">Tero Kivinen &lt;ki=
vinen@iki.fi&gt;<br>
<b>Date: </b>Thursday, September 2, 2021 at 7:24 AM<br>
<b>To: </b>Nagendra Kumar Nainar (naikumar) &lt;naikumar@cisco.com&gt;<br>
<b>Cc: </b>secdir@ietf.org &lt;secdir@ietf.org&gt;, draft-ietf-mpls-lsp-pin=
g-ospfv3-codepoint.all@ietf.org &lt;draft-ietf-mpls-lsp-ping-ospfv3-codepoi=
nt.all@ietf.org&gt;, last-call@ietf.org &lt;last-call@ietf.org&gt;, mpls@ie=
tf.org &lt;mpls@ietf.org&gt;<br>
<b>Subject: </b>Re: Secdir last call review of draft-ietf-mpls-lsp-ping-osp=
fv3-codepoint-04<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal">Nagendra Kumar Nainar (naikumar) writes:<br>
&gt; The security considerations section just says:<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; This document updates [RFC8287] and does not introdu=
ce any additional<br>
&gt;&nbsp;&nbsp;&nbsp; security considerations.<br>
&gt; <br>
&gt; And I am not completely sure if that is true, if this document really =
allows<br>
&gt; using<br>
&gt; IPv6 when it was not possible before. Quite often having multiple addr=
ess<br>
&gt; families do <br>
&gt; cause new security considerations too. <br>
&gt; <br>
&gt; &lt;Authors&gt; This draft only introduces the codepoint to indicate t=
he protocol is<br>
&gt; OSPFv3. What to do when the protocol is OSPFv3 is defined in RFC8287. =
So we<br>
&gt; believe that this draft doesn=92t introduce any new semantics/actions.=
<br>
&gt; <br>
&gt; Also RFC8287 refers to the RFC8029 for its<br>
&gt; security considerations, so perhaps direct reference to RFC8029 would =
be<br>
&gt; needed here.<br>
&gt; <br>
&gt; &lt;Authors&gt; Ok. We can clarify that in the section as below:<br>
&gt; <br>
&gt; =93This document updates [RFC8287], [RFC8029] and does not introduce a=
ny additional<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; security considerations.<br>
&gt; <br>
&gt; =93<br>
<br>
I do not think that is completely correct, as this document is not<br>
marked as updating the RFC 8029. Perhaps something like:<br>
<br>
&nbsp;&nbsp; This document updates [RFC8287] and does not introduce any<br>
&nbsp;&nbsp; additional security considerations. See [RFC8029] to see gener=
ic<br>
&nbsp;&nbsp; security considerations about the MPLS LSP Ping.<br>
<br>
&gt; Please let us know if the above is fine.<br>
&gt; <br>
&gt; There are several acronyms which are not expanded on their first use<b=
r>
&gt; (including<br>
&gt; in title, and in abstract). Examples of such are IS, TLV, OSPF, IS+IS,=
 IGP,<br>
&gt; SUb-TLV (is the <br>
&gt; spelling correct in abstract with uppercase u?),&nbsp; FEC.<br>
&gt; <br>
&gt; &lt;Authors&gt; =93Protocol in the Segment ID Sub-TLV=94 is the IANA r=
egistry name and I<br>
&gt; am not sure if we should try expanding it. For clarity, we will expand=
 the<br>
&gt; rest. Let us know if that solves the concern.<br>
<br>
That should be ok.<br>
<br>
Btw, looking at the RFC8287 and 8029 they seem to use sub-TLV inside<br>
the text, but in this draft you seem to use both Sub-TLV and sub-TLV.<br>
It would be better to be consistent with it. For example the section<br>
7.1 (both in header and body) has lower case version of &quot;Segment ID<br=
>
sub-TLV&quot;, when section 6 has upper case version &quot;Segment ID Sub-T=
LV&quot;<br>
in the body. Only the abstract uses the SUb-TLV spelling...<br>
<br>
&gt; The use of just RFC numbers in reference format makes the document<br>
&gt; hard to read as not everybody remembers what RFC is RFC number 8287,<b=
r>
&gt; 8402 etc. It would be much nicer to at least on the first time use<br>
&gt; the format where the text refers to RFC with title or similar and<br>
&gt; just has the reference in parenthesis, i.e.:<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; RFC5340 &quot;OSPF for IPv6&quot; ([RFC5340]) descri=
bes OSPF version 3 (OSPFv3) to <br>
&gt;&nbsp;&nbsp;&nbsp; support IPv6. RFC5838 &quot;Support of Address Famil=
ies in OSPFv3&quot; ([RFC5838])<br>
&gt;&nbsp;&nbsp;&nbsp; describes the mechanism to support multiple address =
families (AFs) in<br>
&gt; OSPFv3.<br>
&gt;&nbsp;&nbsp;&nbsp; Accordingly, OSPFv3 may be used to advertise IPv6 an=
d IPv4 prefixes.<br>
&gt; <br>
&gt; is easier for reader than current format:<br>
&gt; <br>
&gt;&nbsp;&nbsp;&nbsp; [RFC5340] describes OSPF version 3 (OSPFv3) to suppo=
rt IPv6.<br>
&gt;&nbsp;&nbsp;&nbsp; [RFC5838] describes the mechanism to support multipl=
e address<br>
&gt;&nbsp;&nbsp;&nbsp; families (AFs) in OSPFv3. Accordingly, OSPFv3 may be=
 used to<br>
&gt;&nbsp;&nbsp;&nbsp; advertise IPv6 and IPv4 prefixes.<br>
&gt; <br>
&gt; &lt;Authors&gt; The use of RFC number alone as the reference is a comm=
on use AFAIK<br>
&gt; and we feel that it is not specific to this document. But we don=92t w=
ant that<br>
&gt; to be a hurdle to move this document forward and if the consensus is t=
o<br>
&gt; include the RFC document name, we are ok.<br>
<br>
I agree it is common use, but it makes it hard for outsiders to get<br>
in to reading IETF specifications in general. It makes us (the ietf)<br>
to be felt like insider group, if you do not know the magic language<br>
and can't map the RFC numbers to actual document names in your head,<br>
you can't follow the discussion easily. I understand it is much harder<br>
to get rid of that in the actual discussions in the session etc, but<br>
at least here in the RFCs we can make it easier for new people to read<br>
the drafts when they do not need to be doing mappings between RFC<br>
numbers and the titles in their head, but can see both the number and<br>
name in the text.<br>
-- <br>
kivinen@iki.fi<o:p></o:p></p>
</div>
</div>
</body>
</html>

--_000_BL3PR11MB5732FB445DEA2A1F9A1923E2C6CE9BL3PR11MB5732namp_--


From nobody Thu Sep  2 10:41:55 2021
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 222D53A191A; Thu,  2 Sep 2021 10:41:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level: 
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ov2ooNJWbJye; Thu,  2 Sep 2021 10:41:29 -0700 (PDT)
Received: from meesny.iki.fi (meesny.iki.fi [IPv6:2001:67c:2b0:1c1::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A3E13A191D; Thu,  2 Sep 2021 10:41:28 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by meesny.iki.fi (Postfix) with ESMTPSA id 90A89203CF; Thu,  2 Sep 2021 20:41:23 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1630604483; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JVfUtrR4Ks2e+YUKa+cmQogqv7/keHoTOWq/qikOvyk=; b=jAJqm6XWSLCqOyV8i0yu9j0cQxHDd4fNbc0hmtydIiiuKRO/bGRtlzdNgHay6wJM/Cq5L0 WWYSfOU6XoReolnfZpv2f+bHJ2hHJWlSTCxaG9jBUADH+mg9FAPL5b4UuytN1r0kt4mgFK t/hf2MkokRhbGS+sX7A76l2DtMgjx1I=
Received: by fireball.acr.fi (Postfix, from userid 15204) id 9168725C12B7; Thu,  2 Sep 2021 20:40:51 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <24881.3235.541861.281100@fireball.acr.fi>
Date: Thu, 2 Sep 2021 20:40:51 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Nagendra Kumar Nainar \(naikumar\)" <naikumar@cisco.com>
Cc: "secdir\@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all\@ietf.org" <draft-ietf-mpls-lsp-ping-ospfv3-codepoint.all@ietf.org>,  "last-call\@ietf.org" <last-call@ietf.org>, "mpls\@ietf.org" <mpls@ietf.org>
In-Reply-To: <BL3PR11MB5732FB445DEA2A1F9A1923E2C6CE9@BL3PR11MB5732.namprd11.prod.outlook.com>
References: <162333482591.8235.4418205938937483332@ietfa.amsl.com> <BL3PR11MB5732F1592884274961E7B268C6CC9@BL3PR11MB5732.namprd11.prod.outlook.com> <24880.46160.502738.363907@fireball.acr.fi> <BL3PR11MB5732FB445DEA2A1F9A1923E2C6CE9@BL3PR11MB5732.namprd11.prod.outlook.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 4 min
X-Total-Time: 3 min
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1630604483; a=rsa-sha256; cv=none; b=y4aG8FKrnOnKMA07hs/k9oDpaNneMFBVYqhWFDRq+wzRrqyEJeuFtDh5JPxH8nT+8Sm540 P3CYNc4+iSZkigDpJjCFrUcxwFf6tL/xZhh08/FZuAcx1+aCzAO4jh5ciHgSwxRmOew1Lk sTDnkbno98T8x+M65Cv/R5znl8XrQXg=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1630604483; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JVfUtrR4Ks2e+YUKa+cmQogqv7/keHoTOWq/qikOvyk=; b=PUxksXZpn+weGfjds0Zxj5z0vBGcrcseTsvEKz7lJj5OLXMl29QXe8rGG5QIFXutujfc50 gyLtRyXFw5jHwCynJlUDycavTLJqQAJUJrxxuV2yiVrzpfCf62fB+XhVZ2aY56OMBBTWFL peIRQ5tTgtaKsxKgQ+I+ORZWf0dznWY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LkxjOIYFljebv3_oFwWvk_SH_G0>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-ospfv3-codepoint-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2021 17:41:45 -0000

Nagendra Kumar Nainar (naikumar) writes:
> I understand it is much harder
> to get rid of that in the actual discussions in the session etc, but
> at least here in the RFCs we can make it easier for new people to read
> the drafts when they do not need to be doing mappings between RFC
> numbers and the titles in their head, but can see both the number and
> name in the text.
> 
> <Nagendra> Some of these RFCs are referenced multiple times in the draft. Are
> you suggesting to have it in the first occurrence or in all the occurrences?

Yes, first reference is good enough. Of course repeating it a few times
(i.e., once during the section 1 Introduction, and second time in
section x where the actual text is) does not hurt either.

Repeating it several times inside the same chapter is not really needed,
and might even be harmful.
-- 
kivinen@iki.fi


From nobody Fri Sep  3 01:17:28 2021
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A9C83A1176; Fri,  3 Sep 2021 01:17:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_2EzlQUyiN9; Fri,  3 Sep 2021 01:17:05 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 227533A1173; Fri,  3 Sep 2021 01:17:05 -0700 (PDT)
Received: from opfednr05.francetelecom.fr (unknown [xx.xx.xx.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr26.francetelecom.fr (ESMTP service) with ESMTPS id 4H19ct69s1zyr1; Fri,  3 Sep 2021 10:17:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1630657022; bh=Ys12//K/MsX8/dVeaaU3ZpAduJTJ3+6hX+UOG5ozGvE=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=GSb4SnDkcr2WzUffIYYGM9aSoRMBprBDewiW16aex+SBwKUwcugKpiIxU+OmcafY4 8qd8eqFLZ3pawL4ibw/kAk3Fr/PdRloLbfBiQGjWEpU0qTZc35UyuDHGg/cP0WylUe oTxl52Lfg6QjU72DqVVCt+rMaXzIklA8TWvPYa5hpGEGOzAypKCbCW19L3FvcIoT/P qJyiXzatJJIz50vuSmBULBohvuwu9LJvHfmh37CUeHqElMEWOaD4ydXIeNcLhBBtrx B2Oari/CYb4/i+qJi9SmXWO+7XBTekRjtQWclPsQYXzH/y5+UaqVK00HFHB1a+2uN4 sGCsR5Y2pw8oQ==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfednr05.francetelecom.fr (ESMTP service) with ESMTPS id 4H19ct57KwzyQ5; Fri,  3 Sep 2021 10:17:02 +0200 (CEST)
From: <mohamed.boucadair@orange.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-opsawg-l3sm-l3nm.all@ietf.org" <draft-ietf-opsawg-l3sm-l3nm.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
Thread-Index: AQHXgZdSwzNfaHSiC0m9Ry8G0T+4M6uSMV/Q
Date: Fri, 3 Sep 2021 08:17:01 +0000
Message-ID: <13601_1630657022_6131D9FE_13601_86_23_787AE7BB302AE849A7480A190F8B9330353E84CA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162724649271.1477.16367299362861096101@ietfa.amsl.com>
In-Reply-To: <162724649271.1477.16367299362861096101@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TKt8ZP0_kg2FnLfdRxunvrPks3Q>
Subject: Re: [secdir] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 08:17:11 -0000
From nobody Fri Sep  3 01:51:57 2021
Return-Path: <oscar.gonzalezdedios@telefonica.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 394C03A13CF; Fri,  3 Sep 2021 01:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level: 
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telefonica.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOpPJi7MF8HJ; Fri,  3 Sep 2021 01:51:48 -0700 (PDT)
Received: from FRA01-MR2-obe.outbound.protection.outlook.com (mail-eopbgr90127.outbound.protection.outlook.com [40.107.9.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890993A13CC; Fri,  3 Sep 2021 01:51:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=a6ezis5eMHulShyLaXTCJbOPKON3YhaaqZ+4HzIYzsEa5V+ad2ZoLcvYtjisMGFUg/n+5tPQ5LBVAe3eeiMMcd2OiaB85A8Iby+WkD+aCVSrzByeedBevYq/ga8i/xWZbyQAXPoZkyvNuTvc5wwz8g4/kElJXCf5BP/LHZ+hW+ZJj0fi/9P51uNa61VoVRk0VZjh3te815t3TXZ/5vESlSSPTuM9gawNuqFkTrha0VoBB444F5kszg8MAjFOjaKCZTrinybJ4F5jbPqz8CXC9K6G+cARjgzmClA7/ZN4LHkMSt57i4lxbWDSKPMcPEPicXGqspTecAQAD8gD1Bbffw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;  bh=zNstzk4e+WhPrBYTnoLDFefByUa34orrWLOoAvzYR6w=; b=ClkE2t0ntCCi6ij/4XYTAoD9wKXmEvJxUxa4zktnEQPzEsuQQU7i+fb1YasxsQ9TApI4wNdiddoIDMg6JK43V03a+yW7o2JGlkKUudWpAfXl8GHBUSMfaK2gH5K310hjnMS5K7JT2O/K6RyYgl1NFJ3q3Xvn8Far6FS3/+HMNj2ouHs9Nz3LAQM/QZRM0kjXo+H31iIFGwA6pJFqmIXKVjqEX3/8g+vIA5L3PV4498NmHXT5s2Lh14ezDJ1j0t4EZSkYHiMbShO29s5gd2aCQ0plcQ61dLtjbfnMOUFGYzjC7ieI1r4V9RTpv0wUICtCdhuzt2PAAHh2vgCsm+vazg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=telefonica.com; dmarc=pass action=none header.from=telefonica.com; dkim=pass header.d=telefonica.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telefonica.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zNstzk4e+WhPrBYTnoLDFefByUa34orrWLOoAvzYR6w=; b=lsWQiZTWrjlFV90QXZa3d89LScdbiWC8TOZgCTt8IVYE/6UbcWZuSluxANXc6XRoOoQjmSZgHYJC/qX1/DcfjoIE6YSHxxakUvVoN8kGB5Qd6Cu6U/EJdr37P1MrNFA3asNRiuVdPrxEHVsD8dePN3fRi/xNSouUhLuWL2nQRQo=
Received: from PAXPR06MB7872.eurprd06.prod.outlook.com (2603:10a6:102:1a3::9) by PR1PR06MB5756.eurprd06.prod.outlook.com (2603:10a6:102:e::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4478.19; Fri, 3 Sep 2021 08:51:44 +0000
Received: from PAXPR06MB7872.eurprd06.prod.outlook.com ([fe80::dc1e:4a84:4569:af43]) by PAXPR06MB7872.eurprd06.prod.outlook.com ([fe80::dc1e:4a84:4569:af43%9]) with mapi id 15.20.4478.017; Fri, 3 Sep 2021 08:51:44 +0000
From: =?utf-8?B?T3NjYXIgR29uesOhbGV6IGRlIERpb3M=?= <oscar.gonzalezdedios@telefonica.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-opsawg-l3sm-l3nm.all@ietf.org" <draft-ietf-opsawg-l3sm-l3nm.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
Thread-Index: AQHXgZdUoDZuW1TYHk+hG7minU9JlauSNPWAgAABjyA=
Date: Fri, 3 Sep 2021 08:51:44 +0000
Message-ID: <PAXPR06MB7872AA6DD7EDEE4D2BDBDE12FDCF9@PAXPR06MB7872.eurprd06.prod.outlook.com>
References: <162724649271.1477.16367299362861096101@ietfa.amsl.com> <13601_1630657022_6131D9FE_13601_86_23_787AE7BB302AE849A7480A190F8B9330353E84CA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <13601_1630657022_6131D9FE_13601_86_23_787AE7BB302AE849A7480A190F8B9330353E84CA@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: es-ES, en-US
Content-Language: es-ES
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: orange.com; dkim=none (message not signed) header.d=none;orange.com; dmarc=none action=none header.from=telefonica.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: abb0cc5d-ff37-42e5-3886-08d96eb80e4f
x-ms-traffictypediagnostic: PR1PR06MB5756:
x-microsoft-antispam-prvs: <PR1PR06MB57569BDF61971333AA4B52FAFDCF9@PR1PR06MB5756.eurprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;  IPV:NLI; SFV:NSPM; H:PAXPR06MB7872.eurprd06.prod.outlook.com; PTR:; CAT:NONE;  SFS:(4636009)(366004)(52536014)(4326008)(66556008)(64756008)(508600001)(66476007)(26005)(54906003)(71200400001)(66446008)(5660300002)(110136005)(85202003)(122000001)(38100700002)(316002)(83380400001)(66574015)(66946007)(76116006)(7696005)(38070700005)(85182001)(86362001)(2906002)(6506007)(8936002)(8676002)(186003)(9686003)(33656002)(55016002)(9010500006); DIR:OUT; SFP:1102; 
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PAXPR06MB7872.eurprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: abb0cc5d-ff37-42e5-3886-08d96eb80e4f
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Sep 2021 08:51:44.0874 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kPkBLxwFhoBBECeh7Vl3JVUUAHmIinVgWGRZieswYibV/71BA8sWKyAj/v+16oRCkqIeAa+yMttHJ8QVgvJvSsKI/ZRWlE6QBpOrcrKNRHpCGW+U+tZWBs3p5/oipdm2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR1PR06MB5756
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZIBsgN7qGX0WZ76CTt0w7SvnWmM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 08:51:55 -0000

dSBmYWxzaWZpZS4gTWVyY2kuDQoNClRoaXMgbWVzc2FnZSBhbmQgaXRzIGF0dGFjaG1lbnRzIG1h
eSBjb250YWluIGNvbmZpZGVudGlhbCBvciBwcml2aWxlZ2VkIGluZm9ybWF0aW9uIHRoYXQgbWF5
IGJlIHByb3RlY3RlZCBieSBsYXc7IHRoZXkgc2hvdWxkIG5vdCBiZSBkaXN0cmlidXRlZCwgdXNl
ZCBvciBjb3BpZWQgd2l0aG91dCBhdXRob3Jpc2F0aW9uLg0KSWYgeW91IGhhdmUgcmVjZWl2ZWQg
dGhpcyBlbWFpbCBpbiBlcnJvciwgcGxlYXNlIG5vdGlmeSB0aGUgc2VuZGVyIGFuZCBkZWxldGUg
dGhpcyBtZXNzYWdlIGFuZCBpdHMgYXR0YWNobWVudHMuDQpBcyBlbWFpbHMgbWF5IGJlIGFsdGVy
ZWQsIE9yYW5nZSBpcyBub3QgbGlhYmxlIGZvciBtZXNzYWdlcyB0aGF0IGhhdmUgYmVlbiBtb2Rp
ZmllZCwgY2hhbmdlZCBvciBmYWxzaWZpZWQuDQpUaGFuayB5b3UuDQoNCg0KX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX18NCg0KRXN0ZSBtZW5zYWplIHkgc3VzIGFkanVudG9zIHNlIGRp
cmlnZW4gZXhjbHVzaXZhbWVudGUgYSBzdSBkZXN0aW5hdGFyaW8sIHB1ZWRlIGNvbnRlbmVyIGlu
Zm9ybWFjacOzbiBwcml2aWxlZ2lhZGEgbyBjb25maWRlbmNpYWwgeSBlcyBwYXJhIHVzbyBleGNs
dXNpdm8gZGUgbGEgcGVyc29uYSBvIGVudGlkYWQgZGUgZGVzdGluby4gU2kgbm8gZXMgdXN0ZWQu
IGVsIGRlc3RpbmF0YXJpbyBpbmRpY2FkbywgcXVlZGEgbm90aWZpY2FkbyBkZSBxdWUgbGEgbGVj
dHVyYSwgdXRpbGl6YWNpw7NuLCBkaXZ1bGdhY2nDs24geS9vIGNvcGlhIHNpbiBhdXRvcml6YWNp
w7NuIHB1ZWRlIGVzdGFyIHByb2hpYmlkYSBlbiB2aXJ0dWQgZGUgbGEgbGVnaXNsYWNpw7NuIHZp
Z2VudGUuIFNpIGhhIHJlY2liaWRvIGVzdGUgbWVuc2FqZSBwb3IgZXJyb3IsIGxlIHJvZ2Ftb3Mg
cXVlIG5vcyBsbyBjb211bmlxdWUgaW5tZWRpYXRhbWVudGUgcG9yIGVzdGEgbWlzbWEgdsOtYSB5
IHByb2NlZGEgYSBzdSBkZXN0cnVjY2nDs24uDQoNClRoZSBpbmZvcm1hdGlvbiBjb250YWluZWQg
aW4gdGhpcyB0cmFuc21pc3Npb24gaXMgcHJpdmlsZWdlZCBhbmQgY29uZmlkZW50aWFsIGluZm9y
bWF0aW9uIGludGVuZGVkIG9ubHkgZm9yIHRoZSB1c2Ugb2YgdGhlIGluZGl2aWR1YWwgb3IgZW50
aXR5IG5hbWVkIGFib3ZlLiBJZiB0aGUgcmVhZGVyIG9mIHRoaXMgbWVzc2FnZSBpcyBub3QgdGhl
IGludGVuZGVkIHJlY2lwaWVudCwgeW91IGFyZSBoZXJlYnkgbm90aWZpZWQgdGhhdCBhbnkgZGlz
c2VtaW5hdGlvbiwgZGlzdHJpYnV0aW9uIG9yIGNvcHlpbmcgb2YgdGhpcyBjb21tdW5pY2F0aW9u
IGlzIHN0cmljdGx5IHByb2hpYml0ZWQuIElmIHlvdSBoYXZlIHJlY2VpdmVkIHRoaXMgdHJhbnNt
aXNzaW9uIGluIGVycm9yLCBkbyBub3QgcmVhZCBpdC4gUGxlYXNlIGltbWVkaWF0ZWx5IHJlcGx5
IHRvIHRoZSBzZW5kZXIgdGhhdCB5b3UgaGF2ZSByZWNlaXZlZCB0aGlzIGNvbW11bmljYXRpb24g
aW4gZXJyb3IgYW5kIHRoZW4gZGVsZXRlIGl0Lg0KDQpFc3RhIG1lbnNhZ2VtIGUgc2V1cyBhbmV4
b3Mgc2UgZGlyaWdlbSBleGNsdXNpdmFtZW50ZSBhbyBzZXUgZGVzdGluYXTDoXJpbywgcG9kZSBj
b250ZXIgaW5mb3JtYcOnw6NvIHByaXZpbGVnaWFkYSBvdSBjb25maWRlbmNpYWwgZSDDqSBwYXJh
IHVzbyBleGNsdXNpdm8gZGEgcGVzc29hIG91IGVudGlkYWRlIGRlIGRlc3Rpbm8uIFNlIG7Do28g
w6kgdm9zc2Egc2VuaG9yaWEgbyBkZXN0aW5hdMOhcmlvIGluZGljYWRvLCBmaWNhIG5vdGlmaWNh
ZG8gZGUgcXVlIGEgbGVpdHVyYSwgdXRpbGl6YcOnw6NvLCBkaXZ1bGdhw6fDo28gZS9vdSBjw7Nw
aWEgc2VtIGF1dG9yaXphw6fDo28gcG9kZSBlc3RhciBwcm9pYmlkYSBlbSB2aXJ0dWRlIGRhIGxl
Z2lzbGHDp8OjbyB2aWdlbnRlLiBTZSByZWNlYmV1IGVzdGEgbWVuc2FnZW0gcG9yIGVycm8sIHJv
Z2Ftb3MtbGhlIHF1ZSBub3MgbyBjb211bmlxdWUgaW1lZGlhdGFtZW50ZSBwb3IgZXN0YSBtZXNt
YSB2aWEgZSBwcm9jZWRhIGEgc3VhIGRlc3RydWnDp8Ojbw0K


From nobody Fri Sep  3 01:56:22 2021
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 805553A13EE; Fri,  3 Sep 2021 01:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NTsJw-_wyYwS; Fri,  3 Sep 2021 01:55:56 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.70.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DCF63A1429; Fri,  3 Sep 2021 01:55:56 -0700 (PDT)
Received: from opfednr03.francetelecom.fr (unknown [xx.xx.xx.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfednr23.francetelecom.fr (ESMTP service) with ESMTPS id 4H1BTk14qRz5wfF;  Fri,  3 Sep 2021 10:55:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1630659354; bh=qN2jgiHNM8Lep/GZAGT8e1tilbdCv268g4Ng86P1HdI=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=ZdTrkja/8o2fyzA7CQk6UaYLhuzekqNWwMJzdVIPwVr3VzZ+t51KLtcX0k5zKaHDC RIPl+BsI6mPIhA/JdLAHJux9TROrgHpTlgzKWY24FOMCgRK6uebe187fso0EaFUx9E M0Yhn9qsPg/UtArSJoBEguMmO6eozCkpzpkn0id+SQ+1OFrMBHpjyypYg3IXNvrg08 FPDFO5fBeha3E3aYswrRXHRj3Hnl27qji7j6ApHcnMOEESqgTtWNoEidr+jQzVcY+l EhEwj9iWJ0HLcQ+WeLYoUZFT1/Ft8sPC3rFGbvfmAFBZGoH0l3P1eNu15YXeIaUkPs l2EpsF1Oy78gw==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by opfednr03.francetelecom.fr (ESMTP service) with ESMTPS id 4H1BTk0CSgzDq8T;  Fri,  3 Sep 2021 10:55:54 +0200 (CEST)
From: <mohamed.boucadair@orange.com>
To: Benjamin Kaduk <kaduk@mit.edu>, tom petch <daedulus@btconnect.com>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-opsawg-l3sm-l3nm.all@ietf.org" <draft-ietf-opsawg-l3sm-l3nm.all@ietf.org>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
Thread-Index: AQHXgZdSwzNfaHSiC0m9Ry8G0T+4M6taA6cAgAcVkwCAMSMk4A==
Date: Fri, 3 Sep 2021 08:55:52 +0000
Message-ID: <29936_1630659354_6131E31A_29936_20_1_787AE7BB302AE849A7480A190F8B9330353E852D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <162724649271.1477.16367299362861096101@ietfa.amsl.com> <6102D2D8.6010106@btconnect.com> <20210803042102.GB50759@kduck.mit.edu>
In-Reply-To: <20210803042102.GB50759@kduck.mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.114.13.245]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/v9GGkrDTlnqOQmWieEg1JmkVPZk>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Sep 2021 08:56:16 -0000

Hi Ben, all,

Glad to see that you found the text where we explain why MD5 is supported in the model.

Added this NEW text to the security considerations section:

   As discussed in Section 7.6.3, the module supports MD5 to basically
   accommodate the installed BGP base.  MD5 suffers from the
   security weaknesses discussed in Section 2 of [RFC6151] or
   Section 2.1 of [RFC6952].

Cheers,
Med

> -----Original Message-----
> From: last-call [mailto:last-call-bounces@ietf.org] On Behalf Of
> Benjamin Kaduk
> Sent: Tuesday, 3 August 2021 06:21
> To: tom petch <daedulus@btconnect.com>
> Cc: last-call@ietf.org; draft-ietf-opsawg-l3sm-l3nm.all@ietf.org;
> Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; secdir@ietf.org
> Subject: Re: [Last-Call] Secdir last call review of
> draft-ietf-opsawg-l3sm-l3nm-10
>
> Hi Tom,
>
> On Thu, Jul 29, 2021 at 05:10:00PM +0100, tom petch wrote:
> > Reading this I-D, I wondered what the secdir view is of recommending
> > the use of MD5 to secure the session as this I-D does for BGP.  (Such
> > a use in NTP did generate a comment).
>
> This part:
>
>       'authentication':  The module adheres to the recommendations in
>          Section 13.2 of [RFC4364] as it allows enabling TCP-AO
>          [RFC5925] and accommodates the installed base that makes use of
>          MD5.  In addition, the module includes a provision for the use
>
> seems to be about as good as we can do given the current state of
> deployment and implementation.
>
> I will probably suggest adding some additional discussion of the
> weakness of MD5 to the security considerations in my ballot
> comments, if no such text appears before then.
>
> Thanks,
>
> Ben
>


From nobody Mon Sep  6 19:33:02 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC123A0B44; Mon,  6 Sep 2021 19:32:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Shawn Emery via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-extra-quota.all@ietf.org, extra@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.36.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163098196206.10347.8674654620317888270@ietfa.amsl.com>
Reply-To: Shawn Emery <shawn.emery@gmail.com>
Date: Mon, 06 Sep 2021 19:32:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Yxe2tNBLSEOEbPTzGXAvxg7Yb8A>
Subject: [secdir] Secdir last call review of draft-ietf-extra-quota-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 02:32:43 -0000

Reviewer: Shawn Emery
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This draft specifies an extension to the IMAP protocol that allows querying and
administrative functions related to resource limits and utilization. 

The security considerations section does exist and describes that the extension
must adhere to the local security policies.  It continues to state that a user's resource
usage could also be considered sensitive information.  I don't believe that this draft
adds additional security concerns from the proposed to be obsoleted RFC, 2087.
These updates define two additional resource types (ANNOTATION-STORAGE and
MAILBOX), a response code, and two data items.

General comments:

None.

Editorial comments:

s/a couple of extension/an extension/
s/mupltiple/multiple/
s/   Name of the quota resource type:\n/   Name of the quota resource type: ANNOTATION-STORAGE\n/
s/registrations for 3/registrations for 4/
s/clarify meaning/clarify the meaning/



From nobody Tue Sep  7 09:37:18 2021
Return-Path: <dwessels@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1025B3A1333; Tue,  7 Sep 2021 09:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level: 
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpp1HtL7F0MQ; Tue,  7 Sep 2021 09:37:11 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 468D03A132F; Tue,  7 Sep 2021 09:37:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=10581; q=dns/txt; s=VRSN; t=1631032631; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=KxyAxjTMPrOx6+u9W4Sbh26sUHVaxbLom7n9Q9FJwVw=; b=dk/Wq/wllK09FOvkfqSscV38QA7Wjb0DQ2ANfVBx5cRERbsS1DWSbeLJ yXeFCxkchoWTini/78sgEP0DCMuVBaUHPHB9NKL/Dub+CHBt8931p8cbS q2j/fkrIIMQo3VnZ+W+MgoC6VYqlZlv1aMtZCSJxRlPZzpxuAxFx7BWI1 nLf80TCGNSk9nEYPdJ8HJlX+YAkCGvcV5nj7Ri1VyuWJ45FfaSulD9bqF ZoSBQSkUXJe5+ZvLtNgDwfGTJg/WwdPxuwTs9mbdMHjWIr9bhGjl2fFzg 6NgoIFwF+t0Ku2bmptH31cdhRUT0yUgbihILxVWAZLhaUYbEv3vzO8AMD w==;
IronPort-SDR: 5tcTk5Ij46ppS/PAb1EFQ8VPZFpKGpfFnHCfbpDTqPyd8eZLfPx2f8hF8sxEHP3UpjKtmLuSk6 q+uvDEbyiZl9n6mLArrJeE6Z0gJQyzC64uXaw1ohyRWo1M0DvHNtcyLr0ItUWmIkplYkE4xPqx BlCz5/9UIYrx56ImLuyjrbu4bd+k+qBDVOb2kVA2tEk+YnbY5SWwFEH7hdeJlCKKmXFq9OQuIp o43/MJEVwAs5j30zzHoJVfIZ4qcDORd9NfANk2Y2h935ZSa1bf3VAwzUBZ+2k/EUrY3ujXpZDU DMY=
IronPort-HdrOrdr: A9a23:5WGbJ6l9NYTb7Wwp9jSDbUtfmwjpDfIP3DAbv31ZSRFFG/Fwz/ re+Mjy1XfP5Ar5K0tQ/uxoWZPwO080mqQU3WB8B92ftUzdyQ6VxeJZnPbfKl/bak7DH4dmvM 8KT0E9MqyTMbEQt6nHCXyDcurIt+PozEnHv4rjJjxWPGdXgulbnn5E4pbyKDwPeOBpP+tDKK ah
X-IronPort-AV: E=Sophos; i="5.85,274,1624334400"; d="p7s'?scan'208"; a="9526822"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Tue, 7 Sep 2021 12:37:09 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.008; Tue, 7 Sep 2021 12:37:09 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Alan DeKok <aland@freeradius.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>
Thread-Topic: [EXTERNAL] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
Thread-Index: AQHXm4IW1D9iX4Pn7k6ITpXUHmZR5auZGT2A
Date: Tue, 7 Sep 2021 16:37:09 +0000
Message-ID: <A0E6D1E5-0226-4AE2-86B3-4C7A1EDF24A8@verisign.com>
References: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
In-Reply-To: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_A88A1800-5DDF-4A3A-B083-C640063BFEE2"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IBXTBMqRi9_269U9pz54fM6wKUA>
Subject: Re: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 16:37:16 -0000

--Apple-Mail=_A88A1800-5DDF-4A3A-B083-C640063BFEE2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On Aug 27, 2021, at 1:28 PM, Alan DeKok <aland@freeradius.org> wrote:
>
> Reviewer: Alan DeKok
> Review result: Has nits
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>  Over all, I think this document is clear, useful and well written.
>
> Section 1 says:
>
>   ... Section 6.1.3.2 to clarify that all DNS resolvers and recursive MUST
>   support and service both TCP and UDP queries.
>
> NIT: bare "recursive" should perhaps be "recursive servers", to match similar text elsewhere in the document.

Done.


>
>
>  It may be good to update Section 3 with notes on "head of line blocking".  This text could arguably be in RFC 7766, but having it here is a reasonable alternative:
>
>   When using UDP as a transport for DNS, there is no ordering of
>   packets.  If a packet is lost, that loss has no
>   effect on subsequent packets sent by that client or server.
>
>   Unlike UDP, TCP is subject to issues related to Head of Line (HoL)
>   blocking.  This occurs when a TCP segment is lost and a subsequent
>   TCP segment arrives out of order.  While the DNS implementation can
>   process DNS packets out of order, the semantics of TCP makes this
>   impossible.  This limitation can lower the maximum packet processing
>   rate of DNS over TCP.


To fit this in I added a whole new subsection to History of DNS over TCP.
It might be more than you were expecting but I thought it would be helpful
to have the background on head-of-line blocking issues.

2.6.  Reuse, Pipelining, and Out-of-Order Processing

   The idea that a TCP connection can support multiple transactions goes
   back as far as [RFC0883], which states: "Multiple messages may be
   sent over a virtual circuit."  Although [RFC1035], which updates the
   former, omits this particular detail, it has been generally accepted
   that a TCP connection can be used for more than one query and
   response.

   [RFC5966] clarified that servers are not required to preserve the
   order of queries and responses over any transport.  [RFC7766], which
   updates the former, further encourages query pipelining over TCP to
   achieve performance on par with UDP.  A server that sends out-of-
   order responses to pipelined queries avoids head-of-line blocking
   when the response for a later query is ready before the response to
   an earlier query.

   However, TCP can potentially suffer from a different head-of-line
   blocking problem due to packet loss.  Since TCP itself enforces
   ordering, a single lost segment delays delivery of data in any
   following segments until the lost segment is retransmitted and
   successfully received.



>
> Section 6 says:
>
>   Developers SHOULD also keep in mind connection reuse, query
>   pipelining, and out-of-order responses when building and testing DNS
>   monitoring applications.
>
>  It would also be good to note that if the monitoring software tracks requests and responses, then clients could potentially attack the monitoring software, too.  i.e. by sending large volumes of requests to "black hole" IPs, which will never get a response.   So the monitoring software should have both timeouts for request/response tracking, and also limit the total number of request/responses which are monitored.

This part of section 6 now says:

   Applications
   that capture network packets (e.g., with libpcap [libpcap]) SHOULD
   implement and perform full TCP segment reassembly.  Furthermore, as
   with real TCP, such applications need to protect themselves from
   resource exhaustion attacks by limiting the amount of memory
   allocated to tracking unacknowledged connection state data.


FYI we are tracking this in github at https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/pull/6/files if that is helpful.

DW


--Apple-Mail=_A88A1800-5DDF-4A3A-B083-C640063BFEE2--
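
The limits discussed in the message above (timeouts on request/response tracking, a cap on the number of tracked entries, bounded reassembly state) can be combined in a passive DNS-over-TCP monitor as in the following added example, which is not code from the draft or its authors. The class name DnsTcpTracker, its parameters and the sample addresses are assumptions; it expects TCP payload already reassembled in order and timestamps that never decrease.

```python
import struct
from collections import OrderedDict

DNS_HEADER_LEN = 12
QR_BIT = 0x8000  # set in the flags word of a DNS response


class DnsTcpTracker:
    """Bounded query/response tracker for a passive DNS-over-TCP monitor."""

    def __init__(self, max_pending=10000, timeout=5.0, max_streams=1000):
        self.max_pending = max_pending   # cap on tracked, unanswered queries
        self.timeout = timeout           # seconds to wait for a response
        self.max_streams = max_streams   # cap on partially buffered streams
        self.pending = OrderedDict()     # (conn, dns_id) -> time seen, oldest first
        self.buffers = {}                # (conn, from_client) -> unframed bytes
        self.stats = dict(matched=0, unmatched=0, expired=0, evicted=0, malformed=0)

    def expire(self, now):
        """Forget queries that have waited at least `timeout` seconds."""
        while self.pending:
            key, seen = next(iter(self.pending.items()))
            if now - seen < self.timeout:
                break
            del self.pending[key]
            self.stats["expired"] += 1

    def _add_query(self, conn, dns_id, now):
        key = (conn, dns_id)
        self.pending.pop(key, None)              # ID reuse: restart the timer
        if len(self.pending) >= self.max_pending:
            self.pending.popitem(last=False)     # evict the oldest entry
            self.stats["evicted"] += 1
        self.pending[key] = now

    def _match_response(self, conn, dns_id, now):
        seen = self.pending.pop((conn, dns_id), None)
        if seen is None:
            self.stats["unmatched"] += 1
            return None
        self.stats["matched"] += 1
        return now - seen

    def feed(self, conn, from_client, data, now):
        """Consume in-order TCP payload for one direction of a connection.

        Returns (dns_id, latency) for every response matched in this call.
        """
        self.expire(now)
        key = (conn, from_client)
        buf = self.buffers.pop(key, b"") + data
        matched = []
        while len(buf) >= 2:
            (length,) = struct.unpack("!H", buf[:2])   # 2-byte length prefix
            if len(buf) < 2 + length:
                break                    # message continues in a later segment
            msg, buf = buf[2:2 + length], buf[2 + length:]
            if length < DNS_HEADER_LEN:
                self.stats["malformed"] += 1
                continue
            dns_id, flags = struct.unpack("!HH", msg[:4])
            is_response = bool(flags & QR_BIT)
            if from_client and not is_response:
                self._add_query(conn, dns_id, now)
            elif not from_client and is_response:
                # Matching by ID, not arrival order, tolerates pipelining
                # and out-of-order responses on one connection.
                latency = self._match_response(conn, dns_id, now)
                if latency is not None:
                    matched.append((dns_id, latency))
        # At most one partial message (< 65537 bytes) is kept per stream, for
        # a bounded number of streams; beyond that the partial data is dropped.
        if buf and len(self.buffers) < self.max_streams:
            self.buffers[key] = buf
        return matched


def frame(dns_id, response=False):
    """Constructed sample: header-only DNS message with its length prefix."""
    header = struct.pack("!HHHHHH", dns_id, QR_BIT if response else 0, 0, 0, 0, 0)
    return struct.pack("!H", len(header)) + header


def demo():
    tracker = DnsTcpTracker(max_pending=4, timeout=5.0)
    a = ("192.0.2.10", 40000, "198.51.100.53", 53)    # constructed addresses
    b = ("192.0.2.66", 40001, "198.51.100.53", 53)
    queries = frame(1) + frame(2) + frame(3)           # pipelined queries
    tracker.feed(a, True, queries[:20], 0.0)           # segment ends mid-message
    tracker.feed(a, True, queries[20:], 0.0)
    latencies = tracker.feed(a, False, frame(3, True), 0.25)  # out-of-order reply
    latencies += tracker.feed(a, False, frame(1, True), 0.5)
    # Five queries that are never answered, against a cap of four entries.
    tracker.feed(b, True, b"".join(frame(i) for i in range(100, 105)), 1.0)
    latencies += tracker.feed(a, False, frame(2, True), 7.0)  # after the timeout
    return latencies, tracker.stats, len(tracker.pending)


if __name__ == "__main__":
    print(demo())
```

The eviction and expiry counters are worth exporting as metrics: a sustained rise in either indicates that the monitor is shedding state and its latency figures are no longer complete.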


From nobody Tue Sep  7 12:26:57 2021
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 874583A0C15; Tue,  7 Sep 2021 11:56:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1631040964; bh=p6XauYqcdXpmkWKMfSH7BrvnNYtT5BEAeApXnFFZ8B4=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Reply-To; b=dB/MLWJZN4CbrB8+RDyfHvI/RmsleXFPJTckIV5oZA7NswDu1TBDJPZkoZ41B1Pi8 RoGZHvOivFNm8otk1/eKDwMhUUADLiQi1QHph0gzAnnOIxEnV8xlimpIykEJeeu/VT U/fORTU3+AGzrYGTiNzEnWVaQImWafpY7nxZxtKQ=
X-Mailbox-Line: From new-work-bounces@ietf.org  Tue Sep  7 11:55:58 2021
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 089C83A0CBC; Tue,  7 Sep 2021 11:55:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1631040957; bh=p6XauYqcdXpmkWKMfSH7BrvnNYtT5BEAeApXnFFZ8B4=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Reply-To; b=LOCZg1xkYl3H6EKdwFaR9HdaPEtaVMitzAhK+xL1bE9Eu38+BxAbImyeWrcueEuh3 SRMCU8BGYDKElWht44ozeSe3vMA+4SXLRmEEFVfBcGKKKNHQDDuR0dja6o6BPObetW z+VwBwsSTrg4spV5oE2WkBaOpIY/N/RjA7LzhRkM=
X-Original-To: new-work@ietf.org
Delivered-To: new-work@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A7ED3A0BC9 for <new-work@ietf.org>; Tue,  7 Sep 2021 11:55:36 -0700 (PDT)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Reply_to: <iesg@ietf.org>
Message-ID: <163104093641.14970.2832774121617725345@ietfa.amsl.com>
Date: Tue, 07 Sep 2021 11:55:36 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/YrJ5BkUBf0Mj6slRs2IgMC4m8KY>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.29
Reply-To: iesg@ietf.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/E6MB2123MgNZiyTuixfr5-aGBiA>
X-Mailman-Approved-At: Tue, 07 Sep 2021 12:26:57 -0700
Subject: [secdir] [new-work] WG Review: Oblivious Applications using Relayed HTTP (oarh)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 18:56:11 -0000

A new IETF WG has been proposed in the Security Area. The initial 
chartering process was started under the name OHTTP, and subsequently 
the OHTTP BOF was held at IETF 111. The IESG has not made any 
determination yet. The following draft charter was submitted, and is 
provided for informational purposes only. Please send your comments to 
the IESG mailing list (iesg@ietf.org) by 2021-09-17.


Oblivious Applications using Relayed HTTP (oarh)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  TBD

Assigned Area Director:
  Francesca Palombini <francesca.palombini@ericsson.com>

Security Area Directors:
  Benjamin Kaduk <kaduk@mit.edu>
  Roman Danyliw <rdd@cert.org>

Mailing list:
  Address: oarh@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/oarh
  Archive: https://mailarchive.ietf.org/arch/browse/oarh/

Group page: https://datatracker.ietf.org/group/oarh/

Charter: https://datatracker.ietf.org/doc/charter-ietf-oarh/

In a number of different settings, interactions between clients and servers
involve information that could be sensitive when associated with client
identity. Client-server applications built on HTTP reveal aspects of client
identity to servers through these interactions, especially source addresses.
Even without client identity, a server might be able to build a profile of
client activity by correlating requests from the same client over time.

In HTTP-based applications where the information included in requests does not
need to be correlated, the Oblivious HTTP protocol allows a supporting server
to accept requests via a proxy. The proxy ensures that the server cannot see
source addressing information for clients, which prevents servers linking
requests to the same client using such information. Encryption ensures that
the proxy is unable to read requests or responses. However, if the proxy and
server collude, then neither of these privacy properties hold.

Applications and use cases best suited for the Oblivious HTTP protocol are
those that have discrete, transactional queries that might reveal small
amounts of information over time. Examples include DNS queries, telemetry
submission, and certificate revocation checking. In some of these application
deployments, the relationship between client, server, and cooperating proxy
might be configured out-of-band.

General purpose HTTP applications such as web browsing are not in scope for
the Oblivious HTTP protocol. Broad applicability is limited by multiple
factors, including the need for explicit server support of the protocol. In
contrast, transport-level proxies such as HTTP CONNECT or MASQUE are a more
appropriate mechanism for those use cases, as they allow connecting to
unmodified servers.

The OARH working group will define the Oblivious HTTP protocol, a method of
encapsulating HTTP requests and responses that provides protected, low-latency
exchanges. This protocol will use existing cryptographic primitives to meet
these goals. The working group will define any data formats necessary to carry
encapsulated requests and responses, plus formats for supplementary material,
such as server keying material, that might be needed to use the protocol.

The OARH working group will include an applicability statement that documents
the limitations of this design and any usage constraints that are necessary to
ensure that the protocol is secure. The working group will consider the
operational impact as part of the protocol design and document operational
considerations.

The working group will prioritize work on the core protocol elements as
identified. In addition, the working group may work on other use cases and
deployment models, including those that involve discovery of OHTTP proxies or
servers and their key configurations.

The OARH working group will work closely with other groups that develop the
tools that Oblivious HTTP depends on (HTTPbis for HTTP, CFRG for HPKE) or that
might use Oblivious HTTP (DPRIVE and ADD for DNS over HTTPS).

The working group will use draft-thomson-http-oblivious as input.





From nobody Thu Sep  9 05:51:07 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1362E3A0A35 for <secdir@ietf.org>; Thu,  9 Sep 2021 05:51:06 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <163119186527.4629.8277429115968143641@ietfa.amsl.com>
Date: Thu, 09 Sep 2021 05:51:06 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/xw0yBMJ8rVuogGanTNhj7-nbD6A>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 12:51:06 -0000

Review instructions and related resources are at:
https://trac.ietf.org/trac/sec/wiki/SecDirReview

For telechat 2021-09-23

Reviewer               LC end     Draft
Kyle Rose             R2021-08-02 draft-ietf-tcpm-rfc793bis

Last calls:

Reviewer               LC end     Draft
Derek Atkins           2021-09-07 draft-ietf-bess-evpn-optimized-ir
John Bradley           2021-09-06 draft-ietf-core-senml-data-ct
Shaun Cooley           2021-09-06 draft-ietf-jmap-smime
Linda Dunbar           2021-09-27 draft-danyliw-replace-ftp-pointers
Daniel Franke          2021-09-22 draft-ietf-cbor-network-addresses
Phillip Hallam-Baker   2021-09-21 draft-ietf-cbor-cddl-control
Steve Hanna            2021-09-16 draft-ietf-lamps-rfc7299-update
Steve Hanna            2021-03-22 draft-ietf-regext-secure-authinfo-transfer
Dan Harkins            2021-09-16 draft-ietf-dnsop-dnssec-iana-cons
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer
Tim Polk               2021-08-06 draft-ietf-opsawg-vpn-common
Kyle Rose             R2021-08-02 draft-ietf-tcpm-rfc793bis
Stefan Santesson       2021-08-11 draft-ietf-bier-te-arch
Mališa Vučinić         2021-09-06 draft-ietf-httpbis-semantics
Samuel Weiler          2021-08-25 draft-ietf-alto-path-vector
Brian Weis             2021-08-19 draft-ietf-dnsop-svcb-https
Klaas Wierenga         2021-08-30 draft-ietf-alto-cdni-request-routing-alto
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth
Paul Wouters           2021-08-26 draft-ietf-alto-unified-props-new
Paul Wouters           2021-09-06 draft-ietf-httpbis-messaging
Liang Xia              2021-09-07 draft-ietf-bess-evpn-igmp-mld-proxy
Liang Xia              2021-03-17 draft-ietf-core-sid
Dacheng Zhang          2021-09-07 draft-ietf-bess-evpn-bum-procedure-updates

Early review requests:

Reviewer               Due        Draft
Donald Eastlake        2021-09-15 draft-ietf-ippm-ioam-flags
Stephen Farrell        2021-09-15 draft-ietf-ippm-ioam-direct-export
Stephen Farrell        2021-06-21 draft-ietf-idr-bgpls-srv6-ext
Tina Tsou              2021-08-25 draft-ietf-opsawg-sbom-access
Sean Turner            2021-08-18 draft-ietf-taps-interface
Loganaden Velvindron   2021-08-18 draft-ietf-taps-arch

Next in the reviewer rotation:

  Russ Housley
  Christian Huitema
  Charlie Kaufman
  Scott Kelly
  Tero Kivinen
  Watson Ladd
  Barry Leiba
  Chris Lonvick
  Aanchal Malhotra
  David Mandelberg


From nobody Thu Sep  9 14:16:08 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FAE93A094A; Thu,  9 Sep 2021 14:16:02 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Kyle Rose via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-tcpm-rfc793bis.all@ietf.org, last-call@ietf.org, tcpm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163122216220.18111.15433502352893906147@ietfa.amsl.com>
Reply-To: Kyle Rose <krose@krose.org>
Date: Thu, 09 Sep 2021 14:16:02 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/D7QYrrZyUR8jThXND9Y7_s-OZqQ>
Subject: [secdir] Secdir telechat review of draft-ietf-tcpm-rfc793bis-25
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Sep 2021 21:16:03 -0000

Reviewer: Kyle Rose
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

Upon review of the changes from -24 to -25, I have no further comments.



From nobody Fri Sep 10 09:11:47 2021
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 015D33A091C; Fri, 10 Sep 2021 09:08:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1631290134; bh=x3bbG55/mby2wecMcKN2SATjOnVDruRQEN+PB7uRsd4=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Reply-To; b=cFfpHifIlTnKIR7hyrAqP62fyTiz4JxaZLzI9n+l3vTA8cg93FWXScIbvzNsogQLq coL+DUOybhuPdyX2HZmIIgyI6tNg74dhMabiPIq30VFWatcyRIC12ajfaE3m92A5/N Q7Un5DM4ivXMLI4FKC4uzCDdReX3t50+IYh4kZXo=
X-Mailbox-Line: From new-work-bounces@ietf.org  Fri Sep 10 09:08:46 2021
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id ED1373A0898; Fri, 10 Sep 2021 09:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1631290113; bh=x3bbG55/mby2wecMcKN2SATjOnVDruRQEN+PB7uRsd4=; h=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive: List-Post:List-Help:List-Subscribe:Reply-To; b=prkTd8oGQlo6HD70gobnGWBgkUMklGQYSsjIoXTMepBAyF/5IumdYcNDIXyZ0A1AW FfshaInOBwl+J7j/JlVwRoQ/DrlJ9sLA+47NZev/4/WwG/Lg8S53EPL8yQRGp/kyER KCMQ7RPvcmrxpIzONbRDBWuyliZM9jXkBDiqDug0=
X-Original-To: new-work@ietf.org
Delivered-To: new-work@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B76C33A08E2 for <new-work@ietf.org>; Fri, 10 Sep 2021 09:08:18 -0700 (PDT)
MIME-Version: 1.0
From: The IESG <iesg@ietf.org>
To: <new-work@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
MIME-Version: 1.0
Reply_to: <iesg@ietf.org>
Message-ID: <163129009872.26088.14135020113436616575@ietfa.amsl.com>
Date: Fri, 10 Sep 2021 09:08:18 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/new-work/D0anS3YmsZ9InHgvuBbh8A2JvUc>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.29
Reply-To: iesg@ietf.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: "new-work" <new-work-bounces@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vZm19RLi1mzlPtLLPXvxurbHdvc>
X-Mailman-Approved-At: Fri, 10 Sep 2021 09:11:45 -0700
Subject: [secdir] [new-work] WG Review: DANE Authentication for Network Clients Everywhere (dance)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Sep 2021 16:09:01 -0000

A new IETF WG has been proposed in the Security Area. The IESG has not made
any determination yet. The following draft charter was submitted, and is
provided for informational purposes only. Please send your comments to the
IESG mailing list (iesg@ietf.org) by 2021-09-20.

DANE Authentication for Network Clients Everywhere (dance)
-----------------------------------------------------------------------
Current status: Proposed WG

Chairs:
  Wes Hardaker <ietf@hardakers.net>

Assigned Area Director:
  Roman Danyliw <rdd@cert.org>

Security Area Directors:
  Benjamin Kaduk <kaduk@mit.edu>
  Roman Danyliw <rdd@cert.org>

Mailing list:
  Address: dance@ietf.org
  To subscribe: https://www.ietf.org/mailman/listinfo/dance
  Archive: https://mailarchive.ietf.org/arch/browse/dance/

Group page: https://datatracker.ietf.org/group/dance/

Charter: https://datatracker.ietf.org/doc/charter-ietf-dance/

# Objective

The DANE Authentication for Network Clients Everywhere (DANCE) WG seeks to
extend DANE (RFC 6698) to encompass TLS client authentication using
certificates or Raw Public Keys (RPK).

# Problem Statement

The process of establishing trust in public-key-authenticated identity
typically involves the use of a Public Key Infrastructure (PKI), and a shared
PKI root of trust between the parties exchanging public keys. A Certification
Authority (CA) is one example of a root of trust for a PKI, which can be then
used for establishing trust in certified public keys.

The DNS namespace, together with DNSSEC, forms the most widely-recognized
namespace and authenticated lookup mechanism on the Internet. DANE built on
this authenticated lookup mechanism to enable public key-based TLS
authentication which is resilient to impersonation, but only for TLS server
identities. However, the DANE WG did not define authentication for TLS client
identities.

In response to the challenges related to ambiguity between identically named
identities issued by different CAs, application owners frequently choose to
onboard client identities to a single private PKI with a limited CA set that
is specific to that vertical. This creates a silo effect where different
parts of large deployments cannot communicate. Examples of where DANCE could
be useful include SMTP transport client authentication, authentication of
DNS authoritative server to server zone file transfers over TLS,
authentication to DNS recursive servers, and Internet of Things (IoT) device
identification.

# Scope of work

DANCE will specify the DANE-enabled TLS client authentication use cases and
an architecture describing the primary components and interaction patterns.

DANCE will define how DNS DANE records will represent client identities for
TLS connections.

DANCE will coordinate with the TLS working group to define any TLS protocol
updates required to support client authentication using DANE.

The DANCE scope of work will be initially limited to just TLS client
authentication. Future work may include using client identifiers for other
tasks including object security, or authenticating to other protocols.

# Deliverables:

* DANCE architecture and use cases (e.g., IoT, SMTP client,
authentication to DNS services) document (9 months)

* DANE client authentication and publication practices (6 months after
architecture)

* A TLS extension to indicate DANE identification capability and the
client's DANE identity name (6 months after architecture)

Milestones:

  Jul 2022 - DANCE architecture and use cases to WGLC

  Jan 2023 - DANE client authentication and publication practice to WGLC

  Jan 2023 - TLS extension to indicate DANE identification capability and the
  client's DANE identity name to WGLC





From nobody Tue Sep 14 07:33:59 2021
Return-Path: <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96C693A2198; Tue, 14 Sep 2021 07:33:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level: 
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6n9XNYid5at; Tue, 14 Sep 2021 07:33:54 -0700 (PDT)
Received: from a48-92.smtp-out.amazonses.com (a48-92.smtp-out.amazonses.com [54.240.48.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA3293A2199; Tue, 14 Sep 2021 07:33:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1631630030; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=YNslsXyqBdvS0hZyf351RUAexr/OlJhqIIUqNZMpI6A=; b=agC2Kz2q0tzSK6cXwDVIrMcZrwDfN1xCWBlLMpcZFoLcstRy8Mcn4ht8SjY1LjNW tdInCuz4j8dpsNpD2pi2rxCmveNT3+9kCOmVV5/UbWvNNzGDBTfIIY1uWTr3+dUC3bF J691bYzeQ4k1ft/Rcq7GjX/NSiqzw/SvbONKipvQ=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1E8278FA-2AD2-4C52-BDF0-4BDA2143D848"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 14 Sep 2021 14:33:50 +0000
In-Reply-To: <034d01d79e3d$a5b5d5b0$f1218110$@smyslov.net>
Cc: secdir@ietf.org, draft-ietf-netconf-crypto-types.all@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
To: Valery Smyslov <valery@smyslov.net>
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net> <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@email.amazonses.com> <034d01d79e3d$a5b5d5b0$f1218110$@smyslov.net>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.09.14-54.240.48.92
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/d48svo0jy2lIZWE95HqiQkz25kc>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 14:33:57 -0000

--Apple-Mail=_1E8278FA-2AD2-4C52-BDF0-4BDA2143D848
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi Valery,

Reducing to just the open bits…

>> Is your concern that the certificate’s content would be visible to the administrators?  Is your comment on end-entity certificates (containing personally-identifying information), more than trust-anchor-certificates?
>>
>>           Yes, it’s mostly on end-entity certificates, however there may be quite a lot of interesting private information besides certificates.
>>
>>           If this information is only visible to the administrators and the used management protocols must have mutual authentication, then it’s probably not a big deal. I would have still added a sentence about privacy of the stored data (i.e. that persons, that are allowed to access this data are able to learn quite a lot of private information from it). I don’t insist though, it’s up to you.
>
> I added the following to Section 3.8 (The "ietf-crypto-types" YANG Module).
>
>              The "cert-data" node:
>
>                    The "cert-data" node, defined in both the "trust-anchor-cert-grouping"
>                     and "end-entity-cert-grouping" groupings, is additionally sensitive to
>                     read operations, as certificates sometimes convey personally identifying
>                     information (especially end-entity certificates).  However, as it is
>                     commonly understood that certificates are "public", the NACM extension
>                     "nacm:default-deny-write" (not "default-deny-all") has been applied. It
>                     is RECOMMENDED that implementations adjust read-access to certificates
>                     to comply with local policy.
>
> Is this okay?
>
>           Yes, thanks.
>
> Separately, I thought about if there are any other values in the module that may have privacy concerns but was unable to locate any.
>
>           certificate-signing-request?


Of course, CSRs contain similar information as certs but, from the “crypto-types” module perspective, CSRs are never *configured*, as they are only conveyed in dynamic RPCs, and therefore the readability of them from any other than the originator is negligent.  Hence I do not believe that extending the comment above to CSRs is warranted.  Thoughts?


>
>
>>> Section 3.5.
>>> While I understand and support the idea, expressed in this section, I think that
>>> the way it is expressed makes it difficult to follow in practice. In general, it's
>>> not always obvious how to estimate the "strength" of the underlying secure transport.
>>> For this reason it's not clear for me how it is supposed to "compare" the
>>> "strength" of the transport with the "strength" of the keys being transported.
>
>
> All comments from this point to the end regard the Security Consideration "Strength of Keys Conveyed" (was "Strength of Keys Configured").  I rewrote the section as follows.  Can you please check for accuracy?
>
>       Strength of Keys Conveyed
>
>            When accessing key values, it is desirable that implementations
>             ensure that the strength of the keys being accessed is not greater
>             than the strength of the underlying secure transport connection
>             over which the keys are conveyed.  However, comparing key strengths
>             can be complicated and difficult to implement in practice.
>
>            That said, expert Security opinion suggests that already it is
>             infeasible to break a 128-bit key using a classical computer, and
>
>           s/key/symmetric key/

amended.


>             thus the concern for conveying higher-strength keys begins to lose
>             its allure.
>
>             Implementations SHOULD only use transport algorithms to those
>
>           s/transport algorithms/secure transport/
>
That substitution by itself seems to result in an incomplete sentence.  How about this:

	"Implementations SHOULD only use secure transport algorithms meeting local policy."

>             meeting local policy.  A reasonable policy may, e.g., state that
>             only algorithms listed as "recommended" by the IETF be used.
>
>           s\algorithms/ciphersuites/
>

Done.

>             Another reasonable policy may be to only use quantum-resistant
>             algorithms.
>
>           Works for me with changes above. I would only add a few words at the end of the second para that things may change in the future (e.g. if full-size quantum computers appear), so it is recommended to follow up-to-date advice from crypto community when protecting transport channel.
>
>           I would also remove the last sentence in the last para, mostly because
>           it’s difficult to follow in practice (we still know not much about post-quantum crypto and generally it’s not yet widely supported in protocols like TLS) and instead reference RFC 7525 which contains recommendations how to use TLS in applications.  I don’t know if a similar RFC exists for SSH, sorry...
>

I removed the last sentence but did NOT add “a few words”, because the existing text already covers the “need to stay current” angle.  The current “last” paragraph reads:

            Implementations SHOULD only use secure transport algorithms
            meeting local policy.  A reasonable policy may, e.g., state that
            only ciphersuites listed as "recommended" by the IETF be used.


Good?


Kent


--Apple-Mail=_1E8278FA-2AD2-4C52-BDF0-4BDA2143D848
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Hi =
Valery,<div class=3D""><br class=3D""><div>Reducing to just the open =
bits=E2=80=A6</div><div><br class=3D""></div><div><blockquote =
type=3D"cite" class=3D""><div class=3D"WordSection1" style=3D"page: =
WordSection1; caret-color: rgb(0, 0, 0); font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><div style=3D"border-style: none none none =
solid; border-left-width: 1.5pt; border-left-color: blue; padding: 0cm =
0cm 0cm 4pt;" class=3D""><div class=3D""><div class=3D""><blockquote =
style=3D"margin-top: 5pt; margin-bottom: 5pt;" class=3D"" =
type=3D"cite"><div style=3D"border-style: none none none solid; =
border-left-width: 1.5pt; border-left-color: blue; padding: 0cm 0cm 0cm =
4pt;" class=3D""><div class=3D""><div class=3D""><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;" class=3D""><span lang=3D"EN-US" =
class=3D"">Is your concern that the certificate=E2=80=99s content would =
be visible to the administrators? &nbsp;</span>Is your comment on =
end-entity certificates (containing personally-identifying information), =
more than trust-anchor-certificates?<o:p =
class=3D""></o:p></div></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D"">&nbsp;<o:p class=3D""></o:p></div></div></div><div =
class=3D""><div class=3D""><div style=3D"margin: 0cm 0cm 0.0001pt;" =
class=3D""><span lang=3D"EN-US" style=3D"font-family: &quot;Times New =
Roman&quot;, serif; font-size: 12pt; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span =
class=3D"apple-converted-space">&nbsp;</span></span><span lang=3D"EN-US" =
style=3D"font-family: Calibri, sans-serif; font-size: 14pt; color: =
rgb(68, 84, 106);" class=3D"">Yes, it=E2=80=99s mostly on end-entity =
certificates, however there may be quite a lot of =
interesting</span><span lang=3D"EN-US" class=3D""><font face=3D"Times =
New Roman, serif" size=3D"3" class=3D"">&nbsp;</font></span><span =
style=3D"font-family: Calibri, sans-serif; font-size: 14pt; color: =
rgb(68, 84, 106);" class=3D"">private information besides =
certificates.</span></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><o:p class=3D""></o:p></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: =
14pt; font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;</span><o:p class=3D""></o:p></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: =
14pt; font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If =
this information is only visible to the administrators and the used =
management protocols must<span =
class=3D"apple-converted-space">&nbsp;</span></span><span style=3D"color: =
rgb(68, 84, 106); font-family: Calibri, sans-serif; font-size: 14pt;" =
class=3D"">have mutual authentication, then it=E2=80=99s probably not a =
big deal. I would have still added&nbsp;</span><span style=3D"color: =
rgb(68, 84, 106); font-family: Calibri, sans-serif; font-size: 14pt;" =
class=3D"">a sentence about privacy of the stored data (i.e. that =
persons, that are allowed to access this data&nbsp;</span><span =
style=3D"color: rgb(68, 84, 106); font-family: Calibri, sans-serif; =
font-size: 14pt;" class=3D"">are able to learn quite a lot of private =
information from it). I don=E2=80=99t insist though, it=E2=80=99s up to =
you.</span></div></div></div></div></div></div></blockquote><div =
class=3D"" style=3D"font-family: Helvetica; font-size: 14px;"><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D"">I added the following to Section 3.8 (The "ietf-crypto-types" =
YANG Module).<o:p class=3D""></o:p></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><p class=3D"MsoNormal" style=3D"margin: 0cm =
0cm 12pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The "cert-data" =
node:<o:p class=3D""></o:p></p></div><div class=3D"" style=3D"font-family:=
 Helvetica; font-size: 14px;"><p class=3D"MsoNormal" style=3D"margin: =
0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;The "cert-data" node, defined in&nbsp;both the =
"trust-anchor-cert-grouping"<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;and =
"end-entity-cert-grouping"&nbsp;groupings, is additionally sensitive =
to<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;&nbsp;read operations, as certificates&nbsp;sometimes =
convey personally identifying<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;information (especially =
end-entity&nbsp;certificates).&nbsp;&nbsp;However, as it is<br =
class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;&nbsp;commonly understood that certificates&nbsp;are =
"public", the NACM extension<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"nacm:default-deny-write" =
(not&nbsp;"default-deny-all") has been applied. It<br class=3D"">&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;is =
RECOMMENDED that implementations&nbsp;adjust read-access to =
certificates<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;to comply with local policy.<o:p =
class=3D""></o:p></p></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D"">Is this okay?<span lang=3D"EN-US" class=3D""><o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; font-family: =
Calibri, sans-serif; color: rgb(68, 84, 106);" class=3D""><o:p =
class=3D"">&nbsp;</o:p></span></div><div style=3D"margin: 0cm 0cm =
0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Yes, =
thanks.<o:p class=3D""></o:p></span></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D"">Separately, I thought about if there are any other values in =
the module that may have privacy concerns but was unable to locate =
any.<span lang=3D"EN-US" class=3D""><o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; font-family: =
Calibri, sans-serif; color: rgb(68, 84, 106);" class=3D""><o:p =
class=3D"">&nbsp;</o:p></span></div><div style=3D"margin: 0cm 0cm =
0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
certificate-signing-request?</span></div></div></div></div></div></div></b=
lockquote><div><br class=3D""></div><div><br class=3D""></div><div>Of =
course, CSRs contain similar information as certs but, from the =
=E2=80=9Ccrypto-types=E2=80=9D module perspective, CSRs are never =
*configured*, as they are only conveyed in dynamic RPCs, and therefore =
the readability of them from any other than the originator is negligent. =
&nbsp;Hence I do not believe that extending the comment above to CSRs is =
warranted. &nbsp;Thoughts?</div><div><br class=3D""></div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div class=3D""><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; font-family: =
Calibri, sans-serif; color: rgb(68, 84, 106);" class=3D""><o:p =
class=3D""></o:p></span></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><blockquote style=3D"font-family: =
Helvetica; font-size: 14px; margin-top: 5pt; margin-bottom: 5pt;" =
class=3D"" type=3D"cite"><div style=3D"border-style: none none none =
solid; border-left-width: 1.5pt; border-left-color: blue; padding: 0cm =
0cm 0cm 4pt;" class=3D""><div class=3D""><div class=3D""><blockquote =
style=3D"margin-top: 5pt; margin-bottom: 5pt;" class=3D"" =
type=3D"cite"><div class=3D""><div class=3D""><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;" class=3D"">Section 3.5.<br =
class=3D"">While I understand and support the idea, expressed in this =
section, I think that<br class=3D"">the way it is expressed makes it =
difficult to follow in practice. In general, it's<br class=3D"">not =
always obvious how to estimate the "strength" of the underlying secure =
transport.<br class=3D"">For this reason it's not clear for me how it is =
supposed to "compare" the<span =
class=3D"apple-converted-space">&nbsp;</span><br class=3D"">"strength" =
of the transport with the "strength" of the keys being transported.<o:p =
class=3D""></o:p></div></div></div></div></blockquote></div></div></div></=
blockquote><div class=3D"" style=3D"font-family: Helvetica; font-size: =
14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; =
font-family: &quot;Times New Roman&quot;, serif;" class=3D""><o:p =
class=3D"">&nbsp;</o:p></div></div><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><o:p class=3D"">&nbsp;</o:p></div></div><div class=3D"" =
style=3D"font-family: Helvetica; font-size: 14px;"><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;" class=3D""><span style=3D"" =
class=3D"">All comments from this point to the end regard the Security =
Consideration "Strength of Keys Conveyed=E2=80=9D (was&nbsp;"Strength of =
Keys&nbsp;Configured=E2=80=9D). &nbsp;I rewrote the section as follows. =
&nbsp;Can you please check for&nbsp;accuracy?<o:p =
class=3D""></o:p></span></div></div><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><span style=3D"" class=3D""><o:p =
class=3D"">&nbsp;</o:p></span></div></div><div class=3D""><div =
style=3D"margin: 0cm 0cm 0.0001pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;" class=3D""><span style=3D"" =
class=3D"">&nbsp; &nbsp; &nbsp;&nbsp;Strength of Keys Conveyed<o:p =
class=3D""></o:p></span></div></div><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><span style=3D"" class=3D""><br =
class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;When accessing key =
values, it is desirable&nbsp;that implementations<br class=3D"">&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;ensure that the strength of the =
keys being&nbsp;accessed is not greater<br class=3D"">&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;than the strength of the underlying =
secure&nbsp;transport connection<br class=3D"">&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp;&nbsp;over which the keys are =
conveyed.&nbsp;&nbsp;However,&nbsp;comparing key strengths<br =
class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;can be =
complicated and difficult to implement&nbsp;in practice.<o:p =
class=3D""></o:p></span></div></div><div class=3D""><div style=3D"margin: =
0cm 0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New =
Roman&quot;, serif;" class=3D""><span style=3D"" class=3D""><br =
class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;That said, expert =
Security opinion suggests&nbsp;that already it is<br class=3D"">&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;infeasible to break a 128-bit =
key using a&nbsp;classical computer, and&nbsp;</span><span lang=3D"EN-US" =
style=3D"color: rgb(68, 84, 106);" class=3D""><o:p =
class=3D""></o:p></span></div><div style=3D"margin: 0cm 0cm 0.0001pt; =
font-size: 12pt; font-family: &quot;Times New Roman&quot;, serif;" =
class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; font-family: =
Calibri, sans-serif; color: rgb(68, 84, 106);" class=3D""><o:p =
class=3D"">&nbsp;</o:p></span></div><div style=3D"margin: 0cm 0cm =
0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
s/key/symmetric =
key/</span></div></div></div></div></div></div></div></blockquote><div><br=
 class=3D""></div>amended.</div><div><br class=3D""></div><div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div class=3D""><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div class=3D""><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D""><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D""><o:p class=3D""></o:p></span></div><div style=3D"margin: 0cm =
0cm 0.0001pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;" class=3D""><span lang=3D"EN-US" style=3D"" class=3D"">&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;thus the concern for conveying =
higher-strength keys begins to lose&nbsp;<br class=3D"">&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;its allure.<o:p =
class=3D""></o:p></span></div></div><div class=3D""><p class=3D"MsoNormal"=
 style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: =
&quot;Times New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"" =
class=3D""><br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;Implementations SHOULD only use transport&nbsp;algorithms to =
those&nbsp;</span><span lang=3D"EN-US" style=3D"color: rgb(68, 84, =
106);" class=3D""><o:p class=3D""></o:p></span></p><p class=3D"MsoNormal" =
style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times =
New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
s/transport algorithms/secure =
transport/</span></p></div></div></div></div></div></div></blockquote><fon=
t color=3D"#000000" class=3D"">That&nbsp;substitution by itself seems to =
result in an incomplete sentence. &nbsp;How about this: =
&nbsp;</font></div><div><font color=3D"#000000" class=3D""><br =
class=3D""></font></div><div><font color=3D"#000000" class=3D""><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span>"<span =
style=3D"caret-color: rgb(0, 0, 0);" class=3D"">Implementations SHOULD =
only use secure transport&nbsp;algorithms&nbsp;meeting local =
policy.=E2=80=9D</span></font></div><div><font color=3D"#000000" =
class=3D""><span style=3D"caret-color: rgb(0, 0, 0);" class=3D""><br =
class=3D""></span></font><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div class=3D""><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div class=3D""><p class=3D"MsoNormal" =
style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times =
New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D""><o:p class=3D""></o:p></span></p><p class=3D"MsoNormal" =
style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times =
New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"" class=3D"">&nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</span><span style=3D"" =
class=3D"">meeting local policy.&nbsp;&nbsp;A reasonable =
policy&nbsp;may, e.g., state that&nbsp;<br class=3D"">&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;only algorithms listed as "recommended" =
by&nbsp;the IETF be used.</span><span lang=3D"EN-US" style=3D"color: =
rgb(68, 84, 106);" class=3D""><o:p class=3D""></o:p></span></p><p =
class=3D"MsoNormal" style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; =
font-family: &quot;Times New Roman&quot;, serif;"><span lang=3D"EN-US" =
style=3D"font-size: 14pt; font-family: Calibri, sans-serif; color: =
rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
s\algorithms/ciphersuites/</span></p></div></div></div></div></div></div><=
/blockquote><div><br class=3D""></div><div>Done.</div><div><br =
class=3D""></div><blockquote type=3D"cite" class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
style=3D"border-style: none none none solid; border-left-width: 1.5pt; =
border-left-color: blue; padding: 0cm 0cm 0cm 4pt;" class=3D""><div =
class=3D""><div class=3D""><div class=3D"" style=3D"font-family: =
Helvetica; font-size: 14px;"><div class=3D""><p class=3D"MsoNormal" =
style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times =
New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"font-size: 14pt; =
font-family: Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D""><o:p class=3D""></o:p></span></p><p class=3D"MsoNormal" =
style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; font-family: &quot;Times =
New Roman&quot;, serif;"><span lang=3D"EN-US" style=3D"" class=3D"">&nbsp;=
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;Another reasonable policy may =
be to only use&nbsp;quantum-resistant&nbsp;<br class=3D"">&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;algorithms.<o:p =
class=3D""></o:p></span></p><p class=3D"MsoNormal" style=3D"margin: 0cm =
0cm 12pt; font-size: 12pt; font-family: &quot;Times New Roman&quot;, =
serif;"><span lang=3D"EN-US" style=3D"font-size: 14pt; font-family: =
Calibri, sans-serif; color: rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Works =
for me with changes above. I would only add a few words at the end of =
the second para that<span =
class=3D"Apple-converted-space">&nbsp;</span>things may change in the =
future (e.g. if full-size quantum computers appear),&nbsp;so it is =
recommended to follow up-to-date advice from crypto community&nbsp;when =
protecting transport channel.<o:p class=3D""></o:p></span></p><p =
class=3D"MsoNormal" style=3D"margin: 0cm 0cm 12pt; font-size: 12pt; =
font-family: &quot;Times New Roman&quot;, serif;"><span lang=3D"EN-US" =
style=3D"font-size: 14pt; font-family: Calibri, sans-serif; color: =
rgb(68, 84, 106);" =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I =
would also remove the last sentence in the last para, mostly because<br =
class=3D"">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; it=E2=80=
=99s difficult to follow in practice (we still know not much about =
post-quantum crypto&nbsp;and generally it=E2=80=99s not yet widely =
supported in protocols like TLS) and instead reference RFC =
7525&nbsp;which contains recommendations how to use TLS in applications. =
&nbsp;I don=E2=80=99t know if a similar RFC exists for SSH, sorry...<br =
class=3D""></span></p></div></div></div></div></div></div></blockquote><di=
v><br class=3D""></div><div><span style=3D"caret-color: rgb(0, 0, 0); =
color: rgb(0, 0, 0);" class=3D"">I removed the last sentence =
but&nbsp;</span>did NOT add =E2=80=9Ca few words=E2=80=9D, because the =
existing text already covers the =E2=80=9Cneed to stay current=E2=80=9D =
angle. &nbsp;The current =E2=80=9Clast=E2=80=9D paragraph =
reads:</div><div><br class=3D""></div><div>&nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;&nbsp;Implementations SHOULD only use secure&nbsp;transport =
algorithms&nbsp;<br class=3D"">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;meeting local policy.&nbsp;&nbsp;A reasonable =
policy&nbsp;may, e.g., state that<br class=3D"">&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp;&nbsp;only ciphersuites listed as "recommended" =
by&nbsp;the IETF be used.<br class=3D""><br class=3D""></div><div><br =
class=3D""></div><div>Good?</div><div><br class=3D""></div><div><br =
class=3D""></div><div>Kent</div><div><br =
class=3D""></div></div></div></body></html>=

--Apple-Mail=_1E8278FA-2AD2-4C52-BDF0-4BDA2143D848--


From nobody Tue Sep 14 07:59:16 2021
From: "Valery Smyslov" <valery@smyslov.net>
To: "'Kent Watsen'" <kent+ietf@watsen.net>
Cc: <secdir@ietf.org>, <draft-ietf-netconf-crypto-types.all@ietf.org>, <netconf@ietf.org>
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net> <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@email.amazonses.com> <034d01d79e3d$a5b5d5b0$f1218110$@smyslov.net> <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@email.amazonses.com>
In-Reply-To: <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@email.amazonses.com>
Date: Tue, 14 Sep 2021 17:59:03 +0300
Message-ID: <0cc201d7a979$10ab7cd0$32027670$@smyslov.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0CC3_01D7A992.35FBC210"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/waZt-eFm7lv1cMlGGf2didBhDC4>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20
List-Id: Security Area Directorate <secdir.ietf.org>

This is a multipart message in MIME format.

------=_NextPart_000_0CC3_01D7A992.35FBC210
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Kent,

Hi Valery,

Reducing to just the open bits…

Is your concern that the certificate’s content would be visible to the administrators?  Is your comment on end-entity certificates (containing personally-identifying information), more than trust-anchor-certificates?

          Yes, it’s mostly on end-entity certificates, however there may be quite a lot of interesting private information besides certificates.

          If this information is only visible to the administrators and the used management protocols must have mutual authentication, then it’s probably not a big deal. I would have still added a sentence about privacy of the stored data (i.e. that persons, that are allowed to access this data are able to learn quite a lot of private information from it). I don’t insist though, it’s up to you.

I added the following to Section 3.8 (The "ietf-crypto-types" YANG Module).

             The "cert-data" node:

                   The "cert-data" node, defined in both the "trust-anchor-cert-grouping"
                    and "end-entity-cert-grouping" groupings, is additionally sensitive to
                    read operations, as certificates sometimes convey personally identifying
                    information (especially end-entity certificates).  However, as it is
                    commonly understood that certificates are "public", the NACM extension
                    "nacm:default-deny-write" (not "default-deny-all") has been applied. It
                    is RECOMMENDED that implementations adjust read-access to certificates
                    to comply with local policy.

Is this okay?

          Yes, thanks.

Separately, I thought about if there are any other values in the module that may have privacy concerns but was unable to locate any.

          certificate-signing-request?

Of course, CSRs contain similar information as certs but, from the “crypto-types” module perspective, CSRs are never *configured*, as they are only conveyed in dynamic RPCs, and therefore the readability of them from any other than the originator is negligent.  Hence I do not believe that extending the comment above to CSRs is warranted.  Thoughts?

          OK, thanks for the explanation.

Section 3.5.
While I understand and support the idea, expressed in this section, I think that
the way it is expressed makes it difficult to follow in practice. In general, it's
not always obvious how to estimate the "strength" of the underlying secure transport.
For this reason it's not clear for me how it is supposed to "compare" the
"strength" of the transport with the "strength" of the keys being transported.

All comments from this point to the end regard the Security Consideration "Strength of Keys Conveyed” (was "Strength of Keys Configured”).  I rewrote the section as follows.  Can you please check for accuracy?

      Strength of Keys Conveyed

           When accessing key values, it is desirable that implementations
            ensure that the strength of the keys being accessed is not greater
            than the strength of the underlying secure transport connection
            over which the keys are conveyed.  However, comparing key strengths
            can be complicated and difficult to implement in practice.

           That said, expert Security opinion suggests that already it is
            infeasible to break a 128-bit key using a classical computer, and

          s/key/symmetric key/

amended.

            thus the concern for conveying higher-strength keys begins to lose
            its allure.

            Implementations SHOULD only use transport algorithms to those

          s/transport algorithms/secure transport/

That substitution by itself seems to result in an incomplete sentence.  How about this:

          "Implementations SHOULD only use secure transport algorithms meeting local policy.”

          I was trying to avoid using combination of words “transport algorithm”
          just to make text more accurate (usually we have transport protocols,
          which are implemented using some crypto algorithms, if we talk
          about secure transports). So how about:

          Implementations SHOULD only use secure transport protocols meeting local policy.

          ?

            meeting local policy.  A reasonable policy may, e.g., state that
            only algorithms listed as "recommended" by the IETF be used.

          s\algorithms/ciphersuites/

Done.

            Another reasonable policy may be to only use quantum-resistant
            algorithms.

          Works for me with changes above. I would only add a few words at the end of the second para that things may change in the future (e.g. if full-size quantum computers appear), so it is recommended to follow up-to-date advice from crypto community when protecting transport channel.

          I would also remove the last sentence in the last para, mostly because
          it’s difficult to follow in practice (we still know not much about post-quantum crypto and generally it’s not yet widely supported in protocols like TLS) and instead reference RFC 7525 which contains recommendations how to use TLS in applications.  I don’t know if a similar RFC exists for SSH, sorry...

I removed the last sentence but did NOT add “a few words”, because the existing text already covers the “need to stay current” angle.  The current “last” paragraph reads:

            Implementations SHOULD only use secure transport algorithms
            meeting local policy.  A reasonable policy may, e.g., state that
            only ciphersuites listed as "recommended" by the IETF be used.

Good?

          Works for me if you replace “algorithms” with “protocols” :-)

          (I still think that referencing RFC 7525 would be helpful, but it’s up to you, it’s definitely not a big deal).

          Thank you,
          Valery.

Kent


------=_NextPart_000_0CC3_01D7A992.35FBC210
Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 14 (filtered =
medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DRU =
link=3D"#0563C1" vlink=3D"#954F72" style=3D'word-wrap: =
break-word;-webkit-nbsp-mode: space;line-break:after-white-space'><div =
class=3DWordSection1><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>Hi Kent,<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><p class=3DMsoNormal>Hi Valery,<o:p></o:p></p><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><p =
class=3DMsoNormal>Reducing to just the open =
bits=E2=80=A6<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><div><div><div><p class=3DMsoNormal><span =
lang=3DEN-US>Is your concern that the certificate=E2=80=99s content =
would be visible to the administrators? &nbsp;</span>Is your comment on =
end-entity certificates (containing personally-identifying information), =
more than =
trust-anchor-certificates?<o:p></o:p></p></div></div></div><div><div><div=
><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div></div><div><div><div><=
p class=3DMsoNormal><span lang=3DEN-US =
style=3D'color:#44546A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;<span class=3Dapple-converted-space>&nbsp;</span></span><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>Yes, it=E2=80=99s mostly on end-entity certificates, however there =
may be quite a lot of interesting</span><span =
lang=3DEN-US>&nbsp;</span><span =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>private information besides =
certificates.</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If this =
information is only visible to the administrators and the used =
management protocols must<span =
class=3Dapple-converted-space>&nbsp;</span></span><span =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>have mutual authentication, then it=E2=80=99s probably not a big =
deal. I would have still added&nbsp;a sentence about privacy of the =
stored data (i.e. that persons, that are allowed to access this =
data&nbsp;are able to learn quite a lot of private information from it). =
I don=E2=80=99t insist though, it=E2=80=99s up to =
you.</span><o:p></o:p></p></div></div></div></div></div></div></blockquot=
e><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>I added the following to Section 3.8 (The =
&quot;ietf-crypto-types&quot; YANG =
Module).<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'>&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;The &quot;cert-data&quot; =
node:<o:p></o:p></p></div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;The &quot;cert-data&quot; node, defined =
in&nbsp;both the &quot;trust-anchor-cert-grouping&quot;<br>&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;and =
&quot;end-entity-cert-grouping&quot;&nbsp;groupings, is additionally =
sensitive to<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;&nbsp;read operations, as certificates&nbsp;sometimes =
convey personally identifying<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;information (especially =
end-entity&nbsp;certificates).&nbsp;&nbsp;However, as it is<br>&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;commonly understood that certificates&nbsp;are =
&quot;public&quot;, the NACM extension<br>&nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;&quot;nacm:default-deny-write&quot; =
(not&nbsp;&quot;default-deny-all&quot;) has been applied. It<br>&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;is =
RECOMMENDED that implementations&nbsp;adjust read-access to =
certificates<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp;&nbsp;to comply with local =
policy.<o:p></o:p></p></div><div><div><p class=3DMsoNormal>Is this =
okay?<o:p></o:p></p></div><div><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;</span><o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Yes, =
thanks.</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>Separately, I thought about if there are any other =
values in the module that may have privacy concerns but was unable to =
locate any.<o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;</span><o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
certificate-signing-request?</span><o:p></o:p></p></div></div></div></div=
></div></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Of course, CSRs contain similar information as certs =
but, from the =E2=80=9Ccrypto-types=E2=80=9D module perspective, CSRs =
are never *configured*, as they are only conveyed in dynamic RPCs, and =
therefore the readability of them from any other than the originator is =
negligent. &nbsp;Hence I do not believe that extending the comment above =
to CSRs is warranted. &nbsp;Thoughts?<span =
lang=3DEN-US><o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 OK, thanks for =
the explanation.<o:p></o:p></span></p></div><div><p =
class=3DMsoNormal><span =
lang=3DEN-US><o:p>&nbsp;</o:p></span></p></div><p =
class=3DMsoNormal><span lang=3DEN-US><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><div><div><p class=3DMsoNormal><span =
lang=3DEN-US>&nbsp;<o:p></o:p></span></p></div></div><div><div><p =
class=3DMsoNormal><span =
lang=3DEN-US>&nbsp;<o:p></o:p></span></p></div></div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><div><p =
class=3DMsoNormal>Section 3.5.<br>While I understand and support the =
idea, expressed in this section, I think that<br>the way it is expressed =
makes it difficult to follow in practice. In general, it's<br>not always =
obvious how to estimate the &quot;strength&quot; of the underlying =
secure transport.<br>For this reason it's not clear for me how it is =
supposed to &quot;compare&quot; the<span =
class=3Dapple-converted-space>&nbsp;</span><br>&quot;strength&quot; of =
the transport with the &quot;strength&quot; of the keys being =
transported.<o:p></o:p></p></div></div></div></div></blockquote></div></d=
iv></div></blockquote><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><div><p =
class=3DMsoNormal>All comments from this point to the end regard the =
Security Consideration &quot;Strength of Keys Conveyed=E2=80=9D =
(was&nbsp;&quot;Strength of Keys&nbsp;Configured=E2=80=9D). &nbsp;I =
rewrote the section as follows. &nbsp;Can you please check =
for&nbsp;accuracy?<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp; &nbsp; &nbsp;&nbsp;Strength of Keys =
Conveyed<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;When =
accessing key values, it is desirable&nbsp;that =
implementations<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;ensure =
that the strength of the keys being&nbsp;accessed is not =
greater<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;than the =
strength of the underlying secure&nbsp;transport connection<br>&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;over which the keys are =
conveyed.&nbsp;&nbsp;However,&nbsp;comparing key strengths<br>&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;can be complicated and difficult =
to implement&nbsp;in practice.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;That =
said, expert Security opinion suggests&nbsp;that already it is<br>&nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;infeasible to break a 128-bit =
key using a&nbsp;classical computer, =
and&nbsp;<o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;</span><o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
s/key/symmetric =
key/</span><o:p></o:p></p></div></div></div></div></div></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><p =
class=3DMsoNormal>amended.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><br><br><o:p></o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><div><div><div><p class=3DMsoNormal><span =
lang=3DEN-US>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;thus the =
concern for conveying higher-strength keys begins to =
lose&nbsp;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;its =
allure.</span><o:p></o:p></p></div></div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><span lang=3DEN-US><br>&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;Implementations SHOULD only use =
transport&nbsp;algorithms to those&nbsp;</span><o:p></o:p></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; s/transport =
algorithms/secure =
transport/</span><o:p></o:p></p></div></div></div></div></div><p =
class=3DMsoNormal><span style=3D'color:black'>That&nbsp;substitution by =
itself seems to result in an incomplete sentence. &nbsp;How about this: =
&nbsp;</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><span class=3Dapple-tab-span><span =
style=3D'color:black'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0 </span></span><span style=3D'color:black'>&quot;Implementations =
SHOULD only use secure transport&nbsp;algorithms&nbsp;meeting local =
policy.=E2=80=9D</span><span lang=3DEN-US><o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 I was trying =
to avoid using combination of words =E2=80=9Ctransport =
algorithm=E2=80=9D<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 just to make =
text more accurate (usually we have transport =
protocols,<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 which are =
implemented using some crypto algorithms, if we =
talk<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 about secure =
transports). So how about:<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =
Implementations SHOULD only use secure transport protocols meeting local =
policy.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =
?<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-US style=3D'color:black'><br><br></span><span =
lang=3DEN-US><o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><span lang=3DEN-US>&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp;&nbsp;</span>meeting local policy.&nbsp;&nbsp;A =
reasonable policy&nbsp;may, e.g., state that&nbsp;<br>&nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;only algorithms listed as =
&quot;recommended&quot; by&nbsp;the IETF be used.<o:p></o:p></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
s\algorithms/ciphersuites/</span><o:p></o:p></p></div></div></div></div><=
/div><div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Done.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm =
4.0pt'><div><div><div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><span lang=3DEN-US>&nbsp; &nbsp; &nbsp; =
&nbsp; &nbsp; &nbsp;&nbsp;Another reasonable policy may be to only =
use&nbsp;quantum-resistant&nbsp;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;algorithms.</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Works for me =
with changes above. I would only add a few words at the end of the =
second para that<span class=3Dapple-converted-space>&nbsp;</span>things =
may change in the future (e.g. if full-size quantum computers =
appear),&nbsp;so it is recommended to follow up-to-date advice from =
crypto community&nbsp;when protecting transport =
channel.</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; I would also =
remove the last sentence in the last para, mostly =
because<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
it=E2=80=99s difficult to follow in practice (we still know not much =
about post-quantum crypto&nbsp;and generally it=E2=80=99s not yet widely =
supported in protocols like TLS) and instead reference RFC =
7525&nbsp;which contains recommendations how to use TLS in applications. =
&nbsp;I don=E2=80=99t know if a similar RFC exists for SSH, =
sorry...</span><o:p></o:p></p></div></div></div></div></div></blockquote>=
<div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><span style=3D'color:black'>I removed the last =
sentence but&nbsp;</span>did NOT add =E2=80=9Ca few words=E2=80=9D, =
because the existing text already covers the =E2=80=9Cneed to stay =
current=E2=80=9D angle. &nbsp;The current =E2=80=9Clast=E2=80=9D =
paragraph reads:<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;Implementations SHOULD only use secure&nbsp;transport =
algorithms&nbsp;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;meeting local policy.&nbsp;&nbsp;A reasonable =
policy&nbsp;may, e.g., state that<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; =
&nbsp;&nbsp;only ciphersuites listed as &quot;recommended&quot; =
by&nbsp;the IETF be used.<span =
lang=3DEN-US><o:p></o:p></span></p></div><div><p =
class=3DMsoNormal>Good?<span lang=3DEN-US><o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-US =
style=3D'color:#44546A'><o:p>&nbsp;</o:p></span></p></div><div><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Works for me =
if you replace =E2=80=9Calgorithms=E2=80=9D with =
=E2=80=9Cprotocols=E2=80=9D :-)<o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 (I still think =
that referencing RFC 7525 would be helpful, but it=E2=80=99s up to you, =
it=E2=80=99s definitely not a big deal).<o:p></o:p></span></p><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'><span lang=3DEN-US =
style=3D'font-size:14.0pt;font-family:"Calibri","sans-serif";color:#44546=
A'>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Thank =
you,<br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =
Valery.<o:p></o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
lang=3DEN-US><o:p>&nbsp;</o:p></span></p></div><div><p =
class=3DMsoNormal><span =
lang=3DEN-US><o:p>&nbsp;</o:p></span></p></div><div><p =
class=3DMsoNormal>Kent<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></div></div></bo=
dy></html>
------=_NextPart_000_0CC3_01D7A992.35FBC210--
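
The message above settles on "nacm:default-deny-write" rather than "default-deny-all" for "cert-data" and leaves read restrictions to local policy. The following is an added example, not text from the draft or from either participant: a simplified Python model of how NACM (RFC 8341) decides data-node access, showing what each extension blocks when no rule matches and how a local-policy rule changes read access. The node paths, group names and the prefix-based path matching are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

READ, WRITE = "read", "write"  # WRITE stands in for create/update/delete


@dataclass(frozen=True)
class Node:
    path: str
    default_deny: Optional[str] = None  # None, "write" or "all" (NACM extension)


@dataclass(frozen=True)
class Rule:
    path_prefix: str             # simplification of the NACM rule "path" leaf
    operations: FrozenSet[str]
    action: str                  # "permit" or "deny"


@dataclass(frozen=True)
class RuleList:
    groups: FrozenSet[str]
    rules: tuple


@dataclass
class Nacm:
    rule_lists: List[RuleList] = field(default_factory=list)
    read_default: str = "permit"   # RFC 8341 default
    write_default: str = "deny"    # RFC 8341 default

    def decide(self, user_groups, node, op):
        groups = frozenset(user_groups)
        # 1. The first matching rule in a rule-list for the user's groups wins.
        for rule_list in self.rule_lists:
            if not (rule_list.groups & groups):
                continue
            for rule in rule_list.rules:
                if op in rule.operations and node.path.startswith(rule.path_prefix):
                    return rule.action
        # 2. No rule matched: the extension on the node applies.
        if node.default_deny == "all":
            return "deny"
        if node.default_deny == "write" and op == WRITE:
            return "deny"
        # 3. Otherwise the global defaults apply.
        return self.read_default if op == READ else self.write_default


# Hypothetical nodes: one tagged default-deny-write (as "cert-data" is),
# one tagged default-deny-all for contrast.
CERT_DATA = Node("/example-keystore/certificate/cert-data", default_deny="write")
SECRET = Node("/example-keystore/secret-value", default_deny="all")

# Hypothetical local policy: PKI admins manage certificates, operators may
# not read certificate contents (which may carry personal data).
LOCAL_POLICY = [
    RuleList(frozenset({"pki-admins"}),
             (Rule("/example-keystore/certificate", frozenset({READ, WRITE}), "permit"),)),
    RuleList(frozenset({"operators"}),
             (Rule("/example-keystore/certificate/cert-data", frozenset({READ}), "deny"),)),
]


def evaluate_scenarios():
    """Return {(policy, group, node, op): decision} for both policies."""
    results = {}
    policies = (("no-rules", Nacm()), ("local-policy", Nacm(rule_lists=LOCAL_POLICY)))
    for label, nacm in policies:
        for group in ("operators", "pki-admins"):
            for name, node in (("cert-data", CERT_DATA), ("secret", SECRET)):
                for op in (READ, WRITE):
                    results[(label, group, name, op)] = nacm.decide({group}, node, op)
    return results


if __name__ == "__main__":
    for key, decision in evaluate_scenarios().items():
        print(*key, "->", decision)
```

With no rules configured, every group can read the default-deny-write node, which is the exposure the review comment raised; the operators rule closes it without affecting the PKI admins.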


From nobody Tue Sep 14 10:04:15 2021
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100017be5436c1b-801549ca-b4b1-41a1-bdb7-9f1429d5450e-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EE1235DC-76E4-4762-8E0D-21D7398B92E5"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 14 Sep 2021 17:03:26 +0000
In-Reply-To: <0cc201d7a979$10ab7cd0$32027670$@smyslov.net>
Cc: secdir@ietf.org, draft-ietf-netconf-crypto-types.all@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
To: Valery Smyslov <valery@smyslov.net>
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net> <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@email.amazonses.com> <034d01d79e3d$a5b5d5b0$f1218110$@smyslov.net> <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@email.amazonses.com> <0cc201d7a979$10ab7cd0$32027670$@smyslov.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GfFamx9SeSjFWApo2n6KdPkRl2s>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20

--Apple-Mail=_EE1235DC-76E4-4762-8E0D-21D7398B92E5
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Hi Valery,


>             Implementations SHOULD only use transport algorithms to those
>
>           s/transport algorithms/secure transport/
>
> That substitution by itself seems to result in an incomplete sentence.  How about this:
>
>           "Implementations SHOULD only use secure transport algorithms meeting local policy."
>
>           I was trying to avoid using combination of words “transport algorithm”
>           just to make text more accurate (usually we have transport protocols,
>           which are implemented using some crypto algorithms, if we talk
>           about secure transports). So how about:
>
>           Implementations SHOULD only use secure transport protocols meeting local policy.
>
>           ?


Done.



> I removed the last sentence but did NOT add “a few words”, because the existing text already covers the “need to stay current” angle.  The current “last” paragraph reads:
>
>             Implementations SHOULD only use secure transport algorithms
>             meeting local policy.  A reasonable policy may, e.g., state that
>             only ciphersuites listed as "recommended" by the IETF be used.
>
> Good?
>
>           Works for me if you replace “algorithms” with “protocols” :-)
>

Done (per above)

>           (I still think that referencing RFC 7525 would be helpful, but it’s up to you, it’s definitely not a big deal).
>

Added.   Resulting diffs here: https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-crypto-types-21.txt


>           Thank you,
>           Valery.
>

No, thank you!  :)

K.


--Apple-Mail=_EE1235DC-76E4-4762-8E0D-21D7398B92E5--


From nobody Tue Sep 14 14:59:07 2021
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Linda Dunbar via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-danyliw-replace-ftp-pointers.all@ietf.org, last-call@ietf.org
Message-ID: <163165670610.12129.8493956242740023211@ietfa.amsl.com>
Reply-To: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Tue, 14 Sep 2021 14:58:26 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/rmEp-nZSFdZZzwaxs8MKeQGpHaU>
Subject: [secdir] Secdir last call review of draft-danyliw-replace-ftp-pointers-03

Reviewer: Linda Dunbar
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document changes the FTP link to URL links for all the RFCs that reference
the IETF FTP services.

Very good.
Linda Dunbar



From nobody Wed Sep 15 02:38:24 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CD1333A0A9D; Wed, 15 Sep 2021 02:38:21 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Steve Hanna via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-lamps-rfc7299-update.all@ietf.org, last-call@ietf.org, spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163169870178.28115.9749565789693881234@ietfa.amsl.com>
Reply-To: Steve Hanna <steve@hannas.com>
Date: Wed, 15 Sep 2021 02:38:21 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/qKXYbwwxwvXkMMyobi__sMc_pbA>
Subject: [secdir] Secdir last call review of draft-ietf-lamps-rfc7299-update-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 09:38:22 -0000

Reviewer: Steve Hanna
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The summary of the review is Ready.

This short document adds a small number of object identifiers to the IANA
registry for PKIX. These OIDs were assigned in RFC 4212 but accidentally not
included in RFC 7299. This RFC will rectify that error. I see no problems from
a security standpoint. In fact, there will be some slight improvement because
readers will be able to find the OIDs in the registry.

Nothing substantive here but it should be approved.




From nobody Wed Sep 15 04:58:21 2021
Return-Path: <valery@smyslov.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC023A1572; Wed, 15 Sep 2021 04:57:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level: 
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=smyslov.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2Zo3_3ER1Z8; Wed, 15 Sep 2021 04:57:51 -0700 (PDT)
Received: from direct.host-care.com (direct.host-care.com [198.136.54.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C72343A156B; Wed, 15 Sep 2021 04:57:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smyslov.net ; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To: References:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=L90exu+FSjMEOLystqNLX3iQEO8e7K1GJPoUyMgPOhU=; b=k2FUwRMfaKjhJnbUUG/zzjduCB NrUAKFzVPGfTVuTEERzaJxX4oxX5pozUOO39ZSI8QhF2s0paHesJ24+NvbgmIIlvN4HPGBJTos3bi SkQQAA77t19KAWKQz0kgKBEsgN2dsaVDQ8CYxXUf0YLU4S6LKvAkz+g9sbl0dv2PCr489RT8URFD5 QooDYM1C42PjmK3OX4XoUuinFHNOcVglAVynHzhkc+W30HawRlLUSE9VKzrdkAnVOQVh/oiuhInJG pjDJmFKiH9XyCWLsgIjs+e++k5vKBFhJU8UqIeTq7fJdTXIoFAjMRwj+Gfa1hNWleUFlcVIXFV9Gh FvloarGg==;
Received: from [93.188.44.204] (port=58298 helo=buildpc) by direct.host-care.com with esmtpsa (TLS1.2) tls TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <valery@smyslov.net>) id 1mQTXu-0003Xz-FH; Wed, 15 Sep 2021 07:57:46 -0400
From: "Valery Smyslov" <valery@smyslov.net>
To: "'Kent Watsen'" <kent+ietf@watsen.net>
Cc: <secdir@ietf.org>, <draft-ietf-netconf-crypto-types.all@ietf.org>, <netconf@ietf.org>
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net> <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@email.amazonses.com> <034d01d79e3d$a5b5d5b0$f1218110$@smyslov.net> <0100017be4ba7624-b2b8c900-5ee4-431a-b902-422a4576bd62-000000@email.amazonses.com> <0cc201d7a979$10ab7cd0$32027670$@smyslov.net> <0100017be5436c1b-801549ca-b4b1-41a1-bdb7-9f1429d5450e-000000@email.amazonses.com>
In-Reply-To: <0100017be5436c1b-801549ca-b4b1-41a1-bdb7-9f1429d5450e-000000@email.amazonses.com>
Date: Wed, 15 Sep 2021 14:57:45 +0300
Message-ID: <0d8501d7aa28$e76bbb90$b64332b0$@smyslov.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0D86_01D7AA42.0CB98FD0"
X-Mailer: Microsoft Outlook 14.0
Content-Language: ru
Thread-Index: AQGndKy5sGszK4BuDx47nymU5VnBUwHC5W7jAisjdPUBQDIbDgLhFR17AQVyoUcCVr8fQQJEGiXfq5fqOOA=
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - direct.host-care.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - smyslov.net
X-Get-Message-Sender-Via: direct.host-care.com: authenticated_id: valery@smyslov.net
X-Authenticated-Sender: direct.host-care.com: valery@smyslov.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Qx2FOxFOse-xMN-2ZkmhWNdxAYQ>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 11:57:56 -0000

This is a multipart message in MIME format.

------=_NextPart_000_0D86_01D7AA42.0CB98FD0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: 8bit

Hi Kent,

          (I still think that referencing RFC 7525 would be helpful, but
it’s up to you, it’s definitely not a big deal).

Added.   Resulting diffs here:
https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-crypto-types-21.txt

          Good, my concerns are resolved. Thank you for your patience
and collaboration.

          Regards,

          Valery.

------=_NextPart_000_0D86_01D7AA42.0CB98FD0--


From nobody Wed Sep 15 14:37:30 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C3DA3A1403; Wed, 15 Sep 2021 14:37:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: alto@ietf.org, draft-ietf-alto-unified-props-new.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163174184742.9427.9373192733692803905@ietfa.amsl.com>
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Date: Wed, 15 Sep 2021 14:37:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/uhS5FKY1XLGQLvEVkLjx6AxMWMU>
Subject: [secdir] Secdir last call review of draft-ietf-alto-unified-props-new-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 21:37:28 -0000

Reviewer: Paul Wouters
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The summary of the review is Has Nits

This document extends RFC 7285 (the ALTO protocol) with some new registries and
values. As such, there is no real change to the protocol, only to the possible
information conveyed via the ALTO protocol. Therefore it is appropriate to refer
to RFC 7285 for the Security Considerations, as is done in this document.

While extensions to a protocol don't necessitate an Updates: clause, in this
case I think it should because the document addresses shortcomings in the
original protocol. That is, new implementations are expected to really require
implementing this new document as part of the "core specification". Thus
implementers reading 7285 should really be warned to also read (and implement)
this document.

The IANA considerations are quite verbose. Usually, this section only contains
the minimal information for an IANA operator to read to implement the requested
changes. In this case there is lots of text on justifying things that are
better omitted or written out in another section.

The new IANA registries do not all seem to allow for private use registrations?
This means technically any new value cannot be tested unless by violating the
RFC. At least, that is my reading but I'm a little confused by it.




From nobody Wed Sep 15 15:27:22 2021
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E90BB3A163C; Wed, 15 Sep 2021 15:27:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG0NcBx3-GaT; Wed, 15 Sep 2021 15:27:12 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107AD3A163E; Wed, 15 Sep 2021 15:27:09 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QZH0W319YD8OB@wwwlocal.goatley.com>; Wed, 15 Sep 2021 17:27:08 -0500 (CDT)
Received: from blockhead.lan ([166.170.39.190]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QZH00F2GY4BXX@trixy.bergandi.net>; Wed, 15 Sep 2021 15:21:48 -0700 (PDT)
Received: from mobile-166-170-39-190.mycingular.net ([166.170.39.190] EXTERNAL) (EHLO blockhead.lan) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Wed, 15 Sep 2021 15:21:48 -0700
Date: Wed, 15 Sep 2021 15:27:05 -0700
From: Dan Harkins <dharkins@lounge.org>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-dnsop-dnssec-iana-cons.all@ietf.org
Message-id: <68420a02-674d-a842-e331-7dcd144dd7f8@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary=------------B0761D5DD8CE2E024F7F353B
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=166.170.39.190)
X-PMAS-External-Auth: mobile-166-170-39-190.mycingular.net [166.170.39.190] (EHLO blockhead.lan)
X-PMAS-Software: PreciseMail V3.3 [210914] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/8gQiIPytHmv4K28RMlzLw8iIT2g>
Subject: [secdir] secdir last call review of draft-ietf-dnsop-dnssec-iana-cons
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 22:27:15 -0000

This is a multi-part message in MIME format.
--------------B0761D5DD8CE2E024F7F353B
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit


   Hello,

   I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is "Ready with nits". The nits are:

   - maybe it's the source or maybe it's datatracker, but there are two
     references in section 1 (the first word of the 2nd and 3rd paragraph)
     that should be hotlinked but aren't.

   - the problem statement in section 1 is a bit confusing. It says that
     "[RFC8126] gives guidelines for listing in the myriad IANA registries."
     Full stop, end of paragraph. Then next paragraph it says how an earlier
     document, RFC 6014, updated the requirements for how values in some
     registries get assigned. So... 6014 didn't follow 8126 because it
     didn't exist yet. So what's the point of mentioning 8126? Yes, it
     lists guidelines...and? I don't think anything will be lost in the
     draft if the entire 2nd paragraph of section 1 (the single sentence)
     and its Normative Reference are removed. Suggest doing so.

   - the Security Considerations should, I think, instruct the reader that
     the burden for deciding between "good algorithms" and "bad algorithms"
     belongs to the implementer/user now. There's a decision that now has
     to be made-- it can't be passed off to the IETF and their Standards
     Action-- and there are security considerations to that decision. I
     suggest that be highlighted.

   regards,

   Dan.

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius


--------------B0761D5DD8CE2E024F7F353B--


From nobody Wed Sep 15 15:50:22 2021
Return-Path: <paul.hoffman@icann.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AA63A1748; Wed, 15 Sep 2021 15:50:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8BhlE1y2ufx; Wed, 15 Sep 2021 15:50:02 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 849273A1742; Wed, 15 Sep 2021 15:50:02 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa2.lax.icann.org (8.16.0.43/8.16.0.43) with ESMTPS id 18FMo199020031 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 15 Sep 2021 22:50:01 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.922.13; Wed, 15 Sep 2021 15:50:00 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0922.013; Wed, 15 Sep 2021 15:50:00 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Dan Harkins <dharkins@lounge.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>, "draft-ietf-dnsop-dnssec-iana-cons.all@ietf.org" <draft-ietf-dnsop-dnssec-iana-cons.all@ietf.org>
Thread-Topic: [Ext] secdir last call review of draft-ietf-dnsop-dnssec-iana-cons
Thread-Index: AQHXqoDYCE+8DoBPf0S5iUxzz/SBraumKF0A
Date: Wed, 15 Sep 2021 22:50:00 +0000
Message-ID: <823893DD-F80D-42A9-99CD-13520CDDD91B@icann.org>
References: <68420a02-674d-a842-e331-7dcd144dd7f8@lounge.org>
In-Reply-To: <68420a02-674d-a842-e331-7dcd144dd7f8@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_0AA443B0-66AA-438C-99ED-463E1E798E16"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-09-15_07:2021-09-15, 2021-09-15 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wjdEvlfUZ_kk0InepXUnNs_U980>
Subject: Re: [secdir] [Ext] secdir last call review of draft-ietf-dnsop-dnssec-iana-cons
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 22:50:09 -0000

--Apple-Mail=_0AA443B0-66AA-438C-99ED-463E1E798E16
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

On Sep 15, 2021, at 3:27 PM, Dan Harkins <dharkins@lounge.org> wrote:
>   I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of the review is "Ready with nits". The nits are:
>
>   - maybe it's the source or maybe it's datatracker, but there are two
>     references in section 1 (the first word of the 2nd and 3rd paragraph)
>     that should be hotlinked but aren't.

That does seem to be an artifact of the HTMLizer in the Datatracker.
The XML source shows those as normal links.

>   - the problem statement in section 1 is a bit confusing. It says that
>     "[RFC8126] gives guidelines for listing in the myriad IANA registries."
>     Full stop, end of paragraph. Then next paragraph it says how an earlier
>     document, RFC 6014, updated the requirements for how values in some
>     registries get assigned. So... 6014 didn't follow 8126 because it
>     didn't exist yet. So what's the point of mentioning 8126? Yes, it
>     lists guidelines...and? I don't think anything will be lost in the
>     draft if the entire 2nd paragraph of section 1 (the single sentence)
>     and its Normative Reference are removed. Suggest doing so.

Good catch. I'll clean that up before IESG consideration.

>
>   - the Security Considerations should, I think, instruct the reader that
>     the burden for deciding between "good algorithms" and "bad algorithms"
>     belongs to the implementer/user now. There's a decision that now has
>     to be made-- it can't be passed off to the IETF and their Standards
>     Action-- and there are security considerations to that decision. I
>     suggest that be highlighted.

That seems fair. RFC 8624 only covers what implementers are expected to
support, but it seems reasonable to say something in the security
considerations that deciding based on standards track is now even a
worse idea.

Thanks for the review!

--Paul Hoffman


--Apple-Mail=_0AA443B0-66AA-438C-99ED-463E1E798E16
Content-Disposition: attachment; filename="smime.p7s"
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64


--Apple-Mail=_0AA443B0-66AA-438C-99ED-463E1E798E16--


From nobody Thu Sep 16 07:31:00 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5303B3A2B0F for <secdir@ietf.org>; Thu, 16 Sep 2021 07:30:58 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <163180265832.17425.7992628573384716111@ietfa.amsl.com>
Date: Thu, 16 Sep 2021 07:30:58 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hlWR6qinIX-KPh0oIZEdQP09L7U>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Sep 2021 14:30:59 -0000

Review instructions and related resources are at:
https://trac.ietf.org/trac/sec/wiki/SecDirReview

For telechat 2021-09-23

Reviewer               LC end     Draft
John Bradley           2021-09-06 draft-ietf-core-senml-data-ct
Tim Polk               2021-08-06 draft-ietf-opsawg-vpn-common
Samuel Weiler         R2020-06-11 draft-ietf-trill-multilevel-single-nickname

Last calls:

Reviewer               LC end     Draft
Derek Atkins           2021-09-07 draft-ietf-bess-evpn-optimized-ir
John Bradley           2021-09-06 draft-ietf-core-senml-data-ct
Shaun Cooley           2021-09-06 draft-ietf-jmap-smime
Daniel Franke          2021-09-22 draft-ietf-cbor-network-addresses
Phillip Hallam-Baker   2021-09-21 draft-ietf-cbor-cddl-control
Steve Hanna            2021-03-22 draft-ietf-regext-secure-authinfo-transfer
Russ Housley           2021-09-28 draft-ietf-pim-bfd-p2mp-use-case
Christian Huitema      2021-09-28 draft-ietf-sfc-proof-of-transit
Charlie Kaufman        2021-09-28 draft-ietf-sfc-nsh-tlv
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer
Tim Polk               2021-08-06 draft-ietf-opsawg-vpn-common
Stefan Santesson       2021-08-11 draft-ietf-bier-te-arch
Samuel Weiler          2021-08-25 draft-ietf-alto-path-vector
Samuel Weiler         R2020-06-11 draft-ietf-trill-multilevel-single-nickname
Brian Weis             2021-08-19 draft-ietf-dnsop-svcb-https
Klaas Wierenga         2021-08-30 draft-ietf-alto-cdni-request-routing-alto
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth
Liang Xia              2021-09-07 draft-ietf-bess-evpn-igmp-mld-proxy
Liang Xia              2021-03-17 draft-ietf-core-sid
Dacheng Zhang          2021-09-07 draft-ietf-bess-evpn-bum-procedure-updates

Early review requests:

Reviewer               Due        Draft
Donald Eastlake        2021-09-15 draft-ietf-ippm-ioam-flags
Stephen Farrell        2021-09-15 draft-ietf-ippm-ioam-direct-export
Stephen Farrell        2021-06-21 draft-ietf-idr-bgpls-srv6-ext
Tina Tsou              2021-08-25 draft-ietf-opsawg-sbom-access
Sean Turner            2021-08-18 draft-ietf-taps-interface
Loganaden Velvindron   2021-08-18 draft-ietf-taps-arch

Next in the reviewer rotation:

  Scott Kelly
  Tero Kivinen
  Watson Ladd
  Barry Leiba
  Chris Lonvick
  Aanchal Malhotra
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault


From nobody Sun Sep 19 20:48:21 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A50203A0E75; Sun, 19 Sep 2021 20:48:18 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Christian Huitema via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org, last-call@ietf.org, sfc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.37.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163210969860.31323.5718880916818308072@ietfa.amsl.com>
Reply-To: Christian Huitema <huitema@huitema.net>
Date: Sun, 19 Sep 2021 20:48:18 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oatRrqmn1SSSqpwxBmTtu9DDYqc>
Subject: [secdir] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Sep 2021 03:48:19 -0000

Reviewer: Christian Huitema
Review result: Serious Issues

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document proposes a security mechanism to prove that traffic transited through
all specified nodes in a path. The mechanism works by adding a short option to
each packet for which transit shall be verified. The option consists of a random number
set by the originator of the packet, and a sum field to which each transit node
adds a value depending on public parameters, on the random number and on secrets
held by the node. The destination has access to all the secrets held by the nodes
on the path, and can verify whether or not the final sum corresponds to the sum
of expected values. The proposed size of the random number and the sum field is 64 bits.

In the paragraph above, I described the mechanism without mentioning the algorithm
used to compute these 64 bit numbers. The 64 bit size is obviously a concern: for
cryptographic applications, 64 bits is not a large number, and that might be a
weakness whatever the proposed algorithm. The actual algorithm appears to be a
bespoke derivation of Shamir's Secret Sharing algorithm (SSS). In other words, it is
a case of "inventing your own crypto".

SSS relies on the representation of polynomials as a sum of
Lagrange Basis Polynomials. Each of the participating nodes holds a share of the
secret represented by a point on the polynomial curve. A polynomial of degree
K on the field of integers modulo a prime number N can only be revealed if at
least K+1 participants reveal the value of their point. The safety of the
algorithm relies on the size of the number N and on the fact that the
secret shall be revealed only once. But the algorithm does not use SSS
directly, so it deserves its own security analysis instead of relying 
simply on Shamir's work.

The proposed algorithm uses two polynomials of degree K for a path containing
K+1 nodes, on a field defined by a prime number N of 64 bits. One of the
polynomials, POLY-1, is secret, and only fully known by the verifying node.
The other, POLY-2, is public, with the constant coefficient set at a random
value RND for each packet.

For each packet, the goal is to compute the value of POLY-1 plus POLY-2 at the
point 0 -- that is, the constant coefficient of POLY-3 = POLY-1 + POLY-2.

Without going into too much detail, one can observe that the constant
coefficient of POLY-3 is equal to the sum of the constant coefficients
of POLY-1 and POLY-2, and that the constant coefficient of POLY-2 is
the value RND present in each packet. In the example given in section
3.3.2, the numbers are computed modulo 53, the constant coefficient
of POLY-1 is 10, and the value RND is 45. The final sum CML is indeed
10 + 45 = 2 mod 53.

To me, this appears as a serious weakness in the algorithm. If an adversary
can observe the value RND and CML for a first packet, it can retrieve the
constant coefficient of POLY-1, and thus can predict the value of CML for
any other packet. That does not seem very secure.

My recommendation would be to present the problem and ask the CFRG for 
algorithm recommendations.
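
The observation in the review above can be checked numerically. The following Python sketch is an added example, not code from the draft or from the reviewer: it models the scheme as the review summarizes it, taking only the modulus 53, the POLY-1 constant 10 and RND = 45 from the review, while the remaining coefficients and the node x-values are constructed for illustration.

```python
"""Toy model of the two-polynomial transit check summarized in the review.

Constructed for illustration: only the modulus 53, the POLY-1 constant 10 and
RND = 45 come from the review; every other coefficient and the node x-values
are made up here.
"""

P = 53                  # prime modulus of the small example cited in the review
POLY1 = [10, 3, 3]      # secret polynomial, constant term first (3, 3 are constructed)
POLY2_HIGH = [7, 10]    # public non-constant coefficients of POLY-2 (constructed)
NODE_X = [2, 4, 5]      # one public x-value per transit node (constructed)


def poly_eval(coeffs, x, p=P):
    """Evaluate a polynomial with constant-term-first coefficients, mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lagrange_at_zero(xs, i, p=P):
    """Lagrange basis coefficient of node i for interpolating the value at x = 0."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != i:
            num = (num * -xj) % p
            den = (den * (xs[i] - xj)) % p
    return (num * pow(den, -1, p)) % p   # modular inverse, Python 3.8+


def node_contribution(i, rnd, p=P):
    """Value transit node i adds to the cumulative field for a packet carrying rnd."""
    share1 = poly_eval(POLY1, NODE_X[i], p)               # node's share of POLY-1
    share2 = poly_eval([rnd] + POLY2_HIGH, NODE_X[i], p)  # POLY-2 with RND as constant
    return ((share1 + share2) * lagrange_at_zero(NODE_X, i, p)) % p


def transit(rnd, nodes=range(len(NODE_X)), p=P):
    """Cumulative value (CML) after the packet has crossed the given nodes."""
    cml = 0
    for i in nodes:
        cml = (cml + node_contribution(i, rnd, p)) % p
    return cml


def verify(rnd, cml, p=P):
    """Verifier's check: CML must equal POLY-1(0) + RND."""
    return cml == (POLY1[0] + rnd) % p


def recovered_constant(rnd, cml, p=P):
    """What one observed (RND, CML) pair discloses: the constant term of POLY-1."""
    return (cml - rnd) % p


def predicted_cml(secret_constant, rnd, p=P):
    """CML that follows from that constant for any RND, with no node secrets involved."""
    return (secret_constant + rnd) % p


if __name__ == "__main__":
    cml = transit(45)
    print("CML for RND=45:", cml, "accepted:", verify(45, cml))
    print("CML with node 1 skipped accepted:", verify(45, transit(45, nodes=[0, 2])))
    print("constant recovered from one packet:", recovered_constant(45, cml))
```

The check does reject a packet that skipped a node when the cumulative field is computed honestly, but the accepted value is the same function of RND for every packet, which is the reviewer's point.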



From nobody Tue Sep 21 09:17:24 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6953A07BC; Tue, 21 Sep 2021 09:17:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Russ Housley via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: draft-ietf-pim-bfd-p2mp-use-case.all@ietf.org, last-call@ietf.org, pim@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.38.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163224103532.4850.12172127983159243773@ietfa.amsl.com>
Reply-To: Russ Housley <housley@vigilsec.com>
Date: Tue, 21 Sep 2021 09:17:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7jeA9UyZgoG2E-YXRIK646SEU1A>
Subject: [secdir] Secdir last call review of draft-ietf-pim-bfd-p2mp-use-case-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2021 16:17:16 -0000

Reviewer: Russ Housley
Review result: Has Issues

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Document: draft-ietf-pim-bfd-p2mp-use-case-07
Reviewer: Russ Housley
Review Date: 2021-09-21
IETF LC End Date: 2021-09-28
IESG Telechat date: Unknown


Summary: Has Issues


Major Concerns:  None


Minor Concerns:

General: All of the field names in this document use camel case, except
one.  I think the document would be easier to read if My Discriminator
were to use the same convention.  Also, HeadDiscriminator would be
more descriptive.

Section 2.1 says:

   The head MUST include the BFD Discriminator option in its Hello
   messages.

This MUST statement could be much more complete:

   The head MUST include the BFD Discriminator option in its Hello
   messages, and it MUST include a 4-byte My Discriminator with a
   value other than zero.

Section 2.3: s/must set/MUST set/


Nits:

Section 1, para 1 could be more clear and more forceful.  I suggest:

   Faster convergence in the control plane minimizes the periods of
   traffic blackholing, transient routing loops, and other situations
   that may negatively affect service data flow.  Faster convergence
   in the control plane is beneficial to unicast and multicast routing
   protocols.

Section 1, para 2: s/DR is to act on behalf/DR acts on behalf/

Section 1, para 3: The first sentence is very unclear.  I cannot offer
an improvement because it is too hard to parse.

Section 1, para 3: s/networks precisely/networks, and it precisely/

Section 1.1.1: s/familiarity/Familiarity/




From nobody Tue Sep 21 16:20:59 2021
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A3CF3A098D; Tue, 21 Sep 2021 16:20:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.696
X-Spam-Level: 
X-Spam-Status: No, score=-0.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5YwPBAPG2w5T; Tue, 21 Sep 2021 16:20:52 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAD3A3A0983; Tue, 21 Sep 2021 16:20:48 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id v22so2455103edd.11; Tue, 21 Sep 2021 16:20:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7MFbjHaIu8MVezCbVqlmbGIsAoOStNOrsc4qGNsCRbU=; b=fVpcPt/Sac1YgsJPGR2hUgIJtFFxphOxydRoXWp9s8npgbuGyCMv9cSR3+Z10OtkT2 12S0SNV0vW6SUjE6iWL7S7Tk8UhYPX9eadwFHpbPfWS/+AY/iKIAlwa2CEd3cLVGO3Kv NHeiTgRca7NAsYxQxe7Mjg35anQjtk7AXo4VJOLKEGPn59c/2HPUyHPaC4TCX1EOT3mp sKV6b5zSBcPdpMMK+xK+6myezTWAEnqmFxcvDQAtYGTLWLjMlwJJTdno2iFLBmmDHF/y uV/ng+4EmJNzz+AZe7hm5szU0OeTjGFUS6XumVdQdIvjM6HOq6a/hLlI5vPXQy4ETFQC A/9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7MFbjHaIu8MVezCbVqlmbGIsAoOStNOrsc4qGNsCRbU=; b=6FtAxc++5hLQh/mwKD7LptkCYcpxY9sgLkOr3DOpvjtb5tFSUgKDnrD1OT9SpBM/SB THyGXASfkEp2nZDq7jCrkCoFoVRgl4wUoguXAMlMZ5f9J+h4wPYED9dF4qLkl50Qymc+ VQMICj7ve20qAyAFnQf6zvaKVWIhEstPyrJZMnGp7oEU5tCcTrVDfsPM2YEpIiyoAOPi x+9bN5CVPSI6z2cBkhafTHbR8WRLZNWlgIGz9fJBpx8YzqiYYTlH4R1AfDO8n8TbZj5C EdsiOyKp1J+87AyJbugKqWqSW9ir+QhE6g3BqJ8Z2k4LND3dlpaCgHTAXvuF64xdXvX9 n+ig==
X-Gm-Message-State: AOAM532+ba7FNDdYEcf1XLyrGmQ1REuXOUsFhfb2A07Itvah3ooSWyzs inQ0nOrkue5hURRSsbPRPjdq6lu39jn5cM1UEEadMmcz1KwSyw==
X-Google-Smtp-Source: ABdhPJwWNBk3g3L1Bx/7B2quiTTGAEapuo8lR626pHdbKRoGwjQ4aeWTis1M1p5fr9ct2SIlvlC0Odd1hWsZtPv71pk=
X-Received: by 2002:a05:6402:694:: with SMTP id f20mr38492440edy.100.1632266446777;  Tue, 21 Sep 2021 16:20:46 -0700 (PDT)
MIME-Version: 1.0
References: <163224103532.4850.12172127983159243773@ietfa.amsl.com>
In-Reply-To: <163224103532.4850.12172127983159243773@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 21 Sep 2021 16:20:35 -0700
Message-ID: <CA+RyBmVdUgF4gvyiwy-KGq=Z1wss9m1ZbpjOCExp+y9UOEdn5g@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: secdir@ietf.org, draft-ietf-pim-bfd-p2mp-use-case.all@ietf.org,  last-call@ietf.org, pim@ietf.org
Content-Type: multipart/mixed; boundary="000000000000bd509205cc89a539"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fuz35jDXL5kqq57dt61VoEzpxDQ>
Subject: Re: [secdir] Secdir last call review of draft-ietf-pim-bfd-p2mp-use-case-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Sep 2021 23:20:58 -0000

--000000000000bd509205cc89a539
Content-Type: multipart/alternative; boundary="000000000000bd509105cc89a537"

--000000000000bd509105cc89a537
Content-Type: text/plain; charset="UTF-8"

Hi Russ,
thank you for your thorough review, thoughtful and helpful suggestions.
Please find my notes in-lined below under the GIM>> tag. I've attached the
new working version and the diff.

Regards,
Greg

On Tue, Sep 21, 2021 at 9:17 AM Russ Housley via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Russ Housley
> Review result: Has Issues
>
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
>
> Document: draft-ietf-pim-bfd-p2mp-use-case-07
> Reviewer: Russ Housley
> Review Date: 2021-09-21
> IETF LC End Date: 2021-09-28
> IESG Telechat date: Unknown
>
>
> Summary: Has Issues
>
>
> Major Concerns:  None
>
>
> Minor Concerns:
>
> General: All of the field names in this document use camel case, except
> one.  I think the document would be easier to read if My Discriminator
> were to use the same convention.  Also, HeadDiscriminator would be
> more descriptive.
>
GIM>> Thank you for pointing this out to me. I agree with the proposed
update of the field name. The remaining references in the text to My
Discriminator use the convention of RFC 5880. I hope that is acceptable.

>
> Section 2.1 says:
>
>    The head MUST include the BFD Discriminator option in its Hello
>    messages.
>
> This MUST statement could be much more complete:
>
>    The head MUST include the BFD Discriminator option in its Hello
>    messages, and it MUST include a 4-byte My Discriminator with a
>    value other than zero.
>
GIM>> Thank you, I agree with the proposed text with a minor modification
based on re-naming of the field to HeadDiscriminator. Below is the update:
OLD TEXT:
   The head MUST include the BFD Discriminator option in its Hello
   messages.
NEW TEXT:
   The head MUST include the BFD Discriminator option in its Hello
   messages, and it MUST include a 4-byte HeadDiscriminator with a value
   other than zero.


> Section 2.3: s/must set/MUST set/
>
GIM>> Thank you. Done.

>
>
> Nits:
>
> Section 1, para 1 could be more clear and more forceful.  I suggest:
>
>    Faster convergence in the control plane minimizes the periods of
>    traffic blackholing, transient routing loops, and other situations
>    that may negatively affect service data flow.  Faster convergence
>    in the control plane is beneficial to unicast and multicast routing
>    protocols.
>
GIM>> Thank you for the suggested text. Accepted.

>
> Section 1, para 2: s/DR is to act on behalf/DR acts on behalf/
>
GIM>> Thank you. Done.

>
> Section 1, para 3: The first sentence is very unclear.  I cannot offer
> an improvement because it is too hard to parse.
>
GIM>> Would the following update make it clearer:
OLD TEXT:
   Bidirectional Forwarding Detection (BFD) [RFC5880] had been
   originally defined to detect a failure of point-to-point (p2p) paths
   - single-hop [RFC5881], multihop [RFC5883].
NEW TEXT:
   Bidirectional Forwarding Detection (BFD) [RFC5880] had been
   originally defined to detect a failure of a point-to-point (p2p)
   path, single-hop [RFC5881] or multihop [RFC5883].


> Section 1, para 3: s/networks precisely/networks, and it precisely/
>
GIM>> Thank you. Accepted.

>
> Section 1.1.1: s/familiarity/Familiarity/
>
GIM>> Done.

--000000000000bd509105cc89a537--

--000000000000bd509205cc89a539
Content-Type: text/plain; charset="US-ASCII";
 name="draft-ietf-pim-bfd-p2mp-use-case-08.txt"
Content-Disposition: attachment; 
 filename="draft-ietf-pim-bfd-p2mp-use-case-08.txt"
Content-Transfer-Encoding: base64
Content-ID: <f_ktupa61a0>
X-Attachment-Id: f_ktupa61a0

--000000000000bd509205cc89a539
Content-Type: text/html; charset="UTF-8"; 
 name="Diff_ draft-ietf-pim-bfd-p2mp-use-case-07.txt -
 draft-ietf-pim-bfd-p2mp-use-case-08.txt.html"
Content-Disposition: attachment; 
 filename="Diff_ draft-ietf-pim-bfd-p2mp-use-case-07.txt -
 draft-ietf-pim-bfd-p2mp-use-case-08.txt.html"
Content-Transfer-Encoding: base64
Content-ID: <f_ktupabuk1>
X-Attachment-Id: f_ktupabuk1
--000000000000bd509205cc89a539--


From nobody Wed Sep 22 14:24:54 2021
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F333A0863; Wed, 22 Sep 2021 14:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level: 
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YK-o1pcYZHkR; Wed, 22 Sep 2021 14:24:20 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13E873A084E; Wed, 22 Sep 2021 14:24:17 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id y197so5267637iof.11; Wed, 22 Sep 2021 14:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;  h=mime-version:from:date:message-id:subject:to:cc; bh=S1nexqenueCERDZC9krCjJE+LEJlryoM6D7/F2xpros=; b=Q0sCF7JVEng2S+E7NsYiKBoMdTPCt3UrgCk3X6/ACw7YEizw3PCBstjWo9YVz73UAJ 7su8NPmgcQLoR8dyj4rpVQ92tbq2XKak1oA937acUjQ4NPxUYZs7PRX7BXxVY2YSD+tu 6k45mZQC3xSbqcjK7bcCJZYMqxJz5ncVxEUeMkV7rvsR/cnaqh6CUpVbnwTon5PBbo98 ESP9Q6DpL9uifAWri4A/+gAd0j06Fv3HzST9OqMC+E4CqN3jLdRcc/alpenQWv+mp5OJ OfACStpOJ1kowOR9tisC/GzWbw6o40UCsNWxzKHwkBWVbXy+q+kbJObafDMOohb1IrLU gJaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=S1nexqenueCERDZC9krCjJE+LEJlryoM6D7/F2xpros=; b=RYCyX/N24SBE9udf212/cmtHzVyCVbFh9ym2IXov1NfTKqUPZy3xlPzO0+unpNi9hK z6znTEszrWjtsAfCOd2OPOI4B9zVHL97TKJ6qo13Cjd3ZZP19ndHI5H2oSCPv1roakqP +3KdXwBXgh53zvK7dUhib0fYRk13E8sHBhzo4z3ez9w11DiyiSyvqM/FGrMT6Huda6ea h3392peBjLQmLBQUdzpskh1gIs/RkyOJrgYXSBJ7m5smg7fSZJRMzD4PmrxEPQgmU7oX 4VQBfniCHQQv3qwt3dGO/K70LuwuF4RPtubS1Di+7gBhz1XZ5q94PYIZWGNquDeCjElP iBVg==
X-Gm-Message-State: AOAM533DX+uiLWYQyLDkodqavdAm+Zxm4pf37NPllKwkJivzHwyIOL1T lqTFgN0VZTQkMAnkzYFZVnkbMTy7aSwX0+lTZzniJsn0sQQ=
X-Google-Smtp-Source: ABdhPJxAuvINjVnGGY30gxIQGdU3VyTnKuWvMrUojvtESn7XlxcKQf3qO2iYw/5CqYH9vH32H1yy6nMxXWy/ZjYjPpY=
X-Received: by 2002:a02:7f4a:: with SMTP id r71mr1014656jac.132.1632345855839;  Wed, 22 Sep 2021 14:24:15 -0700 (PDT)
MIME-Version: 1.0
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 22 Sep 2021 17:24:04 -0400
Message-ID: <CAF4+nEGPGAUGg0o9-jAm4MPgiitF2h6u99tRJeDGX9dZE15tDw@mail.gmail.com>
To: "iesg@ietf.org" <iesg@ietf.org>
Cc: secdir <secdir@ietf.org>, draft-ietf-ippm-ioam-flags.all@ietf.org,  Last Call <last-call@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Kjb-S2PQDqnzGiPmROEfwauujx4>
Subject: [secdir] SECDIR Review draft-ietf-ippm-ioam-flags-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2021 21:24:26 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  Document editors and WG chairs should treat these comments
just like any other last call comments.

The summary of the review is Ready with a minor issue. (really just
capitalization of key words)

Security:

I believe that the theme of the Security Considerations section, that
possible use of the IOAM flags specified in this document could be
used in amplification attacks, is correct and that the Security
Considerations section adequately explores this topic.

Minor:

Section 4.1.1: Both occurrences of "recommended" seem like they should
be in all capital letters.

Section 4.2: Second paragraph, "recommended" should be all capital
letters. Also, this stuff about N seems to be redundantly included in
both 4.1.1 and 4.2 which are adjacent sections. Maybe the second
paragraph in 4.2 could be replaced by a tweaked version of its first
sentence something like: "An IOAM node that supports the reception and
processing of the Loopback flag MUST support the ability to limit the
rate of the looped back packets as discussed in Section 4.1.1.".

Section 5: last paragraph, "It is recommended to use N>100." -> "Using
N>100 is RECOMMENDED."

Nits:

Section 2.2: Suggest adding reference to the Terminology entry for
OAM:  [RFC6291]

Section 4.1: last sentence of 2nd paragraph (first full sentence of
page 5): Somehow "allowing a single data field" does not sound quite
strong enough to me. Suggest "allowing only a single data field" or
"limiting to a single data field" or some other stronger and clearer
wording.

Section 4.1.1: Remove superfluous wording: "It is noted that this
requirement..." -> "This requirement..."

Section 4.1.1: Grammar and incorporating capitalization point from
above: "it is recommended to use N>100." -> "using N>100 is
RECOMMENDED." (and same change in Section 4.2 if Section 4.2 is not
modified as suggested above)

Section 5: third bullet point "one or more IOAM option," -> "one or
more IOAM options," Also, in the same bullet point, remove superfluous
wording "It should be noted that the current..." -> "The current..."

Multiple places "to avoid loading" would be a little better as "to
avoid overloading" or "to avoid excessively loading".

There are almost twice as many authors as the guideline maximum of 5.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e3e3@gmail.com


From nobody Thu Sep 23 12:33:01 2021
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D00B43A190C; Thu, 23 Sep 2021 12:32:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.596
X-Spam-Level: 
X-Spam-Status: No, score=-4.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=lENMDqUO; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=tDaeOO0d
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRYYF16f4gwO; Thu, 23 Sep 2021 12:31:58 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24F2B3A1909; Thu, 23 Sep 2021 12:31:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7764; q=dns/txt; s=iport; t=1632425518; x=1633635118; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=xU8A48+H4ZF4B9IFD/PCESkYXx2m0419mAkb+RQFdRA=; b=lENMDqUOqZ5lXASwTjwQ8RaAHexmltn1D1AJwDbiV3nmHTZF9xkhfwuB NeiQ5dVN8dLMszKIeclAYSV3hBhcfPPTHwHf5SW/0aaDV2pvP5mJnTVnF dAz6jyfVPreF0wOnl8oXe3udxHh3fTK651WmAohIt6ph3t92WfYo4c1pF 8=;
X-IronPort-AV: E=Sophos;i="5.85,317,1624320000"; d="scan'208";a="921062816"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Sep 2021 19:31:33 +0000
Received: from mail.cisco.com (xbe-rcd-002.cisco.com [173.37.102.17]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 18NJVXTG029790 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 23 Sep 2021 19:31:33 GMT
Received: from xfe-aln-005.cisco.com (173.37.135.125) by xbe-rcd-002.cisco.com (173.37.102.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 23 Sep 2021 14:31:32 -0500
Received: from xfe-aln-005.cisco.com (173.37.135.125) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 23 Sep 2021 14:31:32 -0500
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-005.cisco.com (173.37.135.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Thu, 23 Sep 2021 14:31:32 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fV1Vlj9SgCpi6MoGJvTIQJS+owKGbXpyxHPiBRMtkny0Bu2gK0Z7czyO/zE2w84+fXzyvIP9q8w2vM2liZ1jxJuF2d+zcdtftv0LGp4+CJrXXqNXJ+NbH5goZu020xBhObfq+HshTRhSch1rdARAEUfSXURALAoQrMHJKIUKfe3Tku2HMDIsNb/lx0KNy8jndi3DM/FS7SHxnX1mffrRneaPtctwyzIXNQN+RvcjiZoqo37W1CNatxVfamaUvZNYOBnE77swVCIfbyvDhhRBniRCY+HC8eglVZE8/2cps0O9hyBpG60cJQG91ok54PPiE2bD3P9QDfBoyFJ1EcSP5w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;  bh=xU8A48+H4ZF4B9IFD/PCESkYXx2m0419mAkb+RQFdRA=; b=VbIaoKwa0PnDiSXr1lxrc18W3eD7oH+toXF+i060ZxB3858ssbw64n9TyNx6l2RT4PJJvaT7TqlV0OnBiUgFRbBJwj9RVTFXwpR/r27YyZBVsv/6fT1nSKBKLd19dKhcSUj7i/bIyHZe7jTrowcKtSly2dLDfRhRJ+hvIpNdSE710qKiVIQ/cltNivBLmKmAiXxVHT5lAal6fUlqnt+2wguYmQAtgcWkPXCbpvB0QF6GjKSf8vsz1S4aYiMVXQl20ya85HhtxcfFBbIeSZuSseVX+5YO8301c1vzNq5LUY7ZHxI6+MFMqe84goYlxomYwAMMitCzeiBWAF7MpdADgg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com;  s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xU8A48+H4ZF4B9IFD/PCESkYXx2m0419mAkb+RQFdRA=; b=tDaeOO0dw7QBnHftow5F/Ani3HAfeQjY5NThk6JxqF+THoOAXWiZqfOLdsti8zCnTWTYbUxXnVrgvpSnFXoRI4LEPeF566+FbXe4YvKSDo3QG1dTU/kLZT1GcwJcGolqbArEooeHcg7D3p2BWBSYg47aXpi9TVqDGWljkKvegSs=
Received: from DM8PR11MB5606.namprd11.prod.outlook.com (2603:10b6:8:3c::23) by DM8PR11MB5655.namprd11.prod.outlook.com (2603:10b6:8:28::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.13; Thu, 23 Sep 2021 19:31:31 +0000
Received: from DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65]) by DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65%3]) with mapi id 15.20.4544.015; Thu, 23 Sep 2021 19:31:31 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "Youell, Stephen" <stephen.youell@jpmorgan.com>
Thread-Topic: Secdir last call review of draft-ietf-sfc-proof-of-transit-08
Thread-Index: AQHXrdJnjOHuO4fhnU+wPCtBTLa6aaux/B8w
Date: Thu, 23 Sep 2021 19:31:31 +0000
Message-ID: <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com>
In-Reply-To: <163210969860.31323.5718880916818308072@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: huitema.net; dkim=none (message not signed) header.d=none;huitema.net; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 198b5d59-267f-4a63-7d30-08d97ec8bf2f
x-ms-traffictypediagnostic: DM8PR11MB5655:
x-microsoft-antispam-prvs: <DM8PR11MB5655E7794149A349E1A5592BDAA39@DM8PR11MB5655.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR11MB5606.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 198b5d59-267f-4a63-7d30-08d97ec8bf2f
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Sep 2021 19:31:31.5197 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: uliEUEF+XvaJl2c7FjCRh1h7vfvc5kDXiUXkhEUfKfUP2nbddeNBu3ejt75NCgU3pMZTwPT5qd2ZbkblLOkxuw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR11MB5655
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.17, xbe-rcd-002.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/44EiGVwiXnvktyJvxscLTdA4Pzg>
Subject: Re: [secdir] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2021 19:32:03 -0000

Hi Christian,

Thanks a lot for your detailed review. Please see inline.

> -----Original Message-----
> From: Christian Huitema via Datatracker <noreply@ietf.org>
> Sent: Monday, 20 September 2021 05:48
> To: secdir@ietf.org
> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org; sfc@ietf.org
> Subject: Secdir last call review of draft-ietf-sfc-proof-of-transit-08
>
> Reviewer: Christian Huitema
> Review result: Serious Issues
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
>
> This document proposes a security mechanism to prove that traffic transited
> through all specified nodes in a path. The mechanism works by adding a short
> option to each packet for which transit shall be verified. The option consists of a
> random number set by the originator of the packet, and a sum field to which
> each transit node adds a value depending on public parameters, on the random
> number and on secrets held by the node. The destination has access to all the
> secrets held by the nodes on the path, and can verify whether or not the final
> sum corresponds to the sum of expected values. The proposed size of the
> random number and the sum field is 64 bits.
>
> In the paragraph above, I described the mechanism without mentioning the
> algorithm used to compute these 64 bit numbers. The 64 bit size is obviously a
> concern: for cryptographic applications, 64 bits is not a large number, and that
> might be a weakness whatever the proposed algorithm. The actual algorithm
> appears to be a bespoke derivation of Shamir's Secret Sharing algorithm (SSS). In
> other words, it is a case of "inventing your own crypto".

...FB: SSS is a well-known algorithm and draft-ietf-sfc-proof-of-transit does not modify it.
All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS algorithm for the proof of transit use case.

Also note that the draft does not require the use of 64 bit numbers.
Nor does the draft require a minimum time between changing the secrets.
What particular attack are you concerned about where 64 bit numbers are a concern?

>
> SSS relies on the representation of polynomials as a sum of Lagrange Basis
> Polynomials. Each of the participating nodes holds a share of the secret
> represented by a point on the polynomial curve. A polynomial of degree K on the
> field of integers modulo a prime number N can only be revealed if at least K+1
> participants reveal the value of their point. The safety of the algorithm relies on
> the size of the number N and on the fact that the secret shall be revealed only
> once. But the algorithm does not use SSS directly, so it deserves its own security
> analysis instead of relying simply on Shamir's work.
>
> The proposed algorithm uses two polynomials of degree K for a path containing
> K+1 nodes, on a field defined by a prime number N of 64 bits. One of the
> polynomials, POLY-1, is secret, and only fully known by the verifying node.
> The other, POLY-2 is public, with the constant coefficient set at a random value
> RND for each packet.
>
> For each packet, the goal is to compute the value of POLY-1 plus POLY-2 at the
> point 0 -- that is, the constant coefficient of POLY-3 = POLY-1 + POLY-2.
>
> Without going into too much detail, one can observe that the constant
> coefficient of POLY-3 is equal to the sum of the constant coefficients of POLY-1
> and POLY-2, and that the constant coefficient of POLY-2 is the value RND
> present in each packet. In the example given in section 3.3.2, the numbers are
> computed modulo 53, the constant coefficient of POLY-1 is 10, and the value
> RND is 45. The final sum CML is indeed
> 10 + 45 = 2 mod 53.
>
> To me, this appears as a serious weakness in the algorithm. If an adversary can
> observe the value RND and CML for a first packet, it can retrieve the constant
> coefficient of POLY-1, and thus can predict the value of CML for any other
> packet. That does not seem very secure.

...FB: There seems to be a bit of confusion or misreading of how the method works. In the above statement you seem to assume that the verifier would not be part of the proof-chain, so that the final CML value would be somehow exposed to an external entity along with RND. This is not the case. The verifier is the last node (k+1) in the proof-chain.

At concept level, the method reconstructs the polynomial hop by hop, picking up a point on the curve at every hop. Only the final node in the proof-chain, which is also the verifier, acts on the information of all the k+1 points and as such is able to reconstruct the polynomial.

In section 3.2.1, the draft explicitly states that the verifier *is* part of the proof-chain: "Each of the k+1 nodes (including verifier) are assigned a point on the polynomial i.e., shares of the SECRET." The fact that the verifier, i.e., the last node in the proof-chain ("k+1"), can retrieve the secret, is desired and intentional, because the verifier needs to compare the result of the iterative construction of the secret with the secret value it received from the controller. This is how the system is designed, and the calculation of (10+45) mod 53 = 2 is part of the verification.

Cheers, Frank



>
> My recommendation would be to present the problem and ask the CFRG for
> algorithm recommendations.
>
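
The arithmetic that the review and this reply disagree about, worked through as an added example (not code from the draft or from either author). The modulus 53, the POLY-1 constant coefficient 10, RND 45 and the final CML 2 are the values quoted in the thread; the higher coefficients and the nodes' x positions are constructed here, and the function names are hypothetical.

```python
"""CML accumulation over a three-node proof chain, modulo a small prime.

From the thread: P = 53, constant coefficient of POLY-1 = 10, RND = 45,
final CML = 2.  Constructed for this example: the non-constant
coefficients of both polynomials and the x position of each node.
Requires Python 3.8+ (modular inverse via pow(x, -1, p)).
"""

P = 53                    # prime modulus (from the thread)
SECRET = 10               # constant coefficient of POLY-1 (from the thread)
POLY1 = [SECRET, 3, 3]    # constructed: 10 + 3x + 3x^2, secret
POLY2_TAIL = [7, 10]      # constructed: public part of POLY-2, RND is prepended
NODE_X = [2, 4, 5]        # constructed: one point per node, verifier last


def poly_eval(coeffs, x, p=P):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lagrange_constants(xs, p=P):
    """Lagrange basis polynomials evaluated at x = 0, one constant per node."""
    consts = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = (num * -xj) % p
                den = (den * (xi - xj)) % p
        consts.append(num * pow(den, -1, p) % p)
    return consts


def cml_trace(rnd, skip=None):
    """Running CML after each node that took part; skip = index of a bypassed node."""
    poly2 = [rnd] + POLY2_TAIL
    lpcs = lagrange_constants(NODE_X)
    cml, trace = 0, []
    for i, (x, lpc) in enumerate(zip(NODE_X, lpcs)):
        if i == skip:
            continue
        # Each node adds (its POLY-1 share + POLY-2 at its point) * its constant.
        share = (poly_eval(POLY1, x) + poly_eval(poly2, x)) % P
        cml = (cml + share * lpc) % P
        trace.append(cml)
    return trace


def verifier_accepts(rnd, final_cml):
    """The last node compares the completed sum with SECRET + RND mod P."""
    return final_cml == (SECRET + rnd) % P


def constant_implied_by(rnd, cml):
    """Constant coefficient of POLY-1 that a given (RND, CML) pair would imply."""
    return (cml - rnd) % P


if __name__ == "__main__":
    trace = cml_trace(45)
    print("running CML per hop:", trace)
    print("verifier accepts:", verifier_accepts(45, trace[-1]))
    # The completed sum implies the POLY-1 constant; a partial sum does not.
    print("implied by final CML:", constant_implied_by(45, trace[-1]))
    print("implied by CML before the verifier:", constant_implied_by(45, trace[-2]))
    print("node bypassed, accepted:", verifier_accepts(45, cml_trace(45, skip=1)[-1]))
```

With these numbers the completed sum is RND plus the POLY-1 constant, while the partial sum carried before the last hop implies a different value, which is the distinction the two messages turn on.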


From nobody Thu Sep 23 14:06:41 2021
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 754543A1DA7 for <secdir@ietfa.amsl.com>; Thu, 23 Sep 2021 14:06:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.111
X-Spam-Level: ***
X-Spam-Status: No, score=3.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHgtYTXfiyTu for <secdir@ietfa.amsl.com>; Thu, 23 Sep 2021 14:06:34 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38113A1DA0 for <secdir@ietf.org>; Thu, 23 Sep 2021 14:06:34 -0700 (PDT)
Received: from xse303.mail2web.com ([66.113.197.49] helo=xse.mail2web.com) by mx134.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mTV5s-0001kB-Ld for secdir@ietf.org; Thu, 23 Sep 2021 22:13:24 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4HFmZ72WJXzBJK for <secdir@ietf.org>; Thu, 23 Sep 2021 13:13:19 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mTV5r-0003gz-7K for secdir@ietf.org; Thu, 23 Sep 2021 13:13:19 -0700
Received: (qmail 24121 invoked from network); 23 Sep 2021 20:13:17 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.0]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-sfc-proof-of-transit.all@ietf.org>; 23 Sep 2021 20:13:16 -0000
To: "Frank Brockners (fbrockne)" <fbrockne=40cisco.com@dmarc.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net>
Date: Thu, 23 Sep 2021 13:13:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.49
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.08)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/T73DGIWdc7QbLFDcLWxFaRo-4q4>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Sep 2021 21:06:40 -0000

On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:
> Hi Christian,
>
> Thanks a lot for your detailed review. Please see inline.
>
>> -----Original Message-----
>> From: Christian Huitema via Datatracker <noreply@ietf.org>
>> Sent: Monday, 20 September 2021 05:48
>> To: secdir@ietf.org
>> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org; =
sfc@ietf.org
>> Subject: Secdir last call review of draft-ietf-sfc-proof-of-transit-08=

>>
>> Reviewer: Christian Huitema
>> Review result: Serious Issues
>>
>> I have reviewed this document as part of the security directorate's  o=
ngoing
>> effort to review all IETF documents being processed by the  IESG.  The=
se
>> comments were written primarily for the benefit of the security area d=
irectors.
>> Document editors and WG chairs should treat these comments just like a=
ny
>> other last call comments.
>>
>> This document proposes a security mechanism to prove that traffic tran=
sited
>> through all specified nodes in a path. The mechanism works by adding a=
 short
>> option to each packet for which transit shall be verified. The option =
consists of a
>> random number set by the originator of the packet, and a sum field to =
which
>> each transit node adds a value depending on public parameters, on the =
random
>> number and on secrets held by the node. The destination has access to =
all the
>> secrets held by the nodes on the path, and can verify whether or not t=
he final
>> sum corresponds to the sum of expected values. The proposed size of th=
e
>> random number and the sum field is 64 bits.
>>
>> In the paragraph above, I described the mechanism without mentioning t=
he
>> algorithm used to compute these 64 bit numbers. The 64 bit size is obv=
iously a
>> concern: for cryptographic applications, 64 bits is not a large number=
, and that
>> might be a weakness whatever the proposed algorithm. The actual algori=
thm
>> appears to be a bespoke derivation of Shamir's Secret Sharing algorith=
m (SSS). In
>> other word, it is a case of "inventing your own crypto".
> ...FB: SSS is a well know algorithm and draft-ietf-sfc-proof-of-transit=
 does not modify it.
> All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS a=
lgorithm for the proof of transit use case.
>
> Also note that the draft does not require the use of 64 bit numbers.
> Nor does draft require a minimum time between changing the secrets.
> What particular attack are you concerned about where 64 bit numbers are=
 a concern?
>
>> SSS relies on the representation of polynomials as a sum of Lagrange Basis
>> Polynomials. Each of the participating nodes holds a share of the secret
>> represented by a point on the polynomial curve. A polynomial of degree K on the
>> field of integers modulo a prime number N can only be revealed if at least K+1
>> participants reveal the value of their point. The safety of the algorithm relies on
>> the size of the number N and on the fact that the secret shall be revealed only
>> once. But the algorithm does not use SSS directly, so it deserves its own security
>> analysis instead of relying simply on Shamir's work.
>>
>> The proposed algorithm uses two polynomials of degree K for a path containing
>> K+1 nodes, on a field defined by a prime number N of 64 bits. One of the
>> polynomials, POLY-1, is secret, and only fully known by the verifying node.
>> The other, POLY-2 is public, with the constant coefficient set at a random value
>> RND for each packet.
>>
>> For each packet, the goal is to compute the value of POLY-1 plus POLY-2 at the
>> point 0 -- that is, the constant coefficient of POLY-3 = POLY-1 + POLY-2.
>>
>> Without going into too much detail, one can observe that the constant
>> coefficient of POLY-3 is equal to the sum of the constant coefficients of POLY-1
>> and POLY-2, and that the constant coefficient of POLY-2 is the value RND
>> present in each packet. In the example given in section 3.3.2, the numbers are
>> computed modulo 53, the constant coefficient of POLY-1 is 10, and the value
>> RND is 45. The final sum CML is indeed
>> 10 + 45 = 2 mod 53.
>>
>> To me, this appears as a serious weakness in the algorithm. If an adversary can
>> observe the value RND and CML for a first packet, it can retrieve the constant
>> coefficient of POLY-1, and thus can predict the value of CML for any other
>> packet. That does not seem very secure.
> ...FB: There seems to be a bit of confusion or misreading of how the method works. In the above statement you seem to assume that the verifier would not be part of the proof-chain, so that the final CML value would be somehow exposed to an external entity along with RND. This is not the case. The verifier is the last node (k+1) in the proof-chain.
>
> At concept level, the method reconstructs the polynomial hop by hop, picking up a point on the curve at every hop. Only the final node in the proof-chain, which is also the verifier, acts on the information of all the k+1 points and as such is able to reconstruct the polynomial.
>
> In section 3.2.1, the draft explicitly states that the verifier *is* part of the proof-chain: "Each of the k+1 nodes (including verifier) are assigned a point on the polynomial i.e., shares of the SECRET." The fact that the verifier, i.e., the last node in the proof-chain ("k+1"), can retrieve the secret, is desired and intentional, because the verifier needs to compare the result of the iterative construction of the secret with the secret value it received from the controller. This is how the system is designed, and the calculation of (10+45) mod 53 = 2 is part of the verification.

OK. That's slightly less bad. But it is still very bad crypto, because
you are effectively doing a linear combination.

You are evaluating POLY-3 = POLY-1 + POLY-2

POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC
only contains the non constant terms -- that is, POLY-2-NC(0) = 0

Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) + RND
For a given value Xj of X, this means we can express : POLY-3(Xj) = Vj + RND
In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)

Each node will increment the cumul by the value LPCj * POLY-3(Xj) = LPCj * (Vj + RND)

Suppose that an adversary can observe the value of CML before and after
being incremented by node Xj. Suppose that it could do that twice. Then
it has the values:

CML1-before-j = C1b
CML1-after-j = C1a
D1 = C1a - C1b = LPCj * (Vj + RND1)

CML1-before-j = C2b
CML1-after-j = C2a
D2 = C2a - C2b = LPCj * (Vj + RND2)

D2-D1 = LPCj*(RND2-RND1)

LPCj = (RND2-RND1)/(D2-D1)
Vj = D2/LPCj - RND2

The inverse of numbers modulo a prime P is easily computed -- see
Fermat's little theorem.

Once the input and output of a node have been observed twice, it becomes
easy to update the cumulative sum CML while bypassing these nodes.

The scheme described in the draft is definitely not equivalent to SSS.
It boils down to linear combinations of coefficients, and it is not secure.

-- Christian Huitema
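
Added example (not part of the original message and not code from the draft): a Python toy model of the arithmetic in the message above, using the quoted modulus 53 and POLY-1(0) = 10. The remaining coefficients, the node points and the RND values other than 45 are constructed. It solves D2-D1 = LPCj*(RND2-RND1) for LPCj, then Vj, from two before/after observations at one node, and checks what the verifier accepts.

```python
# Toy model of the proof-of-transit arithmetic analysed in the message above.
P = 53                 # prime modulus of the section 3.3.2 example, as quoted
POLY1 = [10, 3, 3]     # secret POLY-1; constant 10 is quoted, the rest is constructed
POLY2_NC = [0, 7, 10]  # non-constant terms of public POLY-2 (constructed)
XS = [2, 4, 5]         # one evaluation point Xj per node (constructed)


def inv(a):
    """Modular inverse via Fermat's little theorem: a^(P-2) mod P."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("0 has no inverse mod P")
    return pow(a, P - 2, P)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-order coefficient first) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lpc(j):
    """LPCj: Lagrange basis polynomial of node j evaluated at 0."""
    out = 1
    for m, xm in enumerate(XS):
        if m != j:
            out = out * xm * inv(xm - XS[j]) % P
    return out


def v(j):
    """Vj = POLY-1(Xj) + POLY2-NC(Xj): identical for every packet."""
    return (poly_eval(POLY1, XS[j]) + poly_eval(POLY2_NC, XS[j])) % P


def transit(rnd, skip=None, forged=None):
    """Return CML before the first node and after each node.

    skip   -- index of a node the packet does not visit
    forged -- (LPCj, Vj) applied in place of the skipped node's own update
    """
    trace = [0]
    for j in range(len(XS)):
        cml = trace[-1]
        if j != skip:
            cml = (cml + lpc(j) * (v(j) + rnd)) % P        # honest node
        elif forged is not None:
            cml = (cml + forged[0] * (forged[1] + rnd)) % P
        trace.append(cml)
    return trace


def verify(rnd, cml):
    """Verifier check: final CML must equal POLY-1(0) + RND mod P."""
    return cml == (POLY1[0] + rnd) % P


def observe(rnd, j):
    """(RND, CML before node j, CML after node j) for one honest packet."""
    trace = transit(rnd)
    return rnd, trace[j], trace[j + 1]


def recover_node(obs1, obs2):
    """Solve D = LPCj * (Vj + RND) for (LPCj, Vj) from two observations."""
    (r1, b1, a1), (r2, b2, a2) = obs1, obs2
    if (r2 - r1) % P == 0:
        raise ValueError("same RND in both observations: system is singular")
    d1, d2 = (a1 - b1) % P, (a2 - b2) % P
    lpc_j = (d2 - d1) * inv(r2 - r1) % P   # from D2-D1 = LPCj*(RND2-RND1)
    v_j = (d2 * inv(lpc_j) - r2) % P       # from D2 = LPCj*(Vj + RND2)
    return lpc_j, v_j


if __name__ == "__main__":
    print("honest trace, RND=45:", transit(45))
    rec = recover_node(observe(45, 1), observe(17, 1))
    print("recovered (LPCj, Vj) for node 1:", rec, "actual:", (lpc(1), v(1)))
    print("node 1 skipped, RND=30, accepted:",
          verify(30, transit(30, skip=1)[-1]))
    print("node 1 skipped, recovered constants applied, accepted:",
          verify(30, transit(30, skip=1, forged=rec)[-1]))
```

The per-node constants do not depend on RND, so the verifier's check stops detecting a skipped node once that node's input and output have been visible for two packets with different RND values.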







From nobody Fri Sep 24 01:40:12 2021
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
Date: Fri, 24 Sep 2021 08:39:55 +0000
Message-ID: <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net>
In-Reply-To: <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ljEKD95Cr3w6SwT75XwkN9rm9cA>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08

Hi Christian,

Thanks a lot for the detailed follow-up. Please see inline.

> -----Original Message-----
> From: Christian Huitema <huitema@huitema.net>
> Sent: Thursday, 23 September 2021 22:13
> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org
> Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen
> <stephen.youell@jpmorgan.com>; sfc@ietf.org;
> draft-ietf-sfc-proof-of-transit.all@ietf.org
> Subject: Re: [Last-Call] Secdir last call review of
> draft-ietf-sfc-proof-of-transit-08
>
>
> On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:
> > Hi Christian,
> >
> > Thanks a lot for your detailed review. Please see inline.
> >
> >> -----Original Message-----
> >> From: Christian Huitema via Datatracker <noreply@ietf.org>
> >> Sent: Monday, 20 September 2021 05:48
> >> To: secdir@ietf.org
> >> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org;
> >> sfc@ietf.org
> >> Subject: Secdir last call review of
> >> draft-ietf-sfc-proof-of-transit-08
> >>
> >> Reviewer: Christian Huitema
> >> Review result: Serious Issues
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.
> >> Document editors and WG chairs should treat these comments just like
> >> any other last call comments.
> >>
> >> This document proposes a security mechanism to prove that traffic
> >> transited through all specified nodes in a path. The mechanism works
> >> by adding a short option to each packet for which transit shall be
> >> verified. The option consists of a random number set by the
> >> originator of the packet, and a sum field to which each transit node
> >> adds a value depending on public parameters, on the random number and
> >> on secrets held by the node. The destination has access to all the
> >> secrets held by the nodes on the path, and can verify whether or not
> >> the final sum corresponds to the sum of expected values. The proposed
> >> size of the random number and the sum field is 64 bits.
> >>
> >> In the paragraph above, I described the mechanism without mentioning
> >> the algorithm used to compute these 64 bit numbers. The 64 bit size
> >> is obviously a
> >> concern: for cryptographic applications, 64 bits is not a large
> >> number, and that might be a weakness whatever the proposed algorithm.
> >> The actual algorithm appears to be a bespoke derivation of Shamir's
> >> Secret Sharing algorithm (SSS). In other words, it is a case of
> >> "inventing your own crypto".
> > ...FB: SSS is a well known algorithm and draft-ietf-sfc-proof-of-transit does not modify it.
> > All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS algorithm for the proof of transit use case.
> >
> > Also note that the draft does not require the use of 64 bit numbers.
> > Nor does the draft require a minimum time between changing the secrets.
> > What particular attack are you concerned about where 64 bit numbers are a concern?
> >
> >> SSS relies on the representation of polynomials as a sum of Lagrange
> >> Basis Polynomials. Each of the participating nodes holds a share of
> >> the secret represented by a point on the polynomial curve. A
> >> polynomial of degree K on the field of integers modulo a prime number
> >> N can only be revealed if at least K+1 participants reveal the value
> >> of their point. The safety of the algorithm relies on the size of the
> >> number N and on the fact that the secret shall be revealed only once.
> >> But the algorithm does not use SSS directly, so it deserves its own
> >> security analysis instead of relying simply on Shamir's work.
> >>
> >> The proposed algorithm uses two polynomials of degree K for a path
> >> containing
> >> K+1 nodes, on a field defined by a prime number N of 64 bits. One of
> >> the
> >> polynomials, POLY-1, is secret, and only fully known by the verifying node.
> >> The other, POLY-2 is public, with the constant coefficient set at a
> >> random value RND for each packet.
> >>
> >> For each packet, the goal is to compute the value of POLY-1 plus POLY-2
> >> at the point 0 -- that is, the constant coefficient of
> >> POLY-3 = POLY-1 + POLY-2.
> >>
> >> Without going into too much detail, one can observe that the constant
> >> coefficient of POLY-3 is equal to the sum of the constant
> >> coefficients of POLY-1 and POLY-2, and that the constant coefficient
> >> of POLY-2 is the value RND present in each packet. In the example
> >> given in section 3.3.2, the numbers are computed modulo 53, the
> >> constant coefficient of POLY-1 is 10, and the value RND is 45. The
> >> final sum CML is indeed
> >> 10 + 45 = 2 mod 53.
> >>
> >> To me, this appears as a serious weakness in the algorithm. If an
> >> adversary can observe the value RND and CML for a first packet, it
> >> can retrieve the constant coefficient of POLY-1, and thus can predict
> >> the value of CML for any other packet. That does not seem very secure.
> > ...FB: There seems to be a bit of confusion or misreading of how the method works. In the above statement you seem to assume that the verifier would not be part of the proof-chain, so that the final CML value would be somehow exposed to an external entity along with RND. This is not the case. The verifier is the last node (k+1) in the proof-chain.
> >
> > At concept level, the method reconstructs the polynomial hop by hop, picking up a point on the curve at every hop. Only the final node in the proof-chain, which is also the verifier, acts on the information of all the k+1 points and as such is able to reconstruct the polynomial.
> >
> > In section 3.2.1, the draft explicitly states that the verifier *is* part of the proof-chain: "Each of the k+1 nodes (including verifier) are assigned a point on the polynomial i.e., shares of the SECRET." The fact that the verifier, i.e., the last node in the proof-chain ("k+1"), can retrieve the secret, is desired and intentional, because the verifier needs to compare the result of the iterative construction of the secret with the secret value it received from the controller. This is how the system is designed, and the calculation of (10+45) mod 53 = 2 is part of the verification.
>
> OK. That's slightly less bad. But it is still very bad crypto, because you are
> effectively doing a linear combination.
>
> You are evaluating POLY-3 = POLY-1 + POLY-2
>
> POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC only
> contains the non constant terms -- that is, POLY-2-NC(0) = 0
>
> Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) + RND
> For a given value Xj of X, this means we can express : POLY-3(Xj) = Vj + RND
> In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)
>
> Each node will increment the cumul by the value LPCj * POLY-3(Xj) = LPCj
> * (Vj + RND)
>
> Suppose that an adversary can observe the value of CML before and after being
> incremented by node Xj. Suppose that it could do that twice. Then it has the
> values:
>
> CML1-before-j = C1b
> CML1-after-j = C1a
> D1 = C1a - C1b = LPCj * (Vj + RND1)
>
> CML1-before-j = C2b
> CML1-after-j = C2a
> D2 = C2a - C2b = LPCj * (Vj + RND2)
>
> D2-D1 = LPCj*(RND2-RND1)
>
> LPCj = (RND2-RND1)/(D2-D1)
> Vj = D2/LPCj - RND2
>
> The inverse of numbers modulo a prime P is easily computed -- see Fermat's
> little theorem.
>
> Once the input and output of a node have been observed twice, it becomes easy
> to update the cumulative sum CML while bypassing these nodes.

...FB: This is great. Thanks for spelling out the details. You raise a good point: For the solution to make sense, we need to ensure that an attacker cannot observe the input and output of a node.
To ensure this does not happen, we must require the communication to/from the node to be encrypted, e.g., through link layer encryption of at least the proof-of-transit data fields.
We'll add this requirement to the draft - and also detail the threat you describe above in detail in the security considerations section.

Thanks again, Frank


>
> The scheme described in the draft is definitely not equivalent to SSS.
> It boils down to linear combinations of coefficients, and it is not secure.
>
> -- Christian Huitema


From nobody Fri Sep 24 08:16:41 2021
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net>
Date: Fri, 24 Sep 2021 08:16:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.212
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.13)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oBTbwR8Cjm0hy8JzCAd1G1agACc>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 15:16:37 -0000

On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote:
> Hi Christian,
>
> Thanks a lot for the detailed follow-up. Please see inline.
>
>> -----Original Message-----
>> From: Christian Huitema <huitema@huitema.net>
>> Sent: Thursday, 23 September 2021 22:13
>> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org
>> Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen
>> <stephen.youell@jpmorgan.com>; sfc@ietf.org;
>> draft-ietf-sfc-proof-of-transit.all@ietf.org
>> Subject: Re: [Last-Call] Secdir last call review of
>> draft-ietf-sfc-proof-of-transit-08
>>
>>
>> On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:
>>> Hi Christian,
>>>
>>> Thanks a lot for your detailed review. Please see inline.
>>>
>>>> -----Original Message-----
>>>> From: Christian Huitema via Datatracker <noreply@ietf.org>
>>>> Sent: Monday, 20 September 2021 05:48
>>>> To: secdir@ietf.org
>>>> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org; last-call@ietf.org;
>>>> sfc@ietf.org
>>>> Subject: Secdir last call review of
>>>> draft-ietf-sfc-proof-of-transit-08
>>>>
>>>> Reviewer: Christian Huitema
>>>> Review result: Serious Issues
>>>>
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG.  These comments were written primarily for the benefit of the
>>>> security area directors.
>>>> Document editors and WG chairs should treat these comments just like
>>>> any other last call comments.
>>>>
>>>> This document proposes a security mechanism to prove that traffic
>>>> transited through all specified nodes in a path. The mechanism works
>>>> by adding a short option to each packet for which transit shall be
>>>> verified. The option consists of a random number set by the
>>>> originator of the packet, and a sum field to which each transit node
>>>> adds a value depending on public parameters, on the random number and
>>>> on secrets held by the node. The destination has access to all the
>>>> secrets held by the nodes on the path, and can verify whether or not
>>>> the final sum corresponds to the sum of expected values. The proposed
>>>> size of the random number and the sum field is 64 bits.
>>>> In the paragraph above, I described the mechanism without mentioning
>>>> the algorithm used to compute these 64 bit numbers. The 64 bit size
>>>> is obviously a concern: for cryptographic applications, 64 bits is not
>>>> a large number, and that might be a weakness whatever the proposed
>>>> algorithm.
>>>> The actual algorithm appears to be a bespoke derivation of Shamir's
>>>> Secret Sharing algorithm (SSS). In other words, it is a case of
>>>> "inventing your own crypto".
>>> ...FB: SSS is a well known algorithm and draft-ietf-sfc-proof-of-transit
>>> does not modify it.
>>> All draft-ietf-sfc-proof-of-transit does is to operationalize the SSS
>>> algorithm for the proof of transit use case.
>>> Also note that the draft does not require the use of 64 bit numbers.
>>> Nor does the draft require a minimum time between changing the secrets.
>>> What particular attack are you concerned about where 64 bit numbers are
>>> a concern?
>>>> SSS relies on the representation of polynomials as a sum of Lagrange
>>>> Basis Polynomials. Each of the participating nodes holds a share of
>>>> the secret represented by a point on the polynomial curve. A
>>>> polynomial of degree K on the field of integers modulo a prime number
>>>> N can only be revealed if at least K+1 participants reveal the value
>>>> of their point. The safety of the algorithm relies on the size of the
>>>> number N and on the fact that the secret shall be revealed only once.
>>>> But the algorithm does not use SSS directly, so it deserves its own
>>>> security analysis instead of relying simply on Shamir's work.
>>>> The proposed algorithm uses two polynomials of degree K for a path
>>>> containing K+1 nodes, on a field defined by a prime number N of 64
>>>> bits. One of the polynomials, POLY-1, is secret, and only fully known
>>>> by the verifying node.
>>>> The other, POLY-2 is public, with the constant coefficient set at a
>>>> random value RND for each packet.
>>>>
>>>> For each packet, the goal is to compute the value of POLY-1 plus POLY-2
>>>> at the point 0 -- that is, the constant coefficient of
>>>> POLY-3 = POLY-1 + POLY-2.
>>>> Without going into too much detail, one can observe that the constant
>>>> coefficient of POLY-3 is equal to the sum of the constant
>>>> coefficients of POLY-1 and POLY-2, and that the constant coefficient
>>>> of POLY-2 is the value RND present in each packet. In the example
>>>> given in section 3.3.2, the numbers are computed modulo 53, the
>>>> constant coefficient of POLY-1 is 10, and the value RND is 45. The
>>>> final sum CML is indeed 10 + 45 = 2 mod 53.
>>>>
>>>> To me, this appears as a serious weakness in the algorithm. If an
>>>> adversary can observe the value RND and CML for a first packet, it
>>>> can retrieve the constant coefficient of POLY-1, and thus can predict
>>>> the value of CML for any other packet. That does not seem very secure.
>>> ...FB: There seems to be a bit of confusion or misreading of how the
>>> method works. In the above statement you seem to assume that the
>>> verifier would not be part of the proof-chain, so that the final CML
>>> value would be somehow exposed to an external entity along with RND.
>>> This is not the case. The verifier is the last node (k+1) in the
>>> proof-chain.
>>> At concept level, the method reconstructs the polynomial hop by hop,
>>> picking up a point on the curve at every hop. Only final node in the
>>> proof-chain, which is also the verifier, acts on the information of all
>>> the k+1 points and as such is able to reconstruct the polynomial.
>>> In section 3.2.1, the draft explicitly states that the verifier *is*
>>> part of the proof-chain: "Each of the k+1 nodes (including verifier) are
>>> assigned a point on the polynomial i.e., shares of the SECRET." The fact
>>> that the verifier, i.e., the last node in the proof-chain ("k+1"), can
>>> retrieve the secret, is desired and intentional, because the verifier
>>> needs to compare the result of the iterative construction of the secret
>>> with the secret value it received from the controller.
>>> This is how the system is designed, and the calculation of
>>> (10+45) mod 53 = 2 is part of the verification.
>>
>> OK. That's slightly less bad. But it is still very bad crypto, because
>> you are effectively doing a linear combination.
>>
>> You are evaluating POLY-3 = POLY-1 + POLY-2
>>
>> POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC only
>> contains the non constant terms -- that is, POLY-2-NC(0) = 0
>>
>> Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) + RND
>> For a given value Xj of X, this means we can express:
>> POLY-3(Xj) = Vj + RND
>> In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)
>>
>> Each node will increment the cumul by the value
>> LPCj * POLY-3(Xj) = LPCj * (Vj + RND)
>>
>> Suppose that an adversary can observe the value of CML before and after
>> being incremented by node Xj. Suppose that it could do that twice. Then
>> it has the values:
>>
>> CML1-before-j = C1b
>> CML1-after-j = C1a
>> D1 = C1a - C1b = LPCj * (Vj + RND1)
>>
>> CML1-before-j = C2b
>> CML1-after-j = C2a
>> D2 = C2a - C2b = LPCj * (Vj + RND2)
>>
>> D2-D1 = LPCj*(RND2-RND1)
>>
>> LPCj = (RND2-RND1)/(D2-D1)
>> Vj = D2/LPCj - RND2
>>
>> The inverse of numbers modulo a prime P is easily computed -- see
>> Fermat's little theorem.
>>
>> Once the input and output of a node have been observed twice, it becomes
>> easy to update the cumulative sum CML while bypassing these nodes.
> ...FB: This is great. Thanks for spelling out the details.  You raise a good point: For the solution to make sense, we need to ensure that an attacker cannot observe the input and output of a node.
> To ensure this does not happen, we must require the communication to/from the node to be encrypted, e.g., through link layer encryption of at least the proof-of-transit data fields.
> We'll add this requirement to the draft - and also detail the threat you describe above in detail in the security considerations section.

That still will not be sufficient, because you also have to deal with
the nodes themselves. By definition, they see the intermediate results
of other nodes. For example, if the function chain is A->B->C->D->E, the
node B sees the output of B and the node D sees the input of D. If B and
D collude, they have access to the input and output of C. They can
easily find the secrets of C, and then execute a chain A->B---->D->E in
which the input of D is "corrected" to hide the absence of C from the
evaluator E.

The linear combination scheme in the draft is not sound crypto. My
recommendation is to present the problem and the threat model clearly to
the crypto community, for example by presenting to the CFRG, and solicit
advice on better algorithms.

-- Christian Huitema
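
The algebra in the quoted 23 September message and the A->B->C->D->E scenario above, as an added worked example (not part of the original message or of the draft). The modulus 53, the POLY-1 constant 10 and RND 45 are the values quoted in the thread; the other coefficients, the node points x=1..5, the other RND values and all function names are constructed for illustration. LPCj is obtained by solving D2-D1 = LPCj*(RND2-RND1).

```python
# Added example: toy model of the cumulative sum (CML) discussed in the thread.
P = 53        # prime modulus of the draft's worked example, as quoted in the thread
SECRET = 10   # constant coefficient of POLY-1, as quoted in the thread

# Constructed values (assumptions, not taken from the draft): degree-4
# polynomials for the five-node chain A->B->C->D->E, E being the verifier.
POLY1 = [SECRET, 3, 7, 1, 4]   # secret polynomial, lowest degree first
POLY2_NC = [0, 5, 2, 9, 6]     # public POLY-2 without its constant term RND
XS = {"A": 1, "B": 2, "C": 3, "D": 4, "E": 5}


def inv(a, p=P):
    """Modular inverse by Fermat's little theorem (p prime, a != 0 mod p)."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse mod p")
    return pow(a, p - 2, p)


def poly_eval(coeffs, x, p=P):
    """Horner evaluation of a polynomial given lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lpc(name, p=P):
    """Lagrange basis polynomial of node `name`, evaluated at 0 (LPCj)."""
    xj = XS[name]
    num = den = 1
    for other, xm in XS.items():
        if other != name:
            num = num * xm % p
            den = den * (xm - xj) % p
    return num * inv(den, p) % p


def node_update(name, rnd, cml, p=P):
    """CML after node `name`: cml + LPCj * (Vj + RND), Vj fixed per node."""
    x = XS[name]
    v = (poly_eval(POLY1, x, p) + poly_eval(POLY2_NC, x, p)) % p
    return (cml + lpc(name, p) * (v + rnd)) % p


def run_chain(rnd, path="ABCDE"):
    """Return the CML value observed after each node on `path`."""
    cml, trace = 0, {}
    for name in path:
        cml = node_update(name, rnd, cml)
        trace[name] = cml
    return trace


def verify(rnd, cml, p=P):
    """Verifier check: the final CML must equal POLY-3(0) = SECRET + RND."""
    return cml == (SECRET + rnd) % p


def recover_node_terms(obs1, obs2, p=P):
    """Solve Dk = LPCj * (Vj + RNDk), k = 1, 2, for (LPCj, Vj).

    Each observation is (rnd, cml_before_node, cml_after_node)."""
    (r1, b1, a1), (r2, b2, a2) = obs1, obs2
    if (r2 - r1) % p == 0:
        raise ValueError("the two packets must carry different RND values")
    d1, d2 = (a1 - b1) % p, (a2 - b2) % p
    lpc_j = (d2 - d1) * inv(r2 - r1, p) % p
    v_j = (d2 * inv(lpc_j, p) - r2) % p
    return lpc_j, v_j


def demo():
    """B sees C's input, D sees C's output; two packets fix C's terms."""
    t1, t2 = run_chain(45), run_chain(17)
    lpc_c, v_c = recover_node_terms((45, t1["B"], t1["C"]),
                                    (17, t2["B"], t2["C"]))
    rnd = 30                                  # third packet, C never runs
    cml = run_chain(rnd, "AB")["B"]
    cml = (cml + lpc_c * (v_c + rnd)) % P     # C's term computed without C
    for name in "DE":
        cml = node_update(name, rnd, cml)
    plain_skip = run_chain(rnd, "ABDE")["E"]  # C skipped, nothing substituted
    return lpc_c, v_c, verify(rnd, cml), verify(rnd, plain_skip)


if __name__ == "__main__":
    print(run_chain(45)["E"], demo())
```

The verifier rejects the path that merely skips C but accepts the one where C's term was substituted, so a passing check does not show that C handled the packet.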




From nobody Fri Sep 24 10:19:50 2021
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9C9A3A1145; Fri, 24 Sep 2021 10:19:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UYtJ8EpzwSeH; Fri, 24 Sep 2021 10:19:30 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 7B2673A114F; Fri, 24 Sep 2021 10:19:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1632503966; d=isode.com; s=june2016; i=@isode.com; bh=izaKhl4UUyDiDR53VzHEpKn/lTQ/qzlw8QMbs6f/jpQ=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=NGe3II2cS0tFLzV5uF38njCLOqZH4fndujaohsLIz50SMOGpLGg6BdWrX2KY+7KGTPttzk qqNKZlaFutYIc6DvXOL3/7P5PyVvNMFCItf6FurFs2QiqYB8+iPQQQq2M2BHOEgDMxoyVo U9Vug6C57zhma2zROxrFTI99UZdctUI=;
Received: from [192.168.1.222] (host31-49-142-35.range31-49.btcentralplus.com [31.49.142.35])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <YU4IngABRyCu@waldorf.isode.com>; Fri, 24 Sep 2021 18:19:26 +0100
To: Shawn Emery <shawn.emery@gmail.com>, secdir@ietf.org
Cc: extra@ietf.org, last-call@ietf.org, draft-ietf-extra-quota.all@ietf.org
References: <163098196206.10347.8674654620317888270@ietfa.amsl.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <2bff77d0-35f3-c16e-913a-40eeb8497194@isode.com>
Date: Fri, 24 Sep 2021 18:19:09 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <163098196206.10347.8674654620317888270@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/SWFeJFJjFe28Ofw-eXSLZpWVdNQ>
Subject: Re: [secdir] Secdir last call review of draft-ietf-extra-quota-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 17:19:35 -0000

Hi Shawn,

Thank you for your review.

On 07/09/2021 03:32, Shawn Emery via Datatracker wrote:
> Reviewer: Shawn Emery
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> This draft specifies an extension to the IMAP protocol that allows querying and
> administrative functions related to resource limits and utilization.
>
> The security considerations section does exist and describes that the extension
> must adhere to the local security policies.   It continues to state that user's resource
> usage could also be considered sensitive information.  I don't believe that this draft
> adds additional security concerns from the proposed to be obsoleted RFC, 2087.
> These updates define two additional resource types (ANNOTATION-STORAGE and
> MAILBOX), a response code, and two data items.
>
> General comments:
>
> None.
>
> Editorial comments:
>
> s/a couple of extension/an extension/
> s/mupltiple/multiple/
> s/   Name of the quota resource type:\n/   Name of the quota resource type: ANNOTATION-STORAGE\n/
> s/registrations for 3/registrations for 4/
> s/clarify meaning/clarify the meaning/

I've fixed the editorial comments that you provided.

Best Regards,

Alexey


From nobody Fri Sep 24 11:50:11 2021
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD0A53A0FCC for <secdir@ietfa.amsl.com>; Fri, 24 Sep 2021 11:50:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level: 
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWGALkCgPH7P for <secdir@ietfa.amsl.com>; Fri, 24 Sep 2021 11:49:56 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C623A0FCD for <secdir@ietf.org>; Fri, 24 Sep 2021 11:49:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F1B0B300C77 for <secdir@ietf.org>; Fri, 24 Sep 2021 14:44:13 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ss-U1RAZ90OK for <secdir@ietf.org>; Fri, 24 Sep 2021 14:44:10 -0400 (EDT)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id ABCBE300B68; Fri, 24 Sep 2021 14:44:09 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <550B57DC-32C9-4B2F-9C42-70C786A8B726@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5EB98ED7-76E2-4F7E-AAE6-D956B1FD3A82"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Fri, 24 Sep 2021 14:44:07 -0400
In-Reply-To: <CA+RyBmVdUgF4gvyiwy-KGq=Z1wss9m1ZbpjOCExp+y9UOEdn5g@mail.gmail.com>
Cc: Last Call <last-call@ietf.org>, draft-ietf-pim-bfd-p2mp-use-case.all@ietf.org, pim@ietf.org, IETF SecDir <secdir@ietf.org>
To: Greg Mirsky <gregimirsky@gmail.com>
References: <163224103532.4850.12172127983159243773@ietfa.amsl.com> <CA+RyBmVdUgF4gvyiwy-KGq=Z1wss9m1ZbpjOCExp+y9UOEdn5g@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5WxRtewnaEKEYihggX0I5lM4mco>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-pim-bfd-p2mp-use-case-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 18:50:02 -0000

--Apple-Mail=_5EB98ED7-76E2-4F7E-AAE6-D956B1FD3A82
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Thanks.  Your proposed changes resolve all of my comments.

Russ

> On Sep 21, 2021, at 7:20 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
>
> Hi Russ,
> thank you for your thorough review, thoughtful and helpful suggestions. Please find my notes in-lined below under the GIM>> tag. I've attached the new working version and the diff.
>
> Regards,
> Greg
>
> On Tue, Sep 21, 2021 at 9:17 AM Russ Housley via Datatracker <noreply@ietf.org> wrote:
> Reviewer: Russ Housley
> Review result: Has Issues
>
> I reviewed this document as part of the Security Directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the Security Area
> Directors.  Document authors, document editors, and WG chairs should
> treat these comments just like any other IETF Last Call comments.
>
> Document: draft-ietf-pim-bfd-p2mp-use-case-07
> Reviewer: Russ Housley
> Review Date: 2021-09-21
> IETF LC End Date: 2021-09-28
> IESG Telechat date: Unknown
>
>
> Summary: Has Issues
>
>
> Major Concerns:  None
>
>
> Minor Concerns:
>
> General: All of the field names in this document use camel case, except
> one.  I think the document would be easier to read if My Discriminator
> were to use the same convention.  Also, HeadDiscriminator would be
> more descriptive.
> GIM>> Thank you for pointing this out to me. I agree with the proposed update of the field name. The remaining references in the text to My Discriminator use the convention of RFC 5880. I hope that is acceptable.
>
> Section 2.1 says:
>
>    The head MUST include the BFD Discriminator option in its Hello
>    messages.
>
> This MUST statement could be much more complete:
>
>    The head MUST include the BFD Discriminator option in its Hello
>    messages, and it MUST include a 4-byte My Discriminator with a
>    value other than zero.
> GIM>> Thank you, I agree with the proposed text with a minor modification based on re-naming of the field to HeadDiscriminator. Below is the update:
> OLD TEXT:
>    The head MUST include the BFD Discriminator option in its Hello
>    messages.
> NEW TEXT:
>    The head MUST include the BFD Discriminator option in its Hello
>    messages, and it MUST include a 4-byte HeadDiscriminator with a value
>    other than zero.
>
>
> Section 2.3: s/must set/MUST set/
> GIM>> Thank you. Done.
>
>
> Nits:
>
> Section 1, para 1 could be more clear and more forceful.  I suggest:
>
>    Faster convergence in the control plane minimizes the periods of
>    traffic blackholing, transient routing loops, and other situations
>    that may negatively affect service data flow.  Faster convergence
>    in the control plane is beneficial to unicast and multicast routing
>    protocols.
> GIM>> Thank you for the suggested text. Accepted.
>
> Section 1, para 2: s/DR is to act on behalf/DR acts on behalf/
> GIM>> Thank you. Done.
>
> Section 1, para 3: The first sentence is very unclear.  I cannot offer
> an improvement because it is too hard to parse.
> GIM>> Would the following update make it clearer:
> OLD TEXT:
>    Bidirectional Forwarding Detection (BFD) [RFC5880] had been
>    originally defined to detect a failure of point-to-point (p2p) paths
>    - single-hop [RFC5881], multihop [RFC5883].
> NEW TEXT:
>    Bidirectional Forwarding Detection (BFD) [RFC5880] had been
>    originally defined to detect a failure of a point-to-point (p2p)
>    path, single-hop [RFC5881] or multihop [RFC5883].
>
>
> Section 1, para 3: s/networks precisely/networks, and it precisely/
> GIM>> Thank you. Accepted.
>
> Section 1.1.1: s/familiarity/Familiarity/
> GIM>> Done.
> <draft-ietf-pim-bfd-p2mp-use-case-08.txt><Diff_ draft-ietf-pim-bfd-p2mp-use-case-07.txt - draft-ietf-pim-bfd-p2mp-use-case-08.txt.html>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call


--Apple-Mail=_5EB98ED7-76E2-4F7E-AAE6-D956B1FD3A82--


From nobody Fri Sep 24 11:57:22 2021
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BECC3A1033; Fri, 24 Sep 2021 11:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpmuWxnUKC8o; Fri, 24 Sep 2021 11:57:11 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DCF13A102E; Fri, 24 Sep 2021 11:57:11 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id g8so39703874edt.7; Fri, 24 Sep 2021 11:57:11 -0700 (PDT)
X-Received: by 2002:a05:6402:168b:: with SMTP id a11mr6958594edv.295.1632509829237;  Fri, 24 Sep 2021 11:57:09 -0700 (PDT)
MIME-Version: 1.0
References: <163224103532.4850.12172127983159243773@ietfa.amsl.com> <CA+RyBmVdUgF4gvyiwy-KGq=Z1wss9m1ZbpjOCExp+y9UOEdn5g@mail.gmail.com> <550B57DC-32C9-4B2F-9C42-70C786A8B726@vigilsec.com>
In-Reply-To: <550B57DC-32C9-4B2F-9C42-70C786A8B726@vigilsec.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Fri, 24 Sep 2021 11:56:58 -0700
Message-ID: <CA+RyBmUrk7gDqLiCnZ6dR-nsOod1EcekQP052G7GAzf0mpCazw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Last Call <last-call@ietf.org>, draft-ietf-pim-bfd-p2mp-use-case.all@ietf.org,  pim@ietf.org, IETF SecDir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000076ce1805ccc25056"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3inwaSgDcrr4xE1NpEbbTKSrxWw>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-pim-bfd-p2mp-use-case-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 18:57:17 -0000

--00000000000076ce1805ccc25056
Content-Type: text/plain; charset="UTF-8"

Russ,
thank you for the review, comments, and suggestions. I've uploaded the
updated version -08.

Regards,
Greg

On Fri, Sep 24, 2021 at 11:44 AM Russ Housley <housley@vigilsec.com> wrote:

> Thanks.  Your proposed changes resolve all of my comments.
>
> Russ
>
> On Sep 21, 2021, at 7:20 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
>
> Hi Russ,
> thank you for your thorough review, thoughtful and helpful suggestions.
> Please find my notes in-lined below under the GIM>> tag. I've attached the
> new working version and the diff.
>
> Regards,
> Greg
>
> On Tue, Sep 21, 2021 at 9:17 AM Russ Housley via Datatracker <
> noreply@ietf.org> wrote:
>
>> Reviewer: Russ Housley
>> Review result: Has Issues
>>
>> I reviewed this document as part of the Security Directorate's ongoing
>> effort to review all IETF documents being processed by the IESG.  These
>> comments were written primarily for the benefit of the Security Area
>> Directors.  Document authors, document editors, and WG chairs should
>> treat these comments just like any other IETF Last Call comments.
>>
>> Document: draft-ietf-pim-bfd-p2mp-use-case-07
>> Reviewer: Russ Housley
>> Review Date: 2021-09-21
>> IETF LC End Date: 2021-09-28
>> IESG Telechat date: Unknown
>>
>>
>> Summary: Has Issues
>>
>>
>> Major Concerns:  None
>>
>>
>> Minor Concerns:
>>
>> General: All of the field names in this document use camel case, except
>> one.  I think the document would be easier to read if My Discriminator
>> were to use the same convention.  Also, HeadDiscriminator would be
>> more descriptive.
>>
> GIM>> Thank you for pointing this out to me. I agree with the proposed
> update of the field name. The remaining references in the text to My
> Discriminator use the convention of RFC 5880. I hope that is acceptable.
>
>>
>> Section 2.1 says:
>>
>>    The head MUST include the BFD Discriminator option in its Hello
>>    messages.
>>
>> This MUST statement could be much more complete:
>>
>>    The head MUST include the BFD Discriminator option in its Hello
>>    messages, and it MUST include a 4-byte My Discriminator with a
>>    value other than zero.
>>
> GIM>> Thank you, I agree with the proposed text with a minor modification
> based on re-naming of the field to HeadDiscriminator. Below is the update:
> OLD TEXT:
>    The head MUST include the BFD Discriminator option in its Hello
>    messages.
> NEW TEXT:
>    The head MUST include the BFD Discriminator option in its Hello
>    messages, and it MUST include a 4-byte HeadDiscriminator with a value
>    other than zero.
>
>
>> Section 2.3: s/must set/MUST set/
>>
> GIM>> Thank you. Done.
>
>>
>>
>> Nits:
>>
>> Section 1, para 1 could be more clear and more forceful.  I suggest:
>>
>>    Faster convergence in the control plane minimizes the periods of
>>    traffic blackholing, transient routing loops, and other situations
>>    that may negatively affect service data flow.  Faster convergence
>>    in the control plane is beneficial to unicast and multicast routing
>>    protocols.
>>
> GIM>> Thank you for the suggested text. Accepted.
>
>>
>> Section 1, para 2: s/DR is to act on behalf/DR acts on behalf/
>>
> GIM>> Thank you. Done.
>
>>
>> Section 1, para 3: The first sentence is very unclear.  I cannot offer
>> an improvement because it is too hard to parse.
>>
> GIM>> Would the following update make it clearer:
> OLD TEXT:
>    Bidirectional Forwarding Detection (BFD) [RFC5880] had been
>    originally defined to detect a failure of point-to-point (p2p) paths
>    - single-hop [RFC5881], multihop [RFC5883].
>  NEW TEXT:
>    Bidirectional Forwarding Detection (BFD) [RFC5880] had been
>    originally defined to detect a failure of a point-to-point (p2p)
>    path, single-hop [RFC5881] or multihop [RFC5883].
>
>
>> Section 1, para 3: s/networks precisely/networks, and it precisely/
>>
> GIM>> Thank you. Accepted.
>
>>
>> Section 1.1.1: s/familiarity/Familiarity/
>>
> GIM>> Done.
>
>
>


--00000000000076ce1805ccc25056--


From nobody Sat Sep 25 04:21:10 2021
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 771CA3A08FB; Sat, 25 Sep 2021 04:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level: 
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Z1FjcWkd; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=M52Rvi05
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E50Bjh247i16; Sat, 25 Sep 2021 04:20:23 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AA133A08FA; Sat, 25 Sep 2021 04:20:23 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.85,321,1624320000"; d="scan'208";a="755986130"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 25 Sep 2021 11:20:21 +0000
Received: from mail.cisco.com (xbe-aln-003.cisco.com [173.36.7.18]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 18PBKLBA005393 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Sat, 25 Sep 2021 11:20:21 GMT
Received: from xfe-rcd-003.cisco.com (173.37.227.251) by xbe-aln-003.cisco.com (173.36.7.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Sat, 25 Sep 2021 06:20:21 -0500
Received: from xfe-rtp-001.cisco.com (64.101.210.231) by xfe-rcd-003.cisco.com (173.37.227.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Sat, 25 Sep 2021 06:20:20 -0500
Received: from NAM04-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-001.cisco.com (64.101.210.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Sat, 25 Sep 2021 07:20:20 -0400
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from DM8PR11MB5606.namprd11.prod.outlook.com (2603:10b6:8:3c::23) by DM8PR11MB5591.namprd11.prod.outlook.com (2603:10b6:8:38::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.13; Sat, 25 Sep 2021 11:20:19 +0000
Received: from DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65]) by DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65%3]) with mapi id 15.20.4544.020; Sat, 25 Sep 2021 11:20:19 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>
CC: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
Thread-Index: AQHXrdJnjOHuO4fhnU+wPCtBTLa6aaux/B8wgAAXGgCAAMvnUIAAc3MAgAFE1nA=
Date: Sat, 25 Sep 2021 11:20:19 +0000
Message-ID: <DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com> <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net>
In-Reply-To: <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: huitema.net; dkim=none (message not signed) header.d=none;huitema.net; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a48900ce-da60-4697-eeb6-08d98016755b
x-ms-traffictypediagnostic: DM8PR11MB5591:
x-microsoft-antispam-prvs: <DM8PR11MB559111D7A6DD788D46B80CEDDAA59@DM8PR11MB5591.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR11MB5606.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a48900ce-da60-4697-eeb6-08d98016755b
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Sep 2021 11:20:19.5364 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0qF76Xqy36/MEOEbXnIAD4sRXBHpuP6YVhcX1sZCWvlsC4Pm2vFWMn1JzuqfYgBFL4rm6UNpWcc5MeicTjtX8w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR11MB5591
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.18, xbe-aln-003.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/l-b2JGaH5CjcrTCT0z-p4TF8f_E>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Sep 2021 11:20:29 -0000

From nobody Sat Sep 25 07:42:56 2021
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 278FB3A15A1 for <secdir@ietfa.amsl.com>; Sat, 25 Sep 2021 07:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.111
X-Spam-Level: ***
X-Spam-Status: No, score=3.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BxSb1QJ1AecK for <secdir@ietfa.amsl.com>; Sat, 25 Sep 2021 07:42:21 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9091C3A1598 for <secdir@ietf.org>; Sat, 25 Sep 2021 07:42:20 -0700 (PDT)
Received: from xse460.mail2web.com ([66.113.197.206] helo=xse.mail2web.com) by mx134.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mU8sZ-000BD9-8J for secdir@ietf.org; Sat, 25 Sep 2021 16:42:17 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4HGs770h45zLrY for <secdir@ietf.org>; Sat, 25 Sep 2021 07:42:11 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mU8sU-00029V-U9 for secdir@ietf.org; Sat, 25 Sep 2021 07:42:10 -0700
Received: (qmail 19567 invoked from network); 25 Sep 2021 14:42:07 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.0]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <krishna.sashank@gmail.com>; 25 Sep 2021 14:42:06 -0000
To: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com> <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net> <DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <db45f7e3-3961-68fa-5e90-981756139b51@huitema.net>
Date: Sat, 25 Sep 2021 07:42:06 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------0759671A8D2F84B2341AC638"
Content-Language: en-US
X-Originating-IP: 66.113.197.206
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.05)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5fZlhLDVbIPWNN_RwFbqG8KNg_4>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Sep 2021 14:42:34 -0000

This is a multi-part message in MIME format.
--------------0759671A8D2F84B2341AC638
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


On 9/25/2021 4:20 AM, Frank Brockners (fbrockne) wrote:
> Hi Christian,
>
> Thanks for the follow-up. Please see below.
>
>> -----Original Message-----
>> From: Christian Huitema <huitema@huitema.net>
>> Sent: Friday, 24 September 2021 17:16
>> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org
>> Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen
>> <stephen.youell@jpmorgan.com>; sfc@ietf.org;
>> draft-ietf-sfc-proof-of-transit.all@ietf.org; krishna.sashank@gmail.com
>> Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
>>
>>
>> On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote:
>>> Hi Christian,
>>>
>>> Thanks a lot for the detailed follow-up. Please see inline.
>>>
>>>> -----Original Message-----
>>>> From: Christian Huitema <huitema@huitema.net>
>>>> Sent: Thursday, 23 September 2021 22:13
>>>> To: Frank Brockners (fbrockne) <fbrockne@cisco.com>; secdir@ietf.org
>>>> Cc: shwetha.bhandari@gmail.com; last-call@ietf.org; Youell, Stephen
>>>> <stephen.youell@jpmorgan.com>; sfc@ietf.org;
>>>> draft-ietf-sfc-proof-of-transit.all@ietf.org
>>>> Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
>>>>
>>>>
>>>> On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:
>>>>> Hi Christian,
>>>>>
>>>>> Thanks a lot for your detailed review. Please see inline.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Christian Huitema via Datatracker <noreply@ietf.org>
>>>>>> Sent: Monday, 20 September 2021 05:48
>>>>>> To: secdir@ietf.org
>>>>>> Cc: draft-ietf-sfc-proof-of-transit.all@ietf.org;
>>>>>> last-call@ietf.org; sfc@ietf.org
>>>>>> Subject: Secdir last call review of
>>>>>> draft-ietf-sfc-proof-of-transit-08
>>>>>>
>>>>>> Reviewer: Christian Huitema
>>>>>> Review result: Serious Issues
>>>>>>
>>>>>> I have reviewed this document as part of the security directorate's
>>>>>> ongoing effort to review all IETF documents being processed by the
>>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>>> security area directors.
>>>>>> Document editors and WG chairs should treat these comments just
>>>>>> like any other last call comments.
>>>>>>
>>>>>> This document proposes a security mechanism to prove that traffic
>>>>>> transited through all specified nodes in a path. The mechanism
>>>>>> works by adding a short option to each packet for which transit
>>>>>> shall be verified. The option consists of a random number set by
>>>>>> the originator of the packet, and a sum field to which each transit
>>>>>> node adds a value depending on public parameters, on the random
>>>>>> number and on secrets held by the node. The destination has access
>>>>>> to all the secrets held by the nodes on the path, and can verify
>>>>>> whether or not the final sum corresponds to the sum of expected
>>>>>> values. The proposed size of the random number and the sum field
>>>>>> is 64 bits.
>>>>>> In the paragraph above, I described the mechanism without
>>>>>> mentioning the algorithm used to compute these 64 bit numbers. The
>>>>>> 64 bit size is obviously a concern: for cryptographic applications,
>>>>>> 64 bits is not a large number, and that might be a weakness
>>>>>> whatever the proposed algorithm.
>>>>>> The actual algorithm appears to be a bespoke derivation of Shamir's
>>>>>> Secret Sharing algorithm (SSS). In other words, it is a case of
>>>>>> "inventing your own crypto".
>>>>> ...FB: SSS is a well known algorithm and
>>>>> draft-ietf-sfc-proof-of-transit does not modify it.
>>>>> All draft-ietf-sfc-proof-of-transit does is to operationalize the
>>>>> SSS algorithm for the proof of transit use case.
>>>>> Also note that the draft does not require the use of 64 bit numbers.
>>>>> Nor does the draft require a minimum time between changing the secrets.
>>>>> What particular attack are you concerned about where 64 bit numbers
>>>>> are a concern?
>>>>>> SSS relies on the representation of polynomials as a sum of
>>>>>> Lagrange Basis Polynomials. Each of the participating nodes holds a
>>>>>> share of the secret represented by a point on the polynomial curve.
>>>>>> A polynomial of degree K on the field of integers modulo a prime
>>>>>> number N can only be revealed if at least K+1 participants reveal
>>>>>> the value of their point. The safety of the algorithm relies on the
>>>>>> size of the number N and on the fact that the secret shall be
>>>>>> revealed only once.
>>>>>> But the algorithm does not use SSS directly, so it deserves its own
>>>>>> security analysis instead of relying simply on Shamir's work.
>>>>>> The proposed algorithm uses two polynomials of degree K for a path
>>>>>> containing K+1 nodes, on a field defined by a prime number N of
>>>>>> 64 bits. One of the polynomials, POLY-1, is secret, and only fully
>>>>>> known by the verifying node.
>>>>>> The other, POLY-2, is public, with the constant coefficient set at a
>>>>>> random value RND for each packet.
>>>>>>
>>>>>> For each packet, the goal is to compute the value of POLY-1 plus
>>>>>> POLY-2 at the point 0 -- that is, the constant coefficient of
>>>>>> POLY-3 = POLY-1 + POLY-2.
>>>>>> Without going into too much detail, one can observe that the
>>>>>> constant coefficient of POLY-3 is equal to the sum of the constant
>>>>>> coefficients of POLY-1 and POLY-2, and that the constant
>>>>>> coefficient of POLY-2 is the value RND present in each packet. In
>>>>>> the example given in section 3.3.2, the numbers are computed modulo
>>>>>> 53, the constant coefficient of POLY-1 is 10, and the value RND is
>>>>>> 45. The final sum CML is indeed
>>>>>> 10 + 45 = 2 mod 53.
>>>>>>
>>>>>> To me, this appears as a serious weakness in the algorithm. If an
>>>>>> adversary can observe the value RND and CML for a first packet, it
>>>>>> can retrieve the constant coefficient of POLY-1, and thus can
>>>>>> predict the value of CML for any other packet. That does not seem
>>>>>> very secure.
>>>>> ...FB: There seems to be a bit of confusion or misreading of how the
>>>>> method works. In the above statement you seem to assume that the
>>>>> verifier would not be part of the proof-chain, so that the final CML
>>>>> value would be somehow exposed to an external entity along with RND.
>>>>> This is not the case. The verifier is the last node (k+1) in the
>>>>> proof-chain.
>>>>> At concept level, the method reconstructs the polynomial hop by hop,
>>>>> picking up a point on the curve at every hop. Only the final node in
>>>>> the proof-chain, which is also the verifier, acts on the information
>>>>> of all the k+1 points and as such is able to reconstruct the
>>>>> polynomial.
>>>>> In section 3.2.1, the draft explicitly states that the verifier *is*
>>>>> part of the proof-chain: "Each of the k+1 nodes (including verifier)
>>>>> are assigned a point on the polynomial i.e., shares of the SECRET."
>>>>> The fact that the verifier, i.e., the last node in the proof-chain
>>>>> ("k+1"), can retrieve the secret, is desired and intentional, because
>>>>> the verifier needs to compare the result of the iterative
>>>>> construction of the secret with the secret value it received from
>>>>> the controller.
>>>>> This is how the system is designed, and the calculation of (10+45)
>>>>> mod 53 = 2 is part of the verification.
>>>>
>>>> OK. That's slightly less bad. But it is still very bad crypto,
>>>> because you are effectively doing a linear combination.
>>>>
>>>> You are evaluating POLY-3 = POLY-1 + POLY-2
>>>>
>>>> POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC
>>>> only contains the non constant terms -- that is, POLY-2-NC(0) = 0
>>>>
>>>> Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) + RND
>>>> For a given value Xj of X, this means we can express : POLY-3(Xj) = Vj + RND
>>>> In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)
>>>>
>>>> Each node will increment the cumul by the value LPCj * POLY-3(Xj) =
>>>> LPCj * (Vj + RND)
>>>>
>>>> Suppose that an adversary can observe the value of CML before and
>>>> after being incremented by node Xj. Suppose that it could do that
>>>> twice. Then it has the
>>>> values:
>>>>
>>>> CML1-before-j = C1b
>>>> CML1-after-j = C1a
>>>> D1 = C1a - C1b = LPCj * (Vj + RND1)
>>>>
>>>> CML1-before-j = C2b
>>>> CML1-after-j = C2a
>>>> D2 = C2a - C2b = LPCj * (Vj + RND2)
>>>>
>>>> D2-D1 = LPCj*(RND2-RND1)
>>>>
>>>> LPCj = (RND2-RND1)/(D2-D1)
>>>> Vj = D2/LPCj - RND2
>>>>
>>>> The inverse of numbers modulo a prime P is easily computed -- see
>>>> Fermat's little theorem.
>>>>
>>>> Once the input and output of a node have been observed twice, it
>>>> becomes easy to update the cumulative sum CML while bypassing these
>>>> nodes.
>>> ...FB: This is great. Thanks for spelling out the details.  You raise a
>>> good point: For the solution to make sense, we need to ensure that an
>>> attacker cannot observe the input and output of a node.
>>> To ensure this does not happen, we must require the communication
>>> to/from the node to be encrypted, e.g., through link layer encryption
>>> of at least the proof-of-transit data fields.
>>> We'll add this requirement to the draft - and also detail the threat
>>> you describe above in detail in the security considerations section.
>>
>> That still will not be sufficient, because you also have to deal with
>> the nodes themselves. By definition, they see the intermediate results
>> of other nodes. For example, if the function chain is A->B->C->D->E,
>> the node B sees the output of B and the node D sees the input of D. If
>> B and D collude, they have access to the input and output of C. They
>> can easily find the secrets of C, and then execute a chain
>> A->B---->D->E in which the input of D is "corrected" to hide the
>> absence of C from the evaluator E.
> Thanks much. You raise another valid point and we will add it to the
> security considerations section.
> That said, IMHO we'd need to put the scenario you raise into perspective:
> If the nodes B and D would be compromised by an attacker, the deployment
> would face a much more serious security issue than what any
> proof-of-transit method could protect against.
>
>> The linear combination scheme in the draft is not sound crypto. My
>> recommendation is to present the problem and the threat model clearly
>> to the crypto community, for example by presenting to the CFRG, and
>> solicit advice on better algorithms.
> There has been quite a bit of discussion on proof of transit in several
> WGs, even before the SFC WG picked it up. And the SFC working group has
> considered different approaches early on in the solution specification,
> including e.g., using nested encryption, which is probably more in line
> with your preferences. See
> https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1.
> From my recollection of the discussion - others please chime in - one
> main reason of why the current approach was chosen was its computational
> simplicity, i.e., hardware platforms which do not support native
> encryption capabilities like AES-NI can implement it without
> considerable impact on the computational latency. So in other words, the
> current method is the result of a trade-off decision.

We are discussing mathematics, not opinions. It is not a matter of
preferences, it is a matter of threat model. The draft that I reviewed
does not mention that the scheme should only be used in a benign
environment in which no attacker can see the traffic and all nodes are
fully trusted to not try gaming the system. The proposed scheme uses
crypto vocabulary, with references to SSS and use of terms like "proof"
or "cryptanalysis". Indeed, the header paragraph of the security
considerations says:

    POT is a mechanism that is used for verifying the path through which
    a packet was forwarded.  The security considerations of IOAM in
    general are discussed in [I-D.ietf-ippm-ioam-data].  Specifically, it
    is assumed that POT is used in a confined network domain, and
    therefore the potential threats that POT is intended to mitigate
    should be viewed accordingly.  POT prevents spoofing and tampering;
    an attacker cannot maliciously create a bogus POT or modify a
    legitimate one.  Furthermore, a legitimate node that takes part in
    the POT protocol cannot masquerade as another node along the path.
    These considerations are discussed in detail in the rest of this
    section.

The previous discussions have shown that an attacker CAN "maliciously
create a bogus POT or modify a legitimate one", provided it is able to
see the traffic, or some of the traffic. The discussions also show that
"a legitimate node that takes part in the POT protocol" CAN "masquerade
as another node along the path". Contrary to statements in the
"cryptanalysis" section, "A passive attacker observing CML values across
nodes (i.e., as the packets entering and leaving)" CAN "perform
differential analysis". The attack cannot "be mitigated using a good
PRNG for generating RND".

If the system was only designed for operation in a "benign environment"
and you were only concerned with detecting operation failures, I am
pretty sure that you could come out with something less complicated. For
example you could exploit the analysis that I made to radically simplify
the implementation and describe the scheme as "CML = Sum (Xj*RNDp)",
where Xj is a secret coefficient provisioned to node j, and RNDp is a
per-packet random number. The verification by the evaluator will check
that "RND == CML + Xe*RND", where "Xe = 1 - Sum Xj". That would get you
an easy-to-implement checksum. But you would need to be very clear about
the domain of application, and the failure mode if the traffic can be
observed or nodes can be compromised, and the draft should probably drop
the references to Shamir's SSS, because they just obfuscate the analysis.

-- Christian Huitema
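
[Added example, not part of the original message or of the draft] A toy model of the cumulative-sum scheme and of the differential analysis discussed in this thread, showing that each node's increment is linear in RND and therefore predictable after two observations. The modulus 53, the constant coefficient 10, RND = 45 and the resulting CML = 2 come from the thread; the remaining polynomial coefficients, the node points and all function names are constructed for illustration.

```python
"""Toy model of the cumulative-sum proof-of-transit scheme discussed above."""

P = 53                  # modulus of the section 3.3.2 example quoted in the thread
POLY1 = [10, 3, 3]      # secret POLY-1; constant term 10 is from the thread, rest constructed
POLY2_NC = [0, 7, 10]   # public non-constant part of POLY-2 (constructed)
XS = [2, 4, 5]          # evaluation point of each node on the path (constructed)


def inv(a):
    """Modular inverse via Fermat's little theorem (P is prime)."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 mod P")
    return pow(a, P - 2, P)


def evaluate(coeffs, x):
    """Evaluate a polynomial given by its coefficient list at x, mod P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P


def lpc(j):
    """Lagrange basis constant of node j for interpolation at x = 0."""
    num = den = 1
    for i, xi in enumerate(XS):
        if i != j:
            num = num * xi % P
            den = den * (xi - XS[j]) % P
    return num * inv(den) % P


def node_constant(j):
    """Vj = POLY-1(Xj) + POLY-2-NC(Xj): the per-node term that never changes."""
    return (evaluate(POLY1, XS[j]) + evaluate(POLY2_NC, XS[j])) % P


def node_update(j, rnd, cml):
    """What node j does to the packet: CML += LPCj * (Vj + RND)."""
    return (cml + lpc(j) * (node_constant(j) + rnd)) % P


def run_chain(rnd, skip=None):
    """Return the CML value seen on each link; trace[j] is what enters node j."""
    trace = [0]
    for j in range(len(XS)):
        cml = trace[-1]
        trace.append(cml if j == skip else node_update(j, rnd, cml))
    return trace


def verify(rnd, cml):
    """Verifier check: CML must equal POLY-3(0) = POLY-1(0) + RND."""
    return cml == (POLY1[0] + rnd) % P


def observe(j, rnd):
    """(RND, CML before node j, CML after node j) for one packet."""
    trace = run_chain(rnd)
    return rnd, trace[j], trace[j + 1]


def recover_node_terms(obs1, obs2):
    """Solve D = LPCj * (Vj + RND) for (LPCj, Vj) from two observations."""
    (rnd1, b1, a1), (rnd2, b2, a2) = obs1, obs2
    d1, d2 = (a1 - b1) % P, (a2 - b2) % P
    if (rnd2 - rnd1) % P == 0:
        raise ValueError("the two packets must carry different RND values")
    lpc_j = (d2 - d1) * inv(rnd2 - rnd1) % P   # D2 - D1 = LPCj * (RND2 - RND1)
    v_j = (d2 * inv(lpc_j) - rnd2) % P         # D2 = LPCj * (Vj + RND2)
    return lpc_j, v_j


if __name__ == "__main__":
    final = run_chain(45)[-1]
    print("CML for RND=45:", final, "verifies:", verify(45, final))
    print("node 1 skipped, verifies:", verify(45, run_chain(45, skip=1)[-1]))
    lpc_j, v_j = recover_node_terms(observe(1, 45), observe(1, 12))
    print("recovered (LPCj, Vj):", (lpc_j, v_j),
          "provisioned:", (lpc(1), node_constant(1)))
    _, before, after = observe(1, 30)
    print("increment predicted for an unseen RND:", lpc_j * (v_j + 30) % P,
          "actual:", (after - before) % P)
```

The quality of the PRNG behind RND plays no part in the recovery, because RND travels in the packet and the solve needs only two packets with distinct RND values.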


--------------0759671A8D2F84B2341AC638
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 9/25/2021 4:20 AM, Frank Brockners
      (fbrockne) wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com">
      <pre class="moz-quote-pre" wrap="">Hi Christian,

Thanks for the follow-up. Please see below.

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: Christian Huitema <a class="moz-txt-link-rfc2396E" href="mailto:huitema@huitema.net">&lt;huitema@huitema.net&gt;</a>
Sent: Friday, 24 September 2021 17:16
To: Frank Brockners (fbrockne) <a class="moz-txt-link-rfc2396E" href="mailto:fbrockne@cisco.com">&lt;fbrockne@cisco.com&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:secdir@ietf.org">secdir@ietf.org</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:shwetha.bhandari@gmail.com">shwetha.bhandari@gmail.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:last-call@ietf.org">last-call@ietf.org</a>; Youell, Stephen
<a class="moz-txt-link-rfc2396E" href="mailto:stephen.youell@jpmorgan.com">&lt;stephen.youell@jpmorgan.com&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:sfc@ietf.org">sfc@ietf.org</a>; draft-ietf-sfc-proof-of-
<a class="moz-txt-link-abbreviated" href="mailto:transit.all@ietf.org">transit.all@ietf.org</a>; <a class="moz-txt-link-abbreviated" href="mailto:krishna.sashank@gmail.com">krishna.sashank@gmail.com</a>
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-
08


On 9/24/2021 1:39 AM, Frank Brockners (fbrockne) wrote:
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">Hi Christian,

Thanks a lot for the detailed follow-up. Please see inline.

</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: Christian Huitema <a class="moz-txt-link-rfc2396E" href="mailto:huitema@huitema.net">&lt;huitema@huitema.net&gt;</a>
Sent: Thursday, 23 September 2021 22:13
To: Frank Brockners (fbrockne) <a class="moz-txt-link-rfc2396E" href="mailto:fbrockne@cisco.com">&lt;fbrockne@cisco.com&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:secdir@ietf.org">secdir@ietf.org</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:shwetha.bhandari@gmail.com">shwetha.bhandari@gmail.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:last-call@ietf.org">last-call@ietf.org</a>; Youell, Stephen
<a class="moz-txt-link-rfc2396E" href="mailto:stephen.youell@jpmorgan.com">&lt;stephen.youell@jpmorgan.com&gt;</a>; <a class="moz-txt-link-abbreviated" href="mailto:sfc@ietf.org">sfc@ietf.org</a>; draft-ietf-sfc-proof-of-
<a class="moz-txt-link-abbreviated" href="mailto:transit.all@ietf.org">transit.all@ietf.org</a>
Subject: Re: [Last-Call] Secdir last call review of
draft-ietf-sfc-proof-of-transit-
08


On 9/23/2021 12:31 PM, Frank Brockners (fbrockne) wrote:
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">Hi Christian,

Thanks a lot for your detailed review. Please see inline.

</pre>
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">-----Original Message-----
From: Christian Huitema via Datatracker <a class="moz-txt-link-rfc2396E" href="mailto:noreply@ietf.org">&lt;noreply@ietf.org&gt;</a>
Sent: Monday, 20 September 2021 05:48
To: <a class="moz-txt-link-abbreviated" href="mailto:secdir@ietf.org">secdir@ietf.org</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:draft-ietf-sfc-proof-of-transit.all@ietf.org">draft-ietf-sfc-proof-of-transit.all@ietf.org</a>;
<a class="moz-txt-link-abbreviated" href="mailto:last-call@ietf.org">last-call@ietf.org</a>; <a class="moz-txt-link-abbreviated" href="mailto:sfc@ietf.org">sfc@ietf.org</a>
Subject: Secdir last call review of
draft-ietf-sfc-proof-of-transit-08

Reviewer: Christian Huitema
Review result: Serious Issues

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security
</pre>
              </blockquote>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">area directors.
</pre>
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">Document editors and WG chairs should treat these comments just
like any other last call comments.

This document proposes a security mechanism to prove that traffic
transited through all specified nodes in a path. The mechanism
works by adding a short option to each packet for which transit
shall be verified. The option consists of a random number set by
the originator of the packet, and a sum field to which each transit
node adds a value depending on public parameters, on the random
number and on secrets held by the node. The destination has access
to all the secrets held by the nodes on the path, and can verify
whether or not the final sum corresponds to the sum of expected
values. The proposed size
</pre>
              </blockquote>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">of the random number and the sum field is 64 bits.
</pre>
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">In the paragraph above, I described the mechanism without
mentioning the algorithm used to compute these 64 bit numbers. The
64 bit size is obviously a
concern: for cryptographic applications, 64 bits is not a large
number, and that might be a weakness whatever the proposed algorithm.
The actual algorithm appears to be a bespoke derivation of Shamir's
Secret Sharing algorithm (SSS). In other word, it is a case of
"inventing your
</pre>
              </blockquote>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">own crypto".
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">...FB: SSS is a well know algorithm and
draft-ietf-sfc-proof-of-transit does not
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">modify it.
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">All draft-ietf-sfc-proof-of-transit does is to operationalize the
SSS algorithm
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">for the proof of transit use case.
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">Also note that the draft does not require the use of 64 bit numbers.
Nor does draft require a minimum time between changing the secrets.
What particular attack are you concerned about where 64 bit numbers
are a
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">concern?
</pre>
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">SSS relies on the representation of polynomials as a sum of
Lagrange Basis Polynomials. Each of the participating nodes holds a
share of the secret represented by a point on the polynomial curve.
A polynomial of degree K on the field of integers modulo a prime
number N can only be revealed if at list K+1 participants reveal
the value of their point. The safety of the algorithm relies on the
size of the number N and on the fact that the secret shall be revealed only
</pre>
              </blockquote>
            </blockquote>
          </blockquote>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">once.
</pre>
        <blockquote type="cite">
          <blockquote type="cite">
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">But the algorithm does not use SSS directly, so it deserves its own
security
</pre>
              </blockquote>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">analysis instead of relying simply on Shamir's work.
</pre>
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">The proposed algorithm uses two polynomials of degree K for a path
containing
K+1 nodes, on a field defined by a prime number N of 64 bits. One
K+of the
polynomial, POLY-1, is secret, and only fully known by the verifying node.
The other, POLY-2 is public, with the constant coefficient set at a
random value RND for each packet.

For each packet, the goal is compute the value of POLY-1 plus
POLY-2 at the point 0 -- that is, the constant coefficient of
POLY-3 = POLY-1 + POLY-
</pre>
              </blockquote>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">2.
</pre>
            <blockquote type="cite">
              <blockquote type="cite">
                <pre class="moz-quote-pre" wrap="">Without going in too much details, one can observe that the
constant coefficient of POLY-3 is equal to the sum of the constant
coefficients of POLY-1 and POLY-2, and that the constant
coefficient of POLY-2 is the value RND present in each packet. In
the example given in section 3.3.2, the numbers are computed modulo
53, the constant coefficient of POLY-1 is 10, and the value RND is
45. The final sum  CML is indeed
10 + 45 = 2 mod 53.

To me, this appears as a serious weakness in the algorithm. If an
adversary can observe the value RND and CML for a first packet, it
can retrieve the constant coefficient of POLY-1, and thus can
predict the value of CML for any other packet. That does not seem very
</pre>
              </blockquote>
            </blockquote>
          </blockquote>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">secure.
</pre>
        <blockquote type="cite">
          <blockquote type="cite">
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">...FB: There seems to be a bit of confusion or misreading of how the
method
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">works. In the above statement you seem to assume that the verifier
would not be part of the proof-chain, so that the final CML value
would be somehow exposed to an external entity along with RND. This
is not the case. The verifier is the last node (k+1) in the proof-chain.
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">At concept level, the method reconstructs the polynomial hop by hop,
picking
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">up a point on the curve at every hop. Only final node in the
proof-chain, which is also the verifier, acts on the information of
all the k+1 points and as such is able to reconstruct the polynomial.
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">In section 3.2.1, the draft explicitly states that the verifier *is*
part of the
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">proof-chain: "Each of the k+1 nodes (including verifier) are assigned
a point on the polynomial i.e., shares of the SECRET." The fact that
the verifier, i.e., the last node in the proof-chain ("k+1"),  can
retrieve the secret, is desired and intentional, because the verifier
needs to compare the result of the iterative construction of the secret with
</pre>
          </blockquote>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">the secret value it received from the controller.
</pre>
        <blockquote type="cite">
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">This is how the system is designed, and the calculation of (10+45)
mod 53 = 2 is part of the verification.

OK. That's slightly less bad. But it is still very bad crypto,
because you are effectively doing a linear combination.

You are evaluating POLY-3 = POLY-1 + POLY-2

POLY-2 can be written as POLY-2 = RND + POLY-2-NC, in which POLY2-NC
only contains the non constant terms -- that is, POLY-2-NC(0) = 0

Then for any point X, we get POLY-3(X) = POLY-1(X) + POLY2-NC(X) +
RND For a given value Xj of X, this means we can express : POLY-3(Xj)
= Vj + RND In which Vj is a constant term = POLY-1(Xj) + POLY2-NC(Xj)

Each node will increment the cumul by the value LPCj * POLY-3(Xj) =
LPCj
* (Vj + RND)

Suppose that an adversary can observe the value of CML before and
after being incremented by node Xj. Suppose that it could do that
twice. Then it has the
values:

CML1-before-j = C1b
CML1-after-j = C1a
D1 = C1a - C1b = LPCj * (Vj + RND1)

CML1-before-j = C2b
CML1-after-j = C2a
D2 = C2a - C2b = LPCj * (Vj + RND2)

D2-D1 = LPCj*(RND2-RND1)

LPCj = (RND2-RND1)/(D2-D1)
Vj = D2/LPCj - RND2

The inverse of numbers modulo a prime P is easily computed -- see
Fermat's little theorem.

Once the input and output of a node have been observed twice, it
becomes easy to update the cumulative sum CML while bypassing these
</pre>
          </blockquote>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">nodes.
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">...FB: This is great. Thanks for spelling out the details.  You raise a good point:
</pre>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">For the solution to make sense, we need to ensure that an attacker cannot
observe the input and output of a node.
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">To ensure this does not happen, we must require the communication to/from
</pre>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">the node to be encrypted, e.g., through link layer encryption of at least the
proof-of-transit data fields.
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">We'll add this requirement to the draft - and also detail the threat you describe
</pre>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">above in detail in the security considerations section.

That still will not be sufficient, because you also have to deal with the nodes
themselves. By definition, they see the intermediate results of other nodes. For
example, if the function chain is A-&gt;B-&gt;C-&gt;D-&gt;E, the node B sees the output of B
and the node D sees the input of D. If B and D  collude, they have access to the
input and output of C. They can easily find the secrets of C, and then execute a
chain A-&gt;B----&gt;D-&gt;E in which the input of D is "corrected" to hide the absence of
C from the evaluator E.
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
Thanks much. You raise another valid point and we will add it to the security considerations section.
That said, IMHO we'd need to put the scenario you raise into perspective:
If the nodes B and D would be compromised by an attacker, the deployment would face a much more serious security issue than what any proof-of-transit method could protect against.

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">
The linear combination scheme in the draft is not sound crypto. My
recommendation is to present the problem and the threat model clearly to the
crypto community, for example by presenting to the CFRG, and solicit advice on
better algorithms.
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
There has been quite a bit of discussion on proof of transit in several WGs, even before the SFC WG picked it up. And the SFC working group has considered different approaches early on in the solution specification, including e.g., using nested encryption, which is probably more in line with your preferences. See <a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1">https://datatracker.ietf.org/doc/html/draft-ietf-sfc-proof-of-transit-01#section-3.5.1</a>. From my recollection of the discussion - others please chime in - one main reason of why the current approach was chosen was its computational simplicity, i.e., hardware platforms which do not support native encryption capabilities like AES-NI can implement it without considerable impact on the computational latency. So in other words, the current method is the result of a trade-off decision.</pre>
    </blockquote>
    We are discussing mathematics, not opinions. It is not a matter of
    preferences, it is a matter of threat model. The draft that I
    reviewed does not mention that the scheme should only be used in a
    benign environment in which no attacker can see the traffic and all
    nodes are fully trusted to not try gaming the system. The proposed
    scheme uses crypto vocabulary, with references to SSS and use of
    terms like "proof" or "cryptanalysis". Indeed, the header paragraph
    of the security considerations says:<br>
    <br>
    <pre>   POT is a mechanism that is used for verifying the path through which
   a packet was forwarded.  The security considerations of IOAM in
   general are discussed in [I-D.ietf-ippm-ioam-data].  Specifically, it
   is assumed that POT is used in a confined network domain, and
   therefore the potential threats that POT is intended to mitigate
   should be viewed accordingly.  POT prevents spoofing and tampering;
   an attacker cannot maliciously create a bogus POT or modify a
   legitimate one.  Furthermore, a legitimate node that takes part in
   the POT protocol cannot masquerade as another node along the path.
   These considerations are discussed in detail in the rest of this
   section.
</pre>
    <p>The previous discussions have shown that an attacker CAN 
      "maliciously create a bogus POT or modify a legitimate one",
      provided it is able to see the traffic, or some of the traffic.
      The discussions also show that "a legitimate node that takes part
      in the POT protocol" CAN "masquerade as another node along the
      path". Contrary to statements in the "cryptanalysis" section, "A
      passive attacker observing CML values across nodes (i.e., as the
      packets entering and leaving)" CAN  "perform differential
      analysis". The attack cannot "be mitigated using a good PRNG for
      generating RND".</p>
    <p>If the system was only designed for operation in a "benign
      environment" and you were only concerned with detecting operation
      failures, I am pretty sure that you could come out with something
      less complicated. For example you could exploit the analysis that
      I made to radically simplify the implementation and describe the
      scheme as "CML = Sum (Xj*RNDp)", where Xj is a secret coefficient
      provisioned to node j, and RNDp is a per-packet random number. The
      verification by the evaluator will check that "RND == CML +
      Xe*RND", where "Xe = 1 - Sum Xj". That would get you an
      easy-to-implement checksum. But you would need to be very clear
      about the domain of application, and the failure mode if the
      traffic can be observed or nodes can be compromised, and the draft
      should probably drop the references to Shamir's SSS, because they
      just obfuscate the analysis.<br>
    </p>
    <p>-- Christian Huitema<br>
    </p>
    <blockquote type="cite"
cite="mid:DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com">
      <pre class="moz-quote-pre" wrap="">
</pre>
      <pre class="moz-quote-pre" wrap="">
</pre>
    </blockquote>
  </body>
</html>

--------------0759671A8D2F84B2341AC638--
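
Added example, not part of the original message or of the draft: the algebra from the review above, run on constructed values to show that two observations of one node expose LPCj and Vj even when RND comes from a CSPRNG. It assumes, as the review's formulas do, that RND is visible alongside CML; the modulus and all names are illustrative.

```python
import secrets

P = 2**61 - 1  # constructed prime modulus (a Mersenne prime); not a value from the draft


def inv(a: int) -> int:
    """Inverse modulo the prime P via Fermat's little theorem: a^(P-2) mod P."""
    a %= P
    if a == 0:
        raise ZeroDivisionError("0 has no inverse modulo P")
    return pow(a, P - 2, P)


class Node:
    """Node j of the chain. LPCj and Vj = POLY-1(Xj) + POLY-2-NC(Xj) are its secrets."""

    def __init__(self, lpc: int, v: int):
        self._lpc = lpc % P
        self._v = v % P

    def update(self, cml: int, rnd: int) -> int:
        """CML += LPCj * POLY-3(Xj), where POLY-3(Xj) = Vj + RND."""
        return (cml + self._lpc * (self._v + rnd)) % P


def observe(node: Node, rnd: int, cml_before: int):
    """What the review assumes is visible for one packet: RND, CML before, CML after."""
    return rnd, cml_before, node.update(cml_before, rnd)


def recover(obs1, obs2):
    """Solve the two linear equations D = LPCj * (Vj + RND) for (LPCj, Vj)."""
    (r1, b1, a1), (r2, b2, a2) = obs1, obs2
    d1 = (a1 - b1) % P
    d2 = (a2 - b2) % P
    if (r2 - r1) % P == 0:
        # Same RND twice: the equations coincide and nothing new is learned.
        raise ValueError("the two observations must use different RND values")
    # From D2 - D1 = LPCj * (RND2 - RND1).
    lpc = (d2 - d1) * inv(r2 - r1) % P
    # From D2 = LPCj * (Vj + RND2).
    v = (d2 * inv(lpc) - r2) % P
    return lpc, v


def leak_check(lpc: int, v: int) -> bool:
    """True if two packets with fresh CSPRNG RND values expose the node's secrets
    and the recovered pair predicts the node's output for a third packet."""
    node = Node(lpc, v)
    r1 = secrets.randbelow(P)
    r2 = secrets.randbelow(P)
    while r2 == r1:
        r2 = secrets.randbelow(P)
    got = recover(observe(node, r1, secrets.randbelow(P)),
                  observe(node, r2, secrets.randbelow(P)))
    r3, before = secrets.randbelow(P), secrets.randbelow(P)
    predicted = (before + got[0] * (got[1] + r3)) % P
    return got == (lpc % P, v % P) and predicted == node.update(before, r3)


if __name__ == "__main__":
    print("secrets exposed by two observations:", leak_check(123456789, 987654321))
```

The RND values here come from Python's `secrets` module, so the result does not depend on a weak generator: the leak follows from the update being linear in RND.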


From nobody Tue Sep 28 08:13:10 2021
Return-Path: <fbrockne@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17FC13A3141; Tue, 28 Sep 2021 08:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.595
X-Spam-Level: 
X-Spam-Status: No, score=-4.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GB_SUMOF=5, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=erw63chw; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=HZirKEEq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdmHkjYvCaIK; Tue, 28 Sep 2021 08:12:54 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8FD23A1CF2; Tue, 28 Sep 2021 08:12:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=59880; q=dns/txt; s=iport; t=1632841974; x=1634051574; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=F3w4gQytmtlWfi3+mLpNl3GD+PmpZAug76I4zISLt0o=; b=erw63chwzxeTohc7+ddL50s1hu/KN3JOgRxXfc+ptX7uXIeB37H38Eud WadFgOcMoUeRmgB8TmJabbaPQMN+Z1u4/JT31CAxbLMLamhZ9b0WtV4jV qDZg+tkMM5yy0edEvLmYlDjTXEfr/9ptHmNPA2Sf/Pacz0AdjpcBGwfJk 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.85,329,1624320000";  d="scan'208,217";a="846172271"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Sep 2021 15:12:51 +0000
Received: from mail.cisco.com (xbe-aln-003.cisco.com [173.36.7.18]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 18SFCpae002425 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Tue, 28 Sep 2021 15:12:51 GMT
Received: from xfe-rcd-002.cisco.com (173.37.227.250) by xbe-aln-003.cisco.com (173.36.7.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Tue, 28 Sep 2021 10:12:51 -0500
Received: from xfe-aln-002.cisco.com (173.37.135.122) by xfe-rcd-002.cisco.com (173.37.227.250) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Tue, 28 Sep 2021 10:12:50 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xfe-aln-002.cisco.com (173.37.135.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Tue, 28 Sep 2021 10:12:50 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Nh4nYpXmTunXsqnySJKd4twNcSCfz6/gYYM1nrg5Jheu9804FtBjYSb+HPf6Gu6/50WQduRU7iwiO4ftFxeT4CTg+148aMUsa5Ff8b+mEs9ZBhGfRYmuRDnuu5/lRtu8jFIuZY7kDEyvM2O6gckKfGEALD/Lbhq+pGSgq/IAWheKwdNCW9S2laF7yz2znbxDu1rohShYvZeB6MlEdF5XDVlHBJmCT60g7i79+vGAztEivd4dzkvlmKPlI3p4FduiQ3IdeGZtDQOsl6c0tlI0PO6Wo6jHAGV+PYzDnSkekDvZi/e3TEZDqX2DQ55XHhyxPniPyrlacakCEUsXuU9TlQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;  bh=F3w4gQytmtlWfi3+mLpNl3GD+PmpZAug76I4zISLt0o=; b=igKv1edlmSd7wbiy6+M3uaiCV9ntL/XTnRBf+b2Q3j42jrHDHJ7nEIyhNd7gljYfBNBwTajvOXiNt5U/7sDKRhfzny6wt3OLpqxFbzIAtGf2iDCp/DM3tnOeJt9MH2TrK8N20XKsJj1a9sJ/GJlo5zjWdWPufuAn9uUw2zLAji8bHk3XF+c6taKtuXsFQHE8yVNS6xQKvpng5w/l6lP866XAT4UE4OU9xaufJMq+haMAVFhfL9CcEWv2/+1llTeHCXJtN3ZVEDSB3gk2c9TxE70hsIdVloTbLJt34Lq9kwz/OOoJIlGTU1jLpiHO5rIXEEDruHX9wBRWjFoFgRhNYQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com;  s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=F3w4gQytmtlWfi3+mLpNl3GD+PmpZAug76I4zISLt0o=; b=HZirKEEqzIKGNPkDACoCn6gcH6cezKKe4p4ZXgMQ78uYT4dgY4vR/Wh/naP+Xk4nJL1GO11p+cH2VutGqJT/LgoHz4gthOD6Un+/ezSMMY9hidsjOvK/W8tDiYQHR0/dYHxCKUEBUPmvx2NZR5NUu1RwuvFa4TwycjgthuEwh4I=
Received: from DM8PR11MB5606.namprd11.prod.outlook.com (2603:10b6:8:3c::23) by DM8PR11MB5671.namprd11.prod.outlook.com (2603:10b6:8:3c::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.13; Tue, 28 Sep 2021 15:12:49 +0000
Received: from DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65]) by DM8PR11MB5606.namprd11.prod.outlook.com ([fe80::2544:292:4ad5:dd65%3]) with mapi id 15.20.4544.022; Tue, 28 Sep 2021 15:12:49 +0000
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: Christian Huitema <huitema@huitema.net>, "secdir@ietf.org" <secdir@ietf.org>, Martin Vigoureux <martin.vigoureux@nokia.com>
CC: "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "last-call@ietf.org" <last-call@ietf.org>, "Youell, Stephen" <stephen.youell@jpmorgan.com>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-proof-of-transit.all@ietf.org" <draft-ietf-sfc-proof-of-transit.all@ietf.org>, "krishna.sashank@gmail.com" <krishna.sashank@gmail.com>
Thread-Topic: [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
Thread-Index: AQHXrdJnjOHuO4fhnU+wPCtBTLa6aaux/B8wgAAXGgCAAMvnUIAAc3MAgAFE1nCAAEP3AIAEulAA
Date: Tue, 28 Sep 2021 15:12:48 +0000
Message-ID: <DM8PR11MB5606B4D10F2CE68734684248DAA89@DM8PR11MB5606.namprd11.prod.outlook.com>
References: <163210969860.31323.5718880916818308072@ietfa.amsl.com> <DM8PR11MB5606222AA0739CE8093A6777DAA39@DM8PR11MB5606.namprd11.prod.outlook.com> <7329d9eb-3597-0006-dbc5-892a4ada74ab@huitema.net> <DM8PR11MB56061C0D02BC169F39D41407DAA49@DM8PR11MB5606.namprd11.prod.outlook.com> <31b9ad77-1848-011c-9b3f-3787aee21e41@huitema.net> <DM8PR11MB5606D099B760809CB3DD8326DAA59@DM8PR11MB5606.namprd11.prod.outlook.com> <db45f7e3-3961-68fa-5e90-981756139b51@huitema.net>
In-Reply-To: <db45f7e3-3961-68fa-5e90-981756139b51@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: huitema.net; dkim=none (message not signed) header.d=none;huitema.net; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 07e2dfc3-eb61-4f33-e208-08d982926f21
x-ms-traffictypediagnostic: DM8PR11MB5671:
x-microsoft-antispam-prvs: <DM8PR11MB567142D4A2189B8234D4D046DAA89@DM8PR11MB5671.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM8PR11MB5606B4D10F2CE68734684248DAA89DM8PR11MB5606namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR11MB5606.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 07e2dfc3-eb61-4f33-e208-08d982926f21
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Sep 2021 15:12:49.0336 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vfkibXxx9VOdc3DD9dN8O39yjGJiEN4Xo82g59htEDP6x/+im7U9YzMWNqLwP+Xnvp+zdJzdKI/AdmmSyimDfg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM8PR11MB5671
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.18, xbe-aln-003.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZZ2DicjZTFls9NsIccZ57yMRnEc>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-proof-of-transit-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Sep 2021 15:13:00 -0000

--_000_DM8PR11MB5606B4D10F2CE68734684248DAA89DM8PR11MB5606namp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_DM8PR11MB5606B4D10F2CE68734684248DAA89DM8PR11MB5606namp_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_DM8PR11MB5606B4D10F2CE68734684248DAA89DM8PR11MB5606namp_--


From nobody Thu Sep 30 01:26:14 2021
Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6651D3A07A0 for <secdir@ietf.org>; Thu, 30 Sep 2021 01:26:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Tero Kivinen via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 7.38.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: secdir-secretary@mit.edu, Tero Kivinen <kivinen@iki.fi>
Message-ID: <163299037188.25401.17351976424698653231@ietfa.amsl.com>
Date: Thu, 30 Sep 2021 01:26:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/otVl58M_Mr5zD_AqKZgReyjFkv8>
Subject: [secdir] Assignments
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2021 08:26:13 -0000

Review instructions and related resources are at:
https://trac.ietf.org/trac/sec/wiki/SecDirReview

For telechat 2021-10-07

Reviewer               LC end     Draft
Daniel Franke          2021-09-22 draft-ietf-cbor-network-addresses

Last calls:

Reviewer               LC end     Draft
Derek Atkins           2021-09-07 draft-ietf-bess-evpn-optimized-ir
John Bradley           2021-09-06 draft-ietf-core-senml-data-ct
Shaun Cooley           2021-09-06 draft-ietf-jmap-smime
Daniel Franke          2021-09-22 draft-ietf-cbor-network-addresses
Phillip Hallam-Baker   2021-10-12 draft-ietf-cbor-cddl-control
Charlie Kaufman        2021-09-28 draft-ietf-sfc-nsh-tlv
Scott Kelly            2021-10-27 draft-ietf-regext-rfc7484bis
Tero Kivinen           2021-10-21 draft-zern-webp
Watson Ladd            2021-10-01 draft-ietf-netmod-yang-instance-file-format
Barry Leiba            2021-10-01 draft-ietf-netconf-notification-capabilities
Chris Lonvick          None       draft-ietf-opsawg-l2nm
Sandra Murphy          2020-10-15 draft-ietf-tls-external-psk-importer
Tim Polk               2021-08-06 draft-ietf-opsawg-vpn-common
Stefan Santesson       2021-08-11 draft-ietf-bier-te-arch
Samuel Weiler         R2020-06-11 draft-ietf-trill-multilevel-single-nickname
Samuel Weiler          2021-08-25 draft-ietf-alto-path-vector
Brian Weis             2021-08-19 draft-ietf-dnsop-svcb-https
Klaas Wierenga         2021-08-30 draft-ietf-alto-cdni-request-routing-alto
Klaas Wierenga         2020-12-02 draft-ietf-core-echo-request-tag
Klaas Wierenga         2020-05-26 draft-ietf-kitten-krb-spake-preauth
Liang Xia              2021-09-07 draft-ietf-bess-evpn-igmp-mld-proxy
Liang Xia              2021-03-17 draft-ietf-core-sid
Dacheng Zhang          2021-09-07 draft-ietf-bess-evpn-bum-procedure-updates

Early review requests:

Reviewer               Due        Draft
Stephen Farrell        2021-09-15 draft-ietf-ippm-ioam-direct-export
Stephen Farrell        2021-06-21 draft-ietf-idr-bgpls-srv6-ext
Tina Tsou              2021-08-25 draft-ietf-opsawg-sbom-access
Sean Turner            2021-08-18 draft-ietf-taps-interface
Loganaden Velvindron   2021-08-18 draft-ietf-taps-arch

Next in the reviewer rotation:

  Aanchal Malhotra
  David Mandelberg
  Catherine Meadows
  Alexey Melnikov
  Daniel Migault
  Adam Montville
  Kathleen Moriarty
  Russ Mundy
  Sandra Murphy
  Yoav Nir


From nobody Thu Sep 30 23:23:23 2021
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232673A081D; Thu, 30 Sep 2021 23:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.9
X-Spam-Level: **
X-Spam-Status: No, score=2.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, GB_SUMOF=5, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yE_nTJNzQ3uU; Thu, 30 Sep 2021 23:23:04 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2109.outbound.protection.outlook.com [40.92.40.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98A593A005E; Thu, 30 Sep 2021 23:23:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=madit/6VqkqwntanwEBhg/oY2rhNQ50a/NQ+2mXIrw6diOoSDDhTNConQ6Wh7lkt25uUTq8f9RtAebvw/qUziwXgn94QUSDlTnbw/1x71eOL8j2dmvVpbgSUZupGmiK29Zmcr5CnNMSkFUbMZ4mJQRujq27QvS8UoQXpd4EqX3o0ckd/ndgTabNekJDzdOgxLBQlGJHG5etoXJj/x3HiF+nmw5tBDeQwzLzKIcjJke0OsqMBUOM5HQhN+uOT2r2Y/SuvUBAFY9eHYT7D0GN3rStepyC3NEcTwy4v8R49ucysD2fY0msmADnEorUBXyL2wz0ExupO7HXpWLQKbcYaIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;  s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EF2JjIs3J+Fy9Z3rzr1frEiUKBOUsaQ680sqgRPX0pw=; b=bkAxcpmLFqd1y8Zo8nI0QTZwyPAfol3JP/btlcanHo1EseIf7iVmqEg5qqY0YEEj9/OOWLQ+PP1qCiLzA5xde9bYnifEDkbs/L+4msBokrvsNOM9uv4uqwttyCiZCHv8/cjy9PpI1Oo/tsinPZw+7BClawplwX769IlNnqhbFJbcOVnEsKSSdWvju51VsnwBcYGymITcWyEu0sU44nc5KB+a/FRM4/YqP7+fCYK4d4UWWI5/hRUBnAJqTmzZSToZyTfqdLvbJoa+4SEuIoj0fXzfGtaczLmcm7lwKTcZNuQtxLDumZqWWdOrye/MRU0lbM5DBdAH/swuTPnotnVa9w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EF2JjIs3J+Fy9Z3rzr1frEiUKBOUsaQ680sqgRPX0pw=; b=qKcopZxSloBQecL4X7/2au4VS6lRtILq8lvd0buAnFAKf9lXMAJ151Bs1KeUuYongQ4cHLLMmH9fs7FhVzgez/elFF5Cih1Ct7HeoqdM0nCXCZZ8Rb+Kp5h+w1xj+XJnxp9qxe+BIT04nIbTrHUj8TX1UcjIxJeJYkrLoyPLJKTd37gOFi9JSh3Ath/dGsQ9d0Rhca1nSuT+eXdeuzUX0MwqttnJj2henNRlIJYKRSN8pBypl2zI92+W+2sAa25tRhaXed9w7DtVMJyqO7m3+mYqhDVW//WxYl4J5lrtu58AcjqXfossnMtgwfd+RQIl2qeJbIIPZIadfcC80PUreg==
Received: from MW2PR1901MB4683.namprd19.prod.outlook.com (2603:10b6:302:6::28) by MWHPR19MB1086.namprd19.prod.outlook.com (2603:10b6:300:a5::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.21; Fri, 1 Oct 2021 06:23:02 +0000
Received: from MW2PR1901MB4683.namprd19.prod.outlook.com ([fe80::d1fc:871:50e:2dd5]) by MW2PR1901MB4683.namprd19.prod.outlook.com ([fe80::d1fc:871:50e:2dd5%6]) with mapi id 15.20.4544.025; Fri, 1 Oct 2021 06:23:02 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-nsh-tlv.all@ietf.org" <draft-ietf-nsh-tlv.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-nsh-tlv-08
Thread-Index: AQHXtoxLoeTM3+lkiked51ZCecVWng==
Date: Fri, 1 Oct 2021 06:23:02 +0000
Message-ID: <MW2PR1901MB468370FA7A15C00DAD68285BDFAB9@MW2PR1901MB4683.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
suggested_attachment_session_id: f10ce794-a09b-d976-9c6a-5f13b6580c87
x-tmn: [6xdA+qOQ21RI4OpKfTemObUfKluvZBWlrnk8ybCzFPzUecY0fFKTzg==]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 187747bf-b822-4764-e4cc-08d984a3ec16
x-ms-traffictypediagnostic: MWHPR19MB1086:
x-microsoft-antispam: BCL:0;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW2PR1901MB468370FA7A15C00DAD68285BDFAB9MW2PR1901MB4683_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW2PR1901MB4683.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 187747bf-b822-4764-e4cc-08d984a3ec16
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Oct 2021 06:23:02.4485 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR19MB1086
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DsS5EY4-OBKCG0_1-dyoK8g7w2w>
Subject: [secdir] Secdir review of draft-ietf-nsh-tlv-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2021 06:23:10 -0000

--_000_MW2PR1901MB468370FA7A15C00DAD68285BDFAB9MW2PR1901MB4683_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: No security issues

This document specifies a syntax only and therefore has no security considerations. The security considerations section points to RFC8300 for security considerations of the protocol in which these messages are used.

General comments:

I found no nits with the document.

Section 3 of the document repeats information from RFC8300 but in less detail. I assume that's to set context and is non-normative. It omits important details like processing of the "U" fields. Neither document says what to do on format violations (e.g., Length=0).

I would have expected Section 4 to say what to do with format violations. For example, if the Length is not the value the spec says it has to be, should the length be ignored, or the extension be ignored, or the entire packet be discarded? What if the sum of the lengths of the extensions exceeds the length (in four octet groups) specified in the outer header?

This is common in specifications and does not lead to problems until someone tries to extend the protocol later and discovers divergent behavior in implementations. (Sadly, that's often true even if the specification does define correct behavior because implementations often don't follow the specifications, but you have to start somewhere).



--_000_MW2PR1901MB468370FA7A15C00DAD68285BDFAB9MW2PR1901MB4683_--
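
The two format violations raised in the review above (a context-header Length that is not the mandated value, and context headers that run past the outer Length), shown as an added example that is not part of the review, the draft, or RFC 8300. It parses the RFC 8300 MD Type 2 layout and assumes a "discard the entire packet" policy, which neither document specifies; the TLV type 0x7F, the expected-length table, and the sample packets are constructed.

```python
import struct

class NshFormatError(ValueError):
    """Length rule violated; this example's policy is to drop the whole packet."""

def parse_md2(packet, expected_len):
    """Return [(class, type, metadata)] for an MD Type 2 NSH, or raise."""
    if len(packet) < 8:
        raise NshFormatError("shorter than Base + Service Path headers")
    first16, md_byte = struct.unpack_from("!HB", packet, 0)
    total = (first16 & 0x3F) * 4              # outer Length is in 4-octet words
    if md_byte & 0x0F != 2:
        raise NshFormatError("not MD Type 2")
    if not 8 <= total <= len(packet):
        raise NshFormatError("outer Length out of range")
    headers, off = [], 8
    while off < total:
        md_class, tlv_type, ulen = struct.unpack_from("!HBB", packet, off)
        mlen = ulen & 0x7F                    # low 7 bits; top bit is unassigned
        padded = (mlen + 3) & ~3              # metadata is padded to 4 octets
        if off + 4 + padded > total:
            raise NshFormatError("context headers exceed outer Length")
        want = expected_len.get((md_class, tlv_type))
        if want is not None and mlen != want:
            raise NshFormatError("Length=%d, expected %d" % (mlen, want))
        headers.append((md_class, tlv_type, packet[off + 4:off + 4 + mlen]))
        off += 4 + padded
    return headers

def verdict(packet, expected_len):
    """Map the parser result onto an accept/drop decision."""
    try:
        return ("accept", parse_md2(packet, expected_len))
    except NshFormatError as exc:
        return ("drop", str(exc))

def nsh(words, *tlvs):
    """Constructed packet: TTL 63, MD Type 2, Next Protocol 0x03, SPI 1, SI 255."""
    base = struct.pack("!HBBI", (63 << 6) | words, 0x02, 0x03, (1 << 8) | 255)
    return base + b"".join(tlvs)

# Hypothetical table: class 0x0000 / type 0x7F is a made-up TLV that must carry 4 octets.
EXPECTED = {(0x0000, 0x7F): 4}
GOOD = nsh(4, struct.pack("!HBB", 0, 0x7F, 4) + b"\x00\x00\x00\x2a")
ZERO_LEN = nsh(3, struct.pack("!HBB", 0, 0x7F, 0))                        # Length=0
OVERRUN = nsh(3, struct.pack("!HBB", 0, 0x7F, 4) + b"\x00\x00\x00\x2a")   # outer Length too small

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("zero-len", ZERO_LEN), ("overrun", OVERRUN)):
        print(name, verdict(pkt, EXPECTED))
```

An implementation that instead skipped the offending context header or trusted the inner Length would return different results for the last two packets, which is the divergence the review describes.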

